Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pop Ups


  • This topic is locked This topic is locked
18 replies to this topic

#1 Usn2kids2

Usn2kids2

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:31 AM

Posted 29 March 2009 - 11:38 AM

Since yesterday evening I have been receiving pop ups. Registry Defender, Shield Deluxe 2009, and many advertisements like Cancer Foundation and video pop ups kind of like you tube one was media.tv I never allowed anything to scan or install just closed the windows out.
Nothing comes up on my mcafee scan... Will someone please look at my log




DDS (Ver_09-03-16.01) - NTFSx86
Run by cwjonesjr at 12:18:42.56 on Sun 03/29/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.102 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\KGB\Mpk.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\cwjonesjr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://my.netzero.net/s/search?r=minisearch
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\netzero\SearchEnh1.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {e7532f79-dd2a-4c8b-aa95-140b5fe2bbfe} - c:\windows\system32\tinezevu.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [gebikajujo] Rundll32.exe "c:\windows\system32\hewalote.dll",s
mRun: [7c9e4de4] rundll32.exe "c:\windows\system32\medesewo.dll",b
mRun: [CPM7fad7e78] Rundll32.exe "c:\windows\system32\mulipiza.dll",a
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mExplorerRun: [Mpk.exe] c:\program files\kgb\Mpk.exe
StartupFolder: c:\docume~1\cwjone~1\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150568529703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: text/html - {6756aec7-442f-4ded-a87b-db41bd860595} - c:\windows\system32\mst123.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\sutiruku.dll c:\windows\system32\mulipiza.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mulipiza.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\mulipiza.dll
LSA: Notification Packages = scecli c:\windows\system32\sutiruku.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cwjone~1\applic~1\mozilla\firefox\profiles\djddqxs6.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2005-1-16 77312]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-29 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-29 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-29 108552]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-10 213640]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2005-1-16 6656]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-29 298264]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-30 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-10 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-10 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-10 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-10 40552]
S2 nhksrv;Netropa NHK Server; [x]
S3 AvSynMgr;AVSync Manager;c:\program files\network associates\virusscan\Avsynmgr.exe [2001-11-26 155665]
S3 iteio;iteio;\??\c:\windows\system32\drivers\iteio.sys --> c:\windows\system32\drivers\iteio.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-10 34216]

=============== Created Last 30 ================

2009-03-29 12:04 <DIR> --d----- c:\program files\Trend Micro
2009-03-29 11:03 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-29 11:03 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-29 11:03 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-29 11:02 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-29 11:02 <DIR> --d----- c:\docume~1\cwjone~1\applic~1\AVGTOOLBAR
2009-03-29 11:02 <DIR> --d----- c:\program files\AVG
2009-03-29 11:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-25 21:10 <DIR> --d----- c:\program files\Yahoo!
2009-03-23 20:10 <DIR> --d----- c:\program files\Common

==================== Find3M ====================

2009-03-29 10:26 89,088 a--sh--- c:\windows\system32\mulipiza.dll
2009-03-29 10:26 61,440 a--sh--- c:\windows\system32\papororo.exe
2009-03-29 10:26 80,896 a--sh--- c:\windows\system32\medesewo.dll
2009-03-28 22:26 61,440 a--sh--- c:\windows\system32\firupifo.exe
2009-03-28 22:26 89,088 a--sh--- c:\windows\system32\momewohu.dll
2009-03-28 22:26 81,408 -------- c:\windows\system32\famuhime.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2001-11-23 00:08 712,704 a----r-- c:\windows\inf\other\AUDIO3D.DLL
0000-00-00 00:00 49,152 a--sh--- c:\windows\system32\hewalote.dll
0000-00-00 00:00 49,152 a--sh--- c:\windows\system32\sutiruku.dll
0000-00-00 00:00 49,152 a--sh--- c:\windows\system32\tinezevu.dll
2008-10-28 17:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102820081029\index.dat

============= FINISH: 12:21:01.85 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:02:31 AM

Posted 07 April 2009 - 12:32 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Usn2kids2

Usn2kids2
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:31 AM

Posted 10 April 2009 - 01:47 PM

Thank you very much for your response. I am still having the same issues with the pop ups and they are trying to scan even after being closed out. I have not done anything new since the last post. Here is my new DDS log and Attach file. Thanks again for your time.



DDS (Ver_09-03-16.01) - NTFSx86
Run by cwjonesjr at 14:30:21.26 on Fri 04/10/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.214 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\cwjonesjr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://my.netzero.net/s/search?r=minisearch
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\netzero\SearchEnh1.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\common\helper.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {e7532f79-dd2a-4c8b-aa95-140b5fe2bbfe} - c:\windows\system32\hoyilaki.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [gebikajujo] Rundll32.exe "c:\windows\system32\mumifovo.dll",s
mRun: [7c9e4de4] rundll32.exe "c:\windows\system32\heyafiwo.dll",b
mRun: [CPM7fad7e78] Rundll32.exe "c:\windows\system32\fuyevevi.dll",a
mExplorerRun: [Mpk.exe] c:\program files\kgb\Mpk.exe
StartupFolder: c:\docume~1\cwjone~1\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150568529703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: text/html - {6756aec7-442f-4ded-a87b-db41bd860595} - c:\windows\system32\mst123.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: c:\windows\system32\nehuvivi.dll c:\windows\system32\dehageja.dll c:\windows\system32\webigave.dll c:\windows\system32\fuyevevi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fuyevevi.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\fuyevevi.dll
LSA: Notification Packages = scecli c:\windows\system32\webigave.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cwjone~1\applic~1\mozilla\firefox\profiles\djddqxs6.default\

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2005-1-16 77312]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-10 213640]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2005-1-16 6656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-30 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-10 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-10 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-10 35272]
S2 nhksrv;Netropa NHK Server; [x]
S3 AvSynMgr;AVSync Manager;c:\program files\network associates\virusscan\Avsynmgr.exe [2001-11-26 155665]
S3 iteio;iteio;\??\c:\windows\system32\drivers\iteio.sys --> c:\windows\system32\drivers\iteio.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-10 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-10 40552]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-10 606736]

=============== Created Last 30 ================

2009-03-29 22:29 2,713 ---sh--- c:\windows\system32\bulimane.dll
2009-03-29 16:28 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-29 16:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-29 15:46 68 a------- C:\regconf.ini
2009-03-29 12:04 <DIR> --d----- c:\program files\Trend Micro
2009-03-25 21:10 <DIR> --d----- c:\program files\Yahoo!
2009-03-23 20:10 <DIR> --d----- c:\program files\Common

==================== Find3M ====================

2009-04-10 10:32 63,488 a--sh--- c:\windows\system32\gowaloto.exe
2009-04-10 10:32 110,080 a--sh--- c:\windows\system32\fuyevevi.dll
2009-04-09 22:31 109,056 a--sh--- c:\windows\system32\soropipu.dll
2009-04-09 22:31 61,952 a--sh--- c:\windows\system32\watisulu.exe
2009-04-09 22:31 100,864 a--sh--- c:\windows\system32\heyafiwo.dll
2009-04-09 10:31 108,032 a--sh--- c:\windows\system32\hedituye.dll
2009-04-08 22:31 70,656 a--sh--- c:\windows\system32\mejakoto.dll
2009-04-08 22:31 108,544 a--sh--- c:\windows\system32\sureniya.dll
2009-04-08 10:31 109,056 a--sh--- c:\windows\system32\sugiyide.dll
2009-04-02 22:29 100,352 -------- c:\windows\system32\fewohite.dll
2009-03-31 10:28 50,688 a--sh--- c:\windows\system32\duvabova.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2001-11-23 00:08 712,704 a----r-- c:\windows\inf\other\AUDIO3D.DLL
2009-01-08 22:32 70,656 a--sh--- c:\windows\system32\hoyilaki.dll
2009-01-08 22:32 70,656 a--sh--- c:\windows\system32\mumifovo.dll
2009-01-08 22:32 70,656 a--sh--- c:\windows\system32\webigave.dll
2008-10-28 17:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102820081029\index.dat

============= FINISH: 14:32:09.04 ===============

Attached Files



#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:31 AM

Posted 10 April 2009 - 03:27 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 Usn2kids2

Usn2kids2
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:31 AM

Posted 12 April 2009 - 12:22 PM

Thank you Panda for your time. The only thing I have done to the computer is uninstall AVG because I was told I could not run it with MCAfee. McAfee has ran its daily scan and blocked a few register (?) changes. Still continue to get pop ups for everything from YouTube videos and college advertisements to the "scan your computer now" type stuff.
I am posting the new logs now, again thanks for your time.



ComboFix 09-04-12.03 - cwjonesjr 2009-04-12 12:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.121 [GMT -4:00]
Running from: c:\documents and settings\cwjonesjr\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\windows\IE4 Error Log.txt
c:\windows\system32\duvabova.dll
c:\windows\system32\fewohite.dll
c:\windows\system32\fuyevevi.dll
c:\windows\system32\hedituye.dll
c:\windows\system32\heyafiwo.dll
c:\windows\system32\hoyilaki.dll
c:\windows\system32\luzoguso.dll
c:\windows\system32\mejakoto.dll
c:\windows\system32\nasokowo.dll
c:\windows\system32\owifayeh.ini
c:\windows\system32\sikizela.dll
c:\windows\system32\soropipu.dll
c:\windows\system32\sugiyide.dll
c:\windows\system32\sureniya.dll
c:\windows\system32\wojesahe.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((( Files Created from 2009-03-12 to 2009-04-12 )))))))))))))))))))))))))))))))
.

2009-03-30 02:29 . 2009-03-30 02:29 2713 --sh--w c:\windows\system32\bulimane.dll
2009-03-29 20:28 . 2009-03-29 21:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-29 19:46 . 2009-03-29 19:46 68 ----a-w C:\regconf.ini
2009-03-26 02:05 . 2009-03-26 02:05 0 ----a-w c:\windows\nsreg.dat
2009-03-26 01:11 . 2009-03-26 01:28 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-26 01:10 . 2009-03-26 01:13 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 16:53 . 2009-03-24 00:10 -------- d-----w c:\program files\Common
2009-04-12 14:33 . 2009-01-12 14:33 64000 --sha-w c:\windows\system32\vapudabi.exe
2009-04-12 02:33 . 2009-01-12 02:33 62976 --sha-w c:\windows\system32\yiralujo.exe
2009-04-11 14:32 . 2009-01-11 14:32 62464 --sha-w c:\windows\system32\mujahoji.exe
2009-04-11 02:32 . 2009-01-11 02:32 61952 --sha-w c:\windows\system32\bunijufu.exe
2009-04-10 23:18 . 2008-12-23 05:49 -------- d-----w c:\program files\LimeWire
2009-04-10 14:32 . 2009-01-10 14:31 63488 --sha-w c:\windows\system32\gowaloto.exe
2009-04-10 02:31 . 2009-01-10 02:31 61952 --sha-w c:\windows\system32\watisulu.exe
2009-03-31 12:22 . 2008-11-12 23:47 -------- d-sh--w c:\program files\KGB
2009-03-31 05:49 . 2008-11-12 23:47 -------- d-sh--w c:\documents and settings\All Users\Application Data\MPK
2009-03-29 20:36 . 2009-03-29 20:28 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-29 16:04 . 2009-03-29 16:04 -------- d-----w c:\program files\Trend Micro
2009-03-29 15:27 . 2008-12-29 21:19 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-26 01:11 . 2009-03-26 01:10 -------- d-----w c:\program files\Yahoo!
2009-03-24 14:44 . 2008-04-10 15:26 -------- d-----w c:\program files\McAfee
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-03-30 02:29 . 2009-03-30 02:29 2713 --sh--w c:\windows\system32\bulimane.dll
2009-04-11 02:32 . 2009-01-11 02:32 61952 --sha-w c:\windows\system32\bunijufu.exe
2009-04-10 14:32 . 2009-01-10 14:31 63488 --sha-w c:\windows\system32\gowaloto.exe
2009-04-11 14:32 . 2009-01-11 14:32 62464 --sha-w c:\windows\system32\mujahoji.exe
2009-04-12 14:33 . 2009-01-12 14:33 64000 --sha-w c:\windows\system32\vapudabi.exe
2009-04-10 02:31 . 2009-01-10 02:31 61952 --sha-w c:\windows\system32\watisulu.exe
2009-04-12 02:33 . 2009-01-12 02:33 62976 --sha-w c:\windows\system32\yiralujo.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2009-01-08 20:30 645328 c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MULTIMEDIA KEYBOARD]
--a------ 2002-03-17 08:39 151552 c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 06:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-25 17:56 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
--a------ 2003-05-21 16:35 4608 c:\windows\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2004-01-15 08:33 49152 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
-ra------ 2004-01-29 23:23 135168 c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\KGB\\MpkView.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=

R2 nhksrv;Netropa NHK Server; [x]
R3 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\Avsynmgr.exe [2001-11-26 155665]
R3 iteio;iteio; [x]
S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-10-30 77312]
S1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\DRIVERS\msikbd2k.sys [2001-12-20 6656]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]

.
Contents of the 'Scheduled Tasks' folder

2009-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]
.
- - - - ORPHANS REMOVED - - - -

BHO-{e7532f79-dd2a-4c8b-aa95-140b5fe2bbfe} - c:\windows\system32\hoyilaki.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-gebikajujo - c:\windows\system32\mumifovo.dll
HKLM-Explorer_Run-Mpk.exe - c:\program files\KGB\Mpk.exe
MSConfigStartUp-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\cwjonesjr\Application Data\Mozilla\Firefox\Profiles\djddqxs6.default\
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-12 12:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3640)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\LimeWire\LimeWire.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-04-12 13:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-12 17:02

Pre-Run: 66,389,204,992 bytes free
Post-Run: 66,707,767,296 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

195 --- E O F --- 2009-03-18 07:02





GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-12 13:12:32
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEBF0444A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEBF043F8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEBF0440C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEBF0448A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEBF043D0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEBF043E4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEBF0445E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEBF04436]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEBF04422]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEBF044B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEBF044A0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEBF04474]
Code \??\C:\DOCUME~1\CWJONE~1\LOCALS~1\Temp\catchme.sys pIofCallDriver
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:31 AM

Posted 12 April 2009 - 12:47 PM

Hello.

Let's see what we can do.

Peer-to-Peer Programs Warning
Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case LimeWire/b]). These programs allow to share files between users as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\windows\system32\bulimane.dll
    c:\windows\system32\vapudabi.exe
    c:\windows\system32\yiralujo.exe
    c:\windows\system32\mujahoji.exe
    c:\windows\system32\bunijufu.exe
    c:\windows\system32\gowaloto.exe
    c:\windows\system32\watisulu.exe
    c:\windows\system32\bunijufu.exe
    c:\windows\system32\gowaloto.exe
    c:\windows\system32\mujahoji.exe
    c:\windows\system32\vapudabi.exe
    c:\windows\system32\watisulu.exe
    c:\windows\system32\yiralujo.exe
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using File Assasin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able update using the normal method download the update file from [b]here, using another machine if needed. Simple double click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.
Give me an update on the symptoms after.

With Regards,
The Panda

#7 Usn2kids2

Usn2kids2
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:31 AM

Posted 12 April 2009 - 05:17 PM

Okay I have the two new logs below... Thanks for the info on Limewire, my husband needed to hear it from someone besides me. LMFAO! Malwarebytes' had me q five things I think. I'll do something online and see if there are any changes to report. Thanks again for your time.

ComboFix 09-04-13.06 - cwjonesjr 2009-04-12 17:46.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.194 [GMT -4:00]
Running from: c:\documents and settings\cwjonesjr\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\cwjonesjr\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\bulimane.dll
c:\windows\system32\bunijufu.exe
c:\windows\system32\gowaloto.exe
c:\windows\system32\mujahoji.exe
c:\windows\system32\vapudabi.exe
c:\windows\system32\watisulu.exe
c:\windows\system32\yiralujo.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bulimane.dll
c:\windows\system32\bunijufu.exe
c:\windows\system32\gowaloto.exe
c:\windows\system32\mujahoji.exe
c:\windows\system32\vapudabi.exe
c:\windows\system32\watisulu.exe
c:\windows\system32\yiralujo.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-03-29 20:28 . 2009-03-29 21:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-29 19:46 . 2009-03-29 19:46 68 ----a-w C:\regconf.ini
2009-03-26 02:05 . 2009-03-26 02:05 0 ----a-w c:\windows\nsreg.dat
2009-03-26 02:05 . 2009-03-26 02:05 -------- d-----w c:\documents and settings\cwjonesjr\Local Settings\Application Data\Mozilla
2009-03-26 01:13 . 2009-03-26 01:13 -------- d-----w c:\documents and settings\cwjonesjr\Local Settings\Application Data\Yahoo
2009-03-26 01:11 . 2009-03-26 01:28 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-26 01:11 . 2009-03-26 01:11 -------- d-----w c:\documents and settings\cwjonesjr\Application Data\Yahoo!
2009-03-26 01:10 . 2009-03-26 01:13 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-03-23 13:32 . 2009-03-23 13:32 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 16:53 . 2009-03-24 00:10 -------- d-----w c:\program files\Common
2009-04-11 02:33 . 2008-10-31 00:50 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-10 23:18 . 2008-12-23 05:49 -------- d-----w c:\program files\LimeWire
2009-03-31 12:22 . 2008-11-12 23:47 -------- d-sh--w c:\program files\KGB
2009-03-31 05:49 . 2008-11-12 23:47 -------- d-sh--w c:\documents and settings\All Users\Application Data\MPK
2009-03-29 20:36 . 2009-03-29 20:28 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-29 16:04 . 2009-03-29 16:04 -------- d-----w c:\program files\Trend Micro
2009-03-29 15:27 . 2008-12-29 21:19 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-26 01:11 . 2009-03-26 01:10 -------- d-----w c:\program files\Yahoo!
2009-03-24 14:44 . 2008-04-10 15:26 -------- d-----w c:\program files\McAfee
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2008-10-31 21:42 . 2005-01-18 01:14 20264 ----a-w c:\documents and settings\cwjonesjr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-01-17 00:05 . 2005-01-17 00:05 132 ----a-w c:\documents and settings\cwjonesjr\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-12_12.59.39.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-01-16 13:05 . 2009-04-12 16:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-01-16 13:05 . 2009-04-12 21:33 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-01-16 13:05 . 2009-04-12 21:33 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-01-16 13:05 . 2009-04-12 16:48 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]

c:\documents and settings\cwjonesjr\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2006-06-21 159744]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2009-01-08 20:30 645328 c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MULTIMEDIA KEYBOARD]
--a------ 2002-03-17 08:39 151552 c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 06:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-25 17:56 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
--a------ 2003-05-21 16:35 4608 c:\windows\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2004-01-15 08:33 49152 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
-ra------ 2004-01-29 23:23 135168 c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\KGB\\MpkView.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=

R2 nhksrv;Netropa NHK Server; [x]
R3 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\Avsynmgr.exe [2001-11-26 155665]
R3 iteio;iteio; [x]
S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-10-30 77312]
S1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\DRIVERS\msikbd2k.sys [2001-12-20 6656]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - AUJASNKJ
*Deregistered* - aujasnkj
.
Contents of the 'Scheduled Tasks' folder

2009-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\cwjonesjr\Application Data\Mozilla\Firefox\Profiles\djddqxs6.default\
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 17:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-13 17:50
ComboFix-quarantined-files.txt 2009-04-13 21:50
ComboFix2.txt 2009-04-12 17:02

Pre-Run: 66,725,744,640 bytes free
Post-Run: 66,835,279,872 bytes free

156 --- E O F --- 2009-03-18 07:02






Malwarebytes' Anti-Malware 1.36
Database version: 1971
Windows 5.1.2600 Service Pack 3

4/13/2009 6:07:42 PM
mbam-log-2009-04-13 (18-07-42).txt

Scan type: Quick Scan
Objects scanned: 67066
Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6756aec7-442f-4ded-a87b-db41bd860595} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mst123.dll (Trojan.Agent) -> Quarantined and deleted successfully.

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:31 AM

Posted 12 April 2009 - 06:04 PM

Hello.

Looks better.

Kaspersky scan can be left to when the computer is free. It can take awhile.

Update Java to Version 6 Update 13
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Please also include a new DDS.txt log.

With Regards,
The Panda

#9 Usn2kids2

Usn2kids2
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:31 AM

Posted 13 April 2009 - 04:04 PM

Hello Panda, having some issues this time around. Last night everything went fine for an hour or so with no pop ups. Then my browser crashed and when I tried to get onto this thread to continue with my directions I could not. I am on the kids computer now and had no problem getting here.
So new to report my browser is crashing and I can not go to bleepingcomputer.com. I also can not get the dds to run, I had to download it again befcause I had deleted it, neither the scr or the pif file will work and the first link is a dead link. DDS trys to open dos screen but closes right away. I did uninstall all java and then downloaded and installed the new version. Also uninstalled Limewire and ran the Kaspersky. I am including the Kaspersky log in this post. Please let me know what to do about not being able to run the DDS.

Thanks in advance for your time.


KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, April 14, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, April 13, 2009 20:46:29
Records in database: 2041343


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\

Scan statistics
Files scanned 36021
Threat name 5
Infected objects 7
Suspicious objects 0
Duration of the scan 00:56:24

File name Threat name Threats count
C:\Documents and Settings\cwjonesjr\Local Settings\Application Data\Mozilla\Firefox\Profiles\djddqxs6.default\Cache\FA7DE7A1d01 Infected: Exploit.Win32.Pidief.apg 1

C:\Program Files\KGB\MpkNetInstall.exe Infected: not-a-virus:Monitor.Win32.KGBSpy.i 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\bunijufu.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.edk 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\watisulu.exe.vir Infected: Packed.Win32.Mondera.c 1

C:\WINDOWS\system32\hewalote.dll.tmp Infected: Trojan.Win32.Monder.bzea 1

C:\WINDOWS\system32\sutiruku.dll.tmp Infected: Trojan.Win32.Monder.bzea 1

C:\WINDOWS\system32\tinezevu.dll.tmp Infected: Trojan.Win32.Monder.bzea 1

The selected area was scanned.

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:31 AM

Posted 13 April 2009 - 04:46 PM

Hello.

Please run ComboFix again and post back with that log.

Also take a new GMER log.

Might have a reinfection here.

With Regards,
The Panda

#11 Usn2kids2

Usn2kids2
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:31 AM

Posted 14 April 2009 - 08:52 AM

Okay, the new logs from this morning are below. Thanks for your time...


ComboFix 09-04-14.09 - cwjonesjr 04/15/2009 9:39.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.172 [GMT -4:00]
Running from: c:\documents and settings\cwjonesjr\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-14 18:35 . 2009-04-14 18:35 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-13 22:01 . 2009-04-13 22:01 -------- d-----w c:\documents and settings\cwjonesjr\Application Data\Malwarebytes
2009-04-13 22:01 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-13 22:01 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 22:01 . 2009-04-13 22:01 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-29 20:28 . 2009-03-29 21:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-29 19:46 . 2009-03-29 19:46 68 ----a-w C:\regconf.ini
2009-03-26 02:05 . 2009-03-26 02:05 0 ----a-w c:\windows\nsreg.dat
2009-03-26 02:05 . 2009-03-26 02:05 -------- d-----w c:\documents and settings\cwjonesjr\Local Settings\Application Data\Mozilla
2009-03-26 01:13 . 2009-03-26 01:13 -------- d-----w c:\documents and settings\cwjonesjr\Local Settings\Application Data\Yahoo
2009-03-26 01:11 . 2009-03-26 01:28 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-26 01:11 . 2009-03-26 01:11 -------- d-----w c:\documents and settings\cwjonesjr\Application Data\Yahoo!
2009-03-26 01:10 . 2009-03-26 01:13 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-03-23 13:32 . 2009-03-23 13:32 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 11:15 . 2009-04-13 22:15 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
2009-04-14 20:43 . 2008-12-23 05:49 -------- d-----w c:\program files\LimeWire
2009-04-14 18:35 . 2008-12-25 21:56 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-14 18:16 . 2008-05-29 13:17 -------- d-----w c:\program files\Java
2009-04-13 22:01 . 2009-04-13 22:01 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-12 16:53 . 2009-03-24 00:10 -------- d-----w c:\program files\Common
2009-04-11 02:33 . 2008-10-31 00:50 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-03-31 12:22 . 2008-11-12 23:47 -------- d-sh--w c:\program files\KGB
2009-03-31 05:49 . 2008-11-12 23:47 -------- d-sh--w c:\documents and settings\All Users\Application Data\MPK
2009-03-29 20:36 . 2009-03-29 20:28 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-29 16:04 . 2009-03-29 16:04 -------- d-----w c:\program files\Trend Micro
2009-03-29 15:27 . 2008-12-29 21:19 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-26 01:11 . 2009-03-26 01:10 -------- d-----w c:\program files\Yahoo!
2009-03-24 14:44 . 2008-04-10 15:26 -------- d-----w c:\program files\McAfee
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2008-10-31 21:42 . 2005-01-18 01:14 20264 ----a-w c:\documents and settings\cwjonesjr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-01-17 00:05 . 2005-01-17 00:05 132 ----a-w c:\documents and settings\cwjonesjr\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-12_12.59.39.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-15 13:34 . 2009-04-15 13:34 16384 c:\windows\Temp\Perflib_Perfdata_138.dat
+ 2009-04-13 22:01 . 2009-04-06 19:32 38496 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2009-04-13 22:01 . 2009-04-06 19:32 15504 c:\windows\system32\drivers\mbam.sys
+ 2009-04-13 22:15 . 2009-04-15 11:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-01-16 13:05 . 2009-04-12 16:48 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-01-16 13:05 . 2009-04-12 16:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-01-16 13:05 . 2009-04-15 11:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-01-16 13:05 . 2009-04-15 11:15 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-01-16 13:05 . 2009-04-12 16:48 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-14 18:35 . 2009-04-14 18:35 148888 c:\windows\system32\javaws.exe
- 2008-12-25 21:56 . 2008-12-25 21:56 148888 c:\windows\system32\javaws.exe
- 2008-12-25 21:56 . 2008-12-25 21:56 144792 c:\windows\system32\javaw.exe
+ 2009-04-14 18:35 . 2009-04-14 18:35 144792 c:\windows\system32\javaw.exe
+ 2009-04-14 18:35 . 2009-04-14 18:35 144792 c:\windows\system32\java.exe
- 2008-12-25 21:56 . 2008-12-25 21:56 144792 c:\windows\system32\java.exe
- 2008-12-25 21:56 . 2008-12-25 21:56 410984 c:\windows\system32\deploytk.dll
+ 2008-12-25 21:56 . 2009-04-14 18:35 410984 c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-14 148888]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2009-01-09 00:30 645328 ----a-w c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MULTIMEDIA KEYBOARD]
2002-03-17 12:39 151552 ----a-w c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 ----a-w c:\windows\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-14 18:35 148888 ----a-w c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
2003-05-21 20:35 4608 ----a-w c:\windows\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2004-01-15 12:33 49152 ----a-r c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
2004-01-30 03:23 135168 ----a-r c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\KGB\\MpkView.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=

R2 nhksrv;Netropa NHK Server; [x]
R3 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\Avsynmgr.exe [2001-11-26 155665]
R3 iteio;iteio; [x]
S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-10-31 77312]
S1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\DRIVERS\msikbd2k.sys [2001-12-20 6656]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]

.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-04-10 14:53]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-04-10 14:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bleepingcomputer.com\www
FF - ProfilePath - c:\documents and settings\cwjonesjr\Application Data\Mozilla\Firefox\Profiles\djddqxs6.default\
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 09:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1792)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: ~,10time:~,-3
ComboFix-quarantined-files.txt 2009-04-15 13:42
ComboFix2.txt 2009-04-13 21:50
ComboFix3.txt 2009-04-12 17:02

Pre-Run: 66,770,407,424 bytes free
Post-Run: 66,841,923,584 bytes free

162 --- E O F --- 2009-03-18 07:02





GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-15 09:46:17
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEFC2C44A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEFC2C3F8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEFC2C40C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEFC2C48A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEFC2C3D0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEFC2C3E4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEFC2C45E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEFC2C436]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEFC2C422]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEFC2C4B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEFC2C4A0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEFC2C474]
Code \??\C:\DOCUME~1\CWJONE~1\LOCALS~1\Temp\catchme.sys pIofCallDriver
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:31 AM

Posted 14 April 2009 - 10:42 AM

Hello.

No reinfection :thumbup2: .

Please download a new copy of DDS and try to run it. I don't see why it won't run.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are recieving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :files
    C:\WINDOWS\system32\hewalote.dll.tmp
    C:\WINDOWS\system32\sutiruku.dll.tmp
    C:\WINDOWS\system32\tinezevu.dll.tmp
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows expect OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Any problems at the moment?

With Regards,
The Panda

#13 Usn2kids2

Usn2kids2
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:31 AM

Posted 14 April 2009 - 01:45 PM

Glad to hear that I have not got myself into something new. :thumbup2: Okay, somehow I was able to get right on bleepingcomputer.com today and download and run the DDS.scr with out any issues. I am attaching the zipped attach file and pasting the DDS.txt
No problem with the other programs either, the cleaner ran and said it freed up space. The OTMoveIt ran and did have to shut down but it came up with the notepad that I pasted below. I am trying not to surf with this one so nothing new to report, except I have not had any pop ups so far this morning.


DDS (Ver_09-03-16.01) - NTFSx86
Run by cwjonesjr at 14:16:42.23 on Wed 04/15/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.170 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\cwjonesjr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\netzero\SearchEnh1.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: bleepingcomputer.com\www
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150568529703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cwjone~1\applic~1\mozilla\firefox\profiles\djddqxs6.default\

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2005-1-16 77312]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-10 213640]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2005-1-16 6656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-30 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-10 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-10 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-10 35272]
S2 nhksrv;Netropa NHK Server; [x]
S3 AvSynMgr;AVSync Manager;c:\program files\network associates\virusscan\Avsynmgr.exe [2001-11-26 155665]
S3 iteio;iteio;\??\c:\windows\system32\drivers\iteio.sys --> c:\windows\system32\drivers\iteio.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-10 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-10 40552]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-10 606736]

=============== Created Last 30 ================

2009-04-14 14:35 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-13 18:01 <DIR> --d----- c:\docume~1\cwjone~1\applic~1\Malwarebytes
2009-04-13 18:01 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-13 18:01 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 18:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-13 18:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-12 12:52 <DIR> a-dshr-- C:\cmdcons
2009-04-12 12:45 161,792 a------- c:\windows\SWREG.exe
2009-04-12 12:45 98,816 a------- c:\windows\sed.exe
2009-03-29 16:28 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-29 16:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-29 15:46 68 a------- C:\regconf.ini
2009-03-29 12:04 <DIR> --d----- c:\program files\Trend Micro
2009-03-25 21:10 <DIR> --d----- c:\program files\Yahoo!
2009-03-23 20:10 <DIR> --d----- c:\program files\Common

==================== Find3M ====================

2009-04-14 14:35 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2001-11-23 00:08 712,704 a----r-- c:\windows\inf\other\AUDIO3D.DLL
2008-10-28 17:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102820081029\index.dat

============= FINISH: 14:17:14.50 ===============



========== FILES ==========
C:\WINDOWS\system32\hewalote.dll.tmp moved successfully.
C:\WINDOWS\system32\sutiruku.dll.tmp moved successfully.
C:\WINDOWS\system32\tinezevu.dll.tmp moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\cwjonesjr\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\mcmsc_k1KQxzCH1gLl57w scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_138.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_gdNX7T1S8a6ytSf scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_S2rT7TZVEel7t9p scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_XzxPEZZayRAS1eU scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04152009_143042

Files moved on Reboot...
File C:\WINDOWS\temp\mcmsc_k1KQxzCH1gLl57w not found!
File C:\WINDOWS\temp\Perflib_Perfdata_138.dat not found!
File C:\WINDOWS\temp\sqlite_gdNX7T1S8a6ytSf not found!
File C:\WINDOWS\temp\sqlite_S2rT7TZVEel7t9p not found!
File C:\WINDOWS\temp\sqlite_XzxPEZZayRAS1eU not found!

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:31 AM

Posted 14 April 2009 - 03:10 PM

Hello.

Looks good.

Let's leave this for a couple days. If all is well then, we'll do some final cleanup and finish off.

With Regards,
The Panda

#15 Usn2kids2

Usn2kids2
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:31 AM

Posted 14 April 2009 - 03:19 PM

Thanks Panda, I will do some surfing and see how it goes. Thanks so much for your time and have a great day! :thumbup2:

Edited by Usn2kids2, 14 April 2009 - 03:20 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users