Can't get rid of blackbo.dll


  • This topic is locked
18 replies to this topic

#1 weierich

weierich

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:57 PM

Posted 16 April 2009 - 06:42 PM

I recently had issues with multiple viruses. I use McAfee SecurityCenter for virus protection, firewall, etc. Somehow my protection was turned off, no idea how or why, which I believe allowed the viruses/malware access. I ran a virus scan and it cleaned up all but 4 viruses and told me to rescan upon reboot. I rescanned and it cleaned up all but blackbo.dll. I was told to scan upon reboot again, but it was still unable to remove it. I've booted into safe mode with networking and been able to do a "regsvr32 /u blackbo.dll", but can't seem to delete blackbo.dll from my machine. I cannot launch Internet Explorer, except when I am in safe mode with networking. I've tried fixing with HijackThis with a delete on start up, but no success.


DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by Mark Weierich at 16:11:05.98 on Thu 04/16/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.551 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mark Weierich\Local Settings\Temporary Internet Files\Content.IE5\FTFKLVSB\dds[1].scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.cnn.com/
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
mSearch Bar = hxxp://ms101.mysearch.com/sa/srchlft.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: {b6d39e75-6054-4cf3-b197-ffdbf3378846} - c:\windows\system32\blackbo.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [Camera Detector] c:\progra~1\acdsys~1\devdet~1\DEVDET~1.EXE -autorun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [SMSystemAnalyzer] "c:\program files\iolo\system mechanic 7\SMSystemAnalyzer.exe"
mRun: [SystemGuardAlerter] c:\program files\iolo\system mechanic 7\SystemGuardAlerter.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZUman000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - c:\program files\hello\PicasaCapture.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/OneClickFix/tgctlsr.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/33.06/uploader2.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} - hxxp://www.amiuptodate.com/vsc/bin/1,0,0,9/McUpdatePortal.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} - hxxp://us-download.mcafee.com/products/protected/mvt/mvt.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} - hxxp://www.systemrequirementslab.com/sysreqlab.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://www.yougamers.com/systeminfo/MSC3.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.ocx
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 lwopveqo;lwopveqo;c:\windows\system32\drivers\lwopveqo.sys [2002-8-29 23424]
S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-7 201320]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-2-29 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 51440]
S2 0196861239149226mcinstcleanup;McAfee Application Installer Cleanup (0196861239149226);c:\docume~1\markwe~1\locals~1\temp\019686~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\markwe~1\locals~1\temp\019686~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-1-15 566120]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-1-15 566120]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-7 359248]
S2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2009-4-7 144704]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-25 24652]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [2003-5-14 148352]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-7 695624]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-7 79304]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-7 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-7 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-7 40488]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2005-5-6 32000]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2005-5-6 21081]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-04-16 14:56 <DIR> --d----- c:\program files\Trend Micro
2009-04-15 13:12 <DIR> a-dshr-- C:\cmdcons
2009-04-15 13:10 161,792 a------- c:\windows\SWREG.exe
2009-04-15 13:10 98,816 a------- c:\windows\sed.exe
2009-04-12 04:36 2,713 ---sh--- c:\windows\system32\yefapuza.exe
2009-04-09 23:18 155 a------- c:\windows\system32\SelfDel.bat
2009-04-09 22:43 <DIR> --d----- c:\docume~1\markwe~1\applic~1\pidle
2009-04-09 22:33 97,280 a------- c:\windows\system32\blackbo.dll
2009-04-07 17:13 9,989 a------- c:\windows\system32\Config.MPF
2009-04-07 17:12 143,360 a------- c:\windows\system32\dunzip32.dll
2009-04-07 17:07 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-04-07 17:07 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-04-07 17:07 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-04-07 17:07 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-04-07 17:07 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-04-07 17:07 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-04-07 17:06 <DIR> --d----- c:\program files\McAfee.com
2009-04-07 17:05 <DIR> --d----- c:\program files\common files\McAfee
2009-04-07 17:05 <DIR> --d----- c:\program files\McAfee
2009-04-05 12:13 <DIR> --d----- c:\program files\Audacity
2009-04-04 13:54 204 a------- C:\Plugins
2009-04-04 13:54 <DIR> --d----- c:\program files\Pando Networks
2009-03-30 17:14 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-30 17:14 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-04-13 20:30 51,200 a--sh--- c:\windows\system32\mejiyuwo.exe
2009-04-13 08:30 51,200 a--sh--- c:\windows\system32\robejaku.exe
2009-04-12 16:36 51,200 a--sh--- c:\windows\system32\wivekogu.exe
2009-04-11 10:34 51,200 a--sh--- c:\windows\system32\mubodigi.exe
2009-04-10 22:34 51,200 a--sh--- c:\windows\system32\luyusowa.exe
2009-04-10 10:36 51,200 a--sh--- c:\windows\system32\nupotuku.exe
2009-04-09 22:33 51,200 a--sh--- c:\windows\system32\vetiwuno.exe
2009-04-09 22:33 124,928 a--sh--- c:\windows\system32\bajawupo.exe
2008-05-24 08:34 0 a------- c:\program files\uninstall.dat
2008-03-04 09:40 61,480 a------- c:\documents and settings\mark weierich\GoToAssistDownloadHelper.exe
2005-05-07 10:44 32 ac---r-- c:\documents and settings\all users\hash.dat
2004-03-27 12:48 18,607 ac------ c:\program files\setuplog.txt

============= FINISH: 16:11:59.75 ===============
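A triage pass over DDS lines of the shape posted above, added here as an example and not part of the thread or of the DDS tool: it parses the "Created Last 30"/"Find3M" file lines and the "Pseudo HJT Report" BHO lines and flags the indicators visible in this log (hidden+system executables under c:\windows, clusters of identical-size hidden files, an eight-letter pseudo-random filename, and a BHO registered without a display name). The sample text is constructed from lines copied out of the log, and the eight-letter-name rule is a heuristic tuned to this log, not a general malware test.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the shape of the DDS sections above: BHO lines from the
# "Pseudo HJT Report" and file lines ("date time size attrs path") from the
# "Created Last 30" / "Find3M" sections. Paths are copied from the posted log.
SAMPLE_DDS = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {b6d39e75-6054-4cf3-b197-ffdbf3378846} - c:\windows\system32\blackbo.dll
2009-04-16 14:56 <DIR> --d----- c:\program files\Trend Micro
2009-04-12 04:36 2,713 ---sh--- c:\windows\system32\yefapuza.exe
2009-04-09 22:33 97,280 a------- c:\windows\system32\blackbo.dll
2009-04-07 17:07 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-04-13 20:30 51,200 a--sh--- c:\windows\system32\mejiyuwo.exe
2009-04-09 22:33 51,200 a--sh--- c:\windows\system32\vetiwuno.exe
2009-04-09 22:33 124,928 a--sh--- c:\windows\system32\bajawupo.exe
2008-03-04 09:40 61,480 a------- c:\documents and settings\mark weierich\GoToAssistDownloadHelper.exe
"""

# DDS file line: date, time, size (or <DIR>), 8-char attribute string, path.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$")
# DDS BHO line: optional display name, CLSID in braces, then the DLL path.
BHO_RE = re.compile(r"^BHO: (?:(.*?): )?\{([0-9a-fA-F-]{36})\} - (.+)$")
# Heuristic for the dropper names in this log (mejiyuwo.exe, robejaku.exe, ...).
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(exe|dll|sys)$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def parse_files(text):
    """Yield (size_bytes, attrs, path) for each DDS file line; directories are skipped."""
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        _date, _time, size, attrs, path = m.groups()
        if size == "<DIR>":
            continue
        yield int(size.replace(",", "")), attrs, path


def parse_bhos(text):
    """Yield (display_name_or_None, clsid, path) for each DDS BHO line."""
    for line in text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            yield m.groups()


def triage(text):
    """Return one Finding per suspicious path, with the reasons it was flagged."""
    findings = {}

    def flag(path, reason):
        findings.setdefault(path.lower(), Finding(path)).reasons.append(reason)

    files = list(parse_files(text))
    # Identical sizes across several hidden+system files point at one dropper.
    hidden_sizes = Counter(size for size, attrs, _ in files if "h" in attrs and "s" in attrs)
    for size, attrs, path in files:
        low = path.lower()
        in_sys = low.startswith(SYSTEM_DIRS)
        base = low.rsplit("\\", 1)[-1]
        if in_sys and "h" in attrs and "s" in attrs:
            flag(path, "hidden+system attributes on a file under c:\\windows")
            if hidden_sizes[size] > 1:
                flag(path, f"size {size} shared by {hidden_sizes[size]} hidden+system files")
        if in_sys and RANDOM_NAME_RE.match(base):
            flag(path, "eight-letter pseudo-random filename (heuristic)")
    for name, clsid, path in parse_bhos(text):
        if not name:
            flag(path, f"BHO {{{clsid}}} registered without a display name")
    return sorted(findings.values(), key=lambda f: f.path.lower())


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding.path)
        for reason in finding.reasons:
            print("   -", reason)
```

Flagged paths are candidates for the hash lookups the helper asks for later in the thread, not a verdict on their own.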



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:57 PM

Posted 17 April 2009 - 12:48 PM

Hi weierich,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please give me a little time to go through your log. I will also let you know that I am a trainee, so each stage of the fix will need to be checked by an expert coach before I post, so there may be a slight delay. Don't worry, I won't abandon you.
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 2 days I will bump the topic, and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 weierich

weierich
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:57 PM

Posted 17 April 2009 - 01:03 PM

I got your reply and will take no further action on my machine until you direct me to. Thanks m0le!!

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:57 PM

Posted 19 April 2009 - 09:54 AM

Hi weierich,

Firstly we have to remove all the elements of Combofix from its previous run.

Delete ComboFix and Clean Up
Click Start > Run, type combofix /u and click OK (note the space between combofix and /u).
Posted Image
Please advise if this step is missed for any reason as it performs some important actions.

Now redownload it and run it again. Instructions below.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 weierich

weierich
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:57 PM

Posted 19 April 2009 - 09:10 PM

Thanks m0le. Here's the log from ComboFix:

ComboFix 09-04-20.02 - Mark Weierich 04/19/2009 18:53.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.590 [GMT -7:00]
Running from: c:\documents and settings\Mark Weierich\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
.

((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-16 21:56 . 2009-04-16 21:56 -------- d-----w c:\program files\Trend Micro
2009-04-12 18:29 . 2009-04-12 18:29 -------- d-----w c:\documents and settings\Administrator\Application Data\iolo
2009-04-12 11:36 . 2009-04-12 11:36 2713 --sh--w c:\windows\system32\yefapuza.exe
2009-04-10 06:18 . 2009-04-10 06:18 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-10 05:43 . 2009-04-11 00:50 -------- d-----w c:\documents and settings\Mark Weierich\Application Data\pidle
2009-04-10 05:33 . 2006-10-19 05:47 97280 ----a-w c:\windows\system32\blackbo.dll
2009-04-08 00:13 . 2009-04-19 16:10 9989 ----a-w c:\windows\system32\Config.MPF
2009-04-08 00:12 . 2006-03-03 15:07 143360 ----a-w c:\windows\system32\dunzip32.dll
2009-04-08 00:07 . 2007-11-22 13:44 33832 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-08 00:07 . 2007-12-02 19:51 40488 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-08 00:07 . 2007-11-22 13:44 79304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-08 00:07 . 2007-11-22 13:44 35240 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-08 00:07 . 2007-11-22 13:44 201320 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-04-08 00:07 . 2007-07-13 13:20 113952 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-04-08 00:06 . 2009-04-08 00:06 -------- d-----w c:\program files\McAfee.com
2009-04-08 00:05 . 2009-04-08 00:07 -------- d-----w c:\program files\Common Files\McAfee
2009-04-08 00:05 . 2009-04-08 00:13 -------- d-----w c:\program files\McAfee
2009-04-05 19:13 . 2009-04-06 20:30 -------- d-----w c:\program files\Audacity
2009-04-04 20:54 . 2009-04-06 20:31 -------- d-----w c:\documents and settings\Mark Weierich\Local Settings\Application Data\PMB Files
2009-04-04 20:54 . 2009-04-04 20:54 204 ----a-w C:\Plugins
2009-04-04 20:54 . 2009-04-04 20:54 -------- d-----w c:\program files\Pando Networks
2009-03-31 00:14 . 2009-04-02 02:41 54156 ---ha-w c:\windows\QTFont.qfn
2009-03-31 00:14 . 2009-03-31 00:14 1409 ----a-w c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 16:07 . 2008-09-21 02:27 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-10 23:32 . 2008-05-02 04:20 -------- d-----w c:\program files\GameSpy Arcade
2009-04-10 05:33 . 2009-01-10 05:33 124928 --sha-w c:\windows\SYSTEM32\bajawupo.exe
2009-04-10 05:30 . 2003-05-27 22:36 1704102 ----a-w C:\hpfr5550.log
2009-04-10 05:30 . 2004-07-30 17:18 0 ----a-w C:\hpfr5550.xml
2009-04-08 20:48 . 2003-05-06 15:19 -------- d-----w c:\program files\QUICKENW
2009-04-08 00:13 . 2008-03-05 04:09 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-06 22:06 . 2005-12-02 05:27 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-06 22:03 . 2005-12-02 05:27 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-06 15:11 . 2008-12-19 19:36 -------- d-----w c:\program files\Cheat Engine
2009-03-05 05:48 . 2007-10-05 19:21 -------- d-----w c:\documents and settings\Mark Weierich\Application Data\Move Networks
2009-02-26 11:00 . 2008-11-29 00:37 -------- d-----w c:\program files\Microsoft Silverlight
2008-06-19 18:16 . 2003-05-14 23:21 75048 -c--a-w c:\documents and settings\Mark Weierich\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-05-24 15:34 . 2008-05-24 15:34 0 ----a-w c:\program files\uninstall.dat
2008-03-04 16:40 . 2008-03-04 16:40 61480 ----a-w c:\documents and settings\Mark Weierich\GoToAssistDownloadHelper.exe
2005-05-07 17:44 . 2005-07-06 17:44 32 -c--a-r c:\documents and settings\All Users\hash.dat
2005-01-03 19:02 . 2005-01-03 19:02 136 -c--a-w c:\documents and settings\Mark Weierich\Local Settings\Application Data\fusioncache.dat
2004-03-27 19:48 . 2004-03-27 19:48 18607 -c--a-w c:\program files\setuplog.txt
2003-05-06 15:16 . 2003-08-24 23:14 12328 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2002-08-29 10:00 . 2004-04-01 17:40 21504 -c--a-w c:\documents and settings\Mark Weierich\Local Settings\Application Data\93484916620480.exe
.

------- Sigcheck -------

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2002-11-01 22:26 528896 68E1F4EF02DF52CA9C5E157045D23582 c:\windows\$NtUninstallKB824141$\user32.dll
[7] 2004-08-04 07:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[-] 2002-08-29 10:00 560128 DD9269230C21EE8FB7FD3FCCC3B1CFCB c:\windows\$NtUninstallQ328310$\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\SYSTEM32\user32.dll

[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2002-08-29 10:00 1004032 A82B28BFC2E4455FE43022A498C0EF0A c:\windows\$NtUninstallKB820291$\explorer.exe
[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 07:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\SYSTEM32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6D39E75-6054-4CF3-B197-FFDBF3378846}]
2006-10-19 05:47 97280 ----a-w c:\windows\system32\blackbo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-05-06 764776]
"SystemGuardAlerter"="c:\program files\iolo\System Mechanic 7\SystemGuardAlerter.exe" [2008-05-06 487784]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-03-04 19968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-5-6 24576]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2009-2-13 278528]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 19:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck smrgdf c:\documents and settings\Mark Weierich\Application Data\iolo

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark Weierich^Start Menu^Programs^Startup^Benadryl Allergy Alert Tool.lnk]
path=c:\documents and settings\Mark Weierich\Start Menu\Programs\Startup\Benadryl Allergy Alert Tool.lnk
backup=c:\windows\pss\Benadryl Allergy Alert Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\1149390363\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\aol\\1149390363\\ee\\aim6.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-02-29 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-02-29 51440]
R2 0307031239935280mcinstcleanup;McAfee Application Installer Cleanup (0307031239935280); [x]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 566120]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 566120]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 3dfxvs;3dfxvs;c:\windows\system32\DRIVERS\3dfxvsm.sys [2001-08-17 148352]
R3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\Drivers\pixmcvc.sys [2002-09-28 32000]
R3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\Drivers\pixmcvv.sys [2002-11-28 21081]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S0 lwopveqo;lwopveqo;c:\windows\system32\drivers\lwopveqo.sys [2002-08-29 23424]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - DCFS2K

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba2cccf2-b28b-11dc-9335-000bdb2a1dc6}]
\Shell\AutoRun\command - e:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - e:\system\viewer\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder

2003-06-27 c:\windows\Tasks\FRU Task 2002-06-04 23:12ewlett-PackardDeskjet4E8BF07F6DE51996434C1696D032A924550.job
- c:\program files\Hewlett-Packard\upapp\hpqfruv.exe [2002-06-04 23:12]

2009-04-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 16:38]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-08 20:32]

2009-04-08 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-08 20:32]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.cnn.com/
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
mSearch Bar = hxxp://ms101.mysearch.com/sa/srchlft.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZUman000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.ocx
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 19:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-04-20 19:05
ComboFix-quarantined-files.txt 2009-04-20 02:04
ComboFix2.txt 2009-04-16 22:33

Pre-Run: 15,075,610,624 bytes free
Post-Run: 15,058,710,528 bytes free

213 --- E O F --- 2009-04-15 21:11

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:57 PM

Posted 20 April 2009 - 02:32 PM

Hi weierich,

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\SYSTEM32\user32.dll
c:\windows\explorer.exe
c:\windows\SYSTEM32\spoolsv.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal

Thanks
m0le is a proud member of UNITE

#7 weierich

weierich
  • Topic Starter

  • Members
  • 10 posts
  • Local time:01:57 PM

Posted 20 April 2009 - 04:16 PM

OK, I've run the scans. Here are the scans in order. BTW, I did not mention that I can not open an internet explorer window unless I go into safe mode with networking:

c:\windows\SYSTEM32\user32.dll

Scan taken on 20 Apr 2009 21:05:44 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

C:\windows\explorer.exe:

File: explorer.exe
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 97bd6515465659ff8f3b7be375b2ea87
Packers detected: -

Scanner results
Scan taken on 20 Apr 2009 21:09:11 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

c:\windows\SYSTEM32\spoolsv.exe:

File: spoolsv.exe
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: da81ec57acd4cdc3d4c51cf3d409af9f
Packers detected: -

Scanner results
Scan taken on 20 Apr 2009 21:13:48 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:57 PM

Posted 21 April 2009 - 07:13 PM

Hi weierich,

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:


Driver::
lwopveqo

Collect::
c:\windows\system32\drivers\lwopveqo.sys
c:\documents and settings\Mark Weierich\Local Settings\Application Data\93484916620480.exe
c:\windows\SYSTEM32\bajawupo.exe
c:\windows\system32\yefapuza.exe
c:\windows\system32\SelfDel.bat
c:\windows\system32\blackbo.dll

Folder::
c:\documents and settings\Mark Weierich\Application Data\pidle

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6D39E75-6054-4CF3-B197-FFDBF3378846}]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please can you also run DDS again and post the new logs.

Edited by kahdah, 21 April 2009 - 10:09 PM.

m0le is a proud member of UNITE

#9 weierich

weierich
  • Topic Starter

  • Members
  • 10 posts
  • Local time:01:57 PM

Posted 22 April 2009 - 01:36 AM

I did as you instructed, however, when ComboFix automatically rebooted, McAfee activated the firewall again and I did not get a log from ComboFix. I re-ran ComboFix and got the following log. BTW, I can, for the first time since I got the virus, launch an IE window without being in safe mode!!

ComboFix 09-04-22.05 - Mark Weierich 04/21/2009 22:54.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.441 [GMT -7:00]
Running from: c:\documents and settings\Mark Weierich\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark Weierich\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Mark Weierich\Application Data\pidle
c:\documents and settings\Mark Weierich\Local Settings\Application Data\93484916620480.exe
c:\windows\SYSTEM32\bajawupo.exe
c:\windows\system32\blackbo.dll
c:\windows\system32\drivers\lwopveqo.sys
c:\windows\system32\SelfDel.bat
c:\windows\system32\yefapuza.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LWOPVEQO
-------\Service_lwopveqo
-------\Legacy_LWOPVEQO


((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-16 21:56 . 2009-04-16 21:56 -------- d-----w c:\program files\Trend Micro
2009-04-12 18:29 . 2009-04-12 18:29 -------- d-----w c:\documents and settings\Administrator\Application Data\iolo
2009-04-08 00:13 . 2009-04-22 06:04 10021 ----a-w c:\windows\system32\Config.MPF
2009-04-08 00:12 . 2006-03-03 15:07 143360 ----a-w c:\windows\system32\dunzip32.dll
2009-04-08 00:07 . 2007-11-22 13:44 33832 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-08 00:07 . 2007-12-02 19:51 40488 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-08 00:07 . 2007-11-22 13:44 79304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-08 00:07 . 2007-11-22 13:44 35240 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-08 00:07 . 2007-11-22 13:44 201320 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-04-08 00:07 . 2007-07-13 13:20 113952 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-04-08 00:06 . 2009-04-08 00:06 -------- d-----w c:\program files\McAfee.com
2009-04-08 00:05 . 2009-04-08 00:07 -------- d-----w c:\program files\Common Files\McAfee
2009-04-08 00:05 . 2009-04-08 00:13 -------- d-----w c:\program files\McAfee
2009-04-05 19:13 . 2009-04-06 20:30 -------- d-----w c:\program files\Audacity
2009-04-04 20:54 . 2009-04-06 20:31 -------- d-----w c:\documents and settings\Mark Weierich\Local Settings\Application Data\PMB Files
2009-04-04 20:54 . 2009-04-04 20:54 204 ----a-w C:\Plugins
2009-04-04 20:54 . 2009-04-04 20:54 -------- d-----w c:\program files\Pando Networks
2009-03-31 00:14 . 2009-04-02 02:41 54156 ---ha-w c:\windows\QTFont.qfn
2009-03-31 00:14 . 2009-03-31 00:14 1409 ----a-w c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 05:27 . 2002-08-29 10:00 23424 ----a-w c:\windows\system32\drivers\nbtuwrif.sys
2009-04-21 22:34 . 2008-09-21 02:27 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-10 23:32 . 2008-05-02 04:20 -------- d-----w c:\program files\GameSpy Arcade
2009-04-10 05:30 . 2003-05-27 22:36 1704102 ----a-w C:\hpfr5550.log
2009-04-10 05:30 . 2004-07-30 17:18 0 ----a-w C:\hpfr5550.xml
2009-04-08 20:48 . 2003-05-06 15:19 -------- d-----w c:\program files\QUICKENW
2009-04-08 00:13 . 2008-03-05 04:09 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-06 22:06 . 2005-12-02 05:27 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-06 22:03 . 2005-12-02 05:27 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-06 15:11 . 2008-12-19 19:36 -------- d-----w c:\program files\Cheat Engine
2009-03-05 05:48 . 2007-10-05 19:21 -------- d-----w c:\documents and settings\Mark Weierich\Application Data\Move Networks
2009-02-26 11:00 . 2008-11-29 00:37 -------- d-----w c:\program files\Microsoft Silverlight
2008-06-19 18:16 . 2003-05-14 23:21 75048 -c--a-w c:\documents and settings\Mark Weierich\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-05-24 15:34 . 2008-05-24 15:34 0 ----a-w c:\program files\uninstall.dat
2008-03-04 16:40 . 2008-03-04 16:40 61480 ----a-w c:\documents and settings\Mark Weierich\GoToAssistDownloadHelper.exe
2005-05-07 17:44 . 2005-07-06 17:44 32 -c--a-r c:\documents and settings\All Users\hash.dat
2005-01-03 19:02 . 2005-01-03 19:02 136 -c--a-w c:\documents and settings\Mark Weierich\Local Settings\Application Data\fusioncache.dat
2004-03-27 19:48 . 2004-03-27 19:48 18607 -c--a-w c:\program files\setuplog.txt
2003-05-06 15:16 . 2003-08-24 23:14 12328 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-05-06 764776]
"SystemGuardAlerter"="c:\program files\iolo\System Mechanic 7\SystemGuardAlerter.exe" [2008-05-06 487784]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-03-04 19968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-5-6 24576]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2009-2-13 278528]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 19:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck smrgdf c:\documents and settings\Mark Weierich\Application Data\iolo

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark Weierich^Start Menu^Programs^Startup^Benadryl Allergy Alert Tool.lnk]
path=c:\documents and settings\Mark Weierich\Start Menu\Programs\Startup\Benadryl Allergy Alert Tool.lnk
backup=c:\windows\pss\Benadryl Allergy Alert Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\1149390363\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\aol\\1149390363\\ee\\aim6.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=

R2 0307031239935280mcinstcleanup;McAfee Application Installer Cleanup (0307031239935280); [x]
R3 3dfxvs;3dfxvs;c:\windows\system32\DRIVERS\3dfxvsm.sys [2001-08-17 148352]
R3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\Drivers\pixmcvc.sys [2002-09-28 32000]
R3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\Drivers\pixmcvv.sys [2002-11-28 21081]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-02-29 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-02-29 51440]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 566120]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 566120]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba2cccf2-b28b-11dc-9335-000bdb2a1dc6}]
\Shell\AutoRun\command - e:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - e:\system\viewer\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder

2003-06-27 c:\windows\Tasks\FRU Task 2002-06-04 23:12ewlett-PackardDeskjet4E8BF07F6DE51996434C1696D032A924550.job
- c:\program files\Hewlett-Packard\upapp\hpqfruv.exe [2002-06-04 23:12]

2009-04-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 16:38]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-08 20:32]

2009-04-08 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-08 20:32]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.cnn.com/
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
mSearch Bar = hxxp://ms101.mysearch.com/sa/srchlft.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZUman000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.ocx
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 23:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3556)
c:\program files\iolo\Common\Lib\sguard.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\iolo\System Mechanic 7\IoloSGCtrl.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\UAService7.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-04-22 23:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-22 06:19
ComboFix2.txt 2009-04-20 02:05
ComboFix3.txt 2009-04-16 22:33

Pre-Run: 14,109,560,832 bytes free
Post-Run: 14,088,790,016 bytes free

222 --- E O F --- 2009-04-15 21:11


DDS (Ver_09-03-16.01) - NTFSx86
Run by Mark Weierich at 23:30:31.34 on Tue 04/21/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.483 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\iolo\System Mechanic 7\IoloSGCtrl.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\iolo\System Mechanic 7\SystemGuardAlerter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark Weierich\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.cnn.com/
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
mSearch Bar = hxxp://ms101.mysearch.com/sa/srchlft.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [Camera Detector] c:\progra~1\acdsys~1\devdet~1\DEVDET~1.EXE -autorun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [SMSystemAnalyzer] "c:\program files\iolo\system mechanic 7\SMSystemAnalyzer.exe"
mRun: [SystemGuardAlerter] c:\program files\iolo\system mechanic 7\SystemGuardAlerter.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRunOnce: [SMRequiresRestart]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZUman000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - c:\program files\hello\PicasaCapture.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/OneClickFix/tgctlsr.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/33.06/uploader2.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} - hxxp://www.amiuptodate.com/vsc/bin/1,0,0,9/McUpdatePortal.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} - hxxp://us-download.mcafee.com/products/protected/mvt/mvt.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} - hxxp://www.systemrequirementslab.com/sysreqlab.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://www.yougamers.com/systeminfo/MSC3.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.ocx
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-7 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-2-29 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 51440]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-1-15 566120]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-1-15 566120]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-7 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2009-4-7 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-25 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-7 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-7 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-7 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-7 40488]
S2 0307031239935280mcinstcleanup;McAfee Application Installer Cleanup (0307031239935280);c:\windows\temp\030703~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\030703~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [2003-5-14 148352]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-7 33832]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2005-5-6 32000]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2005-5-6 21081]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-04-21 22:26 98,816 a------- c:\windows\sed.exe
2009-04-19 18:52 161,792 a------- c:\windows\SWREG.exe
2009-04-16 14:56 <DIR> --d----- c:\program files\Trend Micro
2009-04-15 13:12 <DIR> a-dshr-- C:\cmdcons
2009-04-07 17:13 10,021 a------- c:\windows\system32\Config.MPF
2009-04-07 17:12 143,360 a------- c:\windows\system32\dunzip32.dll
2009-04-07 17:07 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-04-07 17:07 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-04-07 17:07 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-04-07 17:07 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-04-07 17:07 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-04-07 17:07 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-04-07 17:06 <DIR> --d----- c:\program files\McAfee.com
2009-04-07 17:05 <DIR> --d----- c:\program files\common files\McAfee
2009-04-07 17:05 <DIR> --d----- c:\program files\McAfee
2009-04-05 12:13 <DIR> --d----- c:\program files\Audacity
2009-04-04 13:54 204 a------- C:\Plugins
2009-04-04 13:54 <DIR> --d----- c:\program files\Pando Networks
2009-03-30 17:14 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-30 17:14 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-04-21 22:27 23,424 a------- c:\windows\system32\drivers\nbtuwrif.sys
2008-05-24 08:34 0 a------- c:\program files\uninstall.dat
2008-03-04 09:40 61,480 a------- c:\documents and settings\mark weierich\GoToAssistDownloadHelper.exe
2005-05-07 10:44 32 ac---r-- c:\documents and settings\all users\hash.dat
2004-03-27 12:48 18,607 ac------ c:\program files\setuplog.txt

============= FINISH: 23:31:50.64 ===============


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:57 PM

Posted 22 April 2009 - 09:47 AM

Hi weierich,

I can, for the first time since I got the virus, launch an IE window without being in safe mode!!

Good news!! We still have some things to do though so...

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click (or right-click, if you are using Vista) the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on each entry and selecting "remove":

GameSpy 3D
GameSpy Arcade


Additional instructions can be found here if needed.


Next...

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/top...ml#entry1230702
Driver::
nbtuwrif

Collect::
c:\windows\system32\drivers\nbtuwrif.sys

Folder::
C:\program files\GameSpy Arcade


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
m0le is a proud member of UNITE
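
The CFScript above removes a driver (nbtuwrif) that the earlier DDS log shows as a freshly created .sys file in the drivers folder with no matching entry in the SERVICES / DRIVERS section. The Python below is an added example, not code from this thread or from DDS/ComboFix, that automates that cross-check over lines in the DDS format: it parses the services list and the Created Last 30 / Find3M file lists and reports driver files no listed service points at. The sample lines are copied from the log posted above; the log timestamp used for the age calculation is an assumed value.

```python
r"""Cross-check two sections of a DDS log: the SERVICES / DRIVERS list and the
"Created Last 30" / "Find3M" file lists. A .sys file sitting in a drivers folder
that no registered service references is the kind of finding that leads to a
"Driver::" line in a CFScript. Added example, not DDS or ComboFix code."""
import re
from datetime import datetime

# Sample lines copied from the DDS log posted earlier in this thread.
SERVICES_SECTION = r"""
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-7 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-7 35240]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [2003-5-14 148352]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-7 33832]
"""

FILE_SECTIONS = r"""
2009-04-21 22:27 23,424 a------- c:\windows\system32\drivers\nbtuwrif.sys
2009-04-16 14:56 <DIR> --d----- c:\program files\Trend Micro
2009-04-07 17:07 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-04-07 17:07 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2008-05-24 08:34 0 a------- c:\program files\uninstall.dat
"""

# Assumed value: when the log was taken; used only to compute file age.
LOG_TAKEN = datetime(2009, 4, 22, 8, 20)

SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) (\S{8}) (.+)$")
IMAGE_NAME = re.compile(r"([^\s\\]+\.(?:sys|exe))", re.IGNORECASE)


def parse_services(text):
    """Map each service's image file name (lower-case) to (start type, service name)."""
    registered = {}
    for line in text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        start_type, name, _description, image_and_stamp = m.groups()
        img = IMAGE_NAME.search(image_and_stamp)
        if img:
            registered[img.group(1).lower()] = (start_type, name)
    return registered


def parse_files(text):
    """Parse 'date time size attrs path' lines; size is None for <DIR> entries."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append({
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
        })
    return entries


def triage_drivers(services_text, files_text, log_taken):
    """Return .sys files under a drivers folder that no listed service references."""
    registered = parse_services(services_text)
    findings = []
    for entry in parse_files(files_text):
        path = entry["path"].lower()
        if not (path.endswith(".sys") and "\\drivers\\" in path):
            continue
        base = path.rsplit("\\", 1)[-1]
        if base in registered:
            continue  # a listed service owns this driver file; nothing to flag
        findings.append({
            "file": base,
            "path": entry["path"],
            "size": entry["size"],
            "age_days": (log_taken - entry["when"]).days,
        })
    return findings


def run_example():
    """Run the cross-check over the sample sections above."""
    return triage_drivers(SERVICES_SECTION, FILE_SECTIONS, LOG_TAKEN)


if __name__ == "__main__":
    for f in run_example():
        print(f"unregistered driver file: {f['path']} "
              f"({f['size']} bytes, {f['age_days']} days old)")
```

On the thread's log the only file this reports is nbtuwrif.sys, which is exactly what the Driver:: and Collect:: directives in the CFScript target. McAfee's drivers were created in the same window but are owned by listed services, so they are not reported.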

#11 weierich

weierich
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:57 PM

Posted 22 April 2009 - 12:45 PM

OK, did as you told me. I do use Gamespy, but can always download it again...

ComboFix 09-04-22.A23 - Mark Weierich 04/22/2009 8:20.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.441 [GMT -7:00]
Running from: c:\documents and settings\Mark Weierich\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark Weierich\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\nbtuwrif.sys

.
((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-16 21:56 . 2009-04-16 21:56 -------- d-----w c:\program files\Trend Micro
2009-04-12 18:29 . 2009-04-12 18:29 -------- d-----w c:\documents and settings\Administrator\Application Data\iolo
2009-04-08 00:13 . 2009-04-22 15:14 10021 ----a-w c:\windows\system32\Config.MPF
2009-04-08 00:12 . 2006-03-03 15:07 143360 ----a-w c:\windows\system32\dunzip32.dll
2009-04-08 00:07 . 2007-11-22 13:44 33832 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-08 00:07 . 2007-12-02 19:51 40488 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-08 00:07 . 2007-11-22 13:44 79304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-08 00:07 . 2007-11-22 13:44 35240 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-08 00:07 . 2007-11-22 13:44 201320 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-04-08 00:07 . 2007-07-13 13:20 113952 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-04-08 00:06 . 2009-04-08 00:06 -------- d-----w c:\program files\McAfee.com
2009-04-08 00:05 . 2009-04-08 00:07 -------- d-----w c:\program files\Common Files\McAfee
2009-04-08 00:05 . 2009-04-08 00:13 -------- d-----w c:\program files\McAfee
2009-04-05 19:13 . 2009-04-06 20:30 -------- d-----w c:\program files\Audacity
2009-04-04 20:54 . 2009-04-06 20:31 -------- d-----w c:\documents and settings\Mark Weierich\Local Settings\Application Data\PMB Files
2009-04-04 20:54 . 2009-04-04 20:54 204 ----a-w C:\Plugins
2009-04-04 20:54 . 2009-04-04 20:54 -------- d-----w c:\program files\Pando Networks
2009-03-31 00:14 . 2009-04-02 02:41 54156 ---ha-w c:\windows\QTFont.qfn
2009-03-31 00:14 . 2009-03-31 00:14 1409 ----a-w c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 15:08 . 2008-05-02 04:28 -------- d-----w c:\program files\GameSpy
2009-04-21 22:34 . 2008-09-21 02:27 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-10 05:30 . 2003-05-27 22:36 1704102 ----a-w C:\hpfr5550.log
2009-04-10 05:30 . 2004-07-30 17:18 0 ----a-w C:\hpfr5550.xml
2009-04-08 20:48 . 2003-05-06 15:19 -------- d-----w c:\program files\QUICKENW
2009-04-08 00:13 . 2008-03-05 04:09 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-06 22:06 . 2005-12-02 05:27 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-06 22:03 . 2005-12-02 05:27 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-06 15:11 . 2008-12-19 19:36 -------- d-----w c:\program files\Cheat Engine
2009-03-05 05:48 . 2007-10-05 19:21 -------- d-----w c:\documents and settings\Mark Weierich\Application Data\Move Networks
2009-02-26 11:00 . 2008-11-29 00:37 -------- d-----w c:\program files\Microsoft Silverlight
2008-06-19 18:16 . 2003-05-14 23:21 75048 -c--a-w c:\documents and settings\Mark Weierich\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-05-24 15:34 . 2008-05-24 15:34 0 ----a-w c:\program files\uninstall.dat
2008-03-04 16:40 . 2008-03-04 16:40 61480 ----a-w c:\documents and settings\Mark Weierich\GoToAssistDownloadHelper.exe
2005-05-07 17:44 . 2005-07-06 17:44 32 -c--a-r c:\documents and settings\All Users\hash.dat
2005-01-03 19:02 . 2005-01-03 19:02 136 -c--a-w c:\documents and settings\Mark Weierich\Local Settings\Application Data\fusioncache.dat
2004-03-27 19:48 . 2004-03-27 19:48 18607 -c--a-w c:\program files\setuplog.txt
2003-05-06 15:16 . 2003-08-24 23:14 12328 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2002-11-01 22:26 528896 68E1F4EF02DF52CA9C5E157045D23582 c:\windows\$NtUninstallKB824141$\user32.dll
[7] 2004-08-04 07:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[-] 2002-08-29 10:00 560128 DD9269230C21EE8FB7FD3FCCC3B1CFCB c:\windows\$NtUninstallQ328310$\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\SYSTEM32\user32.dll

[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2002-08-29 10:00 1004032 A82B28BFC2E4455FE43022A498C0EF0A c:\windows\$NtUninstallKB820291$\explorer.exe
[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 07:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\SYSTEM32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-05-06 764776]
"SystemGuardAlerter"="c:\program files\iolo\System Mechanic 7\SystemGuardAlerter.exe" [2008-05-06 487784]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-03-04 19968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-5-6 24576]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2009-2-13 278528]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 19:41 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck smrgdf c:\documents and settings\Mark Weierich\Application Data\iolo"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark Weierich^Start Menu^Programs^Startup^Benadryl Allergy Alert Tool.lnk]
path=c:\documents and settings\Mark Weierich\Start Menu\Programs\Startup\Benadryl Allergy Alert Tool.lnk
backup=c:\windows\pss\Benadryl Allergy Alert Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\1149390363\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\aol\\1149390363\\ee\\aim6.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=

R2 0307031239935280mcinstcleanup;McAfee Application Installer Cleanup (0307031239935280); [x]
R3 3dfxvs;3dfxvs;c:\windows\system32\DRIVERS\3dfxvsm.sys [2001-08-17 148352]
R3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\Drivers\pixmcvc.sys [2002-09-28 32000]
R3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\Drivers\pixmcvv.sys [2002-11-28 21081]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-02-29 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-02-29 51440]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 566120]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 566120]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba2cccf2-b28b-11dc-9335-000bdb2a1dc6}]
\Shell\AutoRun\command - e:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - e:\system\viewer\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder

2003-06-27 c:\windows\Tasks\FRU Task 2002-06-04 23:12ewlett-PackardDeskjet4E8BF07F6DE51996434C1696D032A924550.job
- c:\program files\Hewlett-Packard\upapp\hpqfruv.exe [2002-06-04 23:12]

2009-04-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 16:38]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-08 20:32]

2009-04-08 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-08 20:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.cnn.com/
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
mSearch Bar = hxxp://ms101.mysearch.com/sa/srchlft.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZUman000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.ocx
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 08:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-04-22 8:32
ComboFix-quarantined-files.txt 2009-04-22 15:31
ComboFix2.txt 2009-04-22 06:22
ComboFix3.txt 2009-04-20 02:05
ComboFix4.txt 2009-04-16 22:33

Pre-Run: 14,124,875,776 bytes free
Post-Run: 14,104,416,256 bytes free

206 --- E O F --- 2009-04-15 21:11
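
The Sigcheck section of the ComboFix log above lists, for each core system binary, the MD5 of every copy Windows keeps: the live copy in system32 or the Windows folder, plus the copies in the hotfix-uninstall ($...$) folders and ServicePackFiles. A quick way to read it is to ask whether the live copy's hash matches at least one of those backups; a live copy matching none is the one to verify against a known-good source. The Python below is an added example, not ComboFix's own code, that does that grouping. The first sample is copied from the log above; the second is constructed, with an obvious placeholder hash, to show the case that gets flagged.

```python
r"""Review a ComboFix "Sigcheck" section: group copies of each system binary by
file name, separate the live copy from the backup copies, and flag a live copy
whose MD5 matches none of its backups. Added example, not ComboFix code."""
import re

# Copied from the Sigcheck section of the ComboFix log in this thread.
SIGCHECK_FROM_LOG = r"""
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\SYSTEM32\user32.dll
"""

# Constructed sample: same layout, but the live spoolsv.exe carries a placeholder
# MD5 that matches none of its backups, which is the case the review surfaces.
SIGCHECK_CONSTRUCTED = r"""
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2009-04-20 03:11 57856 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF c:\windows\SYSTEM32\spoolsv.exe
"""

# flag, "date time", size, md5, path
SIGCHECK_LINE = re.compile(
    r"^\[(.)\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9A-Fa-f]{32}) (.+)$")


def parse_sigcheck(text):
    """Turn Sigcheck lines into dicts; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if not m:
            continue
        flag, stamp, size, md5, path = m.groups()
        entries.append({"flag": flag, "stamp": stamp, "size": int(size),
                        "md5": md5.upper(), "path": path})
    return entries


def is_backup_copy(path):
    """Backups live under a $...$ uninstall folder or under ServicePackFiles."""
    parts = path.lower().split("\\")
    return any(p.startswith("$") or p == "servicepackfiles" for p in parts)


def review_sigcheck(text):
    """For each file name, report every live copy and whether a backup shares its MD5."""
    by_name = {}
    for entry in parse_sigcheck(text):
        name = entry["path"].rsplit("\\", 1)[-1].lower()
        group = by_name.setdefault(name, {"live": [], "backups": []})
        group["backups" if is_backup_copy(entry["path"]) else "live"].append(entry)

    report = {}
    for name, group in by_name.items():
        backup_by_hash = {b["md5"]: b["path"] for b in group["backups"]}
        report[name] = []
        for live in group["live"]:
            match = backup_by_hash.get(live["md5"])
            report[name].append({
                "live_path": live["path"],
                "md5": live["md5"],
                "matches_backup": match,      # path of a backup with the same MD5, or None
                "flagged": match is None,     # no backup shares the hash: verify this copy
            })
    return report


if __name__ == "__main__":
    for sample in (SIGCHECK_FROM_LOG, SIGCHECK_CONSTRUCTED):
        for name, copies in review_sigcheck(sample).items():
            for c in copies:
                state = "FLAGGED" if c["flagged"] else f"matches {c['matches_backup']}"
                print(f"{name}: {c['live_path']} -> {state}")
```

For the log above, the live user32.dll, explorer.exe and spoolsv.exe each share a hash with their $NtServicePackUninstall$ copy, so nothing is flagged; only the constructed spoolsv.exe line is. The hash match is a consistency check between copies on the same machine, not proof of a clean file, which is why a flagged copy is verified against a known-good source rather than judged from the log alone.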

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:57 PM

Posted 22 April 2009 - 07:14 PM

Hi weierich,

Game Spy is marked as an adware carrier. Using them carries the risk that malware will be downloaded with the program and this can lead to the same kinds of infections that we have just removed.

Use Windows Explorer to find and delete this folder:

c:\program files\GameSpy

If any other folders starting with GameSpy still exist, please delete these also.

As an example:
To delete C:\WINDOWS\badfile.dll
Double-click the My Computer icon on your Desktop, or press the Windows key + E.
Double-click on Local Disk (C:).
Double-click on the Windows folder.
Right-click on badfile.dll and then, from the menu that appears, click on Delete.


How is the PC running?

Please go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Please also post a new DDS log.

Thanks
m0le is a proud member of UNITE

#13 weierich

weierich
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:57 PM

Posted 23 April 2009 - 04:01 PM

I can't express in words how much I appreciate your help! This has been fantastic!!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, April 23, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, April 23, 2009 19:39:28
Records in database: 2072930
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 139001
Threat name: 3
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 02:54:42


File name / Threat name / Threats count
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090416-145754-956.dll Infected: Rootkit.Win32.Podnuha.ccc 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090416-153954-481.dll Infected: Rootkit.Win32.Podnuha.ccc 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090416-154013-688.dll Infected: Rootkit.Win32.Podnuha.ccc 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090416-155035-465.dll Infected: Rootkit.Win32.Podnuha.ccc 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090416-155056-623.dll Infected: Rootkit.Win32.Podnuha.ccc 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090416-155448-885.dll Infected: Rootkit.Win32.Podnuha.ccc 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090416-155604-326.dll Infected: Rootkit.Win32.Podnuha.ccc 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090416-155613-647.dll Infected: Rootkit.Win32.Podnuha.ccc 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090416-164940-163.dll Infected: Rootkit.Win32.Podnuha.ccc 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090416-165445-797.dll Infected: Rootkit.Win32.Podnuha.ccc 1
C:\Qoobox\Quarantine\[4]-Submit_2009-04-22@22.27.zip Infected: Rootkit.Win32.Podnuha.ccc 1
C:\Qoobox\Quarantine\[4]-Submit_2009-04-22@22.27.zip Infected: Trojan.Win32.BHO.ext 1
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\clkw.exe Infected: Trojan-Downloader.Win32.AutoIt.jl 1

The selected area was scanned.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Mark Weierich at 13:54:41.21 on Thu 04/23/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.456 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\iolo\System Mechanic 7\IoloSGCtrl.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\explorer.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark Weierich\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.cnn.com/
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
mSearch Bar = hxxp://ms101.mysearch.com/sa/srchlft.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [Camera Detector] c:\progra~1\acdsys~1\devdet~1\DEVDET~1.EXE -autorun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [SMSystemAnalyzer] "c:\program files\iolo\system mechanic 7\SMSystemAnalyzer.exe"
mRun: [SystemGuardAlerter] c:\program files\iolo\system mechanic 7\SystemGuardAlerter.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZUman000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - c:\program files\hello\PicasaCapture.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/OneClickFix/tgctlsr.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/33.06/uploader2.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} - hxxp://www.amiuptodate.com/vsc/bin/1,0,0,9/McUpdatePortal.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} - hxxp://us-download.mcafee.com/products/protected/mvt/mvt.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1240505295461&h=9c5ff0236286ddf37165feb7fdef503d/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} - hxxp://www.systemrequirementslab.com/sysreqlab.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://www.yougamers.com/systeminfo/MSC3.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.ocx
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-7 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-2-29 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 51440]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-1-15 566120]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-1-15 566120]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-7 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2009-4-7 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-25 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-7 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-7 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-7 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-7 40488]
S2 0307031239935280mcinstcleanup;McAfee Application Installer Cleanup (0307031239935280);c:\windows\temp\030703~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\030703~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [2003-5-14 148352]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-7 33832]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2005-5-6 32000]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2005-5-6 21081]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-04-23 09:47 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-23 09:47 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-22 08:18 98,816 a------- c:\windows\sed.exe
2009-04-19 18:52 161,792 a------- c:\windows\SWREG.exe
2009-04-16 14:56 <DIR> --d----- c:\program files\Trend Micro
2009-04-15 13:12 <DIR> a-dshr-- C:\cmdcons
2009-04-07 17:13 10,271 a------- c:\windows\system32\Config.MPF
2009-04-07 17:12 143,360 a------- c:\windows\system32\dunzip32.dll
2009-04-07 17:07 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-04-07 17:07 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-04-07 17:07 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-04-07 17:07 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-04-07 17:07 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-04-07 17:07 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-04-07 17:06 <DIR> --d----- c:\program files\McAfee.com
2009-04-07 17:05 <DIR> --d----- c:\program files\common files\McAfee
2009-04-07 17:05 <DIR> --d----- c:\program files\McAfee
2009-04-05 12:13 <DIR> --d----- c:\program files\Audacity
2009-04-04 13:54 204 a------- C:\Plugins
2009-04-04 13:54 <DIR> --d----- c:\program files\Pando Networks
2009-03-30 17:14 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-30 17:14 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2008-05-24 08:34 0 a------- c:\program files\uninstall.dat
2008-03-04 09:40 61,480 a------- c:\documents and settings\mark weierich\GoToAssistDownloadHelper.exe
2005-05-07 10:44 32 ac---r-- c:\documents and settings\all users\hash.dat
2004-03-27 12:48 18,607 ac------ c:\program files\setuplog.txt

============= FINISH: 13:56:20.25 ===============

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:57 PM

Posted 23 April 2009 - 06:44 PM

Hey weierich,

Nearly there...

We need a sample of some of the malware.

Please click Here then navigate to this location C:\Qoobox\Quarantine\[4]-Submit_2009-04-22@22.27.zip and then upload that submit.zip

Next...

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Use Windows Explorer to find and delete this file

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\clkw.exe

folder:

C:\Program Files\Trend Micro\HijackThis\backups

As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete


Post back when you've done all those things. :thumbup2:
m0le is a proud member of UNITE
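The view-settings and delete steps above, as an added PowerShell example that is not part of m0le's post or any BleepingComputer tool: it sets the same three Folder Options checkboxes through their registry values, then removes the named file and folder while distinguishing "already gone" (the case the next reply runs into) from "still present but not deletable". It assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# prompt; the registry path and the three value names are Explorer's own
# storage for the Folder Options > View checkboxes.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Show-AllFiles {
    # Show hidden files and folders (1 = show, 2 = do not show)
    Set-ItemProperty -Path $advanced -Name 'Hidden'          -Value 1 -Type DWord
    # Uncheck "Hide file extensions for known file types"
    Set-ItemProperty -Path $advanced -Name 'HideFileExt'     -Value 0 -Type DWord
    # Uncheck "Hide protected operating system files (recommended)"
    Set-ItemProperty -Path $advanced -Name 'ShowSuperHidden' -Value 1 -Type DWord
}

function Remove-Target {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # The on-access scanner may have quarantined the file first; that is not
        # a failure, but worth confirming in the AV's quarantine log.
        return "$Path : already absent (check the AV quarantine log)"
    }
    try {
        Remove-Item -LiteralPath $Path -Recurse -Force -ErrorAction Stop
        return "$Path : deleted"
    } catch {
        # A process still holding the file, or the scanner itself, lands here;
        # a reboot into Safe Mode is the usual next step for a locked file.
        return "$Path : NOT deleted - $($_.Exception.Message)"
    }
}

Show-AllFiles

# The file and folder named in the post above.
$targets = @(
    'C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\clkw.exe',
    'C:\Program Files\Trend Micro\HijackThis\backups'
)
foreach ($t in $targets) { Write-Output (Remove-Target $t) }
```

Explorer windows that are already open may need to be closed and reopened before they reflect the new view settings.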

#15 weierich

weierich
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:57 PM

Posted 23 April 2009 - 11:31 PM

Hey m0le!
I did the following:
1. Sent in the zip file for the malware submission
2. Deleted the backup folder
3. When I went in to delete the exe file (C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\clkw.exe), before I could delete it, it disappeared and I got a message that a trojan had tried to access my machine, with that file name, and the message disappeared. So, not sure if McAfee deleted it for me or if I need to take action? :thumbup2:
