Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log


  • This topic is locked This topic is locked
30 replies to this topic

#1 Schranic

Schranic

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:20 AM

Posted 27 May 2009 - 08:36 PM

Hello, I'm writing because ever since the other morning I was bombared with error messages and my McAfee was turned off somehow. These messages include 'dsca.exe has stopped working'. 'digital line detection has stopped working'. 'mcafee network agent has stopped working'. and 'on-access scanner service has stopped working'. I'm not exactly sure what is causing this problem. I don't remember installing anything that would affect this. All I know is that I am unable to use Mcafee at all now, (when I select scan, the error 'Scanning has encountered a problem from which it cannot recover. Here are the problem details: - Scan failed to start; result=-2147467259 when finished, you will return to the home window.'). Of course this being disable raised my suspicions, but I ran a lot of free programs online and they didn't really detect anything. Perhaps there's something I missed in my log below. If you could help me out I would greatly appreciate it, thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:07 PM, on 5/27/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\FixCamera.exe
C:\Windows\tsnp2std.exe
C:\Windows\vsnp2std.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FixCamera] C:\Windows\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\Windows\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\Windows\vsnp2std.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: cms.psu.edu
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...627/mcfscan.cab
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\System32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9386 bytes

BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:20 AM

Posted 08 June 2009 - 07:47 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
If you still require assistance post a new set of DDS Logs and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log please refer to this page and in step #6 there is instructions on downloading and running DDS. IF you have any problems just let me know in your next reply or simply post a Hijackthis log.

Thanks again and we apologzie for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:20 AM

Posted 13 June 2009 - 11:14 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 from the last day I replied initially, the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 Schranic

Schranic
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:20 AM

Posted 13 June 2009 - 10:48 PM

Hello, yes I am still having the same problem. My DDS log is posted below. Any assistance would be greatly appreciated, thanks!

DDS (Ver_09-05-14.01) - NTFSx86
Run by Nick at 23:48:53.92 on Sat 06/13/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1021.209 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\LEXPPS.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\System32\rpcnet.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\FixCamera.exe
C:\Windows\tsnp2std.exe
C:\Windows\vsnp2std.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\wscript.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Nick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [FixCamera] c:\windows\FixCamera.exe
mRun: [tsnp2std] c:\windows\tsnp2std.exe
mRun: [snp2std] c:\windows\vsnp2std.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: psu.edu\cms
DPF: {00000130-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/ACELPACM.CAB
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5627/mcfscan.cab

============= SERVICES / DRIVERS ===============

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2007-12-7 73728]
R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\drivers\nwdelmdm.sys [2007-3-22 92288]
R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [2007-3-22 92288]
R3 NWDellPort2;Dell Wireless Mobile Broadband Status2 Port Driver;c:\windows\system32\drivers\nwdelser2.sys [2007-3-22 92288]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2007-10-10 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2007-10-26 7424]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-10-26 179712]
S3 NW001NDIS;Dell Wireless Network Adapter Service;c:\windows\system32\drivers\nw01ndis.sys [2007-3-22 210432]

=============== Created Last 30 ================

2009-06-13 01:47 161,477 a------- C:\Readme.htm
2009-06-13 01:47 157,145 a------- C:\mpf.chm
2009-06-13 01:47 2,234 a------- C:\subst.inf
2009-06-13 01:47 1,280 a------- C:\instLD.inf
2009-06-13 01:47 887 a------- C:\mpfHelp.inf
2009-06-13 01:47 1,049,088 a------- C:\mccobres.dll
2009-06-13 01:47 117,968 a------- C:\mscinres.dll
2009-06-13 01:47 22,330 a------- C:\oemcfg.dat
2009-06-13 01:47 1,241 a------- C:\nmcsubst.inf
2009-06-13 01:47 1,129 a------- C:\mscpstLD.inf
2009-06-13 01:47 1,105 a------- C:\mscdfoem.inf
2009-06-13 01:47 1,054 a------- C:\mscLD.inf
2009-06-08 16:56 <DIR> --d----- c:\programdata\KingsIsle Entertainment
2009-06-08 16:56 <DIR> --d----- c:\progra~2\KingsIsle Entertainment
2009-06-04 13:46 16,117 a------- c:\windows\system32\Config.MPF
2009-06-04 13:33 5,320 a------- C:\mscLI.inf
2009-05-27 18:21 <DIR> --d----- c:\program files\Trend Micro
2009-05-27 00:39 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-05-27 00:39 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-27 00:39 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-05-27 00:34 <DIR> --d----- c:\windows\pss
2009-05-26 15:27 <DIR> --d----- C:\AOL OCP
2009-05-26 02:14 8,212 a------- c:\windows\mfebcdata
2009-05-22 16:16 <DIR> --d----- c:\users\nick\appdata\roaming\WebSentinel
2009-05-22 16:14 <DIR> --d----- c:\program files\Webassessor Sentinel
2009-05-22 16:04 94,208 a------- c:\windows\amcap.exe
2009-05-22 16:04 20,480 a------- c:\windows\FixCamera.exe
2009-05-22 16:04 344,064 a------- c:\windows\vsnp2std.exe
2009-05-22 16:04 270,336 a------- c:\windows\tsnp2std.exe
2009-05-22 16:04 15,497 a------- c:\windows\snp2std.ini
2009-05-22 16:04 13,022 a------- c:\windows\snp2std.src
2009-05-22 16:04 12,212,864 a------- c:\windows\system32\drivers\snp2sxp.sys
2009-05-22 16:04 25,472 a------- c:\windows\system32\drivers\sncamd.sys
2009-05-22 16:04 151,552 a------- c:\windows\system32\rsnp2std.dll
2009-05-22 16:04 73,728 a------- c:\windows\system32\vsnp2std.dll
2009-05-22 16:04 77,824 a------- c:\windows\system32\csnp2std.dll
2009-05-22 16:04 <DIR> --d----- c:\program files\common files\snp2std

==================== Find3M ====================

2009-06-13 23:41 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-06-13 23:41 56,680 a------- c:\windows\system32\rpcnet.dll
2009-06-12 23:52 41,952 a------- c:\programdata\nvModes.dat
2009-06-12 23:52 41,952 a------- c:\progra~2\nvModes.dat
2009-05-22 16:05 143,360 a------- c:\windows\inf\infstrng.dat
2009-05-22 16:05 86,016 a------- c:\windows\inf\infstor.dat
2009-05-22 16:05 51,200 a------- c:\windows\inf\infpub.dat
2009-05-22 00:31 56,680 a------- c:\windows\system32\rpcnet.exe
2009-05-06 18:08 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-03-25 18:55 33,280 a------- c:\windows\system32\identprv.dll
2009-03-16 23:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 23:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 23:38 24,064 a------- c:\windows\system32\amxread.dll
2008-11-09 03:45 41,192 a------- c:\users\nick\appdata\roaming\nvModes.dat
2008-08-04 16:28 159,528 a------- c:\users\nick\appdata\roaming\GDIPFONTCACHEV1.DAT
2008-06-10 23:55 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-22 17:44 174 a--sh--- c:\program files\desktop.ini
2008-03-05 03:49 61,480 a------- c:\users\nick\GoToAssistDownloadHelper.exe
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-10-26 06:43 76 ---shr-- c:\windows\CT4CET.bin
2008-01-10 20:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008011020080111\index.dat
2007-10-26 14:27 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 23:53:15.15 ===============

Attached Files


Edited by Schranic, 13 June 2009 - 11:03 PM.


#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:20 AM

Posted 14 June 2009 - 08:27 AM

Hello.

Please run MBAM and a GMER scan for me.

After that, please take a new DDS run and post back with both logs.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop. Right-click and run as administrator if you are using Vista
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image

  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 Schranic

Schranic
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:20 AM

Posted 14 June 2009 - 01:55 PM

I can't seem to download MalwareBytes Anti-Malware properly, when it's just about done installing I get an error messsage that says 'Run-time error '48': File not found: SHFolder.dll'.

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:20 AM

Posted 14 June 2009 - 07:59 PM

Hello.

Continue with GMER then.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 Schranic

Schranic
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:20 AM

Posted 14 June 2009 - 08:24 PM

I tried GMER, it gets probably halfway through the scan and then an error comes up and makes me close the program. Also there is a blue screen of death that says windows has to shutdown. It reboots and on the desktop it says windows has recovered from an unexpected error.

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:20 AM

Posted 17 June 2009 - 05:12 PM

Hello.

We'll start off with Combofix.

Download and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
Link 3

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 Schranic

Schranic
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:20 AM

Posted 17 June 2009 - 07:47 PM

ComboFix 09-06-17.02 - Nick 06/17/2009 20:11.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1021.308 [GMT -4:00]
Running from: c:\users\Nick\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-18 00:18 . 2009-06-18 00:18 -------- d-----w- c:\users\Nick\AppData\Local\temp
2009-06-17 23:59 . 2009-01-10 04:43 22330 ----a-w- C:\oemcfg.dat
2009-06-17 23:59 . 2009-01-10 04:43 1049088 ----a-w- C:\mccobres.dll
2009-06-17 23:59 . 2009-01-10 04:43 117968 ----a-w- C:\mscinres.dll
2009-06-08 20:56 . 2009-06-08 20:56 -------- d-----w- c:\programdata\KingsIsle Entertainment
2009-06-04 17:55 . 2009-06-04 17:55 49152 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-06-04 17:55 . 2009-06-04 17:55 49152 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-05-27 22:21 . 2009-05-27 22:21 -------- d-----w- c:\program files\Trend Micro
2009-05-27 06:27 . 2009-05-27 10:49 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-27 04:39 . 2009-05-27 06:00 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-05-27 04:39 . 2009-05-27 06:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-26 19:27 . 2009-05-26 19:27 -------- d-----w- C:\AOL OCP
2009-05-22 20:16 . 2009-05-22 23:26 -------- d-----w- c:\users\Nick\AppData\Roaming\WebSentinel
2009-05-22 20:14 . 2009-05-22 20:14 9326 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{C6922A77-C165-4C48-84A0-AA102E57685F}\_D4FDF8DB06743D700C19D1.exe
2009-05-22 20:14 . 2009-05-22 20:14 9326 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{C6922A77-C165-4C48-84A0-AA102E57685F}\_C2AE4A4F63A0ED68ACC09E.exe
2009-05-22 20:14 . 2009-05-22 20:14 9326 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{C6922A77-C165-4C48-84A0-AA102E57685F}\_6FEFF9B68218417F98F549.exe
2009-05-22 20:14 . 2009-05-22 20:14 9326 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{C6922A77-C165-4C48-84A0-AA102E57685F}\_21F3885A18D238E15AAE81.exe
2009-05-22 20:14 . 2009-05-27 06:01 -------- d-----w- c:\program files\Webassessor Sentinel
2009-05-22 20:04 . 2007-08-20 15:10 94208 ----a-w- c:\windows\amcap.exe
2009-05-22 20:04 . 2007-07-11 20:09 20480 ----a-w- c:\windows\FixCamera.exe
2009-05-22 20:04 . 2007-09-28 20:32 344064 ----a-w- c:\windows\vsnp2std.exe
2009-05-22 20:04 . 2007-05-10 21:05 270336 ----a-w- c:\windows\tsnp2std.exe
2009-05-22 20:04 . 2007-09-05 17:48 12212864 ----a-w- c:\windows\system32\drivers\snp2sxp.sys
2009-05-22 20:04 . 2007-01-25 22:48 25472 ----a-w- c:\windows\system32\drivers\sncamd.sys
2009-05-22 20:04 . 2007-02-05 19:25 151552 ----a-w- c:\windows\system32\rsnp2std.dll
2009-05-22 20:04 . 2007-05-31 14:28 73728 ----a-w- c:\windows\system32\vsnp2std.dll
2009-05-22 20:04 . 2006-11-16 19:57 77824 ----a-w- c:\windows\system32\csnp2std.dll
2009-05-22 20:04 . 2009-05-22 20:04 -------- d-----w- c:\program files\Common Files\snp2std
2009-05-22 20:03 . 2009-05-22 20:03 -------- d-----w- c:\users\Nick\AppData\Roaming\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-17 23:59 . 2008-10-15 01:03 -------- d-----w- c:\program files\McAfee
2009-06-17 23:52 . 2007-11-02 01:38 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-06-17 23:52 . 2007-11-01 04:57 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-06-17 01:20 . 2008-10-28 02:18 -------- d-----w- c:\programdata\Google Updater
2009-06-16 03:48 . 2008-11-16 00:53 41952 ----a-w- c:\programdata\nvModes.dat
2009-06-08 21:40 . 2007-10-26 10:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-29 19:48 . 2007-10-26 11:00 -------- d-----w- c:\programdata\McAfee
2009-05-22 04:31 . 2006-12-02 06:37 56680 ----a-w- c:\windows\system32\rpcnet.exe
2009-05-19 03:21 . 2009-03-01 06:19 -------- d-----w- c:\program files\Coupons
2009-05-15 05:51 . 2007-11-03 04:03 -------- d-----w- c:\program files\Google
2009-05-13 04:37 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-06 22:08 . 2007-11-02 01:39 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-04-29 06:00 . 2009-04-29 06:00 -------- d-----w- c:\program files\SystemRequirementsLab
2009-04-27 18:51 . 2007-12-01 19:11 8268 ----a-w- c:\users\Nick\AppData\Local\d3d9caps.dat
2009-04-08 03:09 . 2009-04-08 03:09 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-25 22:55 . 2008-01-22 01:43 33280 ----a-w- c:\windows\system32\identprv.dll
2009-03-25 15:06 . 2008-10-15 01:03 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 15:06 . 2008-10-15 01:03 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 15:06 . 2008-10-15 01:03 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 15:06 . 2008-06-27 10:08 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 15:05 . 2008-10-15 00:57 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2007-10-26 10:43 . 2007-10-26 10:43 76 --sh--r- c:\windows\CT4CET.bin
2007-10-26 18:27 . 2007-10-26 18:20 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-10 857648]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-29 36864]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-03 13552160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-03 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-09-03 96800]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"FixCamera"="c:\windows\FixCamera.exe" [2007-07-11 20480]
"tsnp2std"="c:\windows\tsnp2std.exe" [2007-05-10 270336]
"snp2std"="c:\windows\vsnp2std.exe" [2007-09-28 344064]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-26 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2007-11-5 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D07B6956-EEF9-40CC-B255-136E63598417}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{E2F1FC7A-348C-40AB-96B7-3A9D9139CB02}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{CD09DA47-3584-4DBB-BDFA-3ED2BF42A9B0}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{7F4A5D82-0F3D-4830-A2FC-D5AC990E687E}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{DBAC809A-C5B2-4BF0-94A4-7B90397B15E0}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{9B377A7D-C546-4FCF-9119-3C396BDE794D}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{5546A587-AA4A-4302-93DE-2F3BE137D218}c:\\program files\\turbine\\asheron's call - throne of destiny\\aclauncher.exe"= UDP:c:\program files\turbine\asheron's call - throne of destiny\aclauncher.exe:AC Launcher
"UDP Query User{8B4B1B0B-AE4A-42EE-9051-38C0204E5F51}c:\\program files\\turbine\\asheron's call - throne of destiny\\aclauncher.exe"= TCP:c:\program files\turbine\asheron's call - throne of destiny\aclauncher.exe:AC Launcher
"TCP Query User{84E11D9D-D4E7-4D7D-94BF-9431A6D85171}c:\\program files\\turbine\\asheron's call - throne of destiny\\acclient.exe"= UDP:c:\program files\turbine\asheron's call - throne of destiny\acclient.exe:acclient
"UDP Query User{AA87B1FD-BFA2-4845-A307-9A85DF4633F3}c:\\program files\\turbine\\asheron's call - throne of destiny\\acclient.exe"= TCP:c:\program files\turbine\asheron's call - throne of destiny\acclient.exe:acclient
"TCP Query User{28771163-26E6-4B46-BD7C-37BC64A9E046}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC
"UDP Query User{75BAA5B4-B479-4480-A8A6-6BDFF1FC6171}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC
"TCP Query User{6CAA9402-5B20-4C35-9C9F-44CC4D2802BB}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{91C8B39F-FB07-4C69-BE5B-F1172A505CA0}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{C729CF76-6208-4C94-BBDD-DE544B2D1738}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{9ECEC23F-1F33-49CB-BC00-BC86232E8B93}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{4FD2BAB5-C4F3-49A0-9CB3-A9155D8B8EB5}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{BD7223A0-A4DC-41B5-8BC3-915C4BC15AF7}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{CFCB538F-433D-4F15-9961-197145500E29}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{0B5446D7-10B8-4A73-ACD8-39C5D9C5C34C}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{DA99FCCF-9927-42E4-8004-0E4AB2DD4B15}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{F39D04DF-C3F5-4D88-A9A3-5D3F0FEBF309}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C75E6A79-CAF6-44C5-BC7B-9A9068407BF3}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DBB800E3-BB70-4B2E-B58A-EFA9C9C288C5}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9661108E-3C15-4E01-B198-D2A1222CD2C8}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{B02861B0-2532-48AE-A3CB-0AEAD0574266}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{E9790FE0-01F4-45E4-9F6F-FC91AA48850B}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [12/7/2007 12:47 AM 73728]
R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\System32\drivers\nwdelmdm.sys [3/22/2007 2:12 PM 92288]
R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\System32\drivers\nwdelser.sys [3/22/2007 2:12 PM 92288]
R3 NWDellPort2;Dell Wireless Mobile Broadband Status2 Port Driver;c:\windows\System32\drivers\nwdelser2.sys [3/22/2007 2:12 PM 92288]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [10/10/2007 6:03 PM 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [10/26/2007 2:28 PM 7424]
S2 0293051245283166mcinstcleanup;McAfee Application Installer Cleanup (0293051245283166);c:\windows\TEMP\029305~1.EXE c:\windows\TEMP\{B24EE~1.INI -cleanup -nolog -service --> c:\windows\TEMP\029305~1.EXE c:\windows\TEMP\{B24EE~1.INI -cleanup -nolog -service [?]
S2 0293371245283176mcinstcleanup;McAfee Application Installer Cleanup (0293371245283176);c:\windows\TEMP\029337~1.EXE c:\windows\TEMP\{DF297~1.INI -cleanup -nolog -service --> c:\windows\TEMP\029337~1.EXE c:\windows\TEMP\{DF297~1.INI -cleanup -nolog -service [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [10/26/2007 2:28 PM 179712]
S3 NW001NDIS;Dell Wireless Network Adapter Service;c:\windows\System32\drivers\nw01ndis.sys [3/22/2007 2:12 PM 210432]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/19/2008 2:02 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-28 04:03]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-08 14:53]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-08 14:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: psu.edu\cms
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 20:18
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-06-18 20:19
ComboFix-quarantined-files.txt 2009-06-18 00:19

Pre-Run: 39,378,726,912 bytes free
Post-Run: 39,832,039,424 bytes free

200 --- E O F --- 2009-05-22 04:49

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:20 AM

Posted 17 June 2009 - 08:00 PM

Hello.

Combofix log does not look complete. Are you sure that's the complete log? If not, please post the complete log.

Otherwise, please re-run Combofix again and post the log once it's done.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#12 Schranic

Schranic
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:20 AM

Posted 17 June 2009 - 08:12 PM

No, that was the complete log. I've attached it to this post as well.

Attached Files



#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:20 AM

Posted 18 June 2009 - 09:10 PM

Hello.

Please run MBAM and GMER (please refer to my previous post). Post those log in your next reply once they are done.

If there were any problems, please let me know.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#14 Schranic

Schranic
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:20 AM

Posted 18 June 2009 - 09:49 PM

Still having the same problems with these two scans; Malwarebytes when installing comes up with the run-time error '48': file not found: shfolder. GMER says this program has stopped working halfway through the scan.

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:20 AM

Posted 20 June 2009 - 04:39 PM

Hello.

I have seen that error before. Let's first do a registry search and some other scans.

Download and Run RegSearch
We need to do a registry search.

Please download RegSearch and save it to your desktop.
  • Extract the folder regsearch onto your desktop
  • Double-click on regsearch folder and then find regsearch.exe and double click it
  • A Security Window will open please select Run.
  • The Registry Search window will appear please make sure under the Search everything is checked.
  • At the top of the Regsearch where it says: "Enter Search string (case independent) and click Ok..." please input:

shfolder
  • After inputing the name, please click Ok
  • It will begin searching, once it is finished notepad will open with the log.
  • Please post the contents of that log in your next reply.
Download and run RootRepeal CR

Please download RootRepeal to your desktop
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Unzip it to it's own folder
  • Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Report tab at the bottom.
  • Now click the Scan button in the Report Tab. Posted Image
  • A box will pop up, check the boxes beside ALL SIX
    Posted Image
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button. Posted Image
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the log here in your reply.
Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administartor)
  • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :filefind
    shfolder
  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task


Download and Run SUPERAntiSpyware
We will run a scan with SuperAntiSpyware.
  • Download SUPERAntiSpyware to your desktop.
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation. Delete the installer after use.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates".
    If you encounter any problems while downloading the updates, manually download and unzip them from here.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive (or whatever drive your system is installed on).
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
  • Make sure everything has a checkmark next to it and click Next.
  • A notification will appear saying that "Quarantine and Removal is Complete". Click OK and then click the Finish button to return to the main menu.
  • If asked if you want to reboot, click Yes.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Post back with:
-RegSearch log
-RootRepeal log
-SystemLookup log
-SAS log

Also, let me know how your computer is running any what problems/symptoms you may still have.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users