Windows Security Suite


This topic is locked
17 replies to this topic

#1 sdcurry1

  • Members
  • 9 posts

Posted 06 August 2009 - 11:50 AM

The problem began a couple of weeks ago. McAfee appeared to be installed on the system but wouldn't open. Spoke with tech support and eventually fixed the problem enough that McAfee is now up and running. However, the browser is still redirected to Gala.com and similar sites. Computer has slowed down even more within the last two days.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 12:33:41.62 on Thu 08/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1016.557 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Owner\Desktop\dds.scr
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\System32\ssmyst.scr
C:\WINDOWS\system32\notepad.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.windstream.net/wind/portal/index.aspx
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {169fd043-2350-46bf-86ac-78780907f2d5} - c:\windows\system32\rezakaju.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {CD292324-974F-4224-D074-CACA427AA030} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CD292324-974F-4224-D074-CACA427AA030} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CamMonitor] c:\program files\hp\digital imaging\unload\hpqcmon.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [LTMSG] LTMSG.exe 7
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [WT GameChannel] c:\program files\wildtangent\apps\GameChannel.exe
mRun: [wcmdmgr] c:\windows\wt\updater\wcmdmgrl.exe -launch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [vubawagedi] Rundll32.exe "c:\windows\system32\fogiguzu.dll",s
mRun: [CPM03537aaa] Rundll32.exe "c:\windows\system32\kinahoke.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215526830500
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215527201109
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.9.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} - hxxp://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.38.38/ttinst.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5493/mcfscan.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\lotehafa.dll,c:\windows\system32\jogihuju.dll c:\windows\system32\kinahoke.dll,c:\windows\system32\lubiniyo.dll,c:\windows\system32\reveneko.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kinahoke.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\kinahoke.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\lotehafa.dll c:\windows\system32\jogihuju.dll c:\windows\system32\lubiniyo.dll c:\windows\system32\reveneko.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-29 210216]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-29 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-29 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-29 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-29 34248]

============== File Associations ===============

vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

=============== Created Last 30 ================

2009-08-05 17:57 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-05 17:42 <DIR> a-dshr-- C:\cmdcons
2009-08-05 17:33 219,648 a------- c:\windows\PEV.exe
2009-08-05 17:33 161,792 a------- c:\windows\SWREG.exe
2009-08-05 17:33 98,816 a------- c:\windows\sed.exe
2009-08-05 09:41 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-03 18:40 <DIR> --d----- c:\program files\iPod
2009-08-03 18:40 <DIR> --d----- c:\program files\iTunes
2009-08-02 15:58 <DIR> --d----- c:\program files\Trend Micro
2009-08-02 15:55 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-08-02 15:48 <DIR> --d----- c:\windows\Downloaded Installations
2009-08-02 15:31 129,520 -------- c:\windows\system32\pxafs.dll
2009-08-02 15:31 122,864 -------- c:\windows\system32\pxinsi64.exe
2009-08-02 15:31 120,816 -------- c:\windows\system32\pxcpyi64.exe
2009-08-02 15:31 9,200 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-08-02 15:31 9,072 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-07-30 20:37 <DIR> --d----- C:\ProgramData
2009-07-30 20:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-07-29 20:23 10,593 a------- c:\windows\system32\Config.MPF
2009-07-29 20:08 79,816 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-07-29 20:08 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-07-29 20:08 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-07-29 20:08 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-07-29 20:07 <DIR> --d----- c:\program files\common files\McAfee
2009-07-29 20:07 <DIR> --d----- c:\program files\McAfee.com
2009-07-29 20:06 <DIR> --d----- c:\program files\McAfee
2009-07-29 19:59 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-07-29 16:59 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-07-29 16:58 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-29 16:58 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-29 16:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 16:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-28 17:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-07-28 17:12 <DIR> --d----- c:\program files\Citrix
2009-07-28 17:12 61,224 a------- c:\documents and settings\owner\GoToAssistDownloadHelper.exe
2009-07-28 15:13 <DIR> --d----- c:\program files\MSECache
2009-07-28 11:13 <DIR> --d----- c:\docume~1\owner\applic~1\AVG8
2009-07-28 10:50 <DIR> --d----- c:\program files\AVG
2009-07-28 10:28 <DIR> --d----- c:\program files\AskBarDis
2009-07-21 20:12 33,272 a---h--- c:\windows\system32\mlfcache.dat
2009-07-20 13:51 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\7180dc5
2009-07-14 10:17 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-08 16:51 <DIR> --d----- c:\docume~1\owner\applic~1\Neopets Toolbar
2009-07-08 10:25 <DIR> --d----- c:\program files\Disney

==================== Find3M ====================

2009-08-06 11:17 50,176 a--sh--- c:\windows\system32\huforupa.dll
2009-08-06 11:16 84,480 a--sh--- c:\windows\system32\kinahoke.dll
2009-08-06 11:16 38,912 a--sh--- c:\windows\system32\gatosisu.dll
2009-08-05 23:15 84,992 a--sh--- c:\windows\system32\duzileru.dll
2009-08-05 23:15 38,400 a--sh--- c:\windows\system32\wusifage.dll
2009-07-05 03:01 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 03:01 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-29 12:12 78,336 -------- c:\windows\system32\ieencode.dll
2009-06-23 10:47 249,856 -------- c:\windows\Setup1.exe
2009-06-23 10:47 73,216 a------- c:\windows\ST6UNST.EXE
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-09 01:14 1,418,120 a------- c:\windows\system32\wdfcoinstaller01005.dll
2008-07-11 19:49 0 ac------ c:\program files\temp01
2008-07-08 15:14 24,439 ac------ c:\program files\updatejpegprocessing.docx
2009-05-06 11:21 50,176 a--sh--- c:\windows\system32\fogiguzu.dll
2009-05-06 11:21 50,176 a--sh--- c:\windows\system32\lotehafa.dll
2009-05-06 11:21 50,176 a--sh--- c:\windows\system32\rezakaju.dll

============= FINISH: 12:36:42.81 ===============
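A DDS report like the one above can be triaged mechanically. As an added example (not part of this thread, of DDS, or of BleepingComputer's tooling), the Python script below parses the DDS section format shown above, collects every DLL loaded from a persistence point in the Pseudo HJT Report (AppInit_DLLs, LSA Notification Packages, SSODL, STS, mRun/uRun, BHO, TB) and checks each against the Find3M and Created Last 30 listings for the hidden+system attribute pattern (a--sh---). The embedded sample is constructed from a subset of the lines in this log; the scoring rule (hidden+system on disk, or any full-path DLL in AppInit_DLLs or LSA Notification Packages) is a heuristic added here for what an analyst should review, not a verdict.

```python
"""Triage a DDS report: cross-reference DLLs loaded from persistence points
(Pseudo HJT Report) with their on-disk attributes (Find3M / Created Last 30).
Added example for this thread, not part of DDS; the scoring rule is a heuristic."""
import re
from collections import defaultdict

# Constructed sample: a subset of lines, in the DDS format posted in the thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {169fd043-2350-46bf-86ac-78780907f2d5} - c:\windows\system32\rezakaju.dll
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [vubawagedi] Rundll32.exe "c:\windows\system32\fogiguzu.dll",s
mRun: [CPM03537aaa] Rundll32.exe "c:\windows\system32\kinahoke.dll",a
AppInit_DLLs: c:\windows\system32\lotehafa.dll,c:\windows\system32\jogihuju.dll c:\windows\system32\kinahoke.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kinahoke.dll
LSA: Notification Packages = scecli c:\windows\system32\lotehafa.dll c:\windows\system32\jogihuju.dll
==================== Find3M ====================
2009-08-06 11:16 84,480 a--sh--- c:\windows\system32\kinahoke.dll
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-05-06 11:21 50,176 a--sh--- c:\windows\system32\fogiguzu.dll
2009-05-06 11:21 50,176 a--sh--- c:\windows\system32\lotehafa.dll
2009-05-06 11:21 50,176 a--sh--- c:\windows\system32\rezakaju.dll
"""

# Section banner such as "============== Pseudo HJT Report ===============".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Full drive-letter path ending in .dll; stopping at comma/quote splits the
# comma- and space-separated AppInit_DLLs and LSA lists into single paths.
DLL_RE = re.compile(r"[a-z]:\\[^,\"]+?\.dll", re.IGNORECASE)
# File listing row: date time size attrs path (size is <DIR> for directories).
FILE_ROW_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$",
                         re.IGNORECASE)
# DDS prefixes for code loaded automatically at boot, logon or browser start.
PERSIST_PREFIXES = {"AppInit_DLLs:", "LSA:", "SSODL:", "STS:", "mRun:", "uRun:", "BHO:", "TB:", "Notify:"}
# Points whose legitimate population on a home XP system is tiny (scecli for LSA).
HIGH_IMPACT = {"AppInit_DLLs", "LSA"}


def split_sections(text):
    """Group non-empty lines under the DDS section banner they follow."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line.strip():
            sections[current].append(line)
    return sections


def persistence_dlls(hjt_lines):
    """Map lowercase DLL path -> set of persistence points that load it."""
    refs = defaultdict(set)
    for line in hjt_lines:
        prefix = line.split(" ", 1)[0]
        if prefix in PERSIST_PREFIXES:
            for path in DLL_RE.findall(line):
                refs[path.lower()].add(prefix.rstrip(":"))
    return refs


def hidden_system_files(file_rows):
    """Map lowercase path -> attribute column for files marked hidden AND system.
    Columns are a c d s h r (archive, compressed, dir, system, hidden, read-only);
    an ordinary system32 DLL shows 'a-------', the pattern of interest 'a--sh---'."""
    flagged = {}
    for line in file_rows:
        m = FILE_ROW_RE.match(line)
        if m:
            attrs, path = m.group(1).lower(), m.group(2).strip().lower()
            if "s" in attrs and "h" in attrs and "d" not in attrs:
                flagged[path] = attrs
    return flagged


def triage(text):
    """Return sorted (path, [points], attrs) for DLLs loaded from a persistence
    point that are hidden+system on disk or registered in a high-impact point.
    attrs is None when the DLL never appears in the file listings."""
    sections = split_sections(text)
    refs = persistence_dlls(sections.get("Pseudo HJT Report", []))
    on_disk = hidden_system_files(sections.get("Find3M", []) + sections.get("Created Last 30", []))
    findings = []
    for path, points in refs.items():
        attrs = on_disk.get(path)
        if attrs or points & HIGH_IMPACT:
            findings.append((path, sorted(points), attrs))
    return sorted(findings)


if __name__ == "__main__":
    for path, points, attrs in triage(SAMPLE_LOG):
        print(f"REVIEW {path:<40} via {', '.join(points):<24} disk: {attrs or 'not in file listings'}")
```

Run against a full DDS.txt instead of the sample, the same rule would also surface the other hidden+system DLLs in the Find3M section above that are loaded via AppInit_DLLs and LSA.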


#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 15 August 2009 - 03:31 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



If you still require assistance, please post a new set of DDS logs and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log, please refer to this page; in step #6 there are instructions on downloading and running DDS. If you have any problems, just let me know in your next reply or simply post a HijackThis log.

Then, please run RootRepeal:

Download and run RootRepeal CR

Please download RootRepeal to your desktop
Alternative Download Link 2
Alternative Download Link 3
  • Physically disconnect your machine from the internet, as your system will be unprotected.
  • Unzip it to its own folder.
  • Close/Disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator.
  • Click the Report tab at the bottom.
  • Now click the Scan button in the Report tab.
  • A box will pop up; check the boxes beside ALL seven options/scan areas.
  • Now click OK.
  • Another box will open; check the boxes beside all the drives, e.g. C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.
For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 sdcurry1

  • Topic Starter
  • Members
  • 9 posts

Posted 15 August 2009 - 08:20 PM

There still seems to be something wrong with my desktop (FAMILY) and my laptop (LAPTOP); things still seem funny. The internet is very slow and there are still issues with the virus protection. One second the computer is supposedly protected and then the next I get a warning to check the status. The same thing is happening with my laptop, too. The only difference is that sometimes the browser settings change automatically. I've included logs for both.

BTW, no need to apologize for taking so long, I'm just happy for the help. Otherwise, my HDD would be wiped clean and I would be in the long process of reinstalling everything.

FAMILY

DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 18:40:37.62 on Sat 08/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1016.543 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\DOCUME~1\Owner\Desktop\dds.scr
C:\WINDOWS\system32\notepad.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.windstream.net/wind/portal/index.aspx
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: FCToolbarURLSearchHook Class: {7f559c93-2b3f-4ad7-8b03-ed64f0b1a494} - c:\program files\windstream toolbar\Helper.dll
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {CD292324-974F-4224-D074-CACA427AA030} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Freecause Toolbar BHO: {f3ca88ff-f62f-4edf-a42b-e0cb0159ea02} - c:\program files\windstream toolbar\Toolbar.dll
TB: {CD292324-974F-4224-D074-CACA427AA030} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Windstream Toolbar: {31a42398-1cd9-4fb9-8451-bee871afd7c3} - c:\program files\windstream toolbar\Toolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CamMonitor] c:\program files\hp\digital imaging\unload\hpqcmon.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [LTMSG] LTMSG.exe 7
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [WT GameChannel] c:\program files\wildtangent\apps\GameChannel.exe
mRun: [wcmdmgr] c:\windows\wt\updater\wcmdmgrl.exe -launch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215526830500
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215527201109
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.9.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} - hxxp://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.38.38/ttinst.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5493/mcfscan.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\jogihuju.dll ,c:\windows\system32\lubiniyo.dll,c:\windows\system32\reveneko.dll,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\jogihuju.dll c:\windows\system32\lubiniyo.dll c:\windows\system32\reveneko.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-29 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-29 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-29 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-29 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-29 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-29 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-29 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-29 40552]

============== File Associations ===============

vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

=============== Created Last 30 ================

2009-08-12 22:47 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-06 17:54 <DIR> --d----- c:\program files\Windstream Toolbar
2009-08-06 13:17 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-06 13:17 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-05 17:57 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-05 17:42 <DIR> a-dshr-- C:\cmdcons
2009-08-05 17:33 219,648 a------- c:\windows\PEV.exe
2009-08-05 17:33 161,792 a------- c:\windows\SWREG.exe
2009-08-05 17:33 98,816 a------- c:\windows\sed.exe
2009-08-05 09:41 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-03 18:40 <DIR> --d----- c:\program files\iPod
2009-08-03 18:40 <DIR> --d----- c:\program files\iTunes
2009-08-02 15:58 <DIR> --d----- c:\program files\Trend Micro
2009-08-02 15:55 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-08-02 15:48 <DIR> --d----- c:\windows\Downloaded Installations
2009-08-02 15:31 129,520 -------- c:\windows\system32\pxafs.dll
2009-08-02 15:31 122,864 -------- c:\windows\system32\pxinsi64.exe
2009-08-02 15:31 120,816 -------- c:\windows\system32\pxcpyi64.exe
2009-08-02 15:31 9,200 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-08-02 15:31 9,072 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-07-30 20:37 <DIR> --d----- C:\ProgramData
2009-07-30 20:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-07-29 20:23 11,207 a------- c:\windows\system32\Config.MPF
2009-07-29 20:08 79,816 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-07-29 20:08 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-07-29 20:08 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-07-29 20:08 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-07-29 20:07 <DIR> --d----- c:\program files\common files\McAfee
2009-07-29 20:07 <DIR> --d----- c:\program files\McAfee.com
2009-07-29 20:06 <DIR> --d----- c:\program files\McAfee
2009-07-29 19:59 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-07-29 16:59 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-07-29 16:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 16:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-29 03:02 1,104,769 a------- c:\windows\setupapi.log.2.old
2009-07-28 17:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-07-28 17:12 <DIR> --d----- c:\program files\Citrix
2009-07-28 17:12 61,224 a------- c:\documents and settings\owner\GoToAssistDownloadHelper.exe
2009-07-28 15:13 <DIR> --d----- c:\program files\MSECache
2009-07-28 11:13 <DIR> --d----- c:\docume~1\owner\applic~1\AVG8
2009-07-28 10:50 <DIR> --d----- c:\program files\AVG
2009-07-28 10:28 <DIR> --d----- c:\program files\AskBarDis
2009-07-21 20:12 33,272 a---h--- c:\windows\system32\mlfcache.dat
2009-07-20 13:51 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\7180dc5
2009-07-17 15:01 58,880 -c------ c:\windows\system32\dllcache\atl.dll

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-05 03:01 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 03:01 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-29 12:12 78,336 -------- c:\windows\system32\ieencode.dll
2009-06-23 10:47 249,856 -------- c:\windows\Setup1.exe
2009-06-23 10:47 73,216 a------- c:\windows\ST6UNST.EXE
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-07-11 19:49 0 ac------ c:\program files\temp01
2008-07-08 15:14 24,439 ac------ c:\program files\updatejpegprocessing.docx

============= FINISH: 18:42:47.29 ===============


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/15 19:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xED1AF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79A7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEC3BA000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\mcafee_8mndwnorbdnupyq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_08vypntbww4nehp
Status: Allocation size mismatch (API: 4096, Raw: 0)

==EOF==

Edited by extremeboy, 16 August 2009 - 05:06 PM.
Remove "Laptop" logs.


#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 16 August 2009 - 09:10 AM

Hello.

Sorry, but we can't deal with two systems at the same time. This will cause too much confusion.

For your other computers, I suggest you start a new topic until someone can get to you.

--

Therefore, please tell me which logs you wish me to look over. The FAMILY one or the LAPTOP one?

Thanks for understanding.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 sdcurry1
  • Topic Starter
  • Members
  • 9 posts

Posted 16 August 2009 - 10:06 AM

Please take a look at FAMILY. One question about the laptop, though. Is there any way it could have become infected even though it was turned off? They were, at one point in time, on the same home network.

Thanks!

#6 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 16 August 2009 - 05:08 PM

Hello.

Machines cannot be infected if they are off.

Please complete the following on the "family" computer.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

With Regards,
Extremeboy

#7 sdcurry1
  • Topic Starter
  • Members
  • 9 posts

Posted 17 August 2009 - 06:34 PM

Here's the ComboFix log.

ComboFix 09-08-10.06 - Owner 08/17/2009 15:38.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1016.452 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.

2009-08-17 19:56 . 2009-08-17 19:56 -------- d-sh--w- C:\found.000
2009-08-06 21:54 . 2009-08-06 21:55 -------- d-----w- c:\program files\Windstream Toolbar
2009-08-06 17:17 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-06 17:17 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-05 13:36 . 2009-08-05 13:36 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-03 22:40 . 2009-08-03 22:40 -------- d-----w- c:\program files\iPod
2009-08-03 22:40 . 2009-08-03 22:42 -------- d-----w- c:\program files\iTunes
2009-08-03 22:28 . 2009-08-03 22:28 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-08-02 20:06 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-08-02 19:58 . 2009-08-02 19:58 -------- d-----w- c:\program files\Trend Micro
2009-08-02 19:55 . 2009-08-02 19:55 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-02 19:49 . 2009-08-02 19:52 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-08-02 19:49 . 2009-08-02 19:49 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-08-02 19:48 . 2009-08-02 19:48 -------- d-----w- c:\windows\Downloaded Installations
2009-08-02 19:31 . 2008-07-09 23:09 129520 ------w- c:\windows\system32\pxafs.dll
2009-08-02 19:31 . 2008-06-16 19:55 122864 ------w- c:\windows\system32\pxinsi64.exe
2009-08-02 19:31 . 2008-04-02 08:00 120816 ------w- c:\windows\system32\pxcpyi64.exe
2009-08-02 19:31 . 2008-03-12 10:00 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-08-02 19:31 . 2008-03-12 10:00 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-07-31 01:09 . 2009-07-31 01:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-07-31 01:06 . 2009-07-31 01:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2009-07-31 01:00 . 2009-07-31 01:00 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-07-31 00:37 . 2009-08-03 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-07-31 00:37 . 2009-07-31 00:37 -------- d-----w- C:\ProgramData
2009-07-30 00:13 . 2009-07-30 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-07-30 00:08 . 2009-05-14 03:25 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-30 00:08 . 2009-05-14 03:25 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-30 00:08 . 2009-05-14 03:25 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-30 00:08 . 2009-04-09 18:23 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-30 00:07 . 2009-07-30 00:08 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-30 00:07 . 2009-07-30 00:08 -------- d-----w- c:\program files\McAfee.com
2009-07-30 00:06 . 2009-08-04 20:09 -------- d-----w- c:\program files\McAfee
2009-07-29 23:59 . 2009-05-14 03:24 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-07-29 20:59 . 2009-07-29 20:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-29 20:58 . 2009-08-06 17:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 20:58 . 2009-07-29 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-29 19:30 . 2009-07-30 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-28 21:16 . 2009-07-28 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2009-07-28 21:12 . 2009-07-28 21:12 -------- d-----w- c:\program files\Citrix
2009-07-28 21:12 . 2009-07-28 21:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Citrix
2009-07-28 21:12 . 2009-07-28 21:12 61224 ----a-w- c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
2009-07-28 20:42 . 2009-07-28 20:42 49152 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-07-28 20:42 . 2009-07-28 20:42 49152 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-07-28 19:13 . 2009-07-28 19:13 -------- d-----w- c:\program files\MSECache
2009-07-28 15:13 . 2009-07-28 15:13 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2009-07-28 14:50 . 2009-07-28 14:50 -------- d-----w- c:\program files\AVG
2009-07-28 14:28 . 2009-07-28 14:28 -------- d-----w- c:\program files\AskBarDis
2009-07-27 22:19 . 2009-07-29 07:09 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-27 22:19 . 2009-07-29 07:09 -------- d-----w- c:\program files\NOS
2009-07-22 01:02 . 2009-07-22 01:02 -------- d-----w- c:\program files\Windows Defender
2009-07-22 00:12 . 2009-08-02 14:48 33272 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-20 20:37 . 2009-07-20 20:38 -------- d-----w- c:\program files\Safari
2009-07-20 20:25 . 2009-07-20 20:25 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 4.30.19.1\SetupAdmin.exe
2009-07-20 17:51 . 2009-07-23 05:48 -------- d-sh--w- c:\documents and settings\All Users\Application Data\7180dc5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-15 21:04 . 2008-09-27 21:08 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-05 13:40 . 2003-10-11 10:51 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2002-12-12 14:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 22:40 . 2009-06-08 13:57 -------- d-----w- c:\program files\Common Files\Apple
2009-08-02 19:49 . 2003-10-11 11:20 -------- d-----w- c:\program files\HP
2009-08-02 19:36 . 2008-07-07 23:11 -------- d-----w- c:\program files\Yahoo!
2009-08-02 19:15 . 2003-10-11 12:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Sonic
2009-07-31 13:59 . 2008-09-24 01:27 -------- d-----w- c:\program files\HiWired
2009-07-31 01:46 . 2008-07-08 15:31 -------- d-----w- c:\program files\RealArcade
2009-07-28 20:33 . 2008-07-11 23:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-28 19:14 . 2008-07-07 20:44 37768 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-27 20:48 . 2008-07-25 00:44 -------- d-----w- c:\program files\Kids Cam Sticker Factory
2009-07-25 09:23 . 2009-07-14 14:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-20 22:30 . 2009-06-08 14:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-07-18 13:24 . 2009-06-23 00:23 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2009-07-17 19:01 . 2008-07-07 22:42 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 14:16 . 2009-07-14 14:16 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-14 03:43 . 2003-10-11 10:49 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 20:51 . 2009-07-08 20:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Neopets Toolbar
2009-07-08 14:25 . 2009-07-08 14:25 -------- d-----w- c:\program files\Disney
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 07:01 . 2009-07-05 07:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-29 16:12 . 2008-07-07 21:52 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2008-07-07 22:42 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-25 13:51 . 2009-06-25 13:20 -------- d-----w- c:\program files\RegistryPatrol3.0
2009-06-25 13:06 . 2009-06-21 22:44 -------- d-----w- c:\program files\Norton Security Scan
2009-06-25 13:06 . 2009-06-21 22:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-23 15:10 . 2009-06-23 15:10 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-23 15:10 . 2003-10-11 12:07 -------- d-----w- c:\program files\Common Files\Real
2009-06-23 15:05 . 2003-10-11 12:07 -------- d-----w- c:\program files\Real
2009-06-23 14:51 . 2009-06-23 14:51 390664 ----a-w- c:\documents and settings\Owner\Application Data\Real\RealOne Player\setup\AU_setup.exe
2009-06-23 14:47 . 2009-06-23 14:47 249856 ------w- c:\windows\Setup1.exe
2009-06-23 14:47 . 2009-06-23 14:47 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-06-23 00:23 . 2009-06-23 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2009-06-23 00:22 . 2009-06-23 00:22 -------- d-----w- c:\program files\Microsoft Picture It! 7
2009-06-23 00:21 . 2009-06-23 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN Messenger 5.0.0544
2009-06-23 00:19 . 2009-06-23 00:19 -------- d-----w- c:\program files\MSN Messenger
2009-06-23 00:04 . 2009-06-23 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\3DVIA
2009-06-21 19:13 . 2009-06-21 19:13 -------- d-----w- c:\program files\Windows Resource Kits
2009-06-20 02:17 . 2009-06-20 02:17 -------- d-----w- c:\program files\MSBuild
2009-06-20 02:17 . 2009-06-20 02:17 -------- d-----w- c:\program files\Reference Assemblies
2009-06-16 14:36 . 2008-07-07 22:43 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2008-07-07 21:52 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2003-10-11 10:06 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2008-07-07 22:42 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2008-07-07 22:44 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2008-07-07 21:52 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2003-05-30 23:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-07-11 23:49 . 2008-07-11 23:49 0 -c--a-w- c:\program files\temp01
2008-07-08 19:14 . 2008-07-08 19:14 24439 -c--a-w- c:\program files\updatejpegprocessing.docx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7f559c93-2b3f-4ad7-8b03-ed64f0b1a494}"= "c:\program files\Windstream Toolbar\Helper.dll" [2009-08-06 201216]

[HKEY_CLASSES_ROOT\clsid\{7f559c93-2b3f-4ad7-8b03-ed64f0b1a494}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{DECE53AA-244F-427E-8935-3A093D249E4C}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 19:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3CA88FF-F62F-4EDF-A42B-E0CB0159EA02}]
2009-08-06 21:55 1338368 ----a-w- c:\program files\Windstream Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
"{31A42398-1CD9-4FB9-8451-BEE871AFD7C3}"= "c:\program files\Windstream Toolbar\Toolbar.dll" [2009-08-06 1338368]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{31a42398-1cd9-4fb9-8451-bee871afd7c3}]
[HKEY_CLASSES_ROOT\FCTB000059851.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{E90A8C7D-65EB-4102-95F8-1037AEA4D353}]
[HKEY_CLASSES_ROOT\FCTB000059851.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
"{31A42398-1CD9-4FB9-8451-BEE871AFD7C3}"= "c:\program files\Windstream Toolbar\Toolbar.dll" [2009-08-06 1338368]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{31a42398-1cd9-4fb9-8451-bee871afd7c3}]
[HKEY_CLASSES_ROOT\FCTB000059851.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{E90A8C7D-65EB-4102-95F8-1037AEA4D353}]
[HKEY_CLASSES_ROOT\FCTB000059851.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" - c:\windows\system32\nview.dll [2003-08-19 852038]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"WT GameChannel"="c:\program files\WildTangent\Apps\GameChannel.exe" [2003-04-30 184784]
"wcmdmgr"="c:\windows\wt\updater\wcmdmgrl.exe" [2002-09-27 20480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-23 198160]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-21 177472]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-05-01 645328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-15 40960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-11 984352]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\WildTangent\\Apps\\ddcmigrate.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=
"c:\\Program Files\\Windstream Toolbar\\TroubleShooter.exe"=
"c:\\Program Files\\Windstream Toolbar\\ToolbarUpdate.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/29/2009 8:13 PM 210216]
.
Contents of the 'Scheduled Tasks' folder

2009-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-30 12:57]

2009-08-17 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-30 12:57]

2009-08-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.windstream.net/wind/portal/index.aspx
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.9.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
.
------- File Associations -------
.
vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 16:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Owner\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\program files\McAfee\SiteAdvisor\saHook.dll

- - - - - - - > 'explorer.exe'(1828)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Defender\MsMpEng.exe
c:\windows\system32\netdde.exe
c:\windows\system32\dllhost.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\msdtc.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\windows\system32\hpzipm12.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\locator.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-08-17 16:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-17 20:10
ComboFix2.txt 2009-08-05 21:59

Pre-Run: 58,911,391,744 bytes free
Post-Run: 58,850,963,456 bytes free

307 --- E O F --- 2009-08-16 04:20

#8 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 17 August 2009 - 09:25 PM

Hello.

Combofix ran twice. I would like to see the contents of everything Combofix quarantined however.

Please navigate to the Qoobox folder.

C:\QooBox <- This folder

In that folder, there should be a log file called Add-Remove Programs.txt

Please post the contents of that log file in your next reply.

--

You can also run a scan with Malwarebytes.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Take a new DDS run afterwards and post back with both the DDS and Attach logs please.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 21 August 2009 - 07:59 AM

Hello.

Are you still there?

#10 sdcurry1

  • Topic Starter
  • Members
  • 9 posts

Posted 21 August 2009 - 04:17 PM

Sorry for the delay. I've copied the Malwarebytes file followed by the ComboFix Add/Remove. FYI: I ran a prior scan about a week ago and it discovered over 600 items. Let me know if that might help, too.

Malwarebytes' Anti-Malware 1.40
Database version: 2672
Windows 5.1.2600 Service Pack 3

8/21/2009 5:11:00 PM
mbam-log-2009-08-21 (17-11-00).txt

Scan type: Quick Scan
Objects scanned: 119407
Time elapsed: 21 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Combo Fix Add/Remove

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Album Starter Edition
Adobe Reader 7.0
Adobe Shockwave Player 11.5
AiO_Scan
AIOMinimal
AiOSoftware
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Blackhawk Striker from Compaq (remove only)
Blasterball 2 from Compaq (remove only)
Bonjour
Bounce Symphony from Compaq (remove only)
Collapse! Crunch
Collapse! Deluxe
Compaq Connections
Compaq Instant Support
Compaq Organize
Compatibility Pack for the 2007 Office system
Copy
CreativeProjects
Critical Update for Windows Media Player 11 (KB959772)
Diamond Detective
Director
Disney's Toontown Online
Disney Toontown Online
DocProc
Excavation from Compaq (remove only)
Fax
Five Card Frenzy from Compaq (remove only)
Free Realms Installer
Glary Registry Repair 3.0
Hardwood Hearts
Hardwood Spades
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Deskjet Preloaded Printer Drivers
HP Photo & Imaging 3.1
HP Photo and Imaging 2.0 - Photosmart Cameras
HP Product Detection
HP PSC & OfficeJet 3.0
HP Software Update
hpmdtab
HpSdpAppCoreApp
HPSystemDiagnostics
InstantShare
Intel® Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
iTunes
Java 2 Runtime Environment, SE v1.4.2
Java™ 6 Update 15
KBD
Kids Cam Sticker Factory
Malwarebytes' Anti-Malware
McAfee Active Protection
McAfee SecurityCenter
McAfee Virtual Technician
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Learning and Research Plus Support Files
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office Standard Edition 2003
Microsoft Picture It! Express 7.0
Microsoft Plus! Digital Media Edition
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
MobileMe Control Panel
MSN Internet Software
MSN Messenger 5.0
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
NVIDIA GART Driver
Orbital from Compaq (remove only)
Otto from Compaq (remove only)
Overball from Compaq (remove only)
PC-Doctor for Windows
PhotoGallery
Photosmart 140,240,7200,7600,7700,7900 Series
Polar Bowler from Compaq (remove only)
PrintScreen
PS2
PSShortcutsP
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickBooks Simple Start 2009
QuickProjects
QuickTime
Rainforest Adventure
Readme
RealArcade
RealPlayer
RecordNow!
Safari
Scan
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Shockwave
SkinsHP1
SkinsHP2
Slyder from Compaq (remove only)
Sonic Update Manager
Super Collapse
Super Collapse! 3
Super Collapse! II
SupportSoft Assisted Service
TrayApp
U.B. Funkeys
Uninstall Dual Mode Camera
Unload
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Viewpoint Media Player (Remove Only)
Visual Studio 2005 Tools for Office Second Edition Runtime
WebFldrs XP
WebReg
WildGames
WildTangent GameChannel (remove only)
Windows Defender
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
Windstream Toolbar
Word Mojo Deluxe
Zone Deluxe Games

#11 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 21 August 2009 - 04:29 PM

Hello.

Made a minor error on my side.

Please navigate to the C:\qoobox folder again.

In there, there should be a text document called Combofix-quarantined-files.txt. Post the contents of that log in your next reply please.

Give me an update of the condition of your machine as well.


Thanks.

With Regards,
Extremeboy

#12 sdcurry1

  • Topic Starter
  • Members
  • 9 posts

Posted 21 August 2009 - 04:30 PM

Oops. Here's the DDS files, too.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 17:21:25.02 on Fri 08/21/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1016.476 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.windstream.net/wind/portal/index.aspx
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: FCToolbarURLSearchHook Class: {7f559c93-2b3f-4ad7-8b03-ed64f0b1a494} - c:\program files\windstream toolbar\Helper.dll
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {CD292324-974F-4224-D074-CACA427AA030} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Freecause Toolbar BHO: {f3ca88ff-f62f-4edf-a42b-e0cb0159ea02} - c:\program files\windstream toolbar\Toolbar.dll
TB: {CD292324-974F-4224-D074-CACA427AA030} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Windstream Toolbar: {31a42398-1cd9-4fb9-8451-bee871afd7c3} - c:\program files\windstream toolbar\Toolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CamMonitor] c:\program files\hp\digital imaging\unload\hpqcmon.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [LTMSG] LTMSG.exe 7
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [WT GameChannel] c:\program files\wildtangent\apps\GameChannel.exe
mRun: [wcmdmgr] c:\windows\wt\updater\wcmdmgrl.exe -launch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215526830500
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215527201109
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.9.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} - hxxp://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.38.38/ttinst.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5493/mcfscan.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-29 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-29 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-29 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-29 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-29 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-29 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-29 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-29 40552]

============== File Associations ===============

vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

=============== Created Last 30 ================

2009-08-21 16:39 <DIR> --d----- c:\windows\Intuit
2009-08-17 20:10 <DIR> --d----- c:\windows\system32\NtmsData
2009-08-17 15:56 <DIR> --dsh--- C:\found.000
2009-08-12 22:47 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-06 17:54 <DIR> --d----- c:\program files\Windstream Toolbar
2009-08-06 13:17 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-06 13:17 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-05 17:57 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-05 17:42 <DIR> a-dshr-- C:\cmdcons
2009-08-05 17:33 216,064 a------- c:\windows\PEV.exe
2009-08-05 17:33 161,792 a------- c:\windows\SWREG.exe
2009-08-05 17:33 98,816 a------- c:\windows\sed.exe
2009-08-05 09:41 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-03 18:40 <DIR> --d----- c:\program files\iPod
2009-08-03 18:40 <DIR> --d----- c:\program files\iTunes
2009-08-02 15:58 <DIR> --d----- c:\program files\Trend Micro
2009-08-02 15:55 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-08-02 15:48 <DIR> --d----- c:\windows\Downloaded Installations
2009-08-02 15:31 129,520 -------- c:\windows\system32\pxafs.dll
2009-08-02 15:31 122,864 -------- c:\windows\system32\pxinsi64.exe
2009-08-02 15:31 120,816 -------- c:\windows\system32\pxcpyi64.exe
2009-08-02 15:31 9,200 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-08-02 15:31 9,072 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-07-30 20:37 <DIR> --d----- C:\ProgramData
2009-07-30 20:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-07-29 20:23 11,335 a------- c:\windows\system32\Config.MPF
2009-07-29 20:08 79,816 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-07-29 20:08 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-07-29 20:08 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-07-29 20:08 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-07-29 20:07 <DIR> --d----- c:\program files\common files\McAfee
2009-07-29 20:07 <DIR> --d----- c:\program files\McAfee.com
2009-07-29 20:06 <DIR> --d----- c:\program files\McAfee
2009-07-29 19:59 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-07-29 16:59 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-07-29 16:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 16:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-29 03:02 1,104,769 a------- c:\windows\setupapi.log.2.old
2009-07-28 17:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-07-28 17:12 <DIR> --d----- c:\program files\Citrix
2009-07-28 17:12 61,224 a------- c:\documents and settings\owner\GoToAssistDownloadHelper.exe
2009-07-28 15:13 <DIR> --d----- c:\program files\MSECache
2009-07-28 11:13 <DIR> --d----- c:\docume~1\owner\applic~1\AVG8
2009-07-28 10:50 <DIR> --d----- c:\program files\AVG

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-02 10:48 33,272 a---h--- c:\windows\system32\mlfcache.dat
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-05 03:01 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 03:01 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-29 12:12 78,336 -------- c:\windows\system32\ieencode.dll
2009-06-23 10:47 249,856 -------- c:\windows\Setup1.exe
2009-06-23 10:47 73,216 a------- c:\windows\ST6UNST.EXE
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-07-11 19:49 0 ac------ c:\program files\temp01
2008-07-08 15:14 24,439 ac------ c:\program files\updatejpegprocessing.docx

============= FINISH: 17:22:53.27 ===============

Attached Files
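
When a helper says a DDS log "looks good", the part they read most closely is the Pseudo HJT Report above: browser helper objects, toolbars, search hooks, Run keys and downloaded ActiveX controls (DPF). The script below is an added example, not code from this thread or from the DDS tool. It parses lines in the shapes that appear in the posted report (the sample lines are copied from that log and labelled as constructed input), then pulls out three things an analyst checks by hand: entries that point at a file that is gone ("No File", leftovers that are safe to clean), Run-key commands that name an executable without an absolute path (the file has to be located before the entry can be judged), and the hosts that served DPF controls. The entry layout, the `hxxp` defanging and the field names are assumptions taken from the log as posted, not a documented DDS format.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example, not code from the thread or from the DDS tool. It parses the
report lines, then lists entries whose file is gone ("No File"), Run-key
commands that give no absolute path, and the hosts behind DPF entries.
"""
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the Pseudo HJT section posted above;
# the lines are copied from that log and chosen to exercise each check.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.windstream.net/wind/portal/index.aspx
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: FCToolbarURLSearchHook Class: {7f559c93-2b3f-4ad7-8b03-ed64f0b1a494} - c:\program files\windstream toolbar\Helper.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
TB: {CD292324-974F-4224-D074-CACA427AA030} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
mRun: [LTMSG] LTMSG.exe 7
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.38.38/ttinst.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<kind>[um]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SETTING_RE = re.compile(r"^(?P<key>[um][^:=]+?)\s*=\s*(?P<value>.*)$")
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z]+):\s*(?P<rest>.*)$")
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%\w+%\\)")  # drive letter or %windir%-style root


def parse_line(line):
    """One report line -> dict(kind, name, clsids, target), or None if unrecognised."""
    line = line.strip()
    if not line:
        return None
    m = RUN_RE.match(line)  # uRun/mRun: [Name] command line
    if m:
        return {"kind": m["kind"], "name": m["name"], "clsids": [], "target": m["cmd"]}
    m = SETTING_RE.match(line)  # uStart Page = ..., uSearchURL,(Default) = ...
    if m:
        return {"kind": "setting", "name": m["key"], "clsids": [], "target": m["value"]}
    m = ENTRY_RE.match(line)  # BHO:, TB:, DPF:, Handler:, uURLSearchHooks: ...
    if not m:
        return None
    head, sep, target = m["rest"].rpartition(" - ")  # text after the last " - " is the file/URL
    if not sep:
        head, target = m["rest"], ""
    clsids = CLSID_RE.findall(head)
    name = CLSID_RE.sub("", head).strip(" -:")
    return {"kind": m["kind"], "name": name, "clsids": clsids, "target": target.strip()}


def parse_report(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def orphaned_entries(entries):
    """Entries whose registered file no longer exists: leftovers to clean up."""
    return [e for e in entries if e["target"] == "No File"]


def run_entries_without_path(entries):
    """Run-key commands naming the executable without an absolute path.

    Windows resolves these through the search path, so the analyst has to
    locate the file before judging the entry.
    """
    flagged = []
    for e in entries:
        cmd = e["target"]
        if e["kind"] not in ("uRun", "mRun") or not cmd:
            continue
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]
        if not ABS_PATH_RE.match(exe):
            flagged.append(e)
    return flagged


def dpf_download_hosts(entries):
    """Hosts that served downloaded ActiveX controls; DDS writes http as hxxp."""
    hosts = set()
    for e in entries:
        if e["kind"] == "DPF" and e["target"].startswith("hxxp"):
            hosts.add(urlparse("http" + e["target"][4:]).hostname)
    return sorted(hosts)


def triage(text):
    """Summarise the checks over one report; the lists are what a reviewer reads first."""
    entries = parse_report(text)
    return {
        "entries": len(entries),
        "orphaned": [(e["kind"], e["name"] or (e["clsids"][0] if e["clsids"] else "?"))
                     for e in orphaned_entries(entries)],
        "run_without_path": [e["name"] for e in run_entries_without_path(entries)],
        "dpf_hosts": dpf_download_hosts(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run it on a saved DDS log by passing the Pseudo HJT section to `triage()`. On the sample it reports three "No File" leftovers (the search hook "H", one BHO and one toolbar by CLSID), two Run entries to locate by hand (NVIEW and LTMSG), and two DPF hosts; none of that is by itself a verdict, which is why the thread's helper still asked for a full scan before calling the machine clean.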



#13 sdcurry1

  • Topic Starter
  • Members
  • 9 posts

Posted 21 August 2009 - 04:37 PM

Here's the quarantined files:

2009-08-05 21:57:46 . 2009-08-05 21:57:46 183 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-EA Core.reg.dat
2009-08-05 21:55:11 . 2002-09-11 07:02:32 45 ----a-w- C:\Qoobox\Quarantine\D\Autorun.inf.vir
2009-08-05 21:51:57 . 2009-08-17 19:46:00 5,831 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-08-05 21:33:17 . 2009-08-17 19:26:13 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2003-10-14 13:32:41 . 2003-10-14 13:32:41 2,580,480 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\1a7fb.msi.vir
2003-10-11 12:53:20 . 2003-10-11 12:53:21 11,905,536 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\20c97a.msi.vir
2003-10-11 12:16:40 . 2003-10-11 12:16:40 3,256,320 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\12e6c.msi.vir
2003-05-20 02:36:34 . 2003-05-20 02:36:34 2,250,240 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\12e5e.msi.vir

My computer is still very slow so I'm deleting all unnecessary programs, running defrag, etc. Hopefully that will help.

Are all the log files showing my computer as clean?

#14 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 21 August 2009 - 04:51 PM

Hello.

The logs look good so far.

Your computer being so slow can be due to several reasons. I know McAfee is a resource hog from others' experience, and especially since you don't have a lot of RAM or memory available left, it may cause the computer to slow down. You may wish to install an alternative anti-virus software. Let me know if you do wish to do so.

Continue with the following:

Download and Run StartupLite

This program will identify startup entries that do not need to be started at bootup. This will help free some memory.
  • Download StartupLite.exe by MalwareBytes to your desktop.
  • Double click on StartUpLite.exe to run it. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • A list of unnecessary startup entries will be compiled.
  • Read the description of each; for most of them you probably won't need it, so please make sure there is a checkmark next to Disable.
  • Leave all the items as Disabled and click Continue.
  • Restart your computer once it's done.
If that does not work/help, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.



Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

With Regards,
Extremeboy

#15 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 24 August 2009 - 02:53 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy



