Unable to open any anti-virus website and Microsoft.com


  • This topic is locked
46 replies to this topic

#1 Rhazes

  • Members
  • 34 posts

Posted 20 October 2009 - 02:07 AM

Hi there! I really need your help; my laptop is having these symptoms:
- I cannot open any antivirus sites or update my antivirus
- I cannot open Windows-related sites or run Windows Update
- Security Centre gets disabled every time I start or reboot my laptop


DDS (Ver_09-10-13.01) - NTFSx86
Run by Administrator at 13:07:08.25 on Tue 10/20/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.216 [GMT 8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6145\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\DOCUME~1\ADMINI~1.FAK\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\SiteAdvisor\6145\SAService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\TUProgSt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator.FAKHRUR\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6145\SiteAdv.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptcl.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6145\SiteAdv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles
mRun: [Nokia FastStart] "c:\program files\nokia\nokia music\NokiaMusic.exe" /command:faststart
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [MskAgentexe] c:\program files\mcafee\msk\MskAgent.exe
mRun: [SiteAdvisor] c:\program files\siteadvisor\6145\SiteAdv.exe
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184072933625
DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} - hxxp://202.71.104.89/ibrowser/cibrowser_1_1_1_130.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6145\SiteAdv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.fak\applic~1\mozilla\firefox\profiles\n2174u33.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\administrator.fakhrur\application data\mozilla\plugins\npPxPlay.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-10-18 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-10-18 59664]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-2-17 603904]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-11-4 14336]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-10 602392]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-10-18 33552]
S2 oyftmmkyu;Time Manager;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-8-11 7680]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-7-11 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-7-11 8320]
S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-7-10 43008]
S3 WPEServ;WPEServ;c:\program files\common files\wpe\wpeserv.exe [2008-1-15 65536]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2009-8-11 110080]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2009-8-11 104960]
S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-10-18 23:26 3,394 a------- c:\windows\system32\Config.MPF
2009-10-18 23:22 <DIR> --d----- c:\program files\SiteAdvisor
2009-10-18 23:22 <DIR> --d----- c:\docume~1\admini~1.fak\applic~1\SiteAdvisor
2009-10-18 23:21 143,360 a------- c:\windows\system32\dunzip32.dll
2009-10-18 23:19 32,008 a------- c:\windows\system32\drivers\mferkdk.sys
2009-10-18 23:19 37,480 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-10-18 23:19 34,184 a------- c:\windows\system32\drivers\mfebopk.sys
2009-10-18 23:19 170,408 a------- c:\windows\system32\drivers\mfehidk.sys
2009-10-18 23:19 71,496 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-10-18 23:19 109,608 a------- c:\windows\system32\drivers\Mpfp.sys
2009-10-18 23:18 <DIR> --d----- c:\program files\McAfee.com
2009-10-18 23:18 <DIR> --d----- c:\program files\common files\McAfee
2009-10-18 23:18 <DIR> --d----- c:\program files\McAfee
2009-10-18 03:36 59,664 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-10-18 03:36 51,984 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-10-18 03:36 33,552 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-10-18 03:36 <DIR> --d----- c:\program files\ThreatFire
2009-10-18 03:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-10-17 22:19 0 a---h--- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-10-17 22:19 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-10-08 23:27 <DIR> --dsh--- C:\found.001
2009-09-26 18:47 <DIR> --dsh--- c:\documents and settings\administrator.fakhrur\Phone Browser
2009-09-26 15:44 5,632 a------- c:\windows\system32\ptpusb.dll
2009-09-26 15:44 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2004-08-03 23:56 165,826 a--shr-- c:\windows\system32\zplxj.dll

============= FINISH: 13:09:38.42 ===============

#2 thewall

  • Malware Response Team
  • 6,425 posts

Posted 21 October 2009 - 02:37 PM

Hello Rhazes! Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





I would like for you to run another ARK scan:


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER file you downloaded (gmer.exe or the randomly named file) on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a prompt window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.




Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#3 Rhazes
  • Topic Starter
  • Members
  • 34 posts

Posted 22 October 2009 - 02:36 AM

Thanks thewall.

Is there any problem if I scanned while connected to the Internet?

#4 Rhazes
  • Topic Starter
  • Members
  • 34 posts

Posted 22 October 2009 - 04:22 AM

Hi thewall,

I can't post the log, as this notice appeared:
'Sorry, your post was too long, please reduce it.'

What should I do now? Should I post it as an attachment?

Thanks.

#5 thewall

  • Malware Response Team
  • 6,425 posts

Posted 22 October 2009 - 09:03 AM

It was OK that you scanned while connected and yes go ahead and make it an attachment.

#6 Rhazes
  • Topic Starter
  • Members
  • 34 posts

Posted 22 October 2009 - 09:32 AM

Hi thewall..

I also can't attach the log, although it is just a 979KB text file. So how?

#7 thewall

  • Malware Response Team
  • 6,425 posts

Posted 22 October 2009 - 09:39 AM

For the time being just copy and paste some of the top and the bottom of the log. It might be that we have to run it differently but let's see first.

#8 Rhazes
  • Topic Starter
  • Members
  • 34 posts

Posted 22 October 2009 - 10:23 AM

Hi! Here's the 1st part

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-22 15:38:39
Windows 5.1.2600 Service Pack 2
Running: 73ezwq8y.exe; Driver: C:\DOCUME~1\ADMINI~1.FAK\LOCALS~1\Temp\kfrdypow.sys


---- System - GMER 1.0.15 ----

SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwCreateKey [0xF72ADA1C]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteKey [0xF72ADC10]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteValueKey [0xF72ADCB6]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwOpenKey [0xF72AD90C]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwSetValueKey [0xF72ADE52]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwTerminateProcess [0xF72AFB30]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xBA29957D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xBA2995A7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xBA2995D1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xBA299591]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xBA299527]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xBA2995E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xBA2995BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80503DBC 7 Bytes JMP BA2995BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[172] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[172] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [1B, 71]
.text C:\WINDOWS\System32\svchost.exe[172] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 01AF9DD2
.text C:\WINDOWS\System32\svchost.exe[172] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[172] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [34, 71] {XOR AL, 0x71}
.text C:\WINDOWS\System32\svchost.exe[172] kernel32.dll!DeviceIoControl 7C801625 6 Bytes JMP 7098000A
.text C:\WINDOWS\System32\svchost.exe[172] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02EC0FEF
.text C:\WINDOWS\System32\svchost.exe[172] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02EC0F26

Edited by thewall, 22 October 2009 - 11:15 PM.


#9 thewall

  • Malware Response Team
  • 6,425 posts

Posted 22 October 2009 - 10:41 AM

I see that you are running both McAfee and ThreatFire at the same time. I am concerned about a conflict between the two so please disable the ThreatFire per the instructions below:

I also see you have MalwareBytes already on your computer. Did it show any signs of infections when you ran it and can you tell me the approximate date these troubles started?






Right click on ThreatFire's icon near the clock (it's an orange flame) and select Suspend.

When you see that the icon has turned from an orange flame to a blue icon with an orange strip in the middle, ThreatFire has been disabled temporarily.

#10 Rhazes
  • Topic Starter
  • Members
  • 34 posts

Posted 22 October 2009 - 04:31 PM

Ok, I've disabled ThreatFire.

Malwarebytes did show a sign of infection, but I've forgotten what type of infection it was, since I ran it for the first time approx. 2 months ago.
All the troubles started then, plus my antivirus has been expired until today because I can't update it.

I'll post you the next series of the log, but do you think it's better for me to just email you?

#11 Rhazes
  • Topic Starter
  • Members
  • 34 posts

Posted 22 October 2009 - 09:10 PM

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] oyftmmkyu <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu@DisplayName Time Manager
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu@Description Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu\Parameters@ServiceDll C:\WINDOWS\system32\zplxj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\oyftmmkyu@DisplayName Time Manager
Reg HKLM\SYSTEM\ControlSet002\Services\oyftmmkyu@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\oyftmmkyu@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\oyftmmkyu@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\oyftmmkyu@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\oyftmmkyu@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\oyftmmkyu@Description Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Reg HKLM\SYSTEM\ControlSet002\Services\oyftmmkyu\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\oyftmmkyu\Parameters@ServiceDll C:\WINDOWS\system32\zplxj.dll

---- EOF - GMER 1.0.15 ----

Edited by thewall, 22 October 2009 - 11:07 PM.
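The GMER "Services" and "Registry" sections above, read together with the DDS log in the first post, show the whole mechanism: a service with a random name (oyftmmkyu) and a plausible display name ("Time Manager") is hosted by the standard svchost.exe netsvcs group, so it shows up in DDS as just another svchost entry, but its Parameters\ServiceDll points at c:\windows\system32\zplxj.dll, which DDS listed under Find3M with the system+hidden+readonly attributes (a--shr--) and a 2004 timestamp chosen to blend in with the Windows install. Its Description is also the stock Windows Event Log service text. The script below is an added example written for this thread (it is not a tool from GMER, DDS, BleepingComputer or either poster) that parses those two log formats and flags such a service. Its netsvcs DLL allow-list is a deliberately partial, assumed list; the wuauserv control entry is constructed here and would not normally appear in GMER output because that service is not hidden.

```python
"""Correlate GMER 'Reg' lines with a DDS file listing to flag a svchost-hosted
service whose ServiceDll is not a known Windows component. Added example for
this thread; not code from GMER, DDS, BleepingComputer or the posters."""
import re
from collections import defaultdict

# Constructed sample input: rogue-service lines copied from the GMER log above,
# plus a benign wuauserv entry written here as a control (GMER would not
# normally list it, since it is not hidden).
GMER_REGISTRY = r"""
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu@DisplayName Time Manager
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu@Description Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyftmmkyu\Parameters@ServiceDll C:\WINDOWS\system32\zplxj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\oyftmmkyu@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\oyftmmkyu\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\oyftmmkyu\Parameters@ServiceDll C:\WINDOWS\system32\zplxj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\wuauserv@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters@ServiceDll %SystemRoot%\system32\wuauserv.dll
"""

# Constructed sample input: two Find3M lines copied from the DDS log above.
DDS_FILES = r"""
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2004-08-03 23:56 165,826 a--shr-- c:\windows\system32\zplxj.dll
"""

# Illustrative, deliberately partial allow-list of DLLs that legitimately run in
# the XP "netsvcs" svchost group. Assumption: a real check compares against a
# known-good baseline captured from a clean install of the same build.
KNOWN_NETSVCS_DLLS = {
    "wuauserv.dll", "qmgr.dll", "schedsvc.dll", "browser.dll", "srvsvc.dll",
    "wkssvc.dll", "cryptsvc.dll", "shsvcs.dll", "seclogon.dll", "w32time.dll",
}

# Descriptions owned by a specific built-in service; another service reusing
# one is masquerading. The text below is the XP Eventlog service description.
KNOWN_DESCRIPTIONS = {
    "Enables event log messages issued by Windows-based programs and components "
    "to be viewed in Event Viewer. This service cannot be stopped.": "Eventlog",
}

REG_LINE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?P<sub>(?:\\\w+)*)(?:@(?P<name>\w+)\s?(?P<data>.*?))?\s*(?:\(.*\))?$")
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) \d\d:\d\d (?:[\d,]+|<DIR>) "
    r"(?P<attr>[-a-z]{8}) (?P<path>.+)$")


def parse_gmer_registry(text):
    """Return {(control_set, service): {value_name: data}}; values under a
    subkey are stored as 'Subkey.Name', e.g. 'Parameters.ServiceDll'."""
    services = defaultdict(dict)
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if not m or not m.group("name"):
            continue  # blank line, key-only line, or something GMER formats differently
        sub = m.group("sub").strip("\\")
        key = f"{sub}.{m.group('name')}" if sub else m.group("name")
        services[(m.group("cs"), m.group("svc"))][key] = m.group("data")
    return services


def parse_dds_files(text):
    """Return {lowercased path: (date, attribute flags)} from DDS file lines."""
    files = {}
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if m:
            files[m.group("path").lower()] = (m.group("date"), m.group("attr"))
    return files


def find_rogue_svchost_services(gmer_text, dds_text, known_dlls=KNOWN_NETSVCS_DLLS):
    """Flag svchost-hosted services whose ServiceDll is unknown, whose
    description is copied from another service, or whose DLL on disk carries
    the system+hidden+readonly attributes. Returns {service: details}."""
    files = parse_dds_files(dds_text)
    findings = {}
    for (cs, svc), vals in parse_gmer_registry(gmer_text).items():
        if "svchost.exe" not in vals.get("ImagePath", "").lower():
            continue
        dll = vals.get("Parameters.ServiceDll", "")
        basename = dll.rsplit("\\", 1)[-1].lower()
        reasons = set()
        if basename not in known_dlls:
            reasons.add(f"ServiceDll {basename} is not a known netsvcs component")
        owner = KNOWN_DESCRIPTIONS.get(vals.get("Description", ""))
        if owner and owner.lower() != svc.lower():
            reasons.add(f"description copied from the {owner} service")
        on_disk = files.get(dll.lower())
        if on_disk and all(flag in on_disk[1] for flag in "shr"):
            reasons.add(f"DLL is system+hidden+readonly on disk, dated {on_disk[0]}")
        if reasons:
            entry = findings.setdefault(
                svc, {"service_dll": dll, "control_sets": set(), "reasons": set()})
            entry["control_sets"].add(cs)
            entry["reasons"] |= reasons
    return findings


if __name__ == "__main__":
    for svc, info in find_rogue_svchost_services(GMER_REGISTRY, DDS_FILES).items():
        print(f"{svc}: {info['service_dll']} ({', '.join(sorted(info['control_sets']))})")
        for reason in sorted(info["reasons"]):
            print(f"  - {reason}")
```

Run stand-alone it reports oyftmmkyu once, with all three reasons and both control sets, and says nothing about wuauserv. The ControlSet002 copy matters in practice: a fix that only touches CurrentControlSet leaves the service ready to come back through the other control set, which is why tools like GMER list both.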


#12 Rhazes
  • Topic Starter
  • Members
  • 34 posts

Posted 22 October 2009 - 10:47 PM

Hi thewall!

I've found the logs of Malwarebytes' Anti-Malware that I ran on my laptop. I have attached them here for your reference.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

9/12/2009 1:23:24 PM
mbam-log-2009-09-12 (13-23-01).txt

Scan type: Quick Scan
Objects scanned: 145066
Time elapsed: 1 hour(s), 11 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

9/12/2009 1:24:06 PM
mbam-log-2009-09-12 (13-24-06).txt

Scan type: Quick Scan
Objects scanned: 145066
Time elapsed: 1 hour(s), 11 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

9/12/2009 3:41:24 PM
mbam-log-2009-09-12 (15-41-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 282643
Time elapsed: 1 hour(s), 15 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\NLDRV\056\lvds.sys (Rootkit.Rustock) -> No action taken.
C:\WINDOWS\NLDRV\056\ns2501.sys (Rootkit.Rustock) -> No action taken.
C:\WINDOWS\NLDRV\056\ns387.sys (Rootkit.Rustock) -> No action taken.
C:\WINDOWS\NLDRV\056\sii164.sys (Rootkit.Rustock) -> No action taken.
C:\WINDOWS\NLDRV\056\th164.sys (Rootkit.Rustock) -> No action taken.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

9/13/2009 10:00:59 PM
mbam-log-2009-09-13 (22-00-52).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 283002
Time elapsed: 1 hour(s), 14 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Following these scans, I also ran other scans, but nothing was detected. Despite that, I still can't update my antivirus, open antivirus websites or update my Windows.

Thanks.
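Two of the Malwarebytes findings above are not files but "Registry Data Items": Security Center\UpdatesDisableNotify flipped to 1 (which silences the update warnings the poster describes losing) and Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue set to 0 (which keeps hidden files like zplxj.dll out of sight). The "Bad:/Good:" pair in each line tells you exactly what to put back. As an added example for this thread (not Malwarebytes' own code, and not anything either participant posted), the script below parses those lines and emits a .reg file that restores the Good value of every item MBAM reported but did not already repair. It assumes both values are REG_DWORD, which is how Windows defines them; the sample lines are copied from the second log above. Restoring the values is only useful once whatever re-applies them on each boot (here, the hidden oyftmmkyu service) is gone, which is why the helper keeps the fix for the end.

```python
"""Turn the 'Registry Data Items Infected' lines of a Malwarebytes log into a
.reg script that restores each item's 'Good' value. Added example for this
thread; not Malwarebytes' own code or anything posted by the participants."""
import re

# Constructed sample input: the two data-item lines from the second MBAM log above.
MBAM_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Not selected for removal.
"""

# key\value (family) -> Bad: (x) Good: (y) -> action
DATA_ITEM = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.+)\\(?P<value>[^\\ ]+) \((?P<family>[^)]+)\) "
    r"-> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")


def parse_data_items(text):
    """Return one dict (key, value, family, bad, good, action) per matching line."""
    items = []
    for line in text.splitlines():
        m = DATA_ITEM.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items


def build_repair_reg(text):
    """Emit a 'Windows Registry Editor Version 5.00' script that restores the
    Good value of every item MBAM reported but did not already repair.
    Assumption: numeric Good values are REG_DWORD (true for both items here);
    anything non-numeric is written as a REG_SZ string."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for item in parse_data_items(text):
        if item["action"].startswith("Quarantined"):
            continue  # MBAM already put this one back
        good = item["good"]
        data = "dword:%08x" % int(good) if good.isdigit() else '"%s"' % good
        lines.append("[%s]" % item["key"])
        lines.append('"%s"=%s' % (item["value"], data))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_repair_reg(MBAM_LOG))
```

With the sample input only the SHOWALL\CheckedValue entry is written out, because MBAM had already restored UpdatesDisableNotify in that run; the resulting file can be reviewed and then imported with regedit. Keep the original log, since the Bad value is evidence of what the infection changed.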

#13 thewall

  • Malware Response Team
  • 6,425 posts

Posted 22 October 2009 - 11:19 PM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue. Click on Yes to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#14 Rhazes
  • Topic Starter
  • Members
  • 34 posts

Posted 23 October 2009 - 02:59 AM

My laptop is still hung.
The blue screen still shows:

"Preparing Log Report.
Do not run any programs until ComboFix has finished."

Should I wait till the log is prepared?

#15 Rhazes
  • Topic Starter
  • Members
  • 34 posts

Posted 23 October 2009 - 03:25 AM

Ok, I've got it.

ComboFix 09-10-21.02 - Administrator 10/23/2009 14:32.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.143 [GMT 8:00]
Running from: c:\documents and settings\Administrator.FAKHRUR\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\clrviddc.dll
c:\windows\system32\logs
c:\windows\system32\logs\Events.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-18 15:22 . 2009-10-18 15:22 -------- d-----w- c:\documents and settings\LocalService\Application Data\SiteAdvisor
2009-10-18 15:22 . 2009-10-18 15:22 -------- d-----w- c:\program files\SiteAdvisor
2009-10-18 15:22 . 2009-10-22 21:24 -------- d-----w- c:\documents and settings\Administrator.FAKHRUR\Application Data\SiteAdvisor
2009-10-18 15:21 . 2006-03-03 03:07 143360 ----a-w- c:\windows\system32\dunzip32.dll
2009-10-18 15:19 . 2006-12-22 08:02 32008 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-18 15:19 . 2006-12-22 08:02 37480 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-18 15:19 . 2006-12-22 08:02 34184 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-18 15:19 . 2006-12-22 08:02 170408 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-18 15:19 . 2006-12-22 08:02 71496 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-18 15:19 . 2007-03-02 06:16 109608 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-18 15:18 . 2009-10-18 15:18 -------- d-----w- c:\program files\McAfee.com
2009-10-18 15:18 . 2009-10-18 15:20 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-18 15:18 . 2009-10-19 11:25 -------- d-----w- c:\program files\McAfee
2009-10-17 19:36 . 2009-09-23 00:07 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-10-17 19:36 . 2009-09-23 00:07 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-10-17 19:36 . 2009-09-23 00:07 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-10-17 19:36 . 2009-10-17 19:36 -------- d-----w- c:\program files\ThreatFire
2009-10-17 19:36 . 2009-10-17 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-08 15:27 . 2009-10-08 15:27 -------- d-----w- C:\found.001
2009-10-06 15:02 . 2009-10-06 15:02 204608 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-06 15:02 . 2009-10-06 15:02 -------- d-----w- c:\documents and settings\Guest\Application Data\Vodafone
2009-10-06 15:02 . 2009-10-06 15:02 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes
2009-09-26 10:47 . 2009-09-26 10:48 -------- d-sh--w- c:\documents and settings\Administrator.FAKHRUR\Phone Browser
2009-09-26 07:44 . 2001-08-17 14:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-09-26 07:44 . 2004-08-03 16:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-19 11:20 . 2009-07-18 10:54 385488 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-18 15:23 . 2008-07-21 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-18 15:22 . 2009-07-31 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-10-17 18:57 . 2009-09-10 15:50 -------- d-----w- c:\program files\F-Secure Internet Security
2009-10-17 18:53 . 2008-04-08 03:48 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-10-17 14:19 . 2009-10-17 14:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-10-17 14:19 . 2009-10-17 14:19 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-10-17 14:18 . 2009-07-11 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2009-09-13 14:00 . 2009-09-12 04:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-12 04:08 . 2009-07-13 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-12 04:07 . 2009-09-12 04:07 -------- d-----w- c:\documents and settings\Administrator.FAKHRUR\Application Data\Malwarebytes
2009-09-12 04:07 . 2009-09-12 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-12 03:40 . 2009-09-12 03:40 -------- d-----w- c:\program files\Trend Micro
2009-09-12 02:23 . 2009-09-12 02:23 -------- d-----w- c:\program files\MSXML 6.0
2009-09-10 15:49 . 2008-04-08 03:48 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2009-09-10 06:54 . 2009-09-12 04:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 06:53 . 2009-09-12 04:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 07:12 . 2009-08-08 18:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-16 04:20 . 2008-07-05 04:09 204608 ----a-w- c:\documents and settings\Administrator.FAKHRUR\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-08-03 15:56 . 2004-08-03 15:56 165826 --sha-r- c:\windows\system32\zplxj.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\sfcfiles.dll
[-] 2007-07-03 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-30 68856]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2007-05-17 707344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-28 8429568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-02 185872]
"Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2009-02-26 2376992]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-11-04 2087424]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-09-23 382224]
"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144]
"SiteAdvisor"="c:\program files\SiteAdvisor\6145\SiteAdv.exe" [2007-06-21 36640]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-01-19 1082920]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-05-17 16342528]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-28 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-12-20 124928]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\KAV\\KIS70\\English\\setup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8369:TCP"= 8369:TCP:seikbyzl

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [10/18/2009 3:36 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [10/18/2009 3:36 AM 59664]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2/17/2009 10:57 PM 603904]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [11/4/2008 11:39 AM 14336]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [10/18/2009 3:36 AM 33552]
S2 oyftmmkyu;Time Manager;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 11:56 PM 14336]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [8/11/2009 7:39 PM 7680]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [7/11/2009 4:36 PM 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [7/11/2009 4:36 PM 8320]
S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [7/10/2007 7:39 PM 43008]
S3 WPEServ;WPEServ;c:\program files\Common Files\WPE\wpeserv.exe [1/15/2008 10:02 PM 65536]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [8/11/2009 7:40 PM 110080]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [8/11/2009 7:40 PM 104960]
S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
oyftmmkyu
.
Contents of the 'Scheduled Tasks' folder

2009-10-18 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-18 10:02]

2009-10-18 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-18 10:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {66488456-A200-4C53-97A4-DDF016672331} = 58.71.136.10 58.71.132.10
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} - hxxp://202.71.104.89/ibrowser/cibrowser_1_1_1_130.cab
FF - ProfilePath - c:\documents and settings\Administrator.FAKHRUR\Application Data\Mozilla\Firefox\Profiles\n2174u33.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\Administrator.FAKHRUR\Application Data\Mozilla\plugins\npPxPlay.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 15:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\oyftmmkyu]
"ServiceDll"="c:\windows\system32\zplxj.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-606747145-527237240-725345543-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1360)
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll

- - - - - - - > 'lsass.exe'(1440)
c:\program files\ThreatFire\TFWAH.dll
.
Completion time: 2009-10-23 16:10
ComboFix-quarantined-files.txt 2009-10-23 08:09

Pre-Run: 11,174,305,792 bytes free
Post-Run: 12,295,393,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2B88543D24E81C7C198C9760E7C6E583



