
Infected with Artemis!EBE48FF792C6


This topic is locked
15 replies to this topic

#1 rcannella


  • Members
  • 8 posts

Posted 26 October 2009 - 09:19 AM

I have a virus (Artemis!EBE48FF792C6 as indicated by McAfee) that nothing seems to remove permanently. I have run Malwarebytes, Spybot, Spydoctor, and McAfee several times. After the first few times, Spybot and Malwarebytes came back clean. Spydoctor and McAfee would continue to remove the infection, but every time I run the scanners the infection re-appears for removal. Please help.

Thanks.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Ric at 9:41:13.81 on Mon 10/26/2009
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============

C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\wentxp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\PROGRA~1\McAfee\MSC\McLgView.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ric\My Documents\Downloads\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter

============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\program files\bearsharetb\BearShareDx.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No File
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\program files\bearsharetb\BearShareDx.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RemoteControl] c:\windows\system32\rmctrl.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Malwarebytes Anti-Malware (reboot)] "g:\malwarebytes new folder\mbam.exe" /runcleanupscript
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: WapruinoVdm.Wapruino: {d80f6ce9-3dc2-4b8a-bf70-34f3afa8de55} - c:\windows\system32\wapruino.dll

============= SERVICES / DRIVERS ===============

R? 0293221256431346mcinstcleanup;McAfee Application Installer Cleanup (0293221256431346)
R? COMMONFX;COMMONFX
R? CTAUDFX;CTAUDFX
R? CTERFXFX.SYS;CTERFXFX.SYS
R? CTERFXFX;CTERFXFX
R? CTSBLFX;CTSBLFX
R? gupdate1c9cc27271c4608;Google Update Service (gupdate1c9cc27271c4608)
S? BRA_Scheduler;Brother BRAdminPro Scheduler
S? Browser Defender Update Service;Browser Defender Update Service
S? COMMONFX.SYS;COMMONFX.SYS
S? CTAUDFX.SYS;CTAUDFX.SYS
S? CTSBLFX.SYS;CTSBLFX.SYS
S? IntuitUpdateService;Intuit Update Service
S? PCTCore;PCTools KDS
S? pctgntdi;pctgntdi
S? pctplsg;pctplsg
S? sdAuxService;PC Tools Auxiliary Service
S? SeaPort;SeaPort
S? TfFsMon;TfFsMon
S? TfNetMon;TfNetMon
S? TfSysMon;TfSysMon
S? ThreatFire;ThreatFire
S? TomTomHOMEService;TomTomHOMEService
S? WENCRNT4;WENCRNT4

=============== Created Last 30 ================

2009-10-25 00:41:37 0 d-----w- c:\program files\common files\McAfee
2009-10-25 00:41:34 0 d-----w- c:\program files\McAfee.com
2009-10-24 19:03:58 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2009-10-24 19:02:58 224802 -c--a-w- c:\windows\system32\dllcache\usr1807a.sys
2009-10-24 19:01:58 440576 -c--a-w- c:\windows\system32\dllcache\tridkb.dll
2009-10-24 19:00:59 16256 -c--a-w- c:\windows\system32\dllcache\symc810.sys
2009-10-24 18:59:59 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2009-10-24 18:59:57 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2009-10-24 18:59:54 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2009-10-24 18:59:54 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2009-10-24 18:59:51 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2009-10-24 18:59:11 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2009-10-24 18:59:08 147200 -c--a-w- c:\windows\system32\dllcache\smidispb.dll
2009-10-24 18:59:05 25034 -c--a-w- c:\windows\system32\dllcache\smcpwr2n.sys
2009-10-24 18:59:03 35913 -c--a-w- c:\windows\system32\dllcache\smcirda.sys
2009-10-24 18:59:00 24576 -c--a-w- c:\windows\system32\dllcache\smc8000n.sys
2009-10-24 18:57:58 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2009-10-24 18:57:55 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2009-10-24 18:57:52 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2009-10-24 18:57:46 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2009-10-24 18:57:46 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2009-10-24 18:57:43 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2009-10-24 18:57:09 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2009-10-24 18:57:07 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2009-10-24 18:57:04 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2009-10-24 18:57:02 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2009-10-24 18:57:01 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2009-10-24 18:55:55 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2009-10-24 18:54:59 19840 -c--a-w- c:\windows\system32\dllcache\philtune.sys
2009-10-24 18:53:58 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2009-10-24 18:52:59 33088 -c--a-w- c:\windows\system32\dllcache\n9i128v2.sys
2009-10-24 18:51:59 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2009-10-24 18:50:57 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2009-10-24 18:49:48 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2009-10-24 18:48:59 50751 -c--a-w- c:\windows\system32\dllcache\hsf_tone.sys
2009-10-24 18:47:59 82304 -c--a-w- c:\windows\system32\dllcache\grclass.sys
2009-10-24 18:46:54 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2009-10-24 18:45:59 153631 -c--a-w- c:\windows\system32\dllcache\el90xnd5.sys
2009-10-24 18:44:59 25600 -c--a-w- c:\windows\system32\dllcache\dc210_32.dll
2009-10-24 18:43:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2009-10-24 18:42:56 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2009-10-23 14:54:47 0 d-----w- c:\docume~1\ric\applic~1\McAfee
2009-10-23 13:05:51 0 d-----w- c:\program files\Spybot
2009-10-22 16:33:12 0 d-----w- c:\program files\Spybot New Folder
2009-10-22 01:28:28 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-10-21 20:51:34 0 d-----w- c:\docume~1\ric\applic~1\LimeWire

==================== Find3M ====================

2009-10-11 12:10:09 236544 ----a-w- c:\windows\PEV.exe
2009-10-08 17:14:10 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2009-10-08 17:14:10 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2009-10-08 17:14:08 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2009-10-08 15:31:46 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-08 15:31:44 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-08 15:31:44 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-08 15:31:14 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-06 20:31:30 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-02 18:19:04 1152470 ----a-w- c:\windows\UDB.zip
2009-09-24 12:55:46 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-23 20:10:06 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-16 14:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-16 07:20:50 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-15 10:20:46 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-09-15 06:12:04 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-09-15 05:01:44 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 13:45:12 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13:08 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:09 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:06:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020620090207\index.dat

============= FINISH: 9:44:18.93 ===============


#2 Blade


    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts

Posted 01 November 2009 - 06:24 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 rcannella

  • Topic Starter

  • Members
  • 8 posts

Posted 02 November 2009 - 11:07 AM

Here's the latest information:

DDS:



DDS (Ver_09-10-26.01) - NTFSx86
Run by Ric at 7:47:57.06 on Mon 11/02/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2036.905 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\wentxp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ric\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\program files\bearsharetb\BearShareDx.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\program files\bearsharetb\BearShareDx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RemoteControl] c:\windows\system32\rmctrl.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ADOBEA~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
WapruinoVdm

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

==================== Find3M ====================

2009-02-06 06:06:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020620090207\index.dat

============= FINISH: 7:50:29.76 ===============

RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/02 07:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA7FC8000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA656000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6370000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\mcmsc_j2pvnygllgrd3tk
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "TfSysMon.sys" at address 0xb9e85a1c

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9eabcdc

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xb9eabece

#: 063 Function Name: NtDeleteKey
Status: Hooked by "TfSysMon.sys" at address 0xb9e85c10

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "TfSysMon.sys" at address 0xb9e85cb6

#: 119 Function Name: NtOpenKey
Status: Hooked by "TfSysMon.sys" at address 0xb9e8590c

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecbd30

#: 247 Function Name: NtSetValueKey
Status: Hooked by "TfSysMon.sys" at address 0xb9e85e52

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "TfSysMon.sys" at address 0xb9e87b30

==EOF==




#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:32 PM

Posted 04 November 2009 - 11:06 AM

Hello rcannella :( Welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.


I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Spyware Doctor with AntiVirus or McAfee VirusScan.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not post any logs as an attachment unless asked to do so.

Thanks,

thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 rcannella

rcannella
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:32 PM

Posted 04 November 2009 - 04:48 PM

The log file from combofix.

ComboFix 09-11-04.02 - Ric 11/04/2009 21:14.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2036.1634 [GMT -5:00]
Running from: c:\documents and settings\Ric\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-05 01:24 . 2009-11-05 02:10 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-29 20:30 . 2009-10-29 20:33 -------- d-----w- C:\.Trash-999
2009-10-29 10:51 . 2009-10-29 14:04 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-25 00:42 . 2009-09-16 14:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-25 00:42 . 2009-09-16 14:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-25 00:42 . 2009-09-16 14:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-25 00:42 . 2009-07-16 16:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-25 00:41 . 2009-10-25 00:42 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-25 00:41 . 2009-10-25 00:41 -------- d-----w- c:\program files\McAfee.com
2009-10-25 00:38 . 2009-09-16 14:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-25 00:19 . 2009-10-25 00:21 -------- dc-h--w- c:\windows\ie8
2009-10-24 20:30 . 2009-10-24 20:30 -------- d-----w- c:\documents and settings\Ric\Local Settings\Application Data\Threat Expert
2009-10-24 19:03 . 2001-08-18 02:36 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2009-10-24 19:02 . 2001-08-17 17:28 224802 -c--a-w- c:\windows\system32\dllcache\usr1807a.sys
2009-10-24 19:01 . 2001-08-17 18:56 440576 -c--a-w- c:\windows\system32\dllcache\tridkb.dll
2009-10-24 19:00 . 2001-08-17 18:07 16256 -c--a-w- c:\windows\system32\dllcache\symc810.sys
2009-10-24 18:59 . 2001-08-18 02:36 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2009-10-24 18:59 . 2001-08-17 16:51 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2009-10-24 18:59 . 2008-04-13 17:40 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2009-10-24 18:59 . 2001-08-17 17:53 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2009-10-24 18:59 . 2001-08-17 17:53 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2009-10-24 18:59 . 2001-08-17 16:51 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2009-10-24 18:59 . 2001-08-17 18:56 147200 -c--a-w- c:\windows\system32\dllcache\smidispb.dll
2009-10-24 18:59 . 2001-08-17 16:12 25034 -c--a-w- c:\windows\system32\dllcache\smcpwr2n.sys
2009-10-24 18:59 . 2001-08-17 16:10 35913 -c--a-w- c:\windows\system32\dllcache\smcirda.sys
2009-10-24 18:59 . 2001-08-17 16:12 24576 -c--a-w- c:\windows\system32\dllcache\smc8000n.sys
2009-10-24 18:57 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2009-10-24 18:57 . 2001-08-17 16:19 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2009-10-24 18:57 . 2001-08-17 17:48 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2009-10-24 18:57 . 2008-04-13 17:45 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2009-10-24 18:57 . 2001-08-17 17:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2009-10-24 18:57 . 2001-08-17 17:52 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2009-10-24 18:57 . 2001-08-17 17:51 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2009-10-24 18:57 . 2001-08-17 17:51 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2009-10-24 18:57 . 2001-08-17 17:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2009-10-24 18:57 . 2001-08-17 17:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2009-10-24 18:57 . 2008-04-13 17:40 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2009-10-24 18:55 . 2001-08-17 17:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2009-10-24 18:54 . 2001-08-17 18:07 19840 -c--a-w- c:\windows\system32\dllcache\philtune.sys
2009-10-24 18:53 . 2001-08-17 18:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2009-10-24 18:52 . 2001-08-17 16:50 33088 -c--a-w- c:\windows\system32\dllcache\n9i128v2.sys
2009-10-24 18:51 . 2001-08-17 17:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2009-10-24 18:50 . 2001-08-17 16:12 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2009-10-24 18:49 . 2001-08-18 02:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2009-10-24 18:48 . 2001-08-17 17:28 50751 -c--a-w- c:\windows\system32\dllcache\hsf_tone.sys
2009-10-24 18:47 . 2001-08-17 17:51 82304 -c--a-w- c:\windows\system32\dllcache\grclass.sys
2009-10-24 18:46 . 2001-08-17 16:12 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2009-10-24 18:45 . 2001-08-17 16:11 153631 -c--a-w- c:\windows\system32\dllcache\el90xnd5.sys
2009-10-24 18:44 . 2001-08-18 02:36 25600 -c--a-w- c:\windows\system32\dllcache\dc210_32.dll
2009-10-24 18:43 . 2001-08-17 17:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2009-10-24 18:42 . 2001-08-17 18:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2009-10-23 14:55 . 2009-09-30 16:11 288096 ----a-r- c:\documents and settings\Ric\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-10-23 14:54 . 2009-10-23 14:54 -------- d-----w- c:\documents and settings\Ric\Application Data\McAfee
2009-10-23 13:05 . 2009-10-23 13:06 -------- d-----w- c:\program files\Spybot
2009-10-22 16:39 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 16:39 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-22 16:33 . 2009-10-22 16:35 -------- d-----w- c:\program files\Spybot New Folder
2009-10-22 01:28 . 2009-10-22 01:28 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-10-21 21:15 . 2009-10-21 23:47 120 ----a-w- c:\windows\Czixiyalo.dat
2009-10-21 21:15 . 2009-10-21 21:15 0 ----a-r- c:\windows\Qmoqokaxuwe.bin
2009-10-21 21:15 . 2009-10-22 02:35 -------- d-----w- c:\documents and settings\Ric\Local Settings\Application Data\{7A7BA28F-AE03-423B-AE40-D604575D2EC0}
2009-10-21 21:08 . 2009-10-22 02:35 -------- d-----w- C:\Rosetta Stone
2009-10-21 20:51 . 2009-10-21 21:07 -------- d-----w- c:\documents and settings\Ric\Application Data\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 02:02 . 2009-05-03 13:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 12:42 . 2009-08-25 19:10 -------- d-----w- c:\documents and settings\Ric\Application Data\SolSuite
2009-10-28 12:58 . 2009-06-25 19:51 -------- d-----w- c:\program files\Java
2009-10-28 12:55 . 2009-08-05 01:55 152576 ----a-w- c:\documents and settings\Ric\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-26 20:15 . 2009-08-25 19:37 -------- d-----w- c:\documents and settings\Ric\Application Data\MahJong Suite
2009-10-25 00:46 . 2009-02-06 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-25 00:45 . 2009-07-27 16:17 -------- d-----w- c:\program files\McAfee
2009-10-24 19:29 . 2009-05-03 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-23 13:06 . 2009-07-26 13:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-22 03:27 . 2009-07-26 13:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-21 21:09 . 2009-10-22 01:16 170870 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-10-21 11:55 . 2009-07-10 18:52 -------- d-----w- c:\program files\RegCure
2009-10-11 15:15 . 2009-08-25 19:09 -------- d-----w- c:\program files\SolSuite
2009-09-29 23:13 . 2009-05-17 13:19 -------- d-----w- c:\program files\Common Files\Remote Control Software Common
2009-09-25 20:57 . 2009-09-25 20:56 -------- d-----w- c:\program files\PS3 Media Server
2009-09-16 15:34 . 2009-09-16 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-16 14:44 . 2009-09-16 14:42 -------- d-----w- c:\program files\Rhapsody
2009-09-16 14:44 . 2009-09-16 14:44 -------- d-----w- c:\program files\Yahoo!
2009-09-16 14:44 . 2009-09-16 14:44 -------- d-----w- c:\documents and settings\Ric\Application Data\Yahoo!
2009-09-16 14:43 . 2009-09-16 14:43 -------- d-----w- c:\program files\Common Files\Real
2009-09-16 14:22 . 2009-09-16 14:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 13:16 . 2009-09-16 13:09 -------- d-----w- c:\documents and settings\Ric\Application Data\BearShareTb
2009-09-16 13:09 . 2009-09-16 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\2D2BF
2009-09-16 13:09 . 2009-09-16 13:09 -------- d-----w- c:\program files\BearShareTb
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 13:28 . 2009-09-07 13:26 -------- d-----w- c:\program files\UDPixel
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0974BA1E-64EC-11DE-B2A5-E43756D89593}]
2009-08-10 14:06 91576 ----a-w- c:\program files\BearShareTb\BearShareDx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0974BA1E-64EC-11DE-B2A5-E43756D89593}"= "c:\program files\BearShareTb\BearShareDx.dll" [2009-08-10 91576]

[HKEY_CLASSES_ROOT\clsid\{0974ba1e-64ec-11de-b2a5-e43756d89593}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-06 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-27 247144]
"SpybotSD TeaTimer"="c:\program files\Spybot\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-12 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-12 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-12 138008]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"RemoteControl"="c:\windows\system32\rmctrl.exe" [2000-10-16 32768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-06-27 19456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{D80F6CE9-3DC2-4B8A-BF70-34F3AFA8DE55}"= "c:\windows\system32\wapruino.dll" [2007-03-31 319488]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/27/2009 10:05 AM 92008]
R2 WENCRNT4;WENCRNT4;c:\windows\system32\drivers\WENCRNT4.sys [6/12/2009 8:10 PM 122368]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 7:21 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 7:21 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 7:21 PM 566296]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 0293221256431346mcinstcleanup;McAfee Application Installer Cleanup (0293221256431346); [x]
S2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\Brother\BRAdmin Professional 3\bratimer.exe [6/25/2009 1:14 PM 65536]
S2 gupdate1c9cc27271c4608;Google Update Service (gupdate1c9cc27271c4608);c:\program files\Google\Update\GoogleUpdate.exe [5/3/2009 2:41 PM 133104]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 7:21 PM 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 7:21 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 7:21 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 7:21 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 7:21 PM 566296]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\FolderTaskUserS-1-5-21-448539723-299502267-839522115-1003.job
- c:\windows\system32\Foldezip.exe [2009-06-13 01:30]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 19:41]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 19:41]

2009-10-25 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-25 16:22]

2009-10-25 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-25 16:22]

2009-11-05 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-05 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-10-29 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 21:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-299502267-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-11-05 21:21
ComboFix-quarantined-files.txt 2009-11-05 02:21
ComboFix2.txt 2009-10-22 20:02

Pre-Run: 85,558,231,040 bytes free
Post-Run: 85,624,889,344 bytes free

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:32 PM

Posted 04 November 2009 - 05:22 PM

This can take a while to run sometimes, so you just have to be patient with it. The infected file ComboFix found was a big plus for us. That one can give you all kinds of problems.


Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

#7 rcannella

rcannella
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:32 PM

Posted 04 November 2009 - 10:21 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, November 4, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, November 05, 2009 00:23:59
Records in database: 3133328
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 111119
Threats found: 4
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 01:41:32


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.u 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_dgsetup32_.dll.zip Infected: Trojan.Win32.Agent.czrh 1
C:\WINDOWS\system32\tdlwsp.dll Infected: Packed.Win32.TDSS.z 1
F:\Program Files\ComcastToolbar\comcasttoolbar.dll Infected: not-a-virus:AdWare.Win32.BHO.aaj 1

Selected area has been scanned.

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:32 PM

Posted 04 November 2009 - 10:44 PM

The two Qoobox files are from the quarantined area of ComboFix. They will be gone when we do an uninstall of the program.


Due to the nature of the file we are deleting, you should consider the security on your computer to be compromised. I would strongly advise you to use a known clean computer to change any passwords to financial institutions and the like. This would hold true for any other passwords you use also.

The Comcast file below is not a virus, but it is considered adware and not desirable. However, if you want to keep it, just do not include that line in the script when you run it.

Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\tdlwsp.dll
F:\Program Files\ComcastToolbar\comcasttoolbar.dll


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
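The triage thewall applies above, in code: Qoobox hits are ComboFix's own quarantined copies and are skipped, "not-a-virus" hits are adware the user may keep, and everything else becomes a line in the CFScript File:: section. This is an added example, not code from the thread, ComboFix or Kaspersky; it assumes the report line layout seen in post #7 (`<path> Infected: <threat> <count>`) and uses those four posted lines as its constructed sample input.

```python
"""Triage a Kaspersky Online Scanner 7 report into a ComboFix CFScript.

Added example for this thread; not code from BleepingComputer, ComboFix or
Kaspersky. Assumes the report line layout seen in post #7:
    <path> Infected: <threat name> <count>
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the four detection lines posted in the thread.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.u 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_dgsetup32_.dll.zip Infected: Trojan.Win32.Agent.czrh 1
C:\WINDOWS\system32\tdlwsp.dll Infected: Packed.Win32.TDSS.z 1
F:\Program Files\ComcastToolbar\comcasttoolbar.dll Infected: not-a-virus:AdWare.Win32.BHO.aaj 1

Selected area has been scanned.
"""

# One detection per line; the path may contain spaces, the threat name never does.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# ComboFix keeps its quarantined copies under <drive>:\Qoobox\; they disappear
# when ComboFix is uninstalled, so they never belong in a CFScript.
QUARANTINE_RE = re.compile(r"^[a-z]:\\qoobox\\", re.IGNORECASE)
# Kaspersky's prefix for adware/riskware: unwanted, but not malware.
PUA_PREFIX = "not-a-virus:"


@dataclass
class Detection:
    path: str
    threat: str
    count: int
    category: str  # "quarantine", "pua" or "live"


def classify(path: str, threat: str) -> str:
    """Apply the thread's triage rules to a single detection."""
    if QUARANTINE_RE.match(path):
        return "quarantine"
    if threat.lower().startswith(PUA_PREFIX):
        return "pua"
    return "live"  # an active infected file still on disk


def triage(report_text: str) -> list:
    """Parse every detection line of the report and classify it."""
    detections = []
    for raw in report_text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if m is None:
            continue  # header, blank line or statistics line
        path, threat = m.group("path"), m.group("threat")
        detections.append(
            Detection(path, threat, int(m.group("count")), classify(path, threat)))
    return detections


def summarize(detections) -> dict:
    """Count detections per triage category."""
    return dict(Counter(d.category for d in detections))


def build_cfscript(detections, include_pua: bool = True) -> str:
    """Emit the File:: section of CFScript.txt for the files ComboFix should remove.

    Quarantined copies are always left out; adware is included unless the user
    chooses to keep it, as the thread allows for the Comcast toolbar.
    """
    wanted = {"live", "pua"} if include_pua else {"live"}
    lines = ["File::"] + [d.path for d in detections if d.category in wanted]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for d in found:
        print(f"{d.category:10} {d.threat:40} {d.path}")
    print(summarize(found))
    print(build_cfscript(found))
```

Run against the sample, the script lists two quarantine entries, one live TDSS component and one adware hit, and prints the same two-line File:: block thewall posted.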

#9 rcannella

rcannella
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:32 PM

Posted 05 November 2009 - 07:11 AM

The latest from ComboFix

ComboFix 09-11-04.05 - Ric 11/05/2009 7:03.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2036.1366 [GMT -5:00]
Running from: c:\documents and settings\Ric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ric\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\tdlwsp.dll"
"f:\program files\ComcastToolbar\comcasttoolbar.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tdlwsp.dll
f:\program files\ComcastToolbar\comcasttoolbar.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-10-29 20:30 . 2009-10-29 20:33 -------- d-----w- C:\.Trash-999
2009-10-29 10:51 . 2009-10-29 14:04 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-25 00:42 . 2009-09-16 14:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-25 00:42 . 2009-09-16 14:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-25 00:42 . 2009-09-16 14:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-25 00:42 . 2009-07-16 16:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-25 00:41 . 2009-10-25 00:42 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-25 00:41 . 2009-10-25 00:41 -------- d-----w- c:\program files\McAfee.com
2009-10-25 00:38 . 2009-09-16 14:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-25 00:19 . 2009-10-25 00:21 -------- dc-h--w- c:\windows\ie8
2009-10-24 20:30 . 2009-10-24 20:30 -------- d-----w- c:\documents and settings\Ric\Local Settings\Application Data\Threat Expert
2009-10-24 19:03 . 2001-08-18 02:36 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2009-10-24 19:02 . 2001-08-17 17:28 224802 -c--a-w- c:\windows\system32\dllcache\usr1807a.sys
2009-10-24 19:01 . 2001-08-17 18:56 440576 -c--a-w- c:\windows\system32\dllcache\tridkb.dll
2009-10-24 19:00 . 2001-08-17 18:07 16256 -c--a-w- c:\windows\system32\dllcache\symc810.sys
2009-10-24 18:59 . 2001-08-18 02:36 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2009-10-24 18:59 . 2001-08-17 16:51 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2009-10-24 18:59 . 2008-04-13 17:40 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2009-10-24 18:59 . 2001-08-17 17:53 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2009-10-24 18:59 . 2001-08-17 17:53 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2009-10-24 18:59 . 2001-08-17 16:51 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2009-10-24 18:59 . 2001-08-17 18:56 147200 -c--a-w- c:\windows\system32\dllcache\smidispb.dll
2009-10-24 18:59 . 2001-08-17 16:12 25034 -c--a-w- c:\windows\system32\dllcache\smcpwr2n.sys
2009-10-24 18:59 . 2001-08-17 16:10 35913 -c--a-w- c:\windows\system32\dllcache\smcirda.sys
2009-10-24 18:59 . 2001-08-17 16:12 24576 -c--a-w- c:\windows\system32\dllcache\smc8000n.sys
2009-10-24 18:57 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2009-10-24 18:57 . 2001-08-17 16:19 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2009-10-24 18:57 . 2001-08-17 17:48 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2009-10-24 18:57 . 2008-04-13 17:45 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2009-10-24 18:57 . 2001-08-17 17:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2009-10-24 18:57 . 2001-08-17 17:52 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2009-10-24 18:57 . 2001-08-17 17:51 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2009-10-24 18:57 . 2001-08-17 17:51 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2009-10-24 18:57 . 2001-08-17 17:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2009-10-24 18:57 . 2001-08-17 17:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2009-10-24 18:57 . 2008-04-13 17:40 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2009-10-24 18:55 . 2001-08-17 17:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2009-10-24 18:54 . 2001-08-17 18:07 19840 -c--a-w- c:\windows\system32\dllcache\philtune.sys
2009-10-24 18:53 . 2001-08-17 18:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2009-10-24 18:52 . 2001-08-17 16:50 33088 -c--a-w- c:\windows\system32\dllcache\n9i128v2.sys
2009-10-24 18:51 . 2001-08-17 17:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2009-10-24 18:50 . 2001-08-17 16:12 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2009-10-24 18:49 . 2001-08-18 02:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2009-10-24 18:48 . 2001-08-17 17:28 50751 -c--a-w- c:\windows\system32\dllcache\hsf_tone.sys
2009-10-24 18:47 . 2001-08-17 17:51 82304 -c--a-w- c:\windows\system32\dllcache\grclass.sys
2009-10-24 18:46 . 2001-08-17 16:12 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2009-10-24 18:45 . 2001-08-17 16:11 153631 -c--a-w- c:\windows\system32\dllcache\el90xnd5.sys
2009-10-24 18:44 . 2001-08-18 02:36 25600 -c--a-w- c:\windows\system32\dllcache\dc210_32.dll
2009-10-24 18:43 . 2001-08-17 17:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2009-10-24 18:42 . 2001-08-17 18:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2009-10-23 14:55 . 2009-09-30 16:11 288096 ----a-r- c:\documents and settings\Ric\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-10-23 14:54 . 2009-10-23 14:54 -------- d-----w- c:\documents and settings\Ric\Application Data\McAfee
2009-10-23 13:05 . 2009-10-23 13:06 -------- d-----w- c:\program files\Spybot
2009-10-22 16:39 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 16:39 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-22 16:33 . 2009-10-22 16:35 -------- d-----w- c:\program files\Spybot New Folder
2009-10-22 01:28 . 2009-10-22 01:28 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-10-21 21:15 . 2009-10-21 23:47 120 ----a-w- c:\windows\Czixiyalo.dat
2009-10-21 21:15 . 2009-10-21 21:15 0 ----a-r- c:\windows\Qmoqokaxuwe.bin
2009-10-21 21:15 . 2009-10-22 02:35 -------- d-----w- c:\documents and settings\Ric\Local Settings\Application Data\{7A7BA28F-AE03-423B-AE40-D604575D2EC0}
2009-10-21 21:08 . 2009-10-22 02:35 -------- d-----w- C:\Rosetta Stone
2009-10-21 20:51 . 2009-10-21 21:07 -------- d-----w- c:\documents and settings\Ric\Application Data\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 03:16 . 2009-08-25 19:10 -------- d-----w- c:\documents and settings\Ric\Application Data\SolSuite
2009-11-05 02:02 . 2009-05-03 13:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-28 12:58 . 2009-06-25 19:51 -------- d-----w- c:\program files\Java
2009-10-28 12:55 . 2009-08-05 01:55 152576 ----a-w- c:\documents and settings\Ric\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-26 20:15 . 2009-08-25 19:37 -------- d-----w- c:\documents and settings\Ric\Application Data\MahJong Suite
2009-10-25 00:46 . 2009-02-06 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-25 00:45 . 2009-07-27 16:17 -------- d-----w- c:\program files\McAfee
2009-10-24 19:29 . 2009-05-03 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-23 13:06 . 2009-07-26 13:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-22 03:27 . 2009-07-26 13:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-21 21:09 . 2009-10-22 01:16 170870 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-10-21 11:55 . 2009-07-10 18:52 -------- d-----w- c:\program files\RegCure
2009-10-11 15:15 . 2009-08-25 19:09 -------- d-----w- c:\program files\SolSuite
2009-09-29 23:13 . 2009-05-17 13:19 -------- d-----w- c:\program files\Common Files\Remote Control Software Common
2009-09-25 20:57 . 2009-09-25 20:56 -------- d-----w- c:\program files\PS3 Media Server
2009-09-16 15:34 . 2009-09-16 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-16 14:44 . 2009-09-16 14:42 -------- d-----w- c:\program files\Rhapsody
2009-09-16 14:44 . 2009-09-16 14:44 -------- d-----w- c:\program files\Yahoo!
2009-09-16 14:44 . 2009-09-16 14:44 -------- d-----w- c:\documents and settings\Ric\Application Data\Yahoo!
2009-09-16 14:43 . 2009-09-16 14:43 -------- d-----w- c:\program files\Common Files\Real
2009-09-16 14:22 . 2009-09-16 14:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 13:16 . 2009-09-16 13:09 -------- d-----w- c:\documents and settings\Ric\Application Data\BearShareTb
2009-09-16 13:09 . 2009-09-16 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\2D2BF
2009-09-16 13:09 . 2009-09-16 13:09 -------- d-----w- c:\program files\BearShareTb
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 13:28 . 2009-09-07 13:26 -------- d-----w- c:\program files\UDPixel
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-02-28 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0974BA1E-64EC-11DE-B2A5-E43756D89593}]
2009-08-10 14:06 91576 ----a-w- c:\program files\BearShareTb\BearShareDx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0974BA1E-64EC-11DE-B2A5-E43756D89593}"= "c:\program files\BearShareTb\BearShareDx.dll" [2009-08-10 91576]

[HKEY_CLASSES_ROOT\clsid\{0974ba1e-64ec-11de-b2a5-e43756d89593}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-06 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-27 247144]
"SpybotSD TeaTimer"="c:\program files\Spybot\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-12 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-12 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-12 138008]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"RemoteControl"="c:\windows\system32\rmctrl.exe" [2000-10-16 32768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-06-27 19456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{D80F6CE9-3DC2-4B8A-BF70-34F3AFA8DE55}"= "c:\windows\system32\wapruino.dll" [2007-03-31 319488]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/27/2009 10:05 AM 92008]
R2 WENCRNT4;WENCRNT4;c:\windows\system32\drivers\WENCRNT4.sys [6/12/2009 8:10 PM 122368]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 7:21 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 7:21 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 7:21 PM 566296]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 0293221256431346mcinstcleanup;McAfee Application Installer Cleanup (0293221256431346); [x]
S2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\Brother\BRAdmin Professional 3\bratimer.exe [6/25/2009 1:14 PM 65536]
S2 gupdate1c9cc27271c4608;Google Update Service (gupdate1c9cc27271c4608);c:\program files\Google\Update\GoogleUpdate.exe [5/3/2009 2:41 PM 133104]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 7:21 PM 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 7:21 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 7:21 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 7:21 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 7:21 PM 566296]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\FolderTaskUserS-1-5-21-448539723-299502267-839522115-1003.job
- c:\windows\system32\Foldezip.exe [2009-06-13 01:30]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 19:41]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 19:41]

2009-10-25 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-25 16:22]

2009-10-25 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-25 16:22]

2009-11-05 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-05 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-05 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-05 07:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-299502267-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-11-05 7:08
ComboFix-quarantined-files.txt 2009-11-05 12:08
ComboFix2.txt 2009-11-05 02:21
ComboFix3.txt 2009-10-22 20:02

Pre-Run: 85,552,857,088 bytes free
Post-Run: 85,605,068,800 bytes free

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:32 PM

Posted 05 November 2009 - 09:44 AM

You're a few versions behind on your Java; they just released another update to take care of some security issues, so let's get that updated and then let me know how your computer is running.


Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
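
An added example for the Java clean-up described in the post above; it is not code from the thread, from thewall, or from Sun's installer. It lists every Java Runtime Environment registered under Add/Remove Programs (the Uninstall registry keys), reports which JRE the JavaSoft key currently points at, and flags anything below a baseline. The baseline 6.0.170 is assumed here to be the DisplayVersion the installer records for JRE 6 Update 17, the version the post asks for; the 32-bit Wow6432Node path is included only so the same script works on 64-bit Windows. Without -Uninstall it only reports; with it, outdated MSI-based installs are removed the same way Add/Remove Programs would.

```powershell
# Added example, not code from the thread or from Sun's installer: list the
# Java Runtime Environments recorded under Add/Remove Programs (the Uninstall
# registry keys) and flag those older than a baseline. The baseline 6.0.170
# is assumed to be the DisplayVersion recorded for JRE 6 Update 17, the
# version the post above asks for.
# Run from an elevated PowerShell prompt; the script only reports unless
# -Uninstall is given, in which case outdated MSI-based installs are removed
# the way Add/Remove Programs would (msiexec /x <ProductCode>).

param(
    [version]$Minimum = '6.0.170',
    [switch]$Uninstall
)

# Native hive plus the 32-bit view on 64-bit Windows; the second path does
# not exist on a 32-bit install such as the XP machine in this thread.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
) | Where-Object { Test-Path $_ }

function Get-InstalledJava {
    foreach ($root in $uninstallRoots) {
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath
            if ($p.DisplayName -notmatch '^(Java|J2SE)') { continue }
            $ver = $null
            try { $ver = [version]$p.DisplayVersion } catch { }
            New-Object PSObject -Property @{
                Name        = $p.DisplayName
                Version     = $ver
                ProductCode = $key.PSChildName      # MSI GUID for Sun's installers
                Outdated    = ($ver -ne $null -and $ver -lt $Minimum)
            }
        }
    }
}

# The JRE that java.exe and the browser plug-in resolve to right now.
$jreKey = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
if (Test-Path $jreKey) {
    "Current JRE: " + (Get-ItemProperty $jreKey).CurrentVersion
}

$installed = @(Get-InstalledJava)
if ($installed.Count -eq 0) { "No Java Runtime Environment registered."; return }

foreach ($j in $installed) {
    $state = if ($j.Outdated) { 'OUTDATED' } else { 'ok' }
    "{0,-45} {1,-10} {2}" -f $j.Name, $j.Version, $state
    if ($j.Outdated -and $Uninstall -and $j.ProductCode -match '^\{[0-9A-F-]{36}\}$') {
        # /qn = no UI, /norestart = do not reboot mid-run; reboot once at the end
        Start-Process msiexec.exe -ArgumentList "/x $($j.ProductCode) /qn /norestart" -Wait
    }
}
```

Run it once before installing the new JRE to see what the uninstaller in the new release will not remove for you (the post notes it only handles Update 10 and above), and once afterwards to confirm that only the current version remains and that the JavaSoft CurrentVersion value points at it.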

#11 rcannella (Topic Starter)

Posted 05 November 2009 - 10:49 AM

Ok, I have deleted the old Java and updated. At this point I'm waiting to see if anything is detected. McAfee was detecting and blocking fake alerts every 6 minutes a few days ago before I started doing what you asked. I haven't seen anything for a while now. I've got my fingers crossed. Any thing else you need me to check?


And thanks for the help so far.

#12 thewall (Malware Response Team)

Posted 05 November 2009 - 12:33 PM

Why don't you let it run until tomorrow. If nothing is showing then we'll clean off our tools and I'll have some last suggestions for you. It is important though that you let me know and we perform the last part due to the nature of ComboFix.

#13 rcannella (Topic Starter)

Posted 06 November 2009 - 07:38 AM

McAfee did its scheduled scan overnight and everything is good. Nothing was found.

Edited by rcannella, 06 November 2009 - 08:25 AM.


#14 thewall (Malware Response Team)

Posted 06 November 2009 - 11:28 AM

That is good news. I believe we can go ahead and wrap up then.


Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>


  • The following will implement some very important cleanup procedures as well as reset System Restore points.



You can go ahead and delete GMER and DDS also since we won't need them anymore.





Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster from here
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
  • Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  • Finally, this is very important. It is absolutely essential to keep all of your security programs up to date



If you have any other questions or issues feel free to ask as I will be checking back on this topic.



Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum.


thewall
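
An added example covering the local hardening steps in the post above (the Internet zone ActiveX settings, the hosts file and DNS Client service, and the kill bits SpywareBlaster sets); it is example code, not the poster's and not part of any tool named in the thread. Zone 3 is Internet Explorer's Internet zone, and value names 1001 (Download signed ActiveX controls), 1004 (Download unsigned ActiveX controls) and 1201 (Initialize and script ActiveX controls not marked as safe) with data 0 = Enable, 1 = Prompt, 3 = Disable are Microsoft's documented ones. The 1000-line hosts threshold and the all-zero CLSID are placeholders chosen for this example. Without -Apply the script only audits.

```powershell
# Added example, not code from the thread or from any of the tools it names:
# audit, and with -Apply enforce, the local hardening steps in the post
# above. Run from an elevated PowerShell prompt.
# Zone 3 is the Internet zone; value names are Microsoft's documented ones:
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
#   1201 = Initialize and script ActiveX controls not marked as safe
# with data 0 = Enable, 1 = Prompt, 3 = Disable.

param([switch]$Apply)

$zone   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$wanted = @{ '1001' = 1; '1004' = 1; '1201' = 3 }     # Prompt, Prompt, Disable
$label  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneActiveX {
    $key = Get-Item $zone
    foreach ($name in $wanted.Keys) {
        $current = $key.GetValue($name)
        $shown = if ($current -eq $null) { 'unset' }
                 elseif ($label.ContainsKey([int]$current)) { $label[[int]$current] }
                 else { "$current" }
        $ok = ($current -ne $null -and [int]$current -eq $wanted[$name])
        "zone3 {0}: {1,-7} wanted {2,-7} {3}" -f $name, $shown, $label[$wanted[$name]], $(if ($ok) { 'ok' } else { 'FIX' })
        if (-not $ok -and $Apply) {
            Set-ItemProperty -Path $zone -Name $name -Value $wanted[$name] -Type DWord
        }
    }
}

# A kill bit is bit 0x400 of "Compatibility Flags" under the ActiveX
# Compatibility key for a CLSID; IE then refuses to instantiate that control.
# This is the registry change SpywareBlaster makes for the CLSIDs it knows.
function Test-KillBit([string]$Clsid) {
    $path = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $path)) { return $false }
    $flags = [int](Get-ItemProperty $path).'Compatibility Flags'
    return (($flags -band 0x400) -ne 0)
}

function Test-HostsAndDnsClient {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    # Count only address lines; comments and blank lines do not matter here.
    $entries = @(Get-Content $hosts | Where-Object { $_ -match '^\s*\d' }).Count
    $svc = Get-Service -Name Dnscache                  # display name "DNS Client"
    "hosts entries: {0}; DNS Client: {1}" -f $entries, $svc.Status
    # The post's caveat: a large custom hosts file with the DNS Client service
    # set to Automatic can slow the machine down, so switch it to Manual.
    # The 1000-line threshold is an arbitrary choice for this example.
    if ($entries -gt 1000 -and $Apply) {
        Set-Service -Name Dnscache -StartupType Manual
        Stop-Service -Name Dnscache
        "DNS Client set to Manual and stopped."
    }
}

Test-InternetZoneActiveX
Test-HostsAndDnsClient
# Placeholder CLSID for illustration only; substitute one from a real advisory.
$sample = '{00000000-0000-0000-0000-000000000000}'
"kill bit set for {0}: {1}" -f $sample, (Test-KillBit $sample)
```

The audit lines make the manual Inetcpl.cpl steps in the post verifiable: if Reset all zones to default level was followed by the Custom level changes, 1001 and 1004 read Prompt and 1201 reads Disable. Test-KillBit is the check to run against a CLSID from a vendor advisory after SpywareBlaster's update, since the kill bit lives in HKLM and is independent of the zone settings in HKCU.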

#15 rcannella (Topic Starter)

Posted 06 November 2009 - 06:02 PM

Took care of everything that you suggested.

Thanks again......



