Malware problems


  • This topic is locked
28 replies to this topic

#1 Neil F.

  • Members
  • 15 posts

Posted 14 November 2009 - 07:59 AM

I started to get search engine redirection, and found that at times, on sites with multiple selections, all of a sudden many of the selections were loading in new windows.

My McAfee started finding Generic Downloader and Artemis!... but that appears to have gone away. Defender keeps hitting on Alureon.gen!U. I downloaded Avira and it is constantly coming up with Trojans TR/Crypt.PEPM.Gen, SPR/Tool.Hardoff.A, TR/Trash.Gen, HEUR/HTML., TR/Trash.Gen, TR/Vundo.Gen. Security Essentials keeps finding Alureon.gen!U.

I have also tried Malwarebytes and Windows Live, but obviously it is not clearing this.

Thanks

DDS (Ver_09-10-26.01) - NTFSx86
Run by Neil at 22:51:32.35 on Fri 11/13/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.364 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\DOCUME~1\Neil\LOCALS~1\Temp\clclean.0001
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Documents and Settings\Neil\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p10 /q c:\docume~1\neil\locals~1\temp\clclea~2.sh! c:\docume~1\neil\locals~1\tempor~1\content.ie5\gn7pm79z\img_2_~1.sh! c:\docume~1\neil\locals~1\tempor~1\content.ie5\1xbwylwx\adscan~2.sh! c:\docume~1\neil\locals~1\tempor~1\content.ie5\motmxz2e\portal~1.sh! c:\docume~1\neil\locals~1\tempor~1\content.ie5\motmxz2e\img_4_~1.sh! c:\docume~1\neil\locals~1\tempor~1\content.ie5\1xbwylwx\ADS_3_~1.SH!
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [CTSysVol] "c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe" /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\broderbund\printmaster\pmremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: Wallpaper =
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX28.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {9675515D-0586-4017-BA23-5C46C9540216} = 208.67.220.220,208.67.222.222
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\neil\applic~1\mozilla\firefox\profiles\c033dkgm.default\
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\gradke~1\dbsign~1\lib\npDBsignWeb.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\verizon\vsp\nprpspa.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-13 207280]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-4 108289]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-11-13 112592]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-4 92296]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-13 358600]

=============== Created Last 30 ================

2009-11-14 03:16:05 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-14 03:16:01 883 ----a-w- c:\windows\RegSDImport.xml
2009-11-14 03:16:01 880 ----a-w- c:\windows\RegISSImport.xml
2009-11-14 03:16:01 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-14 03:16:01 131 ----a-w- c:\windows\IDB.zip
2009-11-14 03:16:00 1152470 ----a-w- c:\windows\UDB.zip
2009-11-14 03:15:58 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-11-14 03:15:57 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-14 03:11:01 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-11-14 03:11:00 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-14 03:09:41 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-14 03:09:40 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-14 03:09:40 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-11-14 03:09:40 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-14 03:08:36 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-11-14 03:08:35 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-14 03:06:41 0 d-----w- c:\program files\Trend Micro
2009-11-14 03:05:48 0 d-----w- c:\program files\common files\PC Tools
2009-11-14 03:05:47 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-14 03:05:46 0 d-----w- c:\program files\Spyware Doctor
2009-11-14 03:05:46 0 d-----w- c:\docume~1\neil\applic~1\PC Tools
2009-11-09 01:17:24 0 d-----w- c:\docume~1\neil\applic~1\Malwarebytes
2009-11-09 01:16:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-09 01:16:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-09 01:16:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-09 01:16:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 23:35:33 0 d-----w- c:\program files\Microsoft Security Essentials
2009-11-05 01:26:14 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-05 01:26:07 0 d-----w- c:\program files\Avira
2009-11-05 01:26:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-11-01 05:36:27 0 d-----w- c:\program files\Radialpoint
2009-10-17 23:41:09 48 ----a-w- c:\documents and settings\neil\768.tmp

==================== Find3M ====================

2009-11-06 05:42:37 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-16 14:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2008-05-09 04:35:21 0 -c--a-w- c:\program files\temp01
2008-10-01 23:53:57 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100120081002\index.dat

============= FINISH: 22:55:26.33 ===============

#2 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 22 November 2009 - 04:43 PM

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' button and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



#3 Neil F.

  • Topic Starter
  • Members
  • 15 posts

Posted 22 November 2009 - 07:47 PM

Thank you for getting back to me. The problem still exists. The symptoms are still the same as in the original post.

Avira's pop-up notification for 'TR/Crypt.ZPACK.Gen' is occurring multiple times a day. It will pop up 4-5 times in a row, then Security Essentials will hit on Win32/Alureon.CT. It changed from GenU a couple of days ago.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Neil at 19:25:02.37 on Sun 11/22/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.210 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\DOCUME~1\Neil\LOCALS~1\Temp\clclean.0001
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Documents and Settings\Neil\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p10 /q c:\docume~1\neil\locals~1\temp\clclea~2.sh! c:\docume~1\neil\locals~1\tempor~1\content.ie5\gn7pm79z\img_2_~1.sh! c:\docume~1\neil\locals~1\tempor~1\content.ie5\1xbwylwx\adscan~2.sh! c:\docume~1\neil\locals~1\tempor~1\content.ie5\motmxz2e\portal~1.sh! c:\docume~1\neil\locals~1\tempor~1\content.ie5\motmxz2e\img_4_~1.sh! c:\docume~1\neil\locals~1\tempor~1\content.ie5\1xbwylwx\ads_3_~1.sh! c:\docume~1\neil\locals~1\temp\CLCLEA~3.SH!
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [CTSysVol] "c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe" /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\broderbund\printmaster\pmremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: Wallpaper =
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX28.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\neil\applic~1\mozilla\firefox\profiles\c033dkgm.default\
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\gradke~1\dbsign~1\lib\npDBsignWeb.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\verizon\vsp\nprpspa.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-4 108289]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-4 92296]
S2 0233681258576876mcinstcleanup;McAfee Application Installer Cleanup (0233681258576876);c:\windows\temp\023368~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\023368~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2009-11-14 03:06:41 0 d-----w- c:\program files\Trend Micro
2009-11-09 01:17:24 0 d-----w- c:\docume~1\neil\applic~1\Malwarebytes
2009-11-09 01:16:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-09 01:16:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-09 01:16:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-09 01:16:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 23:35:33 0 d-----w- c:\program files\Microsoft Security Essentials
2009-11-05 01:26:14 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-05 01:26:07 0 d-----w- c:\program files\Avira
2009-11-05 01:26:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-11-01 05:36:27 0 d-----w- c:\program files\Radialpoint

==================== Find3M ====================

2009-11-06 05:42:37 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2008-05-09 04:35:21 0 -c--a-w- c:\program files\temp01
2008-10-01 23:53:57 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100120081002\index.dat

============= FINISH: 19:28:17.20 ===============

Attached Files
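The `SERVICES / DRIVERS` lines in the DDS log above (ComboFix prints its driver list in the same layout later in this thread) can be triaged mechanically before a human reads them. The Python below is an added example, not part of the thread and not code from DDS or ComboFix: the regular expression, the reading of the state code (R/S for running/stopped, digit for start type) and the "[?] means the image file was not found" interpretation follow the way these logs are usually read, the eight-letter-name heuristic is my own, and the sample lines are constructed to match the log layout (the two eight-letter driver names are invented).

```python
import re
from dataclasses import dataclass, field

# One service/driver line from the DDS "SERVICES / DRIVERS" section (ComboFix uses the same layout):
#   <state> <name>;<display name>;<image path>[ --> <resolved path>] [<date size> | ?]
# State code as these logs are usually read: R = running, S = stopped,
# digit = start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled).
# A trailing "[?]" means the tool could not find the image file on disk.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)

# Heuristic only (my own, not from the tools): service names that are exactly eight
# lowercase letters have none of the product-like structure legitimate drivers usually carry.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}


@dataclass
class ServiceEntry:
    state: str          # e.g. "S1"
    name: str
    display: str
    resolved: str       # image path after any " --> " resolution
    file_missing: bool  # True when the log shows "[?]"
    reasons: list = field(default_factory=list)

    @property
    def running(self) -> bool:
        return self.state[0] == "R"

    @property
    def start_type(self) -> str:
        return START_TYPES[self.state[1]]


def parse_service_line(line: str):
    """Return a ServiceEntry for a service/driver line, or None for any other log line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    resolved = path.split(" --> ")[-1]   # keep the path the tool resolved, if it printed one
    return ServiceEntry(
        state=m.group("state"),
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        resolved=resolved.strip(),
        file_missing=m.group("info").strip() == "?",
    )


def triage_services(lines):
    """Parse every service line and keep the entries that carry at least one review reason."""
    flagged = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        if entry.file_missing:
            entry.reasons.append("image file not found on disk")
        if RANDOM_NAME_RE.match(entry.name):
            entry.reasons.append("eight-letter lowercase name (random-looking)")
        if entry.state[1] in ("0", "1") and entry.file_missing:
            entry.reasons.append("boot/system-start driver whose file is missing")
        if entry.reasons:
            flagged.append(entry)
    return flagged


# Constructed sample lines following the layout of the logs in this thread;
# the eight-letter driver names are invented for the example.
SAMPLE_LINES = [
    r"R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-4 108289]",
    r"S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]",
    r"S1 qwzxplkm;qwzxplkm;\??\c:\windows\system32\drivers\qwzxplkm.sys --> c:\windows\system32\drivers\qwzxplkm.sys [?]",
    r"S1 hjkltrvb;hjkltrvb;\??\c:\windows\system32\drivers\hjkltrvb.sys --> c:\windows\system32\drivers\hjkltrvb.sys [?]",
    "=============== Created Last 30 ================",
]

if __name__ == "__main__":
    for e in triage_services(SAMPLE_LINES):
        print(f"{e.state} {e.name:<12} start={e.start_type:<8} {e.resolved}")
        for r in e.reasons:
            print(f"    - {r}")
```

The reasons are review cues, not verdicts: a missing file under a recognisable name (the `rootrepeal` entry, left behind by a scanner that was removed) is a leftover to clean up, while several system-start drivers with random-looking names and no file on disk are the pattern worth showing the helper.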



#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:33 AM

Posted 23 November 2009 - 10:32 PM

Hello Neil F :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



OK, the very first thing that will be necessary for you to do in order for me to diagnose your problem is you have to get rid of all of those antivirus programs but one. Having all of those different ones can cause serious issues as they each try to access the computer. It can even cause the machine to lock down. So decide which you want to keep and uninstall the others.


When you have completed that please run the following and post the log it produces in your next reply.


Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.


    Posted Image


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries










Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 Neil F.

Neil F.
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:33 AM

Posted 25 November 2009 - 10:54 AM

All of the scan tools except for McAfee have been removed.

Depending when you get back to me, I might not be able to do anything more due to the holiday and might not reply until Mon evening.

Thanks for the assistance.



GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-25 10:48:43
Windows 5.1.2600 Service Pack 3
Running: kvxoufhf.exe; Driver: C:\DOCUME~1\Neil\LOCALS~1\Temp\pxtdypob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF415B78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF415B821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF415B738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF415B74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF415B835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF415B861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF415B8CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF415B8B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF415B7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF415B8FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF415B80D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF415B710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF415B724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF415B79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF415B937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF415B8A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF415B88D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF415B84B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF415B923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF415B90F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF415B776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF415B762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF415B877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF415B7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF415B8E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF415B7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF415B7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdePort0 [F73BEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F73BEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [F73BEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort2 [F73BEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F73BEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 [F73BEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
---- Processes - GMER 1.0.15 ----

Library c:\PROGRA~1\MID86E~1\shellext.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3092] 0x01100000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{00A2CCDC-4BE0-BECD-A563-A7145AE65077}\InProcServer32@ %SystemRoot%\system32\SHELL32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{00A2CCDC-4BE0-BECD-A563-A7145AE65077}\InProcServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{32C0D695-970E-464D-5B5C-F043F042CA9A}\InprocServer32@ C:\WINDOWS\system32\scrobj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{32C0D695-970E-464D-5B5C-F043F042CA9A}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{32C0D695-970E-464D-5B5C-F043F042CA9A}\ProgID@ script
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\DefaultIcon@ C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\VsaVb7rt.dll,1200
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\InProcServer32@ C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\VsaVb7rt.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\InProcServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\ProgID@ VsaVbRT.7
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\Programmable@
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\TypeLib@ {B87A08A1-143A-40a5-92CA-F0C8C9DC2F30}
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\Version@ 7.0
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\VersionIndependentProgID@ VsaVbRT
Reg HKLM\SOFTWARE\Classes\CLSID\{FF1BDCAA-8D1E-D22E-9984-C1036A48C5FE}\InProcServer32@ %SystemRoot%\System32\GPEdit.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{FF1BDCAA-8D1E-D22E-9984-C1036A48C5FE}\InProcServer32@ThreadingModel Apartment

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
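A GMER report like the one above is easier to review when its findings are grouped: every hooked function under the module that owns it (so that a block of hooks belonging to a named security product can be set aside in one look), and separately the entries GMER could not attribute to a known owner: device-object hooks from an unknown section, libraries hidden from a process, and files reported as modified on disk. The script below is an added example, not part of the thread and not GMER's own code; the regular expressions are my reading of the line layout shown in this log, and the sample report is a short excerpt of the log above. It also cross-checks the last two categories, because the same module turning up as an unattributed device hook and as a modified file on disk is stronger than either finding alone.

```python
import ntpath
import re
from collections import OrderedDict

# Line shapes as they appear in the GMER 1.0.15 report above (regexes are my own):
#   Code <module> (<description>/<vendor>) <function> [<address>]
#   Device <driver object> <device object> [<address>] <module>[unknown section] {<disassembly>}
#   Library <dll path> (*** hidden *** ) @ <process> [<pid>] <base>
#   File <path> suspicious modification
CODE_RE = re.compile(
    r"^Code\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)
UNKNOWN_SECTION_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<module>[^\s\[]+)\[unknown section\]"
)
HIDDEN_LIB_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\*\s*\)\s+@\s+(?P<proc>.+?)\s+\[(?P<pid>\d+)\]"
)
SUSPICIOUS_FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification\s*$")


def triage_gmer(text: str) -> dict:
    """Group GMER findings by owner so a reviewer sees who hooks what and which entries lack an owner."""
    hooks = OrderedDict()       # module path -> {"vendor": str, "functions": [...]}
    unknown_section = []        # device-object hooks GMER could not attribute to a module section
    hidden_libraries = []       # DLLs mapped into a process but hidden from its module list
    suspicious_files = []       # on-disk files GMER reports as modified
    for raw in text.splitlines():
        line = raw.strip()
        if m := CODE_RE.match(line):
            desc = m.group("desc")
            vendor = desc.rsplit("/", 1)[-1].strip() if "/" in desc else ""
            owner = hooks.setdefault(m.group("module"), {"vendor": vendor, "functions": []})
            owner["functions"].append(m.group("func"))
        elif m := UNKNOWN_SECTION_RE.match(line):
            unknown_section.append(
                {"device": m.group("device"), "module": m.group("module"), "addr": m.group("addr")}
            )
        elif m := HIDDEN_LIB_RE.match(line):
            hidden_libraries.append(
                {"path": m.group("path"), "process": m.group("proc"), "pid": int(m.group("pid"))}
            )
        elif m := SUSPICIOUS_FILE_RE.match(line):
            suspicious_files.append(m.group("path"))
    return {
        "hooks": hooks,
        "unknown_section": unknown_section,
        "hidden_libraries": hidden_libraries,
        "suspicious_files": suspicious_files,
    }


def corroborated_modules(report: dict) -> set:
    """Modules that both hook a device object from an unknown section and are reported modified on disk."""
    modified = {ntpath.basename(p).lower() for p in report["suspicious_files"]}  # ntpath: Windows paths
    hooked = {d["module"].lower() for d in report["unknown_section"]}
    return modified & hooked


def unattributed_hook_owners(report: dict) -> list:
    """Hook owners GMER printed without a vendor string; these need a closer look than a named product."""
    return [mod for mod, info in report["hooks"].items() if not info["vendor"]]


# Short excerpt of the GMER log posted above, used here as the sample input.
SAMPLE_GMER = "\n".join([
    r"---- System - GMER 1.0.15 ----",
    r"Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF415B78A]",
    r"Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF415B821]",
    r"Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile",
    r"---- Devices - GMER 1.0.15 ----",
    r"AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)",
    r"Device \Driver\atapi \Device\Ide\IdePort0 [F73BEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}",
    r"Device \Driver\atapi \Device\Ide\IdePort1 [F73BEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}",
    r"---- Processes - GMER 1.0.15 ----",
    r"Library c:\PROGRA~1\MID86E~1\shellext.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3092] 0x01100000",
    r"---- Files - GMER 1.0.15 ----",
    r"File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification",
])

if __name__ == "__main__":
    report = triage_gmer(SAMPLE_GMER)
    for module, info in report["hooks"].items():
        print(f"{len(info['functions'])} hooks owned by {module} ({info['vendor'] or 'no vendor'})")
    print("unattributed hook owners:", unattributed_hook_owners(report))
    print("unknown-section device hooks:", [d["device"] for d in report["unknown_section"]])
    print("hidden libraries:", [l["path"] for l in report["hidden_libraries"]])
    print("modified files:", report["suspicious_files"])
    print("corroborated modules:", corroborated_modules(report))
```

The grouping is for review, not for automatic action: as the helper notes in this thread, rootkit scans produce false positives, and a long list of hooks owned by one named security product is exactly the kind of entry that looks alarming on its own but is explained by the vendor string.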

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:33 AM

Posted 25 November 2009 - 12:59 PM

You're welcome. When you get a chance, do the following:


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 Neil F.

Neil F.
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:33 AM

Posted 01 December 2009 - 12:53 PM

Sorry for the delay. I had problems getting ComboFix to download and run. I'm not sure if McAfee caused issues. I had it disabled and set to restart on computer restart. When ComboFix was running it rebooted, and I'm not sure if McAfee restarted during the ComboFix reboot.

ComboFix 09-11-30.02 - Neil 12/01/2009 1:29.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.564 [GMT -5:00]
Running from: c:\documents and settings\Neil\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Neil\Application Data\Install.dat
C:\Microsoft
c:\microsoft\Internet Explorer\Quick Launch\Corel Paint Shop Pro X.lnk
C:\Thumbs.db
c:\windows\kb913800.exe
c:\windows\system32\_004143_.tmp.dll
c:\windows\system32\_004144_.tmp.dll
c:\windows\system32\_004145_.tmp.dll
c:\windows\system32\_004146_.tmp.dll
c:\windows\system32\_004152_.tmp.dll
c:\windows\system32\_004153_.tmp.dll
c:\windows\system32\_004154_.tmp.dll
c:\windows\system32\_004155_.tmp.dll
c:\windows\system32\_004156_.tmp.dll
c:\windows\system32\_004157_.tmp.dll
c:\windows\system32\_004158_.tmp.dll
c:\windows\system32\_004159_.tmp.dll
c:\windows\system32\_004160_.tmp.dll
c:\windows\system32\_004161_.tmp.dll
c:\windows\system32\_004162_.tmp.dll
c:\windows\system32\_004163_.tmp.dll
c:\windows\system32\_004164_.tmp.dll
c:\windows\system32\_004165_.tmp.dll
c:\windows\system32\_004166_.tmp.dll
c:\windows\system32\_004167_.tmp.dll
c:\windows\system32\_004169_.tmp.dll
c:\windows\system32\_004170_.tmp.dll
c:\windows\system32\_004172_.tmp.dll
c:\windows\system32\_004173_.tmp.dll
c:\windows\system32\_004177_.tmp.dll
c:\windows\system32\_004178_.tmp.dll
c:\windows\system32\_004180_.tmp.dll
c:\windows\system32\_004181_.tmp.dll
c:\windows\system32\_004182_.tmp.dll
c:\windows\system32\_004183_.tmp.dll
c:\windows\system32\_004184_.tmp.dll
c:\windows\system32\_004185_.tmp.dll
c:\windows\system32\_004187_.tmp.dll
c:\windows\system32\_004188_.tmp.dll
c:\windows\system32\_004189_.tmp.dll
c:\windows\system32\_004191_.tmp.dll
c:\windows\system32\_004192_.tmp.dll
c:\windows\system32\_004193_.tmp.dll
c:\windows\system32\_004194_.tmp.dll
c:\windows\system32\_004195_.tmp.dll
c:\windows\system32\_004196_.tmp.dll
c:\windows\system32\_004197_.tmp.dll
c:\windows\system32\_004198_.tmp.dll
c:\windows\system32\_004200_.tmp.dll
c:\windows\system32\_004201_.tmp.dll
c:\windows\system32\_004202_.tmp.dll
c:\windows\system32\_004203_.tmp.dll
c:\windows\system32\_004204_.tmp.dll
c:\windows\system32\_004206_.tmp.dll
c:\windows\system32\_004207_.tmp.dll
c:\windows\system32\_004208_.tmp.dll
c:\windows\system32\_004210_.tmp.dll
c:\windows\system32\_004211_.tmp.dll
c:\windows\system32\_004213_.tmp.dll
c:\windows\system32\_004214_.tmp.dll
c:\windows\system32\_004218_.tmp.dll
c:\windows\system32\_004219_.tmp.dll
c:\windows\system32\_004221_.tmp.dll
c:\windows\system32\_004224_.tmp.dll
c:\windows\system32\_004226_.tmp.dll
c:\windows\system32\_004227_.tmp.dll
c:\windows\system32\_004228_.tmp.dll
c:\windows\system32\_004229_.tmp.dll
c:\windows\system32\_004232_.tmp.dll
c:\windows\system32\_004233_.tmp.dll
c:\windows\system32\_004234_.tmp.dll
c:\windows\system32\_004235_.tmp.dll
c:\windows\system32\_004236_.tmp.dll
c:\windows\system32\_004241_.tmp.dll
c:\windows\system32\_004243_.tmp.dll
c:\windows\system32\_004244_.tmp.dll
c:\windows\system32\Data
c:\windows\system32\drivers\inetx26.img
c:\windows\system32\dumphive.exe
c:\windows\system32\SET40C.tmp
c:\windows\system32\SET576.tmp
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tdlcmd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_USBAAPL


((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))
.

2009-12-01 06:18 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-19 11:40 . 2009-11-19 11:40 -------- d-----w- c:\documents and settings\Angela\Application Data\Malwarebytes
2009-11-14 03:21 . 2009-11-14 03:21 -------- d-----w- c:\documents and settings\Neil\Local Settings\Application Data\Threat Expert
2009-11-14 03:06 . 2009-11-14 03:06 -------- d-----w- c:\program files\Trend Micro
2009-11-10 02:21 . 2009-11-10 02:21 -------- d-----w- c:\documents and settings\Neil Jr\Application Data\Malwarebytes
2009-11-09 01:17 . 2009-11-09 01:17 -------- d-----w- c:\documents and settings\Neil\Application Data\Malwarebytes
2009-11-09 01:16 . 2009-11-09 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-09 01:16 . 2009-11-25 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 00:15 . 2009-11-08 00:39 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-05 01:26 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 06:25 . 2009-06-05 00:45 -------- d-----w- c:\program files\McAfee
2009-11-25 18:38 . 2009-02-11 21:54 -------- d-----w- c:\program files\eGames
2009-11-25 03:14 . 2007-01-20 19:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 03:14 . 2007-01-20 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-25 03:10 . 2006-05-20 21:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-15 00:47 . 2008-05-09 04:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-14 00:14 . 2009-06-09 21:40 -------- d-----w- c:\program files\Coupons
2009-11-06 05:42 . 2006-06-28 22:33 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-06 04:56 . 2006-06-28 22:33 88 --sh--r- c:\windows\system32\240C7418F5.sys
2009-11-03 01:42 . 2009-10-03 03:39 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-03 00:57 . 2008-11-14 05:25 -------- d-----w- c:\documents and settings\Angela\Application Data\AdobeUM
2009-11-01 05:37 . 2006-06-24 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon
2009-11-01 05:37 . 2006-06-24 18:32 -------- d-----w- c:\program files\Verizon
2009-11-01 05:36 . 2009-11-01 05:36 1511184 ----a-w- c:\documents and settings\Neil\Application Data\Verizon\VSP\downloads\Verizon_Servicepoint_Setup_SA.18467.exe.dir\Verizon_Servicepoint_Setup_SA.exe
2009-11-01 05:36 . 2009-11-01 05:36 -------- d-----w- c:\program files\Radialpoint
2009-11-01 05:36 . 2009-11-01 05:36 2345400 ----a-w- c:\documents and settings\Neil\Application Data\Verizon\VSP\downloads\sa.41.exe.dir\sa.exe
2009-10-17 23:41 . 2009-10-17 23:41 48 ----a-w- c:\documents and settings\Neil\768.tmp
2009-10-14 23:38 . 2009-02-15 23:57 664 ----a-w- c:\documents and settings\Neil Jr\Local Settings\Application Data\d3d9caps.tmp
2009-10-04 03:53 . 2006-06-24 23:21 -------- d-----w- c:\program files\Common Files\PestPatrol
2009-10-04 03:45 . 2009-05-16 00:37 -------- d-----w- c:\program files\SSI
2009-10-04 03:43 . 2007-03-23 02:00 -------- d-----w- c:\program files\Yahoo!
2009-09-16 14:22 . 2009-06-05 00:46 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-06-05 00:46 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-06-05 00:46 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-03-25 15:06 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-06-05 00:41 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2008-08-31 00:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2005-08-16 08:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2008-05-09 04:35 . 2008-05-09 04:35 0 -c--a-w- c:\program files\temp01
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\pmremind.exe [2007-6-12 331776]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/4/2009 7:50 PM 93320]
S1 abcfyync;abcfyync;\??\c:\windows\system32\drivers\abcfyync.sys --> c:\windows\system32\drivers\abcfyync.sys [?]
S1 ahcbvfhh;ahcbvfhh;\??\c:\windows\system32\drivers\ahcbvfhh.sys --> c:\windows\system32\drivers\ahcbvfhh.sys [?]
S1 amdntzfj;amdntzfj;\??\c:\windows\system32\drivers\amdntzfj.sys --> c:\windows\system32\drivers\amdntzfj.sys [?]
S1 aqqemusx;aqqemusx;\??\c:\windows\system32\drivers\aqqemusx.sys --> c:\windows\system32\drivers\aqqemusx.sys [?]
S1 beqfflxn;beqfflxn;\??\c:\windows\system32\drivers\beqfflxn.sys --> c:\windows\system32\drivers\beqfflxn.sys [?]
S1 bfnhivvb;bfnhivvb;\??\c:\windows\system32\drivers\bfnhivvb.sys --> c:\windows\system32\drivers\bfnhivvb.sys [?]
S1 bvfwkozr;bvfwkozr;\??\c:\windows\system32\drivers\bvfwkozr.sys --> c:\windows\system32\drivers\bvfwkozr.sys [?]
S1 cdkqytmg;cdkqytmg;\??\c:\windows\system32\drivers\cdkqytmg.sys --> c:\windows\system32\drivers\cdkqytmg.sys [?]
S1 cetgyrju;cetgyrju;\??\c:\windows\system32\drivers\cetgyrju.sys --> c:\windows\system32\drivers\cetgyrju.sys [?]
S1 chsfmuqb;chsfmuqb;\??\c:\windows\system32\drivers\chsfmuqb.sys --> c:\windows\system32\drivers\chsfmuqb.sys [?]
S1 dkduysfb;dkduysfb;\??\c:\windows\system32\drivers\dkduysfb.sys --> c:\windows\system32\drivers\dkduysfb.sys [?]
S1 drcoqflm;drcoqflm;\??\c:\windows\system32\drivers\drcoqflm.sys --> c:\windows\system32\drivers\drcoqflm.sys [?]
S1 drvuqirn;drvuqirn;\??\c:\windows\system32\drivers\drvuqirn.sys --> c:\windows\system32\drivers\drvuqirn.sys [?]
S1 ewkvlarj;ewkvlarj;\??\c:\windows\system32\drivers\ewkvlarj.sys --> c:\windows\system32\drivers\ewkvlarj.sys [?]
S1 exdblohv;exdblohv;\??\c:\windows\system32\drivers\exdblohv.sys --> c:\windows\system32\drivers\exdblohv.sys [?]
S1 eynecijc;eynecijc;\??\c:\windows\system32\drivers\eynecijc.sys --> c:\windows\system32\drivers\eynecijc.sys [?]
S1 eztvroro;eztvroro;\??\c:\windows\system32\drivers\eztvroro.sys --> c:\windows\system32\drivers\eztvroro.sys [?]
S1 fbeebtln;fbeebtln;\??\c:\windows\system32\drivers\fbeebtln.sys --> c:\windows\system32\drivers\fbeebtln.sys [?]
S1 fbohxcrf;fbohxcrf;\??\c:\windows\system32\drivers\fbohxcrf.sys --> c:\windows\system32\drivers\fbohxcrf.sys [?]
S1 fdhxtbap;fdhxtbap;\??\c:\windows\system32\drivers\fdhxtbap.sys --> c:\windows\system32\drivers\fdhxtbap.sys [?]
S1 fgowqlzq;fgowqlzq;\??\c:\windows\system32\drivers\fgowqlzq.sys --> c:\windows\system32\drivers\fgowqlzq.sys [?]
S1 fjezadka;fjezadka;\??\c:\windows\system32\drivers\fjezadka.sys --> c:\windows\system32\drivers\fjezadka.sys [?]
S1 fnfydesp;fnfydesp;\??\c:\windows\system32\drivers\fnfydesp.sys --> c:\windows\system32\drivers\fnfydesp.sys [?]
S1 fryfmxlq;fryfmxlq;\??\c:\windows\system32\drivers\fryfmxlq.sys --> c:\windows\system32\drivers\fryfmxlq.sys [?]
S1 gdgnzfqz;gdgnzfqz;\??\c:\windows\system32\drivers\gdgnzfqz.sys --> c:\windows\system32\drivers\gdgnzfqz.sys [?]
S1 ghzrptkn;ghzrptkn;\??\c:\windows\system32\drivers\ghzrptkn.sys --> c:\windows\system32\drivers\ghzrptkn.sys [?]
S1 glotwjcr;glotwjcr;\??\c:\windows\system32\drivers\glotwjcr.sys --> c:\windows\system32\drivers\glotwjcr.sys [?]
S1 gsltkuvc;gsltkuvc;\??\c:\windows\system32\drivers\gsltkuvc.sys --> c:\windows\system32\drivers\gsltkuvc.sys [?]
S1 gssqtoot;gssqtoot;\??\c:\windows\system32\drivers\gssqtoot.sys --> c:\windows\system32\drivers\gssqtoot.sys [?]
S1 haffsaka;haffsaka;\??\c:\windows\system32\drivers\haffsaka.sys --> c:\windows\system32\drivers\haffsaka.sys [?]
S1 hececfby;hececfby;\??\c:\windows\system32\drivers\hececfby.sys --> c:\windows\system32\drivers\hececfby.sys [?]
S1 hgtnrdev;hgtnrdev;\??\c:\windows\system32\drivers\hgtnrdev.sys --> c:\windows\system32\drivers\hgtnrdev.sys [?]
S1 hlpwkmwx;hlpwkmwx;\??\c:\windows\system32\drivers\hlpwkmwx.sys --> c:\windows\system32\drivers\hlpwkmwx.sys [?]
S1 hpdaxvdw;hpdaxvdw;\??\c:\windows\system32\drivers\hpdaxvdw.sys --> c:\windows\system32\drivers\hpdaxvdw.sys [?]
S1 hqolxvrh;hqolxvrh;\??\c:\windows\system32\drivers\hqolxvrh.sys --> c:\windows\system32\drivers\hqolxvrh.sys [?]
S1 hwglewyj;hwglewyj;\??\c:\windows\system32\drivers\hwglewyj.sys --> c:\windows\system32\drivers\hwglewyj.sys [?]
S1 hzgcjwek;hzgcjwek;\??\c:\windows\system32\drivers\hzgcjwek.sys --> c:\windows\system32\drivers\hzgcjwek.sys [?]
S1 hzrdpcue;hzrdpcue;\??\c:\windows\system32\drivers\hzrdpcue.sys --> c:\windows\system32\drivers\hzrdpcue.sys [?]
S1 ihqlezvh;ihqlezvh;\??\c:\windows\system32\drivers\ihqlezvh.sys --> c:\windows\system32\drivers\ihqlezvh.sys [?]
S1 imvbrpnd;imvbrpnd;\??\c:\windows\system32\drivers\imvbrpnd.sys --> c:\windows\system32\drivers\imvbrpnd.sys [?]
S1 iwoavltw;iwoavltw;\??\c:\windows\system32\drivers\iwoavltw.sys --> c:\windows\system32\drivers\iwoavltw.sys [?]
S1 kayyvnft;kayyvnft;\??\c:\windows\system32\drivers\kayyvnft.sys --> c:\windows\system32\drivers\kayyvnft.sys [?]
S1 kpqkggws;kpqkggws;\??\c:\windows\system32\drivers\kpqkggws.sys --> c:\windows\system32\drivers\kpqkggws.sys [?]
S1 laswbkfg;laswbkfg;\??\c:\windows\system32\drivers\laswbkfg.sys --> c:\windows\system32\drivers\laswbkfg.sys [?]
S1 ljcdemch;ljcdemch;\??\c:\windows\system32\drivers\ljcdemch.sys --> c:\windows\system32\drivers\ljcdemch.sys [?]
S1 mgqbakra;mgqbakra;\??\c:\windows\system32\drivers\mgqbakra.sys --> c:\windows\system32\drivers\mgqbakra.sys [?]
S1 mhhbymah;mhhbymah;\??\c:\windows\system32\drivers\mhhbymah.sys --> c:\windows\system32\drivers\mhhbymah.sys [?]
S1 mkffxsvf;mkffxsvf;\??\c:\windows\system32\drivers\mkffxsvf.sys --> c:\windows\system32\drivers\mkffxsvf.sys [?]
S1 nhhaihuc;nhhaihuc;\??\c:\windows\system32\drivers\nhhaihuc.sys --> c:\windows\system32\drivers\nhhaihuc.sys [?]
S1 ntatbfaq;ntatbfaq;\??\c:\windows\system32\drivers\ntatbfaq.sys --> c:\windows\system32\drivers\ntatbfaq.sys [?]
S1 ofckhzoe;ofckhzoe;\??\c:\windows\system32\drivers\ofckhzoe.sys --> c:\windows\system32\drivers\ofckhzoe.sys [?]
S1 opuszwri;opuszwri;\??\c:\windows\system32\drivers\opuszwri.sys --> c:\windows\system32\drivers\opuszwri.sys [?]
S1 pajxducg;pajxducg;\??\c:\windows\system32\drivers\pajxducg.sys --> c:\windows\system32\drivers\pajxducg.sys [?]
S1 plbzxfcf;plbzxfcf;\??\c:\windows\system32\drivers\plbzxfcf.sys --> c:\windows\system32\drivers\plbzxfcf.sys [?]
S1 qjrqrybx;qjrqrybx;\??\c:\windows\system32\drivers\qjrqrybx.sys --> c:\windows\system32\drivers\qjrqrybx.sys [?]
S1 qmvhlxph;qmvhlxph;\??\c:\windows\system32\drivers\qmvhlxph.sys --> c:\windows\system32\drivers\qmvhlxph.sys [?]
S1 qvpybsri;qvpybsri;\??\c:\windows\system32\drivers\qvpybsri.sys --> c:\windows\system32\drivers\qvpybsri.sys [?]
S1 rcjgrfnd;rcjgrfnd;\??\c:\windows\system32\drivers\rcjgrfnd.sys --> c:\windows\system32\drivers\rcjgrfnd.sys [?]
S1 rvefqhaz;rvefqhaz;\??\c:\windows\system32\drivers\rvefqhaz.sys --> c:\windows\system32\drivers\rvefqhaz.sys [?]
S1 rvzbsnpv;rvzbsnpv;\??\c:\windows\system32\drivers\rvzbsnpv.sys --> c:\windows\system32\drivers\rvzbsnpv.sys [?]
S1 stwkxwjv;stwkxwjv;\??\c:\windows\system32\drivers\stwkxwjv.sys --> c:\windows\system32\drivers\stwkxwjv.sys [?]
S1 tafckzib;tafckzib;\??\c:\windows\system32\drivers\tafckzib.sys --> c:\windows\system32\drivers\tafckzib.sys [?]
S1 ubuwizvq;ubuwizvq;\??\c:\windows\system32\drivers\ubuwizvq.sys --> c:\windows\system32\drivers\ubuwizvq.sys [?]
S1 ukdkyjez;ukdkyjez;\??\c:\windows\system32\drivers\ukdkyjez.sys --> c:\windows\system32\drivers\ukdkyjez.sys [?]
S1 uokayfdu;uokayfdu;\??\c:\windows\system32\drivers\uokayfdu.sys --> c:\windows\system32\drivers\uokayfdu.sys [?]
S1 uupvefoo;uupvefoo;\??\c:\windows\system32\drivers\uupvefoo.sys --> c:\windows\system32\drivers\uupvefoo.sys [?]
S1 uytwsmjt;uytwsmjt;\??\c:\windows\system32\drivers\uytwsmjt.sys --> c:\windows\system32\drivers\uytwsmjt.sys [?]
S1 vmjhsenf;vmjhsenf;\??\c:\windows\system32\drivers\vmjhsenf.sys --> c:\windows\system32\drivers\vmjhsenf.sys [?]
S1 wtzyacpn;wtzyacpn;\??\c:\windows\system32\drivers\wtzyacpn.sys --> c:\windows\system32\drivers\wtzyacpn.sys [?]
S1 wvddympa;wvddympa;\??\c:\windows\system32\drivers\wvddympa.sys --> c:\windows\system32\drivers\wvddympa.sys [?]
S1 xcsjbsoq;xcsjbsoq;\??\c:\windows\system32\drivers\xcsjbsoq.sys --> c:\windows\system32\drivers\xcsjbsoq.sys [?]
S1 xdzqtkhi;xdzqtkhi;\??\c:\windows\system32\drivers\xdzqtkhi.sys --> c:\windows\system32\drivers\xdzqtkhi.sys [?]
S1 xjollobs;xjollobs;\??\c:\windows\system32\drivers\xjollobs.sys --> c:\windows\system32\drivers\xjollobs.sys [?]
S1 xorddnis;xorddnis;\??\c:\windows\system32\drivers\xorddnis.sys --> c:\windows\system32\drivers\xorddnis.sys [?]
S1 ydfcqujv;ydfcqujv;\??\c:\windows\system32\drivers\ydfcqujv.sys --> c:\windows\system32\drivers\ydfcqujv.sys [?]
S1 yjrqordz;yjrqordz;\??\c:\windows\system32\drivers\yjrqordz.sys --> c:\windows\system32\drivers\yjrqordz.sys [?]
S1 ytotmeei;ytotmeei;\??\c:\windows\system32\drivers\ytotmeei.sys --> c:\windows\system32\drivers\ytotmeei.sys [?]
S1 zsezxgzj;zsezxgzj;\??\c:\windows\system32\drivers\zsezxgzj.sys --> c:\windows\system32\drivers\zsezxgzj.sys [?]
S1 zvncwnvg;zvncwnvg;\??\c:\windows\system32\drivers\zvncwnvg.sys --> c:\windows\system32\drivers\zvncwnvg.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-05 16:22]

2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-05 16:22]

2009-12-01 c:\windows\Tasks\User_Feed_Synchronization-{016563C6-17B5-4326-B4D2-47987513EE8A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Neil\Application Data\Mozilla\Firefox\Profiles\c033dkgm.default\
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\GRADKE~1\DBSIGN~1\lib\npDBsignWeb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Verizon\VSP\nprpspa.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
AddRemove-Sound Blaster Audigy ADVANCED MB Windows Drivers - c:\program files\Creative\SBAudigy\Program\CTZapxx.EXE ctsbmb.ini
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 12:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x871CDF61]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75c0f28
\Driver\ACPI -> ACPI.sys @ 0xf7453cb8
\Driver\atapi -> atapi.sys @ 0xf73e8b3a
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Dynex DX-E101 PCI Fast Ethernet Adapter (rev.F1) -> SendCompleteHandler -> NDIS.sys @ 0xf72dbbb0
PacketIndicateHandler -> NDIS.sys @ 0xf72caa0d
SendHandler -> NDIS.sys @ 0xf72deb40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3330607417-1489096790-3342882160-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:1b,66,ef,35,33,1f,40,04,d5,59,2e,c9,b9,2c,38,91,b2,2d,67,df,20,8b,19,
b8,8e,10,4c,83,b9,2b,41,ec,5a,b0,44,ef,7b,77,42,f7,32,ab,5c,db,1e,6f,0e,93,\
"??"=hex:68,79,cc,6e,24,e0,00,d9,12,cb,6a,5e,7c,e3,5a,1e
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(896)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3456)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee\msc\mcupdmgr.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\Rundll32.exe
c:\windows\eHome\ehmsas.exe
c:\docume~1\Neil\LOCALS~1\Temp\clclean.0001
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-01 12:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-01 17:40

Pre-Run: 25,372,516,352 bytes free
Post-Run: 25,700,540,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - FEA46C65DEEA6B4C36C94B970639297D

Edited by Neil F., 01 December 2009 - 12:57 PM.


#8 Neil F.

Neil F.
  • Topic Starter
  • Members
  • 15 posts

Posted 01 December 2009 - 03:49 PM

I ran it again.

ComboFix 09-11-30.02 - Neil 12/01/2009 14:36.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.578 [GMT -5:00]
Running from: c:\documents and settings\Neil\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))
.

2009-12-01 06:18 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-19 11:40 . 2009-11-19 11:40 -------- d-----w- c:\documents and settings\Angela\Application Data\Malwarebytes
2009-11-14 03:21 . 2009-11-14 03:21 -------- d-----w- c:\documents and settings\Neil\Local Settings\Application Data\Threat Expert
2009-11-14 03:06 . 2009-11-14 03:06 -------- d-----w- c:\program files\Trend Micro
2009-11-10 02:21 . 2009-11-10 02:21 -------- d-----w- c:\documents and settings\Neil Jr\Application Data\Malwarebytes
2009-11-09 01:17 . 2009-11-09 01:17 -------- d-----w- c:\documents and settings\Neil\Application Data\Malwarebytes
2009-11-09 01:16 . 2009-11-09 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-09 01:16 . 2009-11-25 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 00:15 . 2009-11-08 00:39 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-05 01:26 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 06:25 . 2009-06-05 00:45 -------- d-----w- c:\program files\McAfee
2009-11-25 18:38 . 2009-02-11 21:54 -------- d-----w- c:\program files\eGames
2009-11-25 03:14 . 2007-01-20 19:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 03:14 . 2007-01-20 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-25 03:10 . 2006-05-20 21:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-15 00:47 . 2008-05-09 04:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-14 00:14 . 2009-06-09 21:40 -------- d-----w- c:\program files\Coupons
2009-11-06 05:42 . 2006-06-28 22:33 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-06 04:56 . 2006-06-28 22:33 88 --sh--r- c:\windows\system32\240C7418F5.sys
2009-11-03 01:42 . 2009-10-03 03:39 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-03 00:57 . 2008-11-14 05:25 -------- d-----w- c:\documents and settings\Angela\Application Data\AdobeUM
2009-11-01 05:37 . 2006-06-24 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon
2009-11-01 05:37 . 2006-06-24 18:32 -------- d-----w- c:\program files\Verizon
2009-11-01 05:36 . 2009-11-01 05:36 1511184 ----a-w- c:\documents and settings\Neil\Application Data\Verizon\VSP\downloads\Verizon_Servicepoint_Setup_SA.18467.exe.dir\Verizon_Servicepoint_Setup_SA.exe
2009-11-01 05:36 . 2009-11-01 05:36 -------- d-----w- c:\program files\Radialpoint
2009-11-01 05:36 . 2009-11-01 05:36 2345400 ----a-w- c:\documents and settings\Neil\Application Data\Verizon\VSP\downloads\sa.41.exe.dir\sa.exe
2009-10-17 23:41 . 2009-10-17 23:41 48 ----a-w- c:\documents and settings\Neil\768.tmp
2009-10-14 23:38 . 2009-02-15 23:57 664 ----a-w- c:\documents and settings\Neil Jr\Local Settings\Application Data\d3d9caps.tmp
2009-10-04 03:53 . 2006-06-24 23:21 -------- d-----w- c:\program files\Common Files\PestPatrol
2009-10-04 03:45 . 2009-05-16 00:37 -------- d-----w- c:\program files\SSI
2009-10-04 03:43 . 2007-03-23 02:00 -------- d-----w- c:\program files\Yahoo!
2009-09-16 14:22 . 2009-06-05 00:46 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-06-05 00:46 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-06-05 00:46 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-03-25 15:06 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-06-05 00:41 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2008-08-31 00:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2005-08-16 08:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2008-05-09 04:35 . 2008-05-09 04:35 0 -c--a-w- c:\program files\temp01
.

((((((((((((((((((((((((((((( SnapShot@2009-12-01_17.30.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-05-26 01:10 . 2009-12-01 17:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-26 01:10 . 2009-12-01 17:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-29 23:46 . 2009-12-01 17:27 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-06-29 23:46 . 2009-12-01 17:46 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2006-05-26 01:10 . 2009-12-01 17:46 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-05-26 01:10 . 2009-12-01 17:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\pmremind.exe [2007-6-12 331776]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/4/2009 7:50 PM 93320]
S1 abcfyync;abcfyync;\??\c:\windows\system32\drivers\abcfyync.sys --> c:\windows\system32\drivers\abcfyync.sys [?]
S1 ahcbvfhh;ahcbvfhh;\??\c:\windows\system32\drivers\ahcbvfhh.sys --> c:\windows\system32\drivers\ahcbvfhh.sys [?]
S1 amdntzfj;amdntzfj;\??\c:\windows\system32\drivers\amdntzfj.sys --> c:\windows\system32\drivers\amdntzfj.sys [?]
S1 aqqemusx;aqqemusx;\??\c:\windows\system32\drivers\aqqemusx.sys --> c:\windows\system32\drivers\aqqemusx.sys [?]
S1 beqfflxn;beqfflxn;\??\c:\windows\system32\drivers\beqfflxn.sys --> c:\windows\system32\drivers\beqfflxn.sys [?]
S1 bfnhivvb;bfnhivvb;\??\c:\windows\system32\drivers\bfnhivvb.sys --> c:\windows\system32\drivers\bfnhivvb.sys [?]
S1 bvfwkozr;bvfwkozr;\??\c:\windows\system32\drivers\bvfwkozr.sys --> c:\windows\system32\drivers\bvfwkozr.sys [?]
S1 cdkqytmg;cdkqytmg;\??\c:\windows\system32\drivers\cdkqytmg.sys --> c:\windows\system32\drivers\cdkqytmg.sys [?]
S1 cetgyrju;cetgyrju;\??\c:\windows\system32\drivers\cetgyrju.sys --> c:\windows\system32\drivers\cetgyrju.sys [?]
S1 chsfmuqb;chsfmuqb;\??\c:\windows\system32\drivers\chsfmuqb.sys --> c:\windows\system32\drivers\chsfmuqb.sys [?]
S1 dkduysfb;dkduysfb;\??\c:\windows\system32\drivers\dkduysfb.sys --> c:\windows\system32\drivers\dkduysfb.sys [?]
S1 drcoqflm;drcoqflm;\??\c:\windows\system32\drivers\drcoqflm.sys --> c:\windows\system32\drivers\drcoqflm.sys [?]
S1 drvuqirn;drvuqirn;\??\c:\windows\system32\drivers\drvuqirn.sys --> c:\windows\system32\drivers\drvuqirn.sys [?]
S1 ewkvlarj;ewkvlarj;\??\c:\windows\system32\drivers\ewkvlarj.sys --> c:\windows\system32\drivers\ewkvlarj.sys [?]
S1 exdblohv;exdblohv;\??\c:\windows\system32\drivers\exdblohv.sys --> c:\windows\system32\drivers\exdblohv.sys [?]
S1 eynecijc;eynecijc;\??\c:\windows\system32\drivers\eynecijc.sys --> c:\windows\system32\drivers\eynecijc.sys [?]
S1 eztvroro;eztvroro;\??\c:\windows\system32\drivers\eztvroro.sys --> c:\windows\system32\drivers\eztvroro.sys [?]
S1 fbeebtln;fbeebtln;\??\c:\windows\system32\drivers\fbeebtln.sys --> c:\windows\system32\drivers\fbeebtln.sys [?]
S1 fbohxcrf;fbohxcrf;\??\c:\windows\system32\drivers\fbohxcrf.sys --> c:\windows\system32\drivers\fbohxcrf.sys [?]
S1 fdhxtbap;fdhxtbap;\??\c:\windows\system32\drivers\fdhxtbap.sys --> c:\windows\system32\drivers\fdhxtbap.sys [?]
S1 fgowqlzq;fgowqlzq;\??\c:\windows\system32\drivers\fgowqlzq.sys --> c:\windows\system32\drivers\fgowqlzq.sys [?]
S1 fjezadka;fjezadka;\??\c:\windows\system32\drivers\fjezadka.sys --> c:\windows\system32\drivers\fjezadka.sys [?]
S1 fnfydesp;fnfydesp;\??\c:\windows\system32\drivers\fnfydesp.sys --> c:\windows\system32\drivers\fnfydesp.sys [?]
S1 fryfmxlq;fryfmxlq;\??\c:\windows\system32\drivers\fryfmxlq.sys --> c:\windows\system32\drivers\fryfmxlq.sys [?]
S1 gdgnzfqz;gdgnzfqz;\??\c:\windows\system32\drivers\gdgnzfqz.sys --> c:\windows\system32\drivers\gdgnzfqz.sys [?]
S1 ghzrptkn;ghzrptkn;\??\c:\windows\system32\drivers\ghzrptkn.sys --> c:\windows\system32\drivers\ghzrptkn.sys [?]
S1 glotwjcr;glotwjcr;\??\c:\windows\system32\drivers\glotwjcr.sys --> c:\windows\system32\drivers\glotwjcr.sys [?]
S1 gsltkuvc;gsltkuvc;\??\c:\windows\system32\drivers\gsltkuvc.sys --> c:\windows\system32\drivers\gsltkuvc.sys [?]
S1 gssqtoot;gssqtoot;\??\c:\windows\system32\drivers\gssqtoot.sys --> c:\windows\system32\drivers\gssqtoot.sys [?]
S1 haffsaka;haffsaka;\??\c:\windows\system32\drivers\haffsaka.sys --> c:\windows\system32\drivers\haffsaka.sys [?]
S1 hececfby;hececfby;\??\c:\windows\system32\drivers\hececfby.sys --> c:\windows\system32\drivers\hececfby.sys [?]
S1 hgtnrdev;hgtnrdev;\??\c:\windows\system32\drivers\hgtnrdev.sys --> c:\windows\system32\drivers\hgtnrdev.sys [?]
S1 hlpwkmwx;hlpwkmwx;\??\c:\windows\system32\drivers\hlpwkmwx.sys --> c:\windows\system32\drivers\hlpwkmwx.sys [?]
S1 hpdaxvdw;hpdaxvdw;\??\c:\windows\system32\drivers\hpdaxvdw.sys --> c:\windows\system32\drivers\hpdaxvdw.sys [?]
S1 hqolxvrh;hqolxvrh;\??\c:\windows\system32\drivers\hqolxvrh.sys --> c:\windows\system32\drivers\hqolxvrh.sys [?]
S1 hwglewyj;hwglewyj;\??\c:\windows\system32\drivers\hwglewyj.sys --> c:\windows\system32\drivers\hwglewyj.sys [?]
S1 hzgcjwek;hzgcjwek;\??\c:\windows\system32\drivers\hzgcjwek.sys --> c:\windows\system32\drivers\hzgcjwek.sys [?]
S1 hzrdpcue;hzrdpcue;\??\c:\windows\system32\drivers\hzrdpcue.sys --> c:\windows\system32\drivers\hzrdpcue.sys [?]
S1 ihqlezvh;ihqlezvh;\??\c:\windows\system32\drivers\ihqlezvh.sys --> c:\windows\system32\drivers\ihqlezvh.sys [?]
S1 imvbrpnd;imvbrpnd;\??\c:\windows\system32\drivers\imvbrpnd.sys --> c:\windows\system32\drivers\imvbrpnd.sys [?]
S1 iwoavltw;iwoavltw;\??\c:\windows\system32\drivers\iwoavltw.sys --> c:\windows\system32\drivers\iwoavltw.sys [?]
S1 kayyvnft;kayyvnft;\??\c:\windows\system32\drivers\kayyvnft.sys --> c:\windows\system32\drivers\kayyvnft.sys [?]
S1 kpqkggws;kpqkggws;\??\c:\windows\system32\drivers\kpqkggws.sys --> c:\windows\system32\drivers\kpqkggws.sys [?]
S1 laswbkfg;laswbkfg;\??\c:\windows\system32\drivers\laswbkfg.sys --> c:\windows\system32\drivers\laswbkfg.sys [?]
S1 ljcdemch;ljcdemch;\??\c:\windows\system32\drivers\ljcdemch.sys --> c:\windows\system32\drivers\ljcdemch.sys [?]
S1 mgqbakra;mgqbakra;\??\c:\windows\system32\drivers\mgqbakra.sys --> c:\windows\system32\drivers\mgqbakra.sys [?]
S1 mhhbymah;mhhbymah;\??\c:\windows\system32\drivers\mhhbymah.sys --> c:\windows\system32\drivers\mhhbymah.sys [?]
S1 mkffxsvf;mkffxsvf;\??\c:\windows\system32\drivers\mkffxsvf.sys --> c:\windows\system32\drivers\mkffxsvf.sys [?]
S1 nhhaihuc;nhhaihuc;\??\c:\windows\system32\drivers\nhhaihuc.sys --> c:\windows\system32\drivers\nhhaihuc.sys [?]
S1 ntatbfaq;ntatbfaq;\??\c:\windows\system32\drivers\ntatbfaq.sys --> c:\windows\system32\drivers\ntatbfaq.sys [?]
S1 ofckhzoe;ofckhzoe;\??\c:\windows\system32\drivers\ofckhzoe.sys --> c:\windows\system32\drivers\ofckhzoe.sys [?]
S1 opuszwri;opuszwri;\??\c:\windows\system32\drivers\opuszwri.sys --> c:\windows\system32\drivers\opuszwri.sys [?]
S1 pajxducg;pajxducg;\??\c:\windows\system32\drivers\pajxducg.sys --> c:\windows\system32\drivers\pajxducg.sys [?]
S1 plbzxfcf;plbzxfcf;\??\c:\windows\system32\drivers\plbzxfcf.sys --> c:\windows\system32\drivers\plbzxfcf.sys [?]
S1 qjrqrybx;qjrqrybx;\??\c:\windows\system32\drivers\qjrqrybx.sys --> c:\windows\system32\drivers\qjrqrybx.sys [?]
S1 qmvhlxph;qmvhlxph;\??\c:\windows\system32\drivers\qmvhlxph.sys --> c:\windows\system32\drivers\qmvhlxph.sys [?]
S1 qvpybsri;qvpybsri;\??\c:\windows\system32\drivers\qvpybsri.sys --> c:\windows\system32\drivers\qvpybsri.sys [?]
S1 rcjgrfnd;rcjgrfnd;\??\c:\windows\system32\drivers\rcjgrfnd.sys --> c:\windows\system32\drivers\rcjgrfnd.sys [?]
S1 rvefqhaz;rvefqhaz;\??\c:\windows\system32\drivers\rvefqhaz.sys --> c:\windows\system32\drivers\rvefqhaz.sys [?]
S1 rvzbsnpv;rvzbsnpv;\??\c:\windows\system32\drivers\rvzbsnpv.sys --> c:\windows\system32\drivers\rvzbsnpv.sys [?]
S1 stwkxwjv;stwkxwjv;\??\c:\windows\system32\drivers\stwkxwjv.sys --> c:\windows\system32\drivers\stwkxwjv.sys [?]
S1 tafckzib;tafckzib;\??\c:\windows\system32\drivers\tafckzib.sys --> c:\windows\system32\drivers\tafckzib.sys [?]
S1 ubuwizvq;ubuwizvq;\??\c:\windows\system32\drivers\ubuwizvq.sys --> c:\windows\system32\drivers\ubuwizvq.sys [?]
S1 ukdkyjez;ukdkyjez;\??\c:\windows\system32\drivers\ukdkyjez.sys --> c:\windows\system32\drivers\ukdkyjez.sys [?]
S1 uokayfdu;uokayfdu;\??\c:\windows\system32\drivers\uokayfdu.sys --> c:\windows\system32\drivers\uokayfdu.sys [?]
S1 uupvefoo;uupvefoo;\??\c:\windows\system32\drivers\uupvefoo.sys --> c:\windows\system32\drivers\uupvefoo.sys [?]
S1 uytwsmjt;uytwsmjt;\??\c:\windows\system32\drivers\uytwsmjt.sys --> c:\windows\system32\drivers\uytwsmjt.sys [?]
S1 vmjhsenf;vmjhsenf;\??\c:\windows\system32\drivers\vmjhsenf.sys --> c:\windows\system32\drivers\vmjhsenf.sys [?]
S1 wtzyacpn;wtzyacpn;\??\c:\windows\system32\drivers\wtzyacpn.sys --> c:\windows\system32\drivers\wtzyacpn.sys [?]
S1 wvddympa;wvddympa;\??\c:\windows\system32\drivers\wvddympa.sys --> c:\windows\system32\drivers\wvddympa.sys [?]
S1 xcsjbsoq;xcsjbsoq;\??\c:\windows\system32\drivers\xcsjbsoq.sys --> c:\windows\system32\drivers\xcsjbsoq.sys [?]
S1 xdzqtkhi;xdzqtkhi;\??\c:\windows\system32\drivers\xdzqtkhi.sys --> c:\windows\system32\drivers\xdzqtkhi.sys [?]
S1 xjollobs;xjollobs;\??\c:\windows\system32\drivers\xjollobs.sys --> c:\windows\system32\drivers\xjollobs.sys [?]
S1 xorddnis;xorddnis;\??\c:\windows\system32\drivers\xorddnis.sys --> c:\windows\system32\drivers\xorddnis.sys [?]
S1 ydfcqujv;ydfcqujv;\??\c:\windows\system32\drivers\ydfcqujv.sys --> c:\windows\system32\drivers\ydfcqujv.sys [?]
S1 yjrqordz;yjrqordz;\??\c:\windows\system32\drivers\yjrqordz.sys --> c:\windows\system32\drivers\yjrqordz.sys [?]
S1 ytotmeei;ytotmeei;\??\c:\windows\system32\drivers\ytotmeei.sys --> c:\windows\system32\drivers\ytotmeei.sys [?]
S1 zsezxgzj;zsezxgzj;\??\c:\windows\system32\drivers\zsezxgzj.sys --> c:\windows\system32\drivers\zsezxgzj.sys [?]
S1 zvncwnvg;zvncwnvg;\??\c:\windows\system32\drivers\zvncwnvg.sys --> c:\windows\system32\drivers\zvncwnvg.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-05 16:22]

2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-05 16:22]

2009-12-01 c:\windows\Tasks\User_Feed_Synchronization-{016563C6-17B5-4326-B4D2-47987513EE8A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Neil\Application Data\Mozilla\Firefox\Profiles\c033dkgm.default\
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\GRADKE~1\DBSIGN~1\lib\npDBsignWeb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Verizon\VSP\nprpspa.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 15:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3330607417-1489096790-3342882160-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:1b,66,ef,35,33,1f,40,04,d5,59,2e,c9,b9,2c,38,91,b2,2d,67,df,20,8b,19,
b8,8e,10,4c,83,b9,2b,41,ec,5a,b0,44,ef,7b,77,42,f7,32,ab,5c,db,1e,6f,0e,93,\
"??"=hex:68,79,cc,6e,24,e0,00,d9,12,cb,6a,5e,7c,e3,5a,1e
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3328)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\rundll32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\windows\eHome\ehmsas.exe
c:\docume~1\Neil\LOCALS~1\Temp\clclean.0001
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-01 15:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-01 20:31
ComboFix2.txt 2009-12-01 17:40

Pre-Run: 25,683,877,888 bytes free
Post-Run: 25,635,037,184 bytes free

- - End Of File - - 1BEC294A53CF17A90C1D66EA6E0759ED

#9 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:33 AM

Posted 01 December 2009 - 03:51 PM

Thanks, hold up and don't run it anymore. Let me work with what you have.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:33 AM

Posted 01 December 2009 - 05:09 PM

Please run GMER again just like you did the last time and post the log.

#11 Neil F.

Neil F.
  • Topic Starter

  • Members
  • 15 posts
  • Local time:10:33 AM

Posted 01 December 2009 - 10:04 PM

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-01 22:02:32
Windows 5.1.2600 Service Pack 3
Running: h4rh3iux.exe; Driver: C:\DOCUME~1\Neil\LOCALS~1\Temp\pxtdypob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF3CD878A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF3CD8821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF3CD8738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF3CD874C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF3CD8835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF3CD8861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF3CD88CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF3CD88B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF3CD87CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF3CD88FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF3CD880D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF3CD8710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF3CD8724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF3CD879E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF3CD8937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF3CD88A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF3CD888D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF3CD884B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF3CD8923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF3CD890F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF3CD8776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF3CD8762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF3CD8877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF3CD87F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF3CD88E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF3CD87E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF3CD87B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B99E9D20
Device \FileSystem\Fastfat \Fat B9A01631

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040311900063D11C8EF10054038389C\Usage@HandWritingFiles 998351081
Reg HKLM\SOFTWARE\Classes\CLSID\{00A2CCDC-4BE0-BECD-A563-A7145AE65077}\InProcServer32@ %SystemRoot%\system32\SHELL32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{00A2CCDC-4BE0-BECD-A563-A7145AE65077}\InProcServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{32C0D695-970E-464D-5B5C-F043F042CA9A}\InprocServer32@ C:\WINDOWS\system32\scrobj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{32C0D695-970E-464D-5B5C-F043F042CA9A}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{32C0D695-970E-464D-5B5C-F043F042CA9A}\ProgID@ script
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\DefaultIcon@ C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\VsaVb7rt.dll,1200
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\InProcServer32@ C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\VsaVb7rt.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\InProcServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\ProgID@ VsaVbRT.7
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\Programmable@
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\TypeLib@ {B87A08A1-143A-40a5-92CA-F0C8C9DC2F30}
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\Version@ 7.0
Reg HKLM\SOFTWARE\Classes\CLSID\{C3D19DF6-688C-2382-D3BC-D0403006E0A3}\VersionIndependentProgID@ VsaVbRT
Reg HKLM\SOFTWARE\Classes\CLSID\{FF1BDCAA-8D1E-D22E-9984-C1036A48C5FE}\InProcServer32@ %SystemRoot%\System32\GPEdit.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{FF1BDCAA-8D1E-D22E-9984-C1036A48C5FE}\InProcServer32@ThreadingModel Apartment

---- EOF - GMER 1.0.15 ----

#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:33 AM

Posted 01 December 2009 - 11:38 PM

When you have completed the following, along with posting the log it produces, let me know if you are still getting redirects.



Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\abcfyync.sys
c:\windows\system32\drivers\ahcbvfhh.sys
c:\windows\system32\drivers\amdntzfj.sys
c:\windows\system32\drivers\aqqemusx.sys
c:\windows\system32\drivers\beqfflxn.sys
c:\windows\system32\drivers\bfnhivvb.sys
c:\windows\system32\drivers\bvfwkozr.sys
c:\windows\system32\drivers\cdkqytmg.sys
c:\windows\system32\drivers\cetgyrju.sys
c:\windows\system32\drivers\chsfmuqb.sys
c:\windows\system32\drivers\dkduysfb.sys
c:\windows\system32\drivers\drcoqflm.sys
c:\windows\system32\drivers\drvuqirn.sys
c:\windows\system32\drivers\ewkvlarj.sys
c:\windows\system32\drivers\exdblohv.sys
c:\windows\system32\drivers\eynecijc.sys
c:\windows\system32\drivers\eztvroro.sys
c:\windows\system32\drivers\fbeebtln.sys
c:\windows\system32\drivers\fbohxcrf.sys
c:\windows\system32\drivers\fgowqlzq.sys
c:\windows\system32\drivers\fjezadka.sys
c:\windows\system32\drivers\fnfydesp.sys
c:\windows\system32\drivers\fryfmxlq.sys
c:\windows\system32\drivers\gdgnzfqz.sys
c:\windows\system32\drivers\ghzrptkn.sys
c:\windows\system32\drivers\glotwjcr.sys
c:\windows\system32\drivers\gsltkuvc.sys
c:\windows\system32\drivers\gssqtoot.sys
c:\windows\system32\drivers\haffsaka.sys
c:\windows\system32\drivers\hececfby.sys
c:\windows\system32\drivers\hgtnrdev.sys
c:\windows\system32\drivers\hlpwkmwx.sys
c:\windows\system32\drivers\hpdaxvdw.sys
c:\windows\system32\drivers\hqolxvrh.sys
c:\windows\system32\drivers\hwglewyj.sys
c:\windows\system32\drivers\hzgcjwek.sys
c:\windows\system32\drivers\hzrdpcue.sys
c:\windows\system32\drivers\ihqlezvh.sys
c:\windows\system32\drivers\imvbrpnd.sys
c:\windows\system32\drivers\iwoavltw.sys
c:\windows\system32\drivers\kayyvnft.sys
c:\windows\system32\drivers\kpqkggws.sys
c:\windows\system32\drivers\laswbkfg.sys
c:\windows\system32\drivers\ljcdemch.sys
c:\windows\system32\drivers\mgqbakra.sys
c:\windows\system32\drivers\mhhbymah.sys
c:\windows\system32\drivers\mkffxsvf.sys
c:\windows\system32\drivers\nhhaihuc.sys
c:\windows\system32\drivers\ntatbfaq.sys
c:\windows\system32\drivers\ofckhzoe.sys
c:\windows\system32\drivers\opuszwri.sys
c:\windows\system32\drivers\pajxducg.sys
c:\windows\system32\drivers\plbzxfcf.sys
c:\windows\system32\drivers\qjrqrybx.sys
c:\windows\system32\drivers\qmvhlxph.sys
c:\windows\system32\drivers\qvpybsri.sys
c:\windows\system32\drivers\rcjgrfnd.sys
c:\windows\system32\drivers\rvefqhaz.sys
c:\windows\system32\drivers\rvzbsnpv.sys
c:\windows\system32\drivers\stwkxwjv.sys
c:\windows\system32\drivers\tafckzib.sys
c:\windows\system32\drivers\ubuwizvq.sys
c:\windows\system32\drivers\ukdkyjez.sys
c:\windows\system32\drivers\uokayfdu.sys
c:\windows\system32\drivers\uupvefoo.sys
c:\windows\system32\drivers\uytwsmjt.sys
c:\windows\system32\drivers\vmjhsenf.sys
c:\windows\system32\drivers\wtzyacpn.sys
c:\windows\system32\drivers\wvddympa.sys
c:\windows\system32\drivers\xcsjbsoq.sys
c:\windows\system32\drivers\xdzqtkhi.sys
c:\windows\system32\drivers\xjollobs.sys
c:\windows\system32\drivers\xorddnis.sys
c:\windows\system32\drivers\ydfcqujv.sys
c:\windows\system32\drivers\yjrqordz.sys
c:\windows\system32\drivers\ytotmeei.sys
c:\windows\system32\drivers\zsezxgzj.sys
c:\windows\system32\drivers\zvncwnvg.sys

Driver::
abcfyync
ahcbvfhh
amdntzfj
aqqemusx
beqfflxn
bfnhivvb
bvfwkoz
cdkqytmg
cetgyrju
chsfmuqb
dkduysfb
drcoqflm
drvuqirn
ewkvlarj
exdblohv
eynecijc
eztvroro
fbeebtln
fbohxcrf
fdhxtbap
fgowqlzq
fjezadka
fnfydesp
fryfmxlq
gdgnzfqz
ghzrptkn
glotwjcr
gsltkuvc
gssqtoot
haffsaka
hececfby
hgtnrdev
hlpwkmwx
hpdaxvdw
hqolxvrh
hwglewyj
hzgcjwek
hzrdpcue
ihqlezvh
imvbrpnd
iwoavltw
kayyvnft
kpqkggws
laswbkfg
ljcdemch
mgqbakra
mhhbymah
mkffxsvf
nhhaihuc
ntatbfaq
ofckhzoe
opuszwri
pajxducg
plbzxfcf
qjrqrybx
qmvhlxph
qvpybsri
rcjgrfnd
rvefqhaz
rvzbsnpv
stwkxwjv
tafckzib
ubuwizvq
ukdkyjez
uokayfdu
uupvefoo
uytwsmjt
vmjhsenf
wtzyacpn
wvddympa
xcsjbsoq
xdzqtkhi
xjollobs
xorddnis
ydfcqujv
yjrqordz
ytotmeei
zsezxgzj
zvncwnvg


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
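The CFScript above was assembled by hand from the "S1 name;name;\??\c:\windows\system32\drivers\name.sys --> ... [?]" lines in the earlier ComboFix log: every boot-start driver with an eight-letter random name whose file ComboFix could not find went into File:: (the path) and Driver:: (the service name). The following is an added example, written for this page and not part of the thread or of ComboFix, that does the same selection from constructed log lines in that format and then cross-checks the two sections of a script against each other. The cross-check matters because the two lists have to agree letter for letter: in the script above one Driver:: entry is truncated to seven letters (bvfwkoz, while the file line reads bvfwkozr.sys) and one name (fdhxtbap) has no File:: line, and the follow-up log later in the thread still lists bvfwkozr as an S1 service. The selection heuristic (S1, "[?]", service name equal to display name, eight lowercase letters, under system32\drivers) is an assumption fitted to this thread's entries, not a general ComboFix rule, and the sample log and the deliberately flawed script are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the line format ComboFix uses for its service list
# (not the thread's own log):
#   <start> <service name>;<display name>;<image path> --> <resolved path> [<file info>]
# "S1" is a boot-time (system start) driver and "[?]" means ComboFix could not
# find the file on disk.
SAMPLE_LOG = r"""
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/4/2009 7:50 PM 93320]
S1 abcfyync;abcfyync;\??\c:\windows\system32\drivers\abcfyync.sys --> c:\windows\system32\drivers\abcfyync.sys [?]
S1 bvfwkozr;bvfwkozr;\??\c:\windows\system32\drivers\bvfwkozr.sys --> c:\windows\system32\drivers\bvfwkozr.sys [?]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-4 79816]
S1 zvncwnvg;zvncwnvg;\??\c:\windows\system32\drivers\zvncwnvg.sys --> c:\windows\system32\drivers\zvncwnvg.sys [?]
"""

SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)
# Assumed heuristic, fitted to the entries in this thread: eight random lowercase
# letters used for both service and display name, boot-start, file missing.
RANDOM_NAME = re.compile(r"^[a-z]{8}$")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def parse_services(log: str) -> List[Dict[str, str]]:
    """Return one dict per service/driver line; lines in any other format are ignored."""
    entries = []
    for line in log.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        # ComboFix prints "<registry image path> --> <resolved path>"; keep the resolved one.
        d["path"] = d["image"].split(" --> ")[-1].strip()
        entries.append(d)
    return entries


def suspicious_drivers(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(service name, file path) for every entry matching the random-driver heuristic."""
    hits = []
    for e in entries:
        path = e["path"].lower()
        if (e["start"] == "S1" and e["info"] == "?"
                and e["name"] == e["display"] and RANDOM_NAME.match(e["name"])
                and path.startswith(DRIVER_DIR) and path.endswith(".sys")):
            hits.append((e["name"], e["path"]))
    return hits


def build_cfscript(hits: List[Tuple[str, str]]) -> str:
    """Emit File:: and Driver:: sections in the layout used in the post above."""
    paths = sorted(p for _, p in hits)
    names = sorted(n for n, _ in hits)
    return "File::\n" + "\n".join(paths) + "\n\nDriver::\n" + "\n".join(names) + "\n"


def cfscript_sections(script: str) -> Dict[str, List[str]]:
    """Split a CFScript into its sections; a directive is a line ending in '::'."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in script.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def check_consistency(script: str) -> Dict[str, List[str]]:
    """Cross-check File:: against Driver::.

    Each Driver:: name should own a File:: line named <name>.sys and vice versa;
    a typo on either side leaves half the remediation undone, so the service key
    or the file survives the run.
    """
    s = cfscript_sections(script)
    stems = {p.rsplit("\\", 1)[-1].lower() for p in s.get("File", [])}
    stems = {f[:-4] for f in stems if f.endswith(".sys")}
    drivers = {d.lower() for d in s.get("Driver", [])}
    return {"driver_without_file": sorted(drivers - stems),
            "file_without_driver": sorted(stems - drivers)}


# Constructed script with the kind of slip the check is meant to catch: one
# Driver:: name has lost its last letter and one has no File:: counterpart.
BAD_SCRIPT = """\
File::
c:\\windows\\system32\\drivers\\abcfyync.sys
c:\\windows\\system32\\drivers\\bvfwkozr.sys

Driver::
abcfyync
bvfwkoz
fdhxtbap
"""

if __name__ == "__main__":
    hits = suspicious_drivers(parse_services(SAMPLE_LOG))
    print(build_cfscript(hits))
    print(check_consistency(BAD_SCRIPT))
```

Run it against a real log by reading the file into `parse_services` instead of `SAMPLE_LOG`; anything the heuristic selects still needs a human look before it goes into a script, since the check only proves the two lists agree with each other, not that every name on them is malicious.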

#13 Neil F.

Neil F.
  • Topic Starter

  • Members
  • 15 posts
  • Local time:10:33 AM

Posted 02 December 2009 - 08:49 PM

:( :( :) :) It appears fixed. You guys are great. I wish that I could be of assistance to you. (By any chance if you own a durango or dakota, I am a big helper on several of those forums or if you have car problems in general I still may be able to help. Let me know.)

OK, could you determine what was the particular Trojan I had and what is the best protection to use? As far as I could tell McAfee did not pick it up. I had McAfee and Windows Defender on the machine and Defender first picked it up. Then I tried Avira and a couple others which hit on other items. What is the best combination currently?



ComboFix 09-11-30.02 - Neil 12/02/2009 17:37.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.388 [GMT -5:00]
Running from: c:\documents and settings\Neil\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Neil\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\drivers\abcfyync.sys"
"c:\windows\system32\drivers\ahcbvfhh.sys"
"c:\windows\system32\drivers\amdntzfj.sys"
"c:\windows\system32\drivers\aqqemusx.sys"
"c:\windows\system32\drivers\beqfflxn.sys"
"c:\windows\system32\drivers\bfnhivvb.sys"
"c:\windows\system32\drivers\bvfwkozr.sys"
"c:\windows\system32\drivers\cdkqytmg.sys"
"c:\windows\system32\drivers\cetgyrju.sys"
"c:\windows\system32\drivers\chsfmuqb.sys"
"c:\windows\system32\drivers\dkduysfb.sys"
"c:\windows\system32\drivers\drcoqflm.sys"
"c:\windows\system32\drivers\drvuqirn.sys"
"c:\windows\system32\drivers\ewkvlarj.sys"
"c:\windows\system32\drivers\exdblohv.sys"
"c:\windows\system32\drivers\eynecijc.sys"
"c:\windows\system32\drivers\eztvroro.sys"
"c:\windows\system32\drivers\fbeebtln.sys"
"c:\windows\system32\drivers\fbohxcrf.sys"
"c:\windows\system32\drivers\fgowqlzq.sys"
"c:\windows\system32\drivers\fjezadka.sys"
"c:\windows\system32\drivers\fnfydesp.sys"
"c:\windows\system32\drivers\fryfmxlq.sys"
"c:\windows\system32\drivers\gdgnzfqz.sys"
"c:\windows\system32\drivers\ghzrptkn.sys"
"c:\windows\system32\drivers\glotwjcr.sys"
"c:\windows\system32\drivers\gsltkuvc.sys"
"c:\windows\system32\drivers\gssqtoot.sys"
"c:\windows\system32\drivers\haffsaka.sys"
"c:\windows\system32\drivers\hececfby.sys"
"c:\windows\system32\drivers\hgtnrdev.sys"
"c:\windows\system32\drivers\hlpwkmwx.sys"
"c:\windows\system32\drivers\hpdaxvdw.sys"
"c:\windows\system32\drivers\hqolxvrh.sys"
"c:\windows\system32\drivers\hwglewyj.sys"
"c:\windows\system32\drivers\hzgcjwek.sys"
"c:\windows\system32\drivers\hzrdpcue.sys"
"c:\windows\system32\drivers\ihqlezvh.sys"
"c:\windows\system32\drivers\imvbrpnd.sys"
"c:\windows\system32\drivers\iwoavltw.sys"
"c:\windows\system32\drivers\kayyvnft.sys"
"c:\windows\system32\drivers\kpqkggws.sys"
"c:\windows\system32\drivers\laswbkfg.sys"
"c:\windows\system32\drivers\ljcdemch.sys"
"c:\windows\system32\drivers\mgqbakra.sys"
"c:\windows\system32\drivers\mhhbymah.sys"
"c:\windows\system32\drivers\mkffxsvf.sys"
"c:\windows\system32\drivers\nhhaihuc.sys"
"c:\windows\system32\drivers\ntatbfaq.sys"
"c:\windows\system32\drivers\ofckhzoe.sys"
"c:\windows\system32\drivers\opuszwri.sys"
"c:\windows\system32\drivers\pajxducg.sys"
"c:\windows\system32\drivers\plbzxfcf.sys"
"c:\windows\system32\drivers\qjrqrybx.sys"
"c:\windows\system32\drivers\qmvhlxph.sys"
"c:\windows\system32\drivers\qvpybsri.sys"
"c:\windows\system32\drivers\rcjgrfnd.sys"
"c:\windows\system32\drivers\rvefqhaz.sys"
"c:\windows\system32\drivers\rvzbsnpv.sys"
"c:\windows\system32\drivers\stwkxwjv.sys"
"c:\windows\system32\drivers\tafckzib.sys"
"c:\windows\system32\drivers\ubuwizvq.sys"
"c:\windows\system32\drivers\ukdkyjez.sys"
"c:\windows\system32\drivers\uokayfdu.sys"
"c:\windows\system32\drivers\uupvefoo.sys"
"c:\windows\system32\drivers\uytwsmjt.sys"
"c:\windows\system32\drivers\vmjhsenf.sys"
"c:\windows\system32\drivers\wtzyacpn.sys"
"c:\windows\system32\drivers\wvddympa.sys"
"c:\windows\system32\drivers\xcsjbsoq.sys"
"c:\windows\system32\drivers\xdzqtkhi.sys"
"c:\windows\system32\drivers\xjollobs.sys"
"c:\windows\system32\drivers\xorddnis.sys"
"c:\windows\system32\drivers\ydfcqujv.sys"
"c:\windows\system32\drivers\yjrqordz.sys"
"c:\windows\system32\drivers\ytotmeei.sys"
"c:\windows\system32\drivers\zsezxgzj.sys"
"c:\windows\system32\drivers\zvncwnvg.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Neil\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Neil\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_abcfyync
-------\Service_ahcbvfhh
-------\Service_amdntzfj
-------\Service_aqqemusx
-------\Service_beqfflxn
-------\Service_bfnhivvb
-------\Service_cdkqytmg
-------\Service_cetgyrju
-------\Service_chsfmuqb
-------\Service_dkduysfb
-------\Service_drcoqflm
-------\Service_drvuqirn
-------\Service_ewkvlarj
-------\Service_exdblohv
-------\Service_eynecijc
-------\Service_eztvroro
-------\Service_fbeebtln
-------\Service_fbohxcrf
-------\Service_fdhxtbap
-------\Service_fgowqlzq
-------\Service_fjezadka
-------\Service_fnfydesp
-------\Service_fryfmxlq
-------\Service_gdgnzfqz
-------\Service_ghzrptkn
-------\Service_glotwjcr
-------\Service_gsltkuvc
-------\Service_gssqtoot
-------\Service_haffsaka
-------\Service_hececfby
-------\Service_hgtnrdev
-------\Service_hlpwkmwx
-------\Service_hpdaxvdw
-------\Service_hqolxvrh
-------\Service_hwglewyj
-------\Service_hzgcjwek
-------\Service_hzrdpcue
-------\Service_ihqlezvh
-------\Service_imvbrpnd
-------\Service_iwoavltw
-------\Service_kayyvnft
-------\Service_kpqkggws
-------\Service_laswbkfg
-------\Service_ljcdemch
-------\Service_mgqbakra
-------\Service_mhhbymah
-------\Service_mkffxsvf
-------\Service_nhhaihuc
-------\Service_ntatbfaq
-------\Service_ofckhzoe
-------\Service_opuszwri
-------\Service_pajxducg
-------\Service_plbzxfcf
-------\Service_qjrqrybx
-------\Service_qmvhlxph
-------\Service_qvpybsri
-------\Service_rcjgrfnd
-------\Service_rvefqhaz
-------\Service_rvzbsnpv
-------\Service_stwkxwjv
-------\Service_tafckzib
-------\Service_ubuwizvq
-------\Service_ukdkyjez
-------\Service_uokayfdu
-------\Service_uupvefoo
-------\Service_uytwsmjt
-------\Service_vmjhsenf
-------\Service_wtzyacpn
-------\Service_wvddympa
-------\Service_xcsjbsoq
-------\Service_xdzqtkhi
-------\Service_xjollobs
-------\Service_xorddnis
-------\Service_ydfcqujv
-------\Service_yjrqordz
-------\Service_ytotmeei
-------\Service_zsezxgzj
-------\Service_zvncwnvg


((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.

2009-12-01 06:18 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-19 11:40 . 2009-11-19 11:40 -------- d-----w- c:\documents and settings\Angela\Application Data\Malwarebytes
2009-11-14 03:21 . 2009-11-14 03:21 -------- d-----w- c:\documents and settings\Neil\Local Settings\Application Data\Threat Expert
2009-11-14 03:06 . 2009-11-14 03:06 -------- d-----w- c:\program files\Trend Micro
2009-11-10 02:21 . 2009-11-10 02:21 -------- d-----w- c:\documents and settings\Neil Jr\Application Data\Malwarebytes
2009-11-09 01:17 . 2009-11-09 01:17 -------- d-----w- c:\documents and settings\Neil\Application Data\Malwarebytes
2009-11-09 01:16 . 2009-11-09 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-09 01:16 . 2009-11-25 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 00:15 . 2009-11-08 00:39 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-05 01:26 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 06:25 . 2009-06-05 00:45 -------- d-----w- c:\program files\McAfee
2009-11-25 18:38 . 2009-02-11 21:54 -------- d-----w- c:\program files\eGames
2009-11-25 03:14 . 2007-01-20 19:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 03:14 . 2007-01-20 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-25 03:10 . 2006-05-20 21:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-15 00:47 . 2008-05-09 04:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-14 00:14 . 2009-06-09 21:40 -------- d-----w- c:\program files\Coupons
2009-11-06 05:42 . 2006-06-28 22:33 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-06 04:56 . 2006-06-28 22:33 88 --sh--r- c:\windows\system32\240C7418F5.sys
2009-11-03 01:42 . 2009-10-03 03:39 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-03 00:57 . 2008-11-14 05:25 -------- d-----w- c:\documents and settings\Angela\Application Data\AdobeUM
2009-11-01 05:37 . 2006-06-24 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon
2009-11-01 05:37 . 2006-06-24 18:32 -------- d-----w- c:\program files\Verizon
2009-11-01 05:36 . 2009-11-01 05:36 1511184 ----a-w- c:\documents and settings\Neil\Application Data\Verizon\VSP\downloads\Verizon_Servicepoint_Setup_SA.18467.exe.dir\Verizon_Servicepoint_Setup_SA.exe
2009-11-01 05:36 . 2009-11-01 05:36 -------- d-----w- c:\program files\Radialpoint
2009-11-01 05:36 . 2009-11-01 05:36 2345400 ----a-w- c:\documents and settings\Neil\Application Data\Verizon\VSP\downloads\sa.41.exe.dir\sa.exe
2009-10-17 23:41 . 2009-10-17 23:41 48 ----a-w- c:\documents and settings\Neil\768.tmp
2009-10-14 23:38 . 2009-02-15 23:57 664 ----a-w- c:\documents and settings\Neil Jr\Local Settings\Application Data\d3d9caps.tmp
2009-10-04 03:53 . 2006-06-24 23:21 -------- d-----w- c:\program files\Common Files\PestPatrol
2009-10-04 03:45 . 2009-05-16 00:37 -------- d-----w- c:\program files\SSI
2009-10-04 03:43 . 2007-03-23 02:00 -------- d-----w- c:\program files\Yahoo!
2009-09-16 14:22 . 2009-06-05 00:46 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-06-05 00:46 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-06-05 00:46 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-03-25 15:06 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-06-05 00:41 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2008-08-31 00:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2005-08-16 08:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2008-05-09 04:35 . 2008-05-09 04:35 0 -c--a-w- c:\program files\temp01
.

((((((((((((((((((((((((((((( SnapShot@2009-12-01_17.30.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-05-26 01:10 . 2009-12-02 21:55 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-26 01:10 . 2009-12-01 17:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-29 23:46 . 2009-12-01 17:27 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-06-29 23:46 . 2009-12-02 21:55 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-12-01 22:34 . 2009-12-02 21:55 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-05-26 01:10 . 2009-12-01 17:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\pmremind.exe [2007-6-12 331776]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/4/2009 7:50 PM 93320]
S1 bvfwkozr;bvfwkozr;\??\c:\windows\system32\drivers\bvfwkozr.sys --> c:\windows\system32\drivers\bvfwkozr.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-05 16:22]

2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-05 16:22]

2009-12-02 c:\windows\Tasks\User_Feed_Synchronization-{016563C6-17B5-4326-B4D2-47987513EE8A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Neil\Application Data\Mozilla\Firefox\Profiles\c033dkgm.default\
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\GRADKE~1\DBSIGN~1\lib\npDBsignWeb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Verizon\VSP\nprpspa.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 17:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3330607417-1489096790-3342882160-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:1b,66,ef,35,33,1f,40,04,d5,59,2e,c9,b9,2c,38,91,b2,2d,67,df,20,8b,19,
b8,8e,10,4c,83,b9,2b,41,ec,5a,b0,44,ef,7b,77,42,f7,32,ab,5c,db,1e,6f,0e,93,\
"??"=hex:68,79,cc,6e,24,e0,00,d9,12,cb,6a,5e,7c,e3,5a,1e
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2892)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\rundll32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\windows\eHome\ehmsas.exe
c:\docume~1\Neil\LOCALS~1\Temp\clclean.0001
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\McAfee\MPF\MPFSrv.exe
.
**************************************************************************
.
Completion time: 2009-12-02 18:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-02 23:01
ComboFix2.txt 2009-12-01 20:31
ComboFix3.txt 2009-12-01 17:40

Pre-Run: 25,718,517,760 bytes free
Post-Run: 25,666,822,144 bytes free

- - End Of File - - 69B47FEE06E013A30544D262619E509C

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:11:33 AM

Posted 02 December 2009 - 09:30 PM

Good deal!! :(

I don't have any of the vehicles you mentioned but I appreciate the offer and will keep it in mind for the future



What you had was the New TDSS rootkit variant called TDL3. It can help hide a bunch of other nasties and is a really bad infection itself. They are changing it up on us continuously. As to how you got it I am not sure. I know some of your programs are out of date and that presents a vulnerability which I will address right below the ComboFix script. I'll address security a little more when we start to finish up.

.

Unluckily with all that scripting I did I missed one driver and so we'll have to run CF one more time.


Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\bvfwkozr.sys
Driver::
bvfwkozr


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.








Please uninstall the older version of Adobe Reader before installing the latest version

* Click Start
* Control Panel
* Double-click on Add/Remove Programs
* Locate older version of Adobe Reader and click on Change/Remove to uninstall it
* Click HERE to download the latest version of Adobe Acrobat Reader.
* Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
* Close your Internet browser and open it again.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
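The driver thewall's script removes showed up in the earlier log as an `S1` service whose image file ComboFix could not read (the `[?]` marker on `bvfwkozr.sys`), which is the typical footprint of a TDL3-style hidden driver. As an added example, not code from this thread, from ComboFix or from the helper, here is a small Python triage helper that parses service/driver lines in the format ComboFix prints and flags entries with an unreadable image file or a random-looking name. The regular expression is derived from the two service lines visible in the log above; the "random-looking name" heuristic and the `S3 mferkdk` sample line are my own assumptions, constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Service/driver lines in the format ComboFix uses in its logs, e.g.
#   R2 Name;Display Name;c:\path\file.exe [date time size]
#   S1 name;name;\??\c:\path\file.sys --> c:\path\file.sys [?]
# "[?]" means ComboFix could not read the image file (missing or hidden).
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+"          # run state / start type, e.g. R2, S1
    r"(?P<name>[^;]+);"               # service key name
    r"(?P<display>[^;]*);"            # display name (may equal the key name)
    r"(?P<path>.+?)\s+"               # image path, possibly "\??\x --> x"
    r"\[(?P<info>[^\]]*)\]\s*$"       # file date/size, or "?" if unreadable
)

VOWELS = set("aeiouy")


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    path: str
    info: str

    @property
    def file_unreadable(self) -> bool:
        """ComboFix prints [?] when it cannot stat the image file."""
        return self.info.strip() == "?"

    @property
    def name_looks_random(self) -> bool:
        """Heuristic (my assumption, not a ComboFix rule): an all-lowercase
        6-12 letter name with few vowels and no separate display name."""
        if not re.fullmatch(r"[a-z]{6,12}", self.name):
            return False
        vowel_ratio = sum(c in VOWELS for c in self.name) / len(self.name)
        return vowel_ratio < 0.25 and self.display == self.name


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Extract service/driver lines from a ComboFix log; other lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        # Normalise the "\??\x --> x" form to the resolved Win32 path.
        if "-->" in path:
            path = path.split("-->", 1)[1].strip()
        entries.append(ServiceEntry(m.group("start"), m.group("name").strip(),
                                    m.group("display").strip(), path,
                                    m.group("info")))
    return entries


def flag_suspicious(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Return driver/service entries worth a second look."""
    return [e for e in entries if e.file_unreadable or e.name_looks_random]


# Constructed sample: two lines copied from the log above plus one made-up
# benign driver line (S3 mferkdk) written in the same format.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/4/2009 7:50 PM 93320]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [6/4/2009 7:41 PM 34248]
S1 bvfwkozr;bvfwkozr;\??\c:\windows\system32\drivers\bvfwkozr.sys --> c:\windows\system32\drivers\bvfwkozr.sys [?]
.
Contents of the 'Scheduled Tasks' folder
"""


if __name__ == "__main__":
    for entry in flag_suspicious(parse_services(SAMPLE_LOG)):
        reasons = []
        if entry.file_unreadable:
            reasons.append("image file unreadable ([?])")
        if entry.name_looks_random:
            reasons.append("random-looking name")
        print(f"{entry.start} {entry.name}: {entry.path} -- {', '.join(reasons)}")
```

Run against the sample, only the `bvfwkozr` driver is reported, for both reasons; the McAfee service and the constructed `mferkdk` line pass. A hit from this helper is a prompt to look closer (signature, on-disk presence from a clean boot environment), not proof of infection on its own, since a legitimate driver can also be temporarily unreadable.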

#15 Neil F.

Neil F.
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:33 AM

Posted 03 December 2009 - 08:21 PM

ComboFix 09-11-30.02 - Neil 12/03/2009 19:42.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.432 [GMT -5:00]
Running from: c:\documents and settings\Neil\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Neil\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\drivers\bvfwkozr.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Neil\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Neil\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_bvfwkozr


((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
.

2009-12-01 06:18 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-19 11:40 . 2009-11-19 11:40 -------- d-----w- c:\documents and settings\Angela\Application Data\Malwarebytes
2009-11-14 03:21 . 2009-11-14 03:21 -------- d-----w- c:\documents and settings\Neil\Local Settings\Application Data\Threat Expert
2009-11-14 03:06 . 2009-11-14 03:06 -------- d-----w- c:\program files\Trend Micro
2009-11-10 02:21 . 2009-11-10 02:21 -------- d-----w- c:\documents and settings\Neil Jr\Application Data\Malwarebytes
2009-11-09 01:17 . 2009-11-09 01:17 -------- d-----w- c:\documents and settings\Neil\Application Data\Malwarebytes
2009-11-09 01:16 . 2009-11-09 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-09 01:16 . 2009-11-25 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 00:15 . 2009-11-08 00:39 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-05 01:26 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 06:25 . 2009-06-05 00:45 -------- d-----w- c:\program files\McAfee
2009-11-25 18:38 . 2009-02-11 21:54 -------- d-----w- c:\program files\eGames
2009-11-25 03:14 . 2007-01-20 19:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 03:14 . 2007-01-20 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-25 03:10 . 2006-05-20 21:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-15 00:47 . 2008-05-09 04:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-14 00:14 . 2009-06-09 21:40 -------- d-----w- c:\program files\Coupons
2009-11-06 05:42 . 2006-06-28 22:33 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-06 04:56 . 2006-06-28 22:33 88 --sh--r- c:\windows\system32\240C7418F5.sys
2009-11-03 01:42 . 2009-10-03 03:39 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-03 00:57 . 2008-11-14 05:25 -------- d-----w- c:\documents and settings\Angela\Application Data\AdobeUM
2009-11-01 05:37 . 2006-06-24 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon
2009-11-01 05:37 . 2006-06-24 18:32 -------- d-----w- c:\program files\Verizon
2009-11-01 05:36 . 2009-11-01 05:36 1511184 ----a-w- c:\documents and settings\Neil\Application Data\Verizon\VSP\downloads\Verizon_Servicepoint_Setup_SA.18467.exe.dir\Verizon_Servicepoint_Setup_SA.exe
2009-11-01 05:36 . 2009-11-01 05:36 -------- d-----w- c:\program files\Radialpoint
2009-11-01 05:36 . 2009-11-01 05:36 2345400 ----a-w- c:\documents and settings\Neil\Application Data\Verizon\VSP\downloads\sa.41.exe.dir\sa.exe
2009-10-17 23:41 . 2009-10-17 23:41 48 ----a-w- c:\documents and settings\Neil\768.tmp
2009-10-14 23:38 . 2009-02-15 23:57 664 ----a-w- c:\documents and settings\Neil Jr\Local Settings\Application Data\d3d9caps.tmp
2009-09-16 14:22 . 2009-06-05 00:46 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-06-05 00:46 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-06-05 00:46 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-03-25 15:06 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-06-05 00:41 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2008-08-31 00:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2008-05-09 04:35 . 2008-05-09 04:35 0 -c--a-w- c:\program files\temp01
.

((((((((((((((((((((((((((((( SnapShot@2009-12-01_17.30.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-05-26 01:10 . 2009-12-04 00:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-26 01:10 . 2009-12-01 17:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-29 23:46 . 2009-12-01 17:27 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-06-29 23:46 . 2009-12-04 00:19 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-12-03 01:55 . 2009-12-04 00:19 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-05-26 01:10 . 2009-12-01 17:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\pmremind.exe [2007-6-12 331776]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/4/2009 7:50 PM 93320]
.
Contents of the 'Scheduled Tasks' folder

2009-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-05 16:22]

2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-05 16:22]

2009-12-04 c:\windows\Tasks\User_Feed_Synchronization-{016563C6-17B5-4326-B4D2-47987513EE8A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Neil\Application Data\Mozilla\Firefox\Profiles\c033dkgm.default\
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\GRADKE~1\DBSIGN~1\lib\npDBsignWeb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Verizon\VSP\nprpspa.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 20:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3330607417-1489096790-3342882160-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:1b,66,ef,35,33,1f,40,04,d5,59,2e,c9,b9,2c,38,91,b2,2d,67,df,20,8b,19,
b8,8e,10,4c,83,b9,2b,41,ec,5a,b0,44,ef,7b,77,42,f7,32,ab,5c,db,1e,6f,0e,93,\
"??"=hex:68,79,cc,6e,24,e0,00,d9,12,cb,6a,5e,7c,e3,5a,1e
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\rundll32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\windows\eHome\ehmsas.exe
c:\docume~1\Neil\LOCALS~1\Temp\clclean.0001
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-03 20:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-04 01:12
ComboFix2.txt 2009-12-02 23:01
ComboFix3.txt 2009-12-01 20:31
ComboFix4.txt 2009-12-01 17:40

Pre-Run: 25,615,716,352 bytes free
Post-Run: 25,585,025,024 bytes free

- - End Of File - - 00B526BF7F3E573996B0F65CE5AF52D7



