
Something is wrong.....


  • This topic is locked
18 replies to this topic

#1 jakedogg

jakedogg

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:50 AM

Posted 24 November 2009 - 07:55 PM

I've been trying to correct this problem and can't seem to get it worked out. Every time I run MBAM I keep getting "malware trace" C:\WINDOWS\GnuHashes.ini ....I don't know if this is the source of my problem, but would very much appreciate any help....Here is my HJT log....





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:10 PM, on 11/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Jacob\Desktop\Computer Tools\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
user_pref("dom.disable_open_during_load", true);
user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-1");
user_pref("network.cookie.prefsMigrated", true);
user_pref("prefs.converted-to-utf8", true);
user_pref("privacy.popups.first_popup", false);
user_pref("security.warn_submit_insecure", false);
us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL
O2 - BHO: Download Manager Browser Helper Object - {19C8E43B-07B3-49CB-BFFC-6777B593E6F8} - C:\PROGRA~1\COMMON~1\fluxDVD\DOWNLO~1\XEBDLH~1.DLL
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.cengage.com
O15 - Trusted Zone: *.course.com
O15 - Trusted Zone: *.skillcheck.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161205003765
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:PROGRA~1mcafeeSITEAD~1mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:PROGRA~1mcafeeSITEAD~1mcieplg.dll
O20 - Winlogon Notify: 54b32831691 - C:\WINDOWS\System32\igmpagnt32.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe (file missing)
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 9274 bytes

DDS


DDS (Ver_09-11-24.02) - NTFSx86
Run by Jacob at 20:00:51.98 on Tue 11/24/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.447 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Jacob\Desktop\Computer Tools\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com/
mStart Page = hxxp://www.dell.com
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\mediac~1\intern~1\ARCURL~1.DLL
BHO: Download Manager Browser Helper Object: {19c8e43b-07b3-49cb-bffc-6777b593e6f8} - c:\progra~1\common~1\fluxdvd\downlo~1\XEBDLH~1.DLL
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\ATIPTAXX.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: cengage.com
Trusted Zone: course.com
Trusted Zone: skillcheck.com
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161205003765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: 54b32831691 - c:\windows\system32\igmpagnt32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jacob\applic~1\mozilla\firefox\profiles\dowk45fq.default
FF - prefs.js: browser.search.selectedEngine - Ask.com (Virtus Designs)
FF - prefs.js: browser.startup.homepage - www.ask.com
FF - component: c:\program files\arcsoft\media converter for philips\internet video downloader\plugin_firefox\components\nsURLRecordEx.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\common files\mpdrm\NPMPDRM.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-25 93320]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys --> c:\windows\system32\drivers\motport.sys [?]
S3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\protowall.sys --> c:\windows\system32\drivers\ProtoWall.sys [?]

=============== Created Last 30 ================

2009-11-25 00:30:56 203776 --sh--w- c:\windows\system32\unrar.exe
2009-11-25 00:15:20 77312 ----a-w- c:\windows\MBR.exe
2009-11-21 17:35:22 738816 --sha-w- c:\windows\system32\352.tmp
2009-11-19 05:05:00 1355 --sha-w- c:\windows\system32\82016353
2009-11-19 05:04:59 817 ----a-w- c:\windows\system32\1421027377
2009-11-19 05:04:47 0 d-sh--w- c:\windows\system32\SysWoW32
2009-11-19 05:03:21 0 d-----w- c:\windows\system32\1719750486
2009-11-14 01:57:49 3247 ----a-w- c:\windows\system32\wbem\Outlook_01ca64cdde5c7a1a.mof
2009-11-08 23:05:28 54156 ---ha-w- c:\windows\QTFont.qfn
2009-11-08 23:05:28 1409 ----a-w- c:\windows\QTFont.for
2009-11-08 23:02:45 0 d-----w- c:\program files\Rhapsody
2009-11-08 22:57:54 0 d-----w- c:\docume~1\alluse~1\applic~1\ArcSoft
2009-11-08 22:56:20 0 d-----w- c:\program files\Philips
2009-10-31 11:44:57 0 ----a-w- c:\windows\system32\QuickTime.qtp

==================== Find3M ====================

2009-11-14 06:47:57 260608 ----a-w- c:\windows\PEV.exe
2009-10-24 11:01:05 268288 ----a-w- c:\windows\system32\avirpa32.dll
2009-10-24 10:53:56 125440 ----a-w- c:\windows\system32\igmpagnt32.dll
2009-10-23 23:09:33 9232 ----a-w- c:\documents and settings\jacob\mqdmmdfl.sys
2009-10-23 23:09:33 92064 ----a-w- c:\documents and settings\jacob\mqdmmdm.sys
2009-10-23 23:09:33 79328 ----a-w- c:\documents and settings\jacob\mqdmserd.sys
2009-10-23 23:09:33 6208 ----a-w- c:\documents and settings\jacob\mqdmcmnt.sys
2009-10-23 23:09:33 5936 ----a-w- c:\documents and settings\jacob\mqdmwhnt.sys
2009-10-23 23:09:33 4048 ----a-w- c:\documents and settings\jacob\mqdmcr.sys
2009-10-23 23:09:32 66656 ----a-w- c:\documents and settings\jacob\mqdmbus.sys
2009-10-23 23:09:31 25600 ----a-w- c:\documents and settings\jacob\usbsermptxp.sys
2009-10-23 23:09:31 22768 ----a-w- c:\documents and settings\jacob\usbsermpt.sys
2009-10-23 22:33:35 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-10-23 22:30:06 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-10-23 22:26:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-10-23 22:26:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-10-23 22:26:55 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-10-23 00:18:11 47360 ----a-w- c:\docume~1\jacob\applic~1\pcouffin.sys
2009-10-17 14:28:27 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-09-28 18:20:43 89256 ------w- c:\windows\system32\ElbyCDIO.dll
2009-09-26 17:57:34 25768 ------w- c:\windows\system32\drivers\ElbyCDIO.sys
2009-08-31 22:14:06 2855 ----a-w- c:\windows\system32\desote.PIF
2000-12-11 12:57:32 21841 ----a-w- c:\program files\common files\tppupd2k.dll
2006-08-21 03:20:24 88 -csh--r- c:\windows\system32\F4FE6F60A2.sys

============= FINISH: 20:01:42.04 ===============

Attached File  Attach.zip   5.3KB   2 downloads

Merged posts. ~ OB

Edited by Orange Blossom, 24 November 2009 - 08:18 PM.
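Logs like the DDS output above are what the helpers in this forum triage by hand. As an added example that is not part of the original post and not a BleepingComputer tool, the following Python script parses lines in the DDS "Created Last 30"/"Find3M" file-listing format and the "Notify:" line of the pseudo-HJT section, and lists the entries a reviewer would usually look at first: files or directories under system32 carrying both the hidden and system attributes, purely numeric or .tmp names under system32, and a Winlogon Notify key whose name is a random-looking hex string. The heuristics, function names and the sample lines (reformatted from the DDS log above, plus one constructed benign Notify line) are the example's own; a hit is a candidate for review, not a verdict, since some cleanup tools also drop hidden files into system32.

```python
"""Triage helper for DDS-style log lines (added example; not a BleepingComputer tool)."""
import re
from dataclasses import dataclass

# Sample input: lines reformatted from the DDS log in this thread, plus one
# constructed benign "Notify:" line. Attribute mask positions in DDS output:
# d=directory, c=compressed, s=system, h=hidden, a=archive, r=read-only, w=writable.
SAMPLE_LOG = r"""
2009-11-25 00:30:56 203776 --sh--w- c:\windows\system32\unrar.exe
2009-11-21 17:35:22 738816 --sha-w- c:\windows\system32\352.tmp
2009-11-19 05:05:00 1355 --sha-w- c:\windows\system32\82016353
2009-11-19 05:04:47 0 d-sh--w- c:\windows\system32\SysWoW32
2009-11-08 23:05:28 54156 ---ha-w- c:\windows\QTFont.qfn
2009-10-24 10:53:56 125440 ----a-w- c:\windows\system32\igmpagnt32.dll
Notify: 54b32831691 - c:\windows\system32\igmpagnt32.dll
Notify: ExampleNotify - c:\windows\system32\example.dll
"""

# "<date> <time> <size> <8-char attribute mask> <path>"
FILE_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)
# "Notify: <key name> - <dll path>"
NOTIFY_LINE = re.compile(r"^Notify:\s+(?P<name>\S+)\s+-\s+(?P<path>.+?)\s*$")
# Key names made only of hex digits, 8+ chars, read as machine-generated.
HEX_NAME = re.compile(r"[0-9a-f]{8,}")


@dataclass
class Finding:
    line: str
    reasons: list


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _in_system32(path: str) -> bool:
    return "\\windows\\system32\\" in path.lower().replace("/", "\\")


def check_file_entry(attrs: str, path: str) -> list:
    """Heuristics for one file-listing line; returns the reasons it was flagged."""
    reasons = []
    name = _basename(path)
    if _in_system32(path):
        if "s" in attrs and "h" in attrs:
            reasons.append("hidden+system attributes under system32")
        if name.isdigit() or name.lower().endswith(".tmp"):
            reasons.append("numeric or .tmp name under system32")
    return reasons


def check_notify_entry(name: str, path: str) -> list:
    """Heuristic for a Winlogon Notify entry: random-looking hex key name."""
    if HEX_NAME.fullmatch(name.lower()):
        return ["Winlogon Notify key with random-looking name"]
    return []


def triage(log_text: str) -> list:
    """Return a Finding for every line on which at least one heuristic fires."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            reasons = check_file_entry(m["attrs"], m["path"])
        else:
            m = NOTIFY_LINE.match(line)
            reasons = check_notify_entry(m["name"], m["path"]) if m else []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

On the sample above the script flags five lines: the four system32 entries with hidden+system attributes (two of them also for their numeric or .tmp names) and the Notify entry with the hex key name, while the QTFont file outside system32, the plainly attributed igmpagnt32.dll listing and the constructed benign Notify line pass. The cross-reference a human makes next, that the flagged Notify key loads the same igmpagnt32.dll that appears in Find3M, is left to the reader on purpose; the script only narrows the list.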




#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:50 AM

Posted 29 November 2009 - 03:47 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 jakedogg

jakedogg
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:50 AM

Posted 30 November 2009 - 08:41 PM

Myrti...... So far my problems consist of the computer slowing down after about an hour or so. Something is eating up my bandwidth. When this happens I run MBAM and "sometimes" I get 3 malicious items, including 2 trojans - (c:\windows\system32\c.tmp), claiming one of the two is a memory module, and (c:\windows\gnuhashes.ini). I remove them each time, but somehow they keep coming back. Thank you for taking time to help....

I'm having a problem running the scan. It stops every time it gets to HKEY_LOCAL_MACHINE Winsock2 settings and says: " ')' is not a valid integer value "

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:50 AM

Posted 01 December 2009 - 09:47 AM

Hi,

please provide a log from DDS instead:
Please run a scan with DDS:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
    DDS.scr
    DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.


Information on A/V control HERE

Please also provide a log from gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#5 jakedogg

jakedogg
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:50 AM

Posted 01 December 2009 - 11:27 AM

DDS (Ver_09-12-01.01) - NTFSx86
Run by Jacob at 11:24:19.59 on Tue 12/01/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.472 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jacob\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com/
mStart Page = hxxp://www.dell.com
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\mediac~1\intern~1\ARCURL~1.DLL
BHO: Download Manager Browser Helper Object: {19c8e43b-07b3-49cb-bffc-6777b593e6f8} - c:\progra~1\common~1\fluxdvd\downlo~1\XEBDLH~1.DLL
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\ATIPTAXX.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: cengage.com
Trusted Zone: course.com
Trusted Zone: skillcheck.com
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161205003765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: 54b32831691 - c:\windows\system32\igmpagnt32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jacob\applic~1\mozilla\firefox\profiles\dowk45fq.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com (Virtus Designs)
FF - prefs.js: browser.startup.homepage - www.ask.com
FF - plugin: c:\program files\common files\mpdrm\NPMPDRM.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-25 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-25 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-25 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-25 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-25 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-25 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-25 40552]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys --> c:\windows\system32\drivers\motport.sys [?]
S3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\protowall.sys --> c:\windows\system32\drivers\ProtoWall.sys [?]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-25 606736]

=============== Created Last 30 ================

2009-11-25 19:25:51 738816 --sha-w- c:\windows\system32\13.tmp
2009-11-25 00:30:56 203776 --sh--w- c:\windows\system32\unrar.exe
2009-11-25 00:15:20 77312 ----a-w- c:\windows\MBR.exe
2009-11-21 17:35:22 738816 --sha-w- c:\windows\system32\352.tmp
2009-11-19 05:05:00 1446 --sha-w- c:\windows\system32\82016353
2009-11-19 05:04:59 817 ----a-w- c:\windows\system32\1421027377
2009-11-19 05:04:47 0 d-sh--w- c:\windows\system32\SysWoW32
2009-11-19 05:03:21 0 d-----w- c:\windows\system32\1719750486
2009-11-14 01:57:49 3247 ----a-w- c:\windows\system32\wbem\Outlook_01ca64cdde5c7a1a.mof
2009-11-08 23:05:28 54156 ---ha-w- c:\windows\QTFont.qfn
2009-11-08 23:05:28 1409 ----a-w- c:\windows\QTFont.for
2009-11-08 22:57:54 0 d-----w- c:\docume~1\alluse~1\applic~1\ArcSoft
2009-11-08 22:56:20 0 d-----w- c:\program files\Philips

==================== Find3M ====================

2009-11-14 06:47:57 260608 ----a-w- c:\windows\PEV.exe
2009-10-24 11:01:05 268288 ----a-w- c:\windows\system32\avirpa32.dll
2009-10-24 10:53:56 125440 ----a-w- c:\windows\system32\igmpagnt32.dll
2009-10-23 23:09:33 9232 ----a-w- c:\documents and settings\jacob\mqdmmdfl.sys
2009-10-23 23:09:33 92064 ----a-w- c:\documents and settings\jacob\mqdmmdm.sys
2009-10-23 23:09:33 79328 ----a-w- c:\documents and settings\jacob\mqdmserd.sys
2009-10-23 23:09:33 6208 ----a-w- c:\documents and settings\jacob\mqdmcmnt.sys
2009-10-23 23:09:33 5936 ----a-w- c:\documents and settings\jacob\mqdmwhnt.sys
2009-10-23 23:09:33 4048 ----a-w- c:\documents and settings\jacob\mqdmcr.sys
2009-10-23 23:09:32 66656 ----a-w- c:\documents and settings\jacob\mqdmbus.sys
2009-10-23 23:09:31 25600 ----a-w- c:\documents and settings\jacob\usbsermptxp.sys
2009-10-23 23:09:31 22768 ----a-w- c:\documents and settings\jacob\usbsermpt.sys
2009-10-23 22:33:35 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-10-23 22:30:06 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-10-23 22:26:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-10-23 22:26:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-10-23 22:26:55 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-10-23 00:18:11 47360 ----a-w- c:\docume~1\jacob\applic~1\pcouffin.sys
2009-10-17 14:28:27 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-09-28 18:20:43 89256 ------w- c:\windows\system32\ElbyCDIO.dll
2000-12-11 12:57:32 21841 ----a-w- c:\program files\common files\tppupd2k.dll
2006-08-21 03:20:24 88 -csh--r- c:\windows\system32\F4FE6F60A2.sys

============= FINISH: 11:25:02.35 ===============
Attached File: Attach.zip (5.08KB)

#6 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,770 posts
  • Gender:Female
  • Location:At home

Posted 01 December 2009 - 11:55 AM

Hi,

there is a sign of an infection in that log. To be sure I would like to see a rootkit scan as well:

Please run gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#7 jakedogg
  • Topic Starter
  • Members
  • 11 posts

Posted 01 December 2009 - 08:44 PM

Sorry, I started the scan, but had to go back to work.

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-01 20:39:35
Windows 5.1.2600 Service Pack 3
Running: n7niqvw1.exe; Driver: C:\DOCUME~1\Jacob\LOCALS~1\Temp\uwtdapob.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat F65C6C8A

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw@imagepath \systemroot\system32\drivers\kbiwkmtacfgknd.sys
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw\main@aid 10038
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmtacfgknd.sys
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmjfnrcbci.dll
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmbovlryhb.dat
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmrsbffqla.dll
Reg HKLM\SYSTEM\ControlSet001\Services\kbiwkmjwqiwuuw\modules@kbiwkm.dat \systemroot\system32\kbiwkmlmsqttvy.dat

---- EOF - GMER 1.0.15 ----

#8 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,770 posts
  • Gender:Female
  • Location:At home

Posted 02 December 2009 - 05:14 PM

hi,

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#9 jakedogg
  • Topic Starter
  • Members
  • 11 posts

Posted 03 December 2009 - 07:01 PM

ComboFix 09-12-03.03 - Jacob 12/03/2009 18:37.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.577 [GMT -5:00]
Running from: c:\documents and settings\Jacob\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brittany\Application Data\020000002bf743ac691C.manifest
c:\documents and settings\Brittany\Application Data\020000002bf743ac691O.manifest
c:\documents and settings\Brittany\Application Data\020000002bf743ac691P.manifest
c:\documents and settings\Brittany\Application Data\020000002bf743ac691S.manifest
c:\documents and settings\Jacob\Application Data\020000002bf743ac691C.manifest
c:\documents and settings\Jacob\Application Data\020000002bf743ac691O.manifest
c:\documents and settings\Jacob\Application Data\020000002bf743ac691P.manifest
c:\documents and settings\Jacob\Application Data\020000002bf743ac691S.manifest
c:\documents and settings\Tim & Denise\Application Data\020000002bf743ac691C.manifest
c:\documents and settings\Tim & Denise\Application Data\020000002bf743ac691O.manifest
c:\documents and settings\Tim & Denise\Application Data\020000002bf743ac691P.manifest
c:\documents and settings\Tim & Denise\Application Data\020000002bf743ac691S.manifest
c:\windows\GnuHashes.ini
c:\windows\system32\1719750486
c:\windows\system32\unrar.exe

Infected copy of c:\windows\system32\hid.dll was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\hid.dll

Infected copy of c:\windows\system32\midimap.dll was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\midimap.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.

2009-11-27 14:49 . 2009-11-27 14:49 -------- d-----w- c:\documents and settings\Tim & Denise\Local Settings\Application Data\ArcSoft
2009-11-27 14:49 . 2009-11-27 14:50 -------- d-----w- c:\documents and settings\Tim & Denise\Application Data\ArcSoft
2009-11-20 01:38 . 2009-11-20 01:38 -------- d-----w- c:\documents and settings\Brittany\Application Data\Malwarebytes
2009-11-19 05:04 . 2009-11-29 08:56 -------- d-sh--w- c:\windows\system32\SysWoW32
2009-11-11 21:22 . 2009-11-11 21:22 -------- d-----w- c:\documents and settings\Brittany\Local Settings\Application Data\ArcSoft
2009-11-11 21:22 . 2009-11-11 21:22 -------- d-----w- c:\documents and settings\Brittany\Application Data\ArcSoft
2009-11-08 22:58 . 2009-11-08 22:58 -------- d-----w- c:\documents and settings\Jacob\Local Settings\Application Data\ArcSoft
2009-11-08 22:58 . 2009-11-08 23:05 -------- d-----w- c:\documents and settings\Jacob\Application Data\ArcSoft
2009-11-08 22:57 . 2009-11-08 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-11-08 22:57 . 2009-11-08 22:57 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-11-08 22:57 . 2009-11-08 22:57 -------- d-----w- c:\program files\ArcSoft
2009-11-08 22:56 . 2009-11-08 22:56 -------- d-----w- c:\program files\Philips
2009-11-08 22:55 . 2009-11-08 22:55 -------- d-----w- c:\documents and settings\Jacob\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-03 23:18 . 2008-10-17 14:54 -------- d-----w- c:\program files\lx_cats
2009-11-25 19:25 . 2009-11-25 19:25 738816 --sha-w- c:\windows\system32\13.tmp
2009-11-24 23:32 . 2009-07-25 14:37 -------- d-----w- c:\program files\McAfee
2009-11-21 17:35 . 2009-11-21 17:35 738816 --sha-w- c:\windows\system32\352.tmp
2009-11-08 22:59 . 2006-07-14 00:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-30 14:24 . 2008-08-20 21:38 5751045 ----a-w- c:\windows\java\Packages\979fdbjj.zip
2009-10-30 14:22 . 2008-08-20 21:38 188338 ----a-w- c:\windows\java\Packages\m81nr1v1.zip
2009-10-24 11:01 . 2009-10-24 11:01 268288 ----a-w- c:\windows\system32\avirpa32.dll
2009-10-24 10:55 . 2009-10-24 10:55 -------- d-----w- c:\program files\ImTOO
2009-10-24 10:53 . 2009-10-24 10:53 125440 ----a-w- c:\windows\system32\igmpagnt32.dll
2009-10-24 01:19 . 2009-10-24 01:19 -------- d-----w- c:\documents and settings\Jacob\Application Data\ImTOO Software Studio
2009-10-24 01:15 . 2009-10-24 01:15 -------- d-----w- c:\program files\Xilisoft
2009-10-24 00:26 . 2009-10-24 00:26 -------- d-----w- c:\documents and settings\Jacob\Application Data\Leawo
2009-10-24 00:26 . 2009-10-24 00:26 -------- d-----w- c:\program files\SeekService
2009-10-24 00:26 . 2009-10-24 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SeekService
2009-10-24 00:25 . 2009-10-24 00:25 -------- d-----w- c:\program files\Leawo
2009-10-23 23:35 . 2009-10-23 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-10-23 23:15 . 2009-10-23 23:09 -------- d-----w- c:\program files\Motorola Phone Tools
2009-10-23 23:14 . 2009-10-23 23:14 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-10-23 23:12 . 2009-10-23 23:11 -------- d-----w- c:\program files\Avanquest update
2009-10-23 23:09 . 2009-10-23 23:09 9232 ----a-w- c:\documents and settings\Jacob\mqdmmdfl.sys
2009-10-23 23:09 . 2009-10-23 23:09 92064 ----a-w- c:\documents and settings\Jacob\mqdmmdm.sys
2009-10-23 23:09 . 2009-10-23 23:09 79328 ----a-w- c:\documents and settings\Jacob\mqdmserd.sys
2009-10-23 23:09 . 2009-10-23 23:09 5936 ----a-w- c:\documents and settings\Jacob\mqdmwhnt.sys
2009-10-23 23:09 . 2009-10-23 23:09 4048 ----a-w- c:\documents and settings\Jacob\mqdmcr.sys
2009-10-23 23:09 . 2009-10-23 23:09 6208 ----a-w- c:\documents and settings\Jacob\mqdmcmnt.sys
2009-10-23 23:09 . 2009-10-23 23:09 66656 ----a-w- c:\documents and settings\Jacob\mqdmbus.sys
2009-10-23 23:09 . 2009-10-23 23:09 25600 ----a-w- c:\documents and settings\Jacob\usbsermptxp.sys
2009-10-23 23:09 . 2009-10-23 23:09 22768 ----a-w- c:\documents and settings\Jacob\usbsermpt.sys
2009-10-23 22:35 . 2009-10-23 22:35 -------- d-----w- c:\program files\Free WMA to MP3 Converter
2009-10-23 22:33 . 2009-10-23 22:33 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-10-23 22:30 . 2009-10-23 22:30 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-10-23 22:26 . 2009-10-23 22:26 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-10-23 22:26 . 2009-10-23 22:26 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-10-23 22:26 . 2009-10-23 22:26 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-10-23 00:28 . 2009-10-23 00:28 -------- d-----w- c:\program files\Elaborate Bytes
2009-10-23 00:18 . 2008-12-10 23:31 -------- d-----w- c:\documents and settings\Jacob\Application Data\Vso
2009-10-23 00:18 . 2008-12-10 23:31 47360 ----a-w- c:\documents and settings\Jacob\Application Data\pcouffin.sys
2009-10-23 00:18 . 2008-12-10 23:31 47360 ----a-w- c:\documents and settings\Jacob\Application Data\pcouffin.sys
2009-10-23 00:14 . 2009-10-23 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2009-10-23 00:07 . 2009-10-23 00:07 -------- d-----w- c:\program files\SlySoft
2009-10-22 22:59 . 2009-10-22 22:58 -------- d-----w- c:\program files\DVDFab 6
2009-10-17 14:28 . 2009-10-17 14:28 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-09-28 18:20 . 2009-09-28 18:20 89256 ------w- c:\windows\system32\ElbyCDIO.dll
2009-09-26 17:57 . 2009-09-26 17:57 25768 ------w- c:\windows\system32\drivers\ElbyCDIO.sys
2009-09-16 14:22 . 2009-07-25 14:37 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-07-25 14:37 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-07-25 14:37 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-05-14 03:25 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-07-25 14:33 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2000-12-11 12:57 . 2007-10-16 00:11 21841 ----a-w- c:\program files\Common Files\tppupd2k.dll
2006-08-21 03:20 . 2006-07-18 23:17 88 -csh--r- c:\windows\system32\F4FE6F60A2.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntoskrnl.exe
[7] 2007-02-28 . 5A5C8DB4AA962C714C8371FBDF189FC9 . 2182144 . . [5.1.2600.3093] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2007-02-28 . 5A5C8DB4AA962C714C8371FBDF189FC9 . 2182144 . . [5.1.2600.3093] . . c:\windows\system32\dllcache\ntoskrnl.exe
[7] 2007-02-28 . E6679C3023B17D8B78946BC5DF53FA20 . 2137600 . . [5.1.2600.3093] . . c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2006-12-19 . 57B9D140E1EB8B0EA06DF927B63B0EEE . 2137600 . . [5.1.2600.3051] . . c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2005-06-23 . 5611F453C6D20AB0552956F39BCDDB88 . 2136064 . . [5.1.2600.2705] . . c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[7] 2005-03-02 . 28187802B7C368C0D3AEF7D4C382AABB . 2179456 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe

c:\windows\System32\ntoskrnl.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot_2009-11-25_00.24.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-03 23:47 . 2009-12-03 23:47 16384 c:\windows\Temp\Perflib_Perfdata_694.dat
+ 2008-08-20 21:39 . 2008-04-14 00:11 18944 c:\windows\system32\midimap.dll
- 2008-08-20 21:39 . 2004-08-10 09:00 18944 c:\windows\system32\midimap.dll
- 2008-08-20 21:39 . 2004-08-10 09:00 20992 c:\windows\system32\hid.dll
+ 2008-08-20 21:39 . 2008-04-14 00:11 20992 c:\windows\system32\hid.dll
+ 2006-07-18 22:38 . 2009-12-03 22:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-07-18 22:38 . 2009-11-24 23:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-07-18 22:38 . 2009-11-24 23:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-25 04:05 . 2009-12-03 22:42 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-10-16 20:47 . 2009-12-02 03:56 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Qemm]
@="{F613E3DD-838B-4E33-8D94-1D154EF35D53}"
[HKEY_CLASSES_ROOT\CLSID\{F613E3DD-838B-4E33-8D94-1D154EF35D53}]
2001-01-01 16:53 94208 ----a-w- c:\windows\system32\avirpa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ATIPTA"="c:\program files\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2005-08-06 344064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\54b32831691]
2009-10-24 10:53 125440 ----a-w- c:\windows\system32\igmpagnt32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips GoGear VIBE Device Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Philips GoGear VIBE Device Manager.lnk
backup=c:\windows\pss\Philips GoGear VIBE Device Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\Pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56616:TCP"= 56616:TCP:*:Disabled:Pando
"56616:UDP"= 56616:UDP:*:Disabled:Pando
"56536:TCP"= 56536:TCP:*:Disabled:Pando
"56536:UDP"= 56536:UDP:*:Disabled:Pando

R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/25/2009 9:40 AM 93320]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]
S3 ProtoWall;ProtoWall Network Service;c:\windows\system32\DRIVERS\ProtoWall.sys --> c:\windows\system32\DRIVERS\ProtoWall.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-25 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-25 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/
mStart Page = hxxp://www.dell.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: cengage.com
Trusted Zone: course.com
Trusted Zone: skillcheck.com
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\dowk45fq.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com (Virtus Designs)
FF - prefs.js: browser.startup.homepage - www.ask.com
FF - plugin: c:\program files\Common Files\mpDRM\NPMPDRM.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 18:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\mpDRM\LicenseStore*]
@DACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\System32\igmpagnt32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxcycoms.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\rundll32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2009-12-03 18:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-03 23:57
ComboFix2.txt 2009-11-25 00:26
ComboFix3.txt 2009-09-01 03:01

Pre-Run: 145,233,399,808 bytes free
Post-Run: 145,198,764,032 bytes free

- - End Of File - - 4179D722EBE9C3EF32571647E04A9F71

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • Gender:Female
  • Location:At home
  • Local time:11:50 AM

Posted 05 December 2009 - 05:09 AM

Hi,

I'm afraid I have bad news:

Your logs reveal an information stealing trojan.


I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required to clean your PC.

If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation as soon as possible.

If you do not have access to a known clean computer, you will still need to change your passwords, and all other sensitive information, but only once your system is deemed clean.

To remove the remaining files, please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\13.tmp
c:\windows\system32\352.tmp
c:\windows\system32\igmpagnt32.dll
c:\windows\system32\avirpa32.dll
Folder::
c:\windows\system32\SysWoW32
Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Qemm]
[-HKEY_CLASSES_ROOT\CLSID\{F613E3DD-838B-4E33-8D94-1D154EF35D53}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\54b32831691]

FCopy::
c:\windows\system32\dllcache\ntoskrnl.exe | C:\windows\system32\ntoskrnl.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 jakedogg

jakedogg
  • Topic Starter

  • Members
  • 11 posts
  • Local time:05:50 AM

Posted 05 December 2009 - 07:29 AM

ComboFix 09-12-04.04 - Jacob 12/05/2009 6:44.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.538 [GMT -5:00]
Running from: c:\documents and settings\Jacob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jacob\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\13.tmp"
"c:\windows\system32\352.tmp"
"c:\windows\system32\avirpa32.dll"
"c:\windows\system32\igmpagnt32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jacob\Application Data\020000002bf743ac691C.manifest
c:\documents and settings\Jacob\Application Data\020000002bf743ac691O.manifest
c:\documents and settings\Jacob\Application Data\020000002bf743ac691P.manifest
c:\documents and settings\Jacob\Application Data\020000002bf743ac691S.manifest
c:\documents and settings\Tim & Denise\Application Data\020000002bf743ac691C.manifest
c:\documents and settings\Tim & Denise\Application Data\020000002bf743ac691O.manifest
c:\documents and settings\Tim & Denise\Application Data\020000002bf743ac691P.manifest
c:\documents and settings\Tim & Denise\Application Data\020000002bf743ac691S.manifest
c:\windows\GnuHashes.ini
c:\windows\system32\13.tmp
c:\windows\system32\1719750486
c:\windows\system32\352.tmp
c:\windows\system32\avirpa32.dll
c:\windows\system32\igmpagnt32.dll
c:\windows\system32\SysWoW32
c:\windows\system32\SysWoW32\@i250180203v0
c:\windows\system32\SysWoW32\@i250180203v1
c:\windows\system32\SysWoW32\@i250180203v2
c:\windows\system32\SysWoW32\@i250180203v3
c:\windows\system32\SysWoW32\@u250180203v4
c:\windows\system32\SysWoW32\@u250180203v5
c:\windows\system32\SysWoW32\@u250180203v6
c:\windows\system32\SysWoW32\@u250180203v7
c:\windows\system32\SysWoW32\_i250180203v0
c:\windows\system32\SysWoW32\_i250180203v1
c:\windows\system32\SysWoW32\_i250180203v2
c:\windows\system32\SysWoW32\_i250180203v3
c:\windows\system32\SysWoW32\_u250180203v4
c:\windows\system32\SysWoW32\_u250180203v5
c:\windows\system32\SysWoW32\_u250180203v6
c:\windows\system32\SysWoW32\_u250180203v7
c:\windows\system32\SysWoW32\mi250180203v4
c:\windows\system32\SysWoW32\mi250180203v4.kwd
c:\windows\system32\SysWoW32\mi250180203v5
c:\windows\system32\SysWoW32\mi250180203v5.kwd
c:\windows\system32\SysWoW32\mi250180203v6
c:\windows\system32\SysWoW32\mi250180203v6.kwd
c:\windows\system32\SysWoW32\mi250180203v7
c:\windows\system32\SysWoW32\mi250180203v7.kwd
c:\windows\system32\SysWoW32\wu250180203v0
c:\windows\system32\SysWoW32\wu250180203v0.kwd
c:\windows\system32\SysWoW32\wu250180203v1
c:\windows\system32\SysWoW32\wu250180203v1.kwd
c:\windows\system32\SysWoW32\wu250180203v2
c:\windows\system32\SysWoW32\wu250180203v2.kwd
c:\windows\system32\SysWoW32\wu250180203v3
c:\windows\system32\SysWoW32\wu250180203v3.kwd
c:\windows\system32\unrar.exe

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\ntoskrnl.exe --> c:\windows\system32\ntoskrnl.exe
.
((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.

2009-12-05 11:44 . 2007-02-28 09:55 2182144 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-05 11:44 . 2007-02-28 09:55 2182144 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-04 22:00 . 2009-12-04 22:00 -------- d-----w- c:\documents and settings\Tim & Denise\Application Data\Malwarebytes
2009-11-27 14:49 . 2009-11-27 14:49 -------- d-----w- c:\documents and settings\Tim & Denise\Local Settings\Application Data\ArcSoft
2009-11-27 14:49 . 2009-11-27 14:50 -------- d-----w- c:\documents and settings\Tim & Denise\Application Data\ArcSoft
2009-11-20 01:38 . 2009-11-20 01:38 -------- d-----w- c:\documents and settings\Brittany\Application Data\Malwarebytes
2009-11-11 21:22 . 2009-11-11 21:22 -------- d-----w- c:\documents and settings\Brittany\Local Settings\Application Data\ArcSoft
2009-11-11 21:22 . 2009-11-11 21:22 -------- d-----w- c:\documents and settings\Brittany\Application Data\ArcSoft
2009-11-08 22:58 . 2009-11-08 22:58 -------- d-----w- c:\documents and settings\Jacob\Local Settings\Application Data\ArcSoft
2009-11-08 22:58 . 2009-11-08 23:05 -------- d-----w- c:\documents and settings\Jacob\Application Data\ArcSoft
2009-11-08 22:57 . 2009-11-08 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-11-08 22:57 . 2009-11-08 22:57 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-11-08 22:57 . 2009-11-08 22:57 -------- d-----w- c:\program files\ArcSoft
2009-11-08 22:56 . 2009-11-08 22:56 -------- d-----w- c:\program files\Philips
2009-11-08 22:55 . 2009-11-08 22:55 -------- d-----w- c:\documents and settings\Jacob\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-05 12:20 . 2008-10-17 14:54 -------- d-----w- c:\program files\lx_cats
2009-12-04 00:57 . 2009-12-04 00:57 738816 --sha-w- c:\windows\system32\D0.tmp
2009-11-24 23:32 . 2009-07-25 14:37 -------- d-----w- c:\program files\McAfee
2009-11-08 22:59 . 2006-07-14 00:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-30 14:24 . 2008-08-20 21:38 5751045 ----a-w- c:\windows\java\Packages\979fdbjj.zip
2009-10-30 14:22 . 2008-08-20 21:38 188338 ----a-w- c:\windows\java\Packages\m81nr1v1.zip
2009-10-24 10:55 . 2009-10-24 10:55 -------- d-----w- c:\program files\ImTOO
2009-10-24 01:19 . 2009-10-24 01:19 -------- d-----w- c:\documents and settings\Jacob\Application Data\ImTOO Software Studio
2009-10-24 01:15 . 2009-10-24 01:15 -------- d-----w- c:\program files\Xilisoft
2009-10-24 00:26 . 2009-10-24 00:26 -------- d-----w- c:\documents and settings\Jacob\Application Data\Leawo
2009-10-24 00:26 . 2009-10-24 00:26 -------- d-----w- c:\program files\SeekService
2009-10-24 00:26 . 2009-10-24 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SeekService
2009-10-24 00:25 . 2009-10-24 00:25 -------- d-----w- c:\program files\Leawo
2009-10-23 23:35 . 2009-10-23 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-10-23 23:15 . 2009-10-23 23:09 -------- d-----w- c:\program files\Motorola Phone Tools
2009-10-23 23:14 . 2009-10-23 23:14 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-10-23 23:12 . 2009-10-23 23:11 -------- d-----w- c:\program files\Avanquest update
2009-10-23 23:09 . 2009-10-23 23:09 9232 ----a-w- c:\documents and settings\Jacob\mqdmmdfl.sys
2009-10-23 23:09 . 2009-10-23 23:09 92064 ----a-w- c:\documents and settings\Jacob\mqdmmdm.sys
2009-10-23 23:09 . 2009-10-23 23:09 79328 ----a-w- c:\documents and settings\Jacob\mqdmserd.sys
2009-10-23 23:09 . 2009-10-23 23:09 5936 ----a-w- c:\documents and settings\Jacob\mqdmwhnt.sys
2009-10-23 23:09 . 2009-10-23 23:09 4048 ----a-w- c:\documents and settings\Jacob\mqdmcr.sys
2009-10-23 23:09 . 2009-10-23 23:09 6208 ----a-w- c:\documents and settings\Jacob\mqdmcmnt.sys
2009-10-23 23:09 . 2009-10-23 23:09 66656 ----a-w- c:\documents and settings\Jacob\mqdmbus.sys
2009-10-23 23:09 . 2009-10-23 23:09 25600 ----a-w- c:\documents and settings\Jacob\usbsermptxp.sys
2009-10-23 23:09 . 2009-10-23 23:09 22768 ----a-w- c:\documents and settings\Jacob\usbsermpt.sys
2009-10-23 22:35 . 2009-10-23 22:35 -------- d-----w- c:\program files\Free WMA to MP3 Converter
2009-10-23 22:33 . 2009-10-23 22:33 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-10-23 22:30 . 2009-10-23 22:30 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-10-23 22:26 . 2009-10-23 22:26 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-10-23 22:26 . 2009-10-23 22:26 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-10-23 22:26 . 2009-10-23 22:26 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-10-23 00:28 . 2009-10-23 00:28 -------- d-----w- c:\program files\Elaborate Bytes
2009-10-23 00:18 . 2008-12-10 23:31 -------- d-----w- c:\documents and settings\Jacob\Application Data\Vso
2009-10-23 00:18 . 2008-12-10 23:31 47360 ----a-w- c:\documents and settings\Jacob\Application Data\pcouffin.sys
2009-10-23 00:18 . 2008-12-10 23:31 47360 ----a-w- c:\documents and settings\Jacob\Application Data\pcouffin.sys
2009-10-23 00:14 . 2009-10-23 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2009-10-23 00:07 . 2009-10-23 00:07 -------- d-----w- c:\program files\SlySoft
2009-10-22 22:59 . 2009-10-22 22:58 -------- d-----w- c:\program files\DVDFab 6
2009-10-17 14:28 . 2009-10-17 14:28 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-09-28 18:20 . 2009-09-28 18:20 89256 ------w- c:\windows\system32\ElbyCDIO.dll
2009-09-26 17:57 . 2009-09-26 17:57 25768 ------w- c:\windows\system32\drivers\ElbyCDIO.sys
2009-09-16 14:22 . 2009-07-25 14:37 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-07-25 14:37 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-07-25 14:37 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-05-14 03:25 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-07-25 14:33 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2000-12-11 12:57 . 2007-10-16 00:11 21841 ----a-w- c:\program files\Common Files\tppupd2k.dll
2006-08-21 03:20 . 2006-07-18 23:17 88 -csh--r- c:\windows\system32\F4FE6F60A2.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-11-25_00.24.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-05 11:53 . 2009-12-05 11:53 16384 c:\windows\Temp\Perflib_Perfdata_68c.dat
+ 2008-08-20 21:39 . 2008-04-14 00:11 18944 c:\windows\system32\midimap.dll
- 2008-08-20 21:39 . 2004-08-10 09:00 18944 c:\windows\system32\midimap.dll
- 2008-08-20 21:39 . 2004-08-10 09:00 20992 c:\windows\system32\hid.dll
+ 2008-08-20 21:39 . 2008-04-14 00:11 20992 c:\windows\system32\hid.dll
+ 2006-07-18 22:38 . 2009-12-05 08:33 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-07-18 22:38 . 2009-11-24 23:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-07-18 22:38 . 2009-11-24 23:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-12-04 03:11 . 2009-12-05 08:33 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-10-16 20:47 . 2009-12-02 03:56 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2006-10-16 20:47 . 2006-10-18 00:34 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2006-10-16 20:47 . 2009-12-02 03:56 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ATIPTA"="c:\program files\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2005-08-06 344064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 106496]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips GoGear VIBE Device Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Philips GoGear VIBE Device Manager.lnk
backup=c:\windows\pss\Philips GoGear VIBE Device Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\Pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56616:TCP"= 56616:TCP:*:Disabled:Pando
"56616:UDP"= 56616:UDP:*:Disabled:Pando
"56536:TCP"= 56536:TCP:*:Disabled:Pando
"56536:UDP"= 56536:UDP:*:Disabled:Pando

R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/25/2009 9:40 AM 93320]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]
S3 ProtoWall;ProtoWall Network Service;c:\windows\system32\DRIVERS\ProtoWall.sys --> c:\windows\system32\DRIVERS\ProtoWall.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-25 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-25 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/
mStart Page = hxxp://www.dell.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: cengage.com
Trusted Zone: course.com
Trusted Zone: skillcheck.com
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\dowk45fq.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com (Virtus Designs)
FF - prefs.js: browser.startup.homepage - www.ask.com
FF - plugin: c:\program files\Common Files\mpDRM\NPMPDRM.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-05 07:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\mpDRM\LicenseStore*]
@DACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3060)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxcycoms.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\rundll32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
.
**************************************************************************
.
Completion time: 2009-12-05 07:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-05 12:26
ComboFix2.txt 2009-12-03 23:57
ComboFix3.txt 2009-11-25 00:26
ComboFix4.txt 2009-09-01 03:01

Pre-Run: 145,234,677,760 bytes free
Post-Run: 145,185,583,104 bytes free

- - End Of File - - E0F5981BCA51E409446E4E7A0F344748
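As an added example (not part of the thread and not ComboFix's own tooling): the CFScript given in post #10 can be checked mechanically against the 'Other Deletions' and 'FCopy' sections of the log above, which is the check a helper makes before calling the script done. The script and log excerpt embedded in the code are constructed from the paths in this thread (the log is cut down to the sections the check needs); the section-header patterns, and the observation that '[-KEY]' registry deletions are not echoed in the deletion sections of this log, are assumptions drawn from the logs shown here.

```python
"""Check a ComboFix CFScript against the log ComboFix produced for it.

Added example, not from the thread and not part of ComboFix. Parses the four
CFScript sections used in post #10 (File::, Folder::, Registry::, FCopy::) and
the 'Other Deletions' / 'FCopy' sections of the resulting log. Both inputs are
constructed: paths come from the thread, the log is cut down to what is needed.
"""
import re

CFSCRIPT = r"""
File::
c:\windows\system32\13.tmp
c:\windows\system32\352.tmp
c:\windows\system32\igmpagnt32.dll
c:\windows\system32\avirpa32.dll
Folder::
c:\windows\system32\SysWoW32
Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Qemm]
[-HKEY_CLASSES_ROOT\CLSID\{F613E3DD-838B-4E33-8D94-1D154EF35D53}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\54b32831691]

FCopy::
c:\windows\system32\dllcache\ntoskrnl.exe | C:\windows\system32\ntoskrnl.exe
"""

COMBOFIX_LOG = r"""
ComboFix 09-12-04.04 - Jacob 12/05/2009 6:44.4.2 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\GnuHashes.ini
c:\windows\system32\13.tmp
c:\windows\system32\352.tmp
c:\windows\system32\avirpa32.dll
c:\windows\system32\igmpagnt32.dll
c:\windows\system32\SysWoW32
c:\windows\system32\SysWoW32\@i250180203v0
c:\windows\system32\unrar.exe
.
--------------- FCopy ---------------

c:\windows\system32\dllcache\ntoskrnl.exe --> c:\windows\system32\ntoskrnl.exe
.
"""

CF_SECTION_RE = re.compile(r"^([A-Za-z]+)::$")  # e.g. 'File::' alone on a line
LOG_SECTION_RE = re.compile(r"^(?:\({3,}|-{3,})\s*(.+?)\s*(?:\){3,}|-{3,})$")  # assumed header shape


def _split_sections(text, header_re):
    """Group non-blank lines under the latest header; '.' spacer lines and
    anything before the first header are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = header_re.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_cfscript(text):
    return _split_sections(text, CF_SECTION_RE)


def parse_combofix_log(text):
    return _split_sections(text, LOG_SECTION_RE)


def normalize(path):
    # ComboFix quotes some paths and mixes drive-letter case; compare loosely.
    return path.strip().strip('"').lower()


def check_script_against_log(script_text, log_text):
    script, log = parse_cfscript(script_text), parse_combofix_log(log_text)
    deleted = {normalize(p) for p in log.get("Other Deletions", [])}
    copied = {tuple(normalize(x) for x in e.split("-->", 1)) for e in log.get("FCopy", [])}

    confirmed, unconfirmed, requested = [], [], set()
    for section in ("File", "Folder"):
        for path in script.get(section, []):
            requested.add(normalize(path))
            (confirmed if normalize(path) in deleted else unconfirmed).append(f"{section}:: {path}")
    for entry in script.get("FCopy", []):
        pair = tuple(normalize(x) for x in entry.split("|", 1))
        (confirmed if pair in copied else unconfirmed).append(f"FCopy:: {entry}")

    # Deletions nobody asked for, minus the contents of a requested folder.
    folders = [normalize(p) + "\\" for p in script.get("Folder", [])]
    extra = sorted(p for p in deleted
                   if p not in requested and not any(p.startswith(f) for f in folders))
    # [-KEY] deletions are not echoed by this log; re-read 'Reg Loading Points' instead.
    registry = [e for e in script.get("Registry", []) if e.startswith("[-")]
    return {"confirmed": confirmed, "unconfirmed": unconfirmed,
            "extra_deletions": extra, "registry_requests": registry}
```

Run against the two constructed inputs, `check_script_against_log(CFSCRIPT, COMBOFIX_LOG)` confirms all four File:: entries, the Folder:: entry and the FCopy:: pair, lists `GnuHashes.ini` and `unrar.exe` as deletions the script never requested (ComboFix removed them on its own), and hands back the three `[-KEY]` requests for manual confirmation against the new 'Reg Loading Points' section, where neither the `Qemm` overlay nor the `winlogon\notify\54b32831691` key appears any more.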

#12 jakedogg

jakedogg
  • Topic Starter

  • Members
  • 11 posts
  • Local time:05:50 AM

Posted 08 December 2009 - 09:51 PM

Computer is running real good now. I will still change my passwords after you confirm I'm clean.

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • Gender:Female
  • Location:At home
  • Local time:11:50 AM

Posted 11 December 2009 - 11:43 AM

Hi,

I'm terribly sorry for the delay. :( I had unexpected family issues to deal with, which left me without internet access for most of the week, but I'm back in the internet connected world now and I hope there won't be any more delays.

The log from Combofix is looking good. Just to be safe I would like you to run a scan with Eset:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
Sorry once more,
regards myrti



#14 jakedogg

jakedogg
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:50 AM

Posted 11 December 2009 - 08:06 PM

I completely understand. I greatly appreciate all your help. What you requested:



C:\Qoobox\Quarantine\[4]-Submit_2009-12-05_06.43.56.zip a variant of Win32/Kryptik.AVM trojan deleted - quarantined
C:\Qoobox\Quarantine\C\Program Files\IEToolbar\Bullseye Tool Bar\lwpopper.html.vir Win32/Adware.Toolbar.Bullseye application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\IEToolbar\Bullseye Tool Bar\tbu00317\lwpopper.html.vir Win32/Adware.Toolbar.Bullseye application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\0MzVJ.vbs.vir VBS/Disabler.NAB trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\avirpa32.dll.vir a variant of Win32/Kryptik.AVM trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\bTmIo.vbs.vir VBS/Disabler.NAB trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Cbgatav.vbs.vir VBS/Disabler.NAB trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\fdG3a.vbs.vir VBS/Disabler.NAB trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\HXDPd.vbs.vir VBS/Disabler.NAB trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\igmpagnt32.dll.vir a variant of Win32/Kryptik.AVM trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\@i250180203v0.vir a variant of Win32/Kryptik.BIR trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\@i250180203v1.vir a variant of Win32/Kryptik.BIR trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\@i250180203v2.vir a variant of Win32/Kryptik.BIR trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\@i250180203v3.vir a variant of Win32/Kryptik.BIR trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\@u250180203v4.vir a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\@u250180203v5.vir a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\@u250180203v6.vir a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\@u250180203v7.vir a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\mi250180203v4.vir a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\mi250180203v5.vir a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\mi250180203v6.vir a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\mi250180203v7.vir a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\wu250180203v0.vir a variant of Win32/Kryptik.BIR trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\wu250180203v1.vir a variant of Win32/Kryptik.BIR trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\wu250180203v2.vir a variant of Win32/Kryptik.BIR trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\wu250180203v3.vir a variant of Win32/Kryptik.BIR trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\_i250180203v0.vir a variant of Win32/Kryptik.BIR trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\_i250180203v1.vir a variant of Win32/Kryptik.BIR trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\_i250180203v2.vir a variant of Win32/Kryptik.BIR trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\_i250180203v3.vir a variant of Win32/Kryptik.BIR trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\_u250180203v4.vir a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\_u250180203v5.vir a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\_u250180203v6.vir a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\_u250180203v7.vir a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1079\A0102749.vbs VBS/Disabler.NAB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1079\A0102750.vbs VBS/Disabler.NAB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1079\A0102751.vbs VBS/Disabler.NAB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1079\A0102752.vbs VBS/Disabler.NAB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1079\A0102753.vbs VBS/Disabler.NAB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1086\A0104727.dll a variant of Win32/Kryptik.AVM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1086\A0104728.dll a variant of Win32/Kryptik.AVM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1086\A0104735.dll a variant of Win32/Kryptik.AVM trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\avirpa.dll Win32/Adware.BHO.BA application cleaned by deleting - quarantined
C:\WINDOWS\system32\D0.tmp a variant of Win32/Kryptik.AVM trojan cleaned by deleting - quarantined

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:50 AM

Posted 12 December 2009 - 09:48 AM

Hi,

This is actually looking good: the files found by Eset are mostly in System Restore, which we will empty at the end, and in the quarantine folder of ComboFix, which will also be deleted in the final step :(

Do you have any problems left with your PC?

Please update your software:
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.
Your Adobe Reader is also out of date. Please uninstall it and download the latest version from Adobe: Download
Please untick all proposed toolbars unless you really want them.

Please let me know if you have any problems.

regards myrti





