
Infected - dont know with what


  • This topic is locked
9 replies to this topic

#1 mandee996

mandee996

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:01 PM

Posted 27 November 2009 - 09:56 AM

Here's a link to my previous post .. http://www.bleepingcomputer.com/forums/t/271937/need-help-figuring-this-out/
Since then, I now can't connect to the internet; I get a message saying I don't have permission. However, I still get pop-up windows to random pages (which is how I'm on now). I did a system restore, and that fixed that part of the problem for about an hour before it started doing it again. I have Vista Pro on my computer.

Below is the DDS.txt log. Attached is the attach.txt log. I couldn't run RootRepeal, but attached is the crash log. If you can help me fix this I will be extremely grateful. Thank you so much.


DDS (Ver_09-11-24.02) - NTFSx86
Run by mandee at 9:09:33.23 on Thu 11/26/2009
Internet Explorer: 7.0.6000.16916
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1015.102 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
SP: McAfee VirusScan *disabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\crypserv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\msa.exe
C:\Users\mandee\AppData\Local\Temp\b.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Windows\System32\jureg.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATICGA.EXE
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe
C:\Windows\system32\schtasks.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\mcupdate.EXE
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Users\mandee\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uWindow Title = Road Runner High Speed Online
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Aim6]
uRun: [MSMSGS] "c:\program files\messenger\Msmsgs.exe" /background
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [EPSON PictureMate PM 260] c:\windows\system32\spool\drivers\w32x86\3\e_faticga.exe /fu "c:\windows\temp\E_SF1BD.tmp" /EF "HKCU"
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [MailBlocker] c:\users\mandee\appdata\local\temp\b.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.neopets.com/games/dgs/play_shockwave.phtml?va=&game_id=349&nc_referer=&age=0&hiscore=&sp=0&questionSet=&r=3578909&width=600&height=440&quality=high"
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRunOnce: [PCDrProfiler] c:\program files\pc-doctor 5 for windows\RunProfiler.exe -r
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {13C1DBF6-7535-495c-91F6-8C13714ED485} - c:\users\mandee\appdata\roaming\microsoft\windows\start menu\programs\absolute poker\Absolute Poker.lnk
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/MyFunCardsFWBInitialSetup1.0.1.0.cab
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - hxxps://vpn.compucom.com/vdesk/terminal/urxvpn.cab#version=6030,2008,1031,2121
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://vpn.compucom.com/vdesk/terminal/f5tunsrv.cab#version=6030,2008,1112,2313
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://vpn.compucom.com/vdesk/terminal/urTermProxy.cab#version=6020,2007,1213,2004
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://vpn.compucom.com/vdesk/terminal/urxshost.cab#version=6030,2008,1031,2112
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://vpn.compucom.com/vdesk/terminal/urxhost.cab#version=6030,2008,1031,2108
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltwlh.sys [2009-3-27 13952]

=============== Created Last 30 ================

2009-11-26 13:57:20 524288 --sha-w- c:\users\mandee\ntuser.dat{7fa14abc-da93-11de-ab19-463500000031}.TMContainer00000000000000000002.regtrans-ms
2009-11-26 13:57:19 524288 --sha-w- c:\users\mandee\ntuser.dat{7fa14abc-da93-11de-ab19-463500000031}.TMContainer00000000000000000001.regtrans-ms
2009-11-26 13:57:18 65536 --sha-w- c:\users\mandee\ntuser.dat{7fa14abc-da93-11de-ab19-463500000031}.TM.blf
2009-11-16 22:10:14 0 d-----w- c:\program files\common files\PC Tools
2009-11-16 22:10:13 0 d-----w- c:\users\mandee\appdata\roaming\PC Tools
2009-11-16 22:10:13 0 d-----w- c:\programdata\PC Tools
2009-11-16 22:10:13 0 d-----w- c:\program files\Spyware Doctor
2009-11-16 19:22:37 0 d-----w- c:\program files\McAfee(3).com
2009-11-16 18:43:01 0 d-----w- c:\programdata\Citrix
2009-11-16 18:27:21 0 d-----w- c:\users\mandee\appdata\roaming\McAfee
2009-11-16 18:25:03 0 d-----w- c:\windows\49FA793C785E47E993DFBD442B0B45D1.TMP
2009-11-16 17:51:12 8175 ----a-w- c:\windows\system32\Config.MPF
2009-11-16 17:50:37 0 d-----w- c:\programdata\SiteAdvisor
2009-11-16 17:46:24 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-16 17:46:24 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-11-16 17:46:24 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-11-16 17:46:16 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-11-16 17:45:25 0 d-----w- c:\program files\common files\McAfee
2009-11-16 17:45:23 0 d-----w- c:\program files\McAfee.com
2009-11-16 17:45:17 0 d-----w- c:\program files\McAfee
2009-11-16 17:41:41 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-11-16 17:36:37 0 d-----w- c:\programdata\McAfee
2009-11-16 14:37:02 256512 ----a-w- c:\windows\msa.exe
2009-11-16 14:36:40 0 ----a-w- c:\windows\win32k.sys
2009-11-10 23:19:25 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-11-10 23:17:34 0 d-----w- c:\program files\Microsoft
2009-11-10 23:01:26 2032128 ----a-w- c:\windows\system32\win32k.sys
2009-11-10 23:01:17 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-04 21:08:58 0 d-----w- c:\users\mandee\appdata\roaming\Faerie Solitaire
2009-11-04 05:27:09 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-02 17:21:48 0 d-----w- c:\programdata\IronCode
2009-11-02 17:21:45 0 d-----w- c:\users\mandee\appdata\roaming\IronCode
2009-11-02 11:22:17 0 d-----w- c:\programdata\MumboJumbo
2009-11-01 22:20:47 0 d-----w- c:\programdata\ValuSoft
2009-11-01 22:20:46 0 d-----w- c:\users\mandee\appdata\roaming\ValuSoft
2009-11-01 18:03:12 0 d-----w- c:\users\mandee\appdata\roaming\Princess Isabella
2009-11-01 13:24:41 0 d-----w- c:\programdata\Becky Brogan
2009-10-31 21:27:36 0 d-----w- c:\users\mandee\appdata\roaming\Flood Light Games
2009-10-31 21:27:36 0 d-----w- c:\programdata\Flood Light Games
2009-10-31 20:29:37 0 ----a-w- c:\windows\ResortingToDanger.INI
2009-10-30 22:43:06 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2009-10-30 22:37:27 0 d-----w- c:\programdata\GameHouse
2009-10-27 21:55:15 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 21:55:12 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-10-27 21:55:12 4096 ----a-w- c:\windows\system32\msdxm.ocx
2009-10-27 21:55:12 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-10-27 21:55:06 8147968 ----a-w- c:\windows\system32\wmploc.DLL

==================== Find3M ====================

2009-11-03 01:42:06 195456 ----a-w- c:\windows\system32\MpSigStub.exe
2009-10-15 02:37:35 55072 ----a-w- c:\windows\system32\jureg.exe
2009-10-15 02:37:35 386872 ----a-w- c:\windows\system32\jucheck.exe
2009-10-15 02:37:35 149280 ----a-w- c:\windows\system32\jusched.exe
2009-10-15 02:37:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-10 17:38:29 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 12:38:11 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 15:21:17 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 15:17:39 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-08-31 15:16:28 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-08-29 03:41:42 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 23:31:54 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-06-30 13:56:31 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-06-30 13:56:31 51200 ----a-w- c:\windows\inf\infpub.dat
2009-06-30 13:56:29 86016 ----a-w- c:\windows\inf\infstor.dat
2008-12-10 08:16:31 174 --sha-w- c:\program files\desktop.ini
2008-06-11 07:10:58 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-31 22:07:43 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-31 22:07:43 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-31 22:07:43 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-04-25 17:49:29 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-04-25 17:49:29 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-04-25 17:49:29 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-04-10 17:14:21 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-08-03 08:03:43 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 9:15:36.62 ===============
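The DDS log above is what a helper reads by hand: autorun entries (uRun/mRun), browser helper objects, and the policy lines near the end. The script below is an added example, not part of this thread and not part of the DDS tool, showing how that first-pass triage can be automated from the defender's side. It parses a constructed sample modelled on lines from the log above and flags three things: autorun binaries started from user-writable temp or roaming-profile folders, orphaned entries ("No File"), and policy values that switch off the user's own defences (Task Manager, UAC, registry tools). The folder list, severities and policy table are the example's own assumptions, and the rules are purely location- and value-based: an entry such as winupdate86.exe sitting in system32 is not caught by them and still needs a signature or hash check.

```python
"""Triage helper for DDS-style "Pseudo HJT Report" sections.

Added example; not from the BleepingComputer thread or the DDS tool.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on lines from the thread's first DDS log.
SAMPLE_LOG = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MailBlocker] c:\users\mandee\appdata\local\temp\b.exe
uRun: [mscj.exe] c:\users\mandee\appdata\roaming\msa\mscj.exe
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
""".strip("\n")

# "uRun: [Name] command" / "mRunOnce: [Name] command"
RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# "uPolicies-system: DisableTaskMgr = 1 (0x1)"
POLICY_RE = re.compile(r"^[um]Policies-(?P<area>\w+): (?P<key>\w+) = (?P<val>\d+)")
# First drive-letter path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'^"?(?P<path>[a-z]:\\.*?\.(?:exe|dll|scr))', re.IGNORECASE)

# Assumed folder indicators (lower-case substring -> severity, reason).
USER_WRITABLE = {
    "\\appdata\\local\\temp\\": ("high", "autorun binary in user temp folder"),
    "\\windows\\temp\\": ("high", "autorun binary in Windows temp folder"),
    "\\appdata\\roaming\\": ("medium", "autorun binary in roaming profile folder"),
}

# Assumed table of (policy, value) pairs that weaken the user's own defences.
WEAK_POLICIES = {
    ("DisableTaskMgr", "1"): "Task Manager disabled by policy",
    ("EnableLUA", "0"): "UAC disabled (EnableLUA = 0)",
    ("DisableRegistryTools", "1"): "Registry editor disabled by policy",
    ("NoFolderOptions", "1"): "Folder Options hidden by policy",
}


@dataclass
class Finding:
    line_no: int      # 1-based line in the log text
    severity: str     # "high", "medium" or "low"
    entry: str        # the raw log line
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return findings for every log line that matches one of the rules."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        run = RUN_RE.match(line)
        policy = POLICY_RE.match(line)
        if run:
            path_match = PATH_RE.match(run.group("cmd"))
            if not path_match:
                continue  # empty entry or %VAR% path: nothing to locate
            path = path_match.group("path").lower()
            for marker, (severity, reason) in USER_WRITABLE.items():
                if marker in path:
                    findings.append(Finding(line_no, severity, line, reason))
                    break
        elif line.endswith("- No File"):
            # Registration left behind after its DLL was removed: cleanup candidate.
            findings.append(Finding(line_no, "low", line, "orphaned entry (No File)"))
        elif policy:
            reason = WEAK_POLICIES.get((policy.group("key"), policy.group("val")))
            if reason:
                findings.append(Finding(line_no, "high", line, reason))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 3, 'medium': 1, 'low': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no:>3} [{f.severity:<6}] {f.reason}\n    {f.entry}")
    print(summarize(results))
```

Run it against a real DDS.txt by reading the file into `triage()` instead of `SAMPLE_LOG`; the output is a review list, not a verdict, so every flagged path still needs the usual file checks before anything is removed.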


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:01 AM

Posted 05 December 2009 - 07:15 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 mandee996

mandee996
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:01 PM

Posted 05 December 2009 - 05:18 PM

Since I last posted, the only new thing is I received an error message stating: w32/gaobot.worm.gen.u-win32/robt.3ue! worm virus from your computer. Below and attached are the files from running DDS. Thanks!

DDS (Ver_09-12-01.01) - NTFSx86
Run by mandee at 17:04:40.28 on Sat 12/05/2009
Internet Explorer: 7.0.6000.16916
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1015.273 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
SP: McAfee VirusScan *disabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\crypserv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\wpcumi.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Windows\System32\jureg.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Windows\system32\schtasks.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATICGA.EXE
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Snapfish Picture Mover\SnapfishPictureMover.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Windows\system32\ctfmon.exe
C:\Users\mandee\AppData\Roaming\MSA\fff.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\jucheck.exe
C:\Windows\msa.exe
C:\Windows\system32\taskeng.exe
C:\Users\mandee\AppData\Local\Temp\b.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\mandee\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uWindow Title = Road Runner High Speed Online
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Aim6]
uRun: [MSMSGS] "c:\program files\messenger\Msmsgs.exe" /background
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [EPSON PictureMate PM 260] c:\windows\system32\spool\drivers\w32x86\3\e_faticga.exe /fu "c:\windows\temp\E_SF1BD.tmp" /EF "HKCU"
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [MailBlocker] c:\users\mandee\appdata\local\temp\b.exe
uRun: [mscj.exe] c:\users\mandee\appdata\roaming\msa\mscj.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.neopets.com/games/dgs/play_shockwave.phtml?va=&game_id=349&nc_referer=&age=0&hiscore=&sp=0&questionSet=&r=3578909&width=600&height=440&quality=high"
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRunOnce: [PCDrProfiler] c:\program files\pc-doctor 5 for windows\RunProfiler.exe -r
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {13C1DBF6-7535-495c-91F6-8C13714ED485} - c:\users\mandee\appdata\roaming\microsoft\windows\start menu\programs\absolute poker\Absolute Poker.lnk
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/MyFunCardsFWBInitialSetup1.0.1.0.cab
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - hxxps://vpn.compucom.com/vdesk/terminal/urxvpn.cab#version=6030,2008,1031,2121
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://vpn.compucom.com/vdesk/terminal/f5tunsrv.cab#version=6030,2008,1112,2313
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://vpn.compucom.com/vdesk/terminal/urTermProxy.cab#version=6020,2007,1213,2004
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://vpn.compucom.com/vdesk/terminal/urxshost.cab#version=6030,2008,1031,2112
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://vpn.compucom.com/vdesk/terminal/urxhost.cab#version=6030,2008,1031,2108
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-11-16 144704]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-11-16 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-11-16 359952]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-11-16 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-16 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-16 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-16 40552]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpnwlh.sys [2008-10-31 34944]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltwlh.sys [2009-3-27 13952]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-16 34248]

=============== Created Last 30 ================

2009-11-29 04:07:58 0 d-----w- c:\users\mandee\appdata\roaming\MSA
2009-11-27 14:09:51 65536 --sha-w- c:\users\mandee\ntuser.dat{f228287b-db58-11de-b103-463500000031}.TM.blf
2009-11-27 14:09:51 524288 --sha-w- c:\users\mandee\ntuser.dat{f228287b-db58-11de-b103-463500000031}.TMContainer00000000000000000002.regtrans-ms
2009-11-27 14:09:51 524288 --sha-w- c:\users\mandee\ntuser.dat{f228287b-db58-11de-b103-463500000031}.TMContainer00000000000000000001.regtrans-ms
2009-11-27 13:39:21 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-26 13:57:20 524288 --sha-w- c:\users\mandee\ntuser.dat{7fa14abc-da93-11de-ab19-463500000031}.TMContainer00000000000000000002.regtrans-ms
2009-11-26 13:57:19 524288 --sha-w- c:\users\mandee\ntuser.dat{7fa14abc-da93-11de-ab19-463500000031}.TMContainer00000000000000000001.regtrans-ms
2009-11-26 13:57:18 65536 --sha-w- c:\users\mandee\ntuser.dat{7fa14abc-da93-11de-ab19-463500000031}.TM.blf
2009-11-16 22:10:14 0 d-----w- c:\program files\common files\PC Tools
2009-11-16 22:10:13 0 d-----w- c:\users\mandee\appdata\roaming\PC Tools
2009-11-16 22:10:13 0 d-----w- c:\programdata\PC Tools
2009-11-16 22:10:13 0 d-----w- c:\program files\Spyware Doctor
2009-11-16 19:22:37 0 d-----w- c:\program files\McAfee(3).com
2009-11-16 18:43:01 0 d-----w- c:\programdata\Citrix
2009-11-16 18:27:21 0 d-----w- c:\users\mandee\appdata\roaming\McAfee
2009-11-16 18:25:03 0 d-----w- c:\windows\49FA793C785E47E993DFBD442B0B45D1.TMP
2009-11-16 17:51:12 8505 ----a-w- c:\windows\system32\Config.MPF
2009-11-16 17:50:37 0 d-----w- c:\programdata\SiteAdvisor
2009-11-16 17:46:24 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-16 17:46:24 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-11-16 17:46:24 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-11-16 17:46:16 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-11-16 17:45:25 0 d-----w- c:\program files\common files\McAfee
2009-11-16 17:45:23 0 d-----w- c:\program files\McAfee.com
2009-11-16 17:45:17 0 d-----w- c:\program files\McAfee
2009-11-16 17:41:41 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-11-16 17:36:37 0 d-----w- c:\programdata\McAfee
2009-11-16 14:37:02 256512 ----a-w- c:\windows\msa.exe
2009-11-16 14:36:40 0 ----a-w- c:\windows\win32k.sys
2009-11-10 23:19:25 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-11-10 23:17:34 0 d-----w- c:\program files\Microsoft
2009-11-10 23:01:26 2032128 ----a-w- c:\windows\system32\win32k.sys
2009-11-10 23:01:17 321536 ----a-w- c:\windows\system32\WSDApi.dll

==================== Find3M ====================

2009-11-03 01:42:06 195456 ----a-w- c:\windows\system32\MpSigStub.exe
2009-10-15 02:37:35 55072 ----a-w- c:\windows\system32\jureg.exe
2009-10-15 02:37:35 386872 ----a-w- c:\windows\system32\jucheck.exe
2009-10-15 02:37:35 149280 ----a-w- c:\windows\system32\jusched.exe
2009-10-15 02:37:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-10 17:40:11 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-10 17:39:44 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-10 17:38:29 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 15:29:54 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-10 15:29:34 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-06-30 13:56:31 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-06-30 13:56:31 51200 ----a-w- c:\windows\inf\infpub.dat
2009-06-30 13:56:29 86016 ----a-w- c:\windows\inf\infstor.dat
2008-12-10 08:16:31 174 --sha-w- c:\program files\desktop.ini
2008-06-11 07:10:58 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-31 22:07:43 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-31 22:07:43 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-31 22:07:43 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-04-25 17:49:29 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-04-25 17:49:29 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-04-25 17:49:29 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-04-10 17:14:21 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-08-03 08:03:43 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 17:09:12.14 ===============

Attached Files



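A way to pull the entries worth a second look out of a DDS log like the one above, as an added example that is not part of the original thread or of the DDS tool. It applies a few plain heuristics an analyst uses when reading the Run keys and the "Created Last 30" list: autoruns launched from user-writable profile directories (Temp, Roaming AppData), Run values whose name is nothing but the executable file name, EnableLUA set to 0, binaries written directly into c:\windows rather than System32, zero-byte binaries, and files that reuse the name of a System32 binary from another directory. The sample text is constructed here, modelled on lines from the log above with two benign entries left in; the heuristics are illustrative and only flag lines for review, they are not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of DDS output (not the original log file).
SAMPLE_DDS = """\
uRun: [WMPNSCFG] c:\\program files\\windows media player\\WMPNSCFG.exe
uRun: [MailBlocker] c:\\users\\mandee\\appdata\\local\\temp\\b.exe
uRun: [mscj.exe] c:\\users\\mandee\\appdata\\roaming\\msa\\mscj.exe
mRun: [winupdate86.exe] c:\\windows\\system32\\winupdate86.exe
mRun: [mcagent_exe] "c:\\program files\\mcafee.com\\agent\\mcagent.exe" /runkey
mPolicies-system: EnableLUA = 0 (0x0)
2009-11-16 14:37:02 256512 ----a-w- c:\\windows\\msa.exe
2009-11-16 14:36:40 0 ----a-w- c:\\windows\\win32k.sys
2009-11-10 23:01:26 2032128 ----a-w- c:\\windows\\system32\\win32k.sys
"""

# Line shapes used by DDS: Run keys, Explorer/system policies, and file listings.
RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
POLICY_RE = re.compile(r"^[um]Policies-(?P<key>\S+):\s*(?P<value>\S+)\s*=\s*(?P<data>\S+)", re.I)
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?P<size>\d+)\s+\S+\s+(?P<path>.+\.(?:exe|dll|sys))$", re.I)
# Image path of a Run command: either the quoted program, or everything up to
# the first executable extension followed by whitespace or end of line.
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|scr|bat|cmd|com))(?=\s|$)', re.I)

# Profile locations an ordinary user can write to; autoruns here deserve a look.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def image_path(cmd: str) -> str:
    """Return the lower-cased program path from a Run command line ('' if none)."""
    m = EXE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)).lower() if m else ""


def split_path(path: str):
    """Split 'c:\\dir\\file.exe' into ('c:\\dir', 'file.exe'), lower-cased."""
    d, _, b = path.lower().rpartition("\\")
    return d, b


def triage(dds_text: str) -> List[Finding]:
    lines = [l.rstrip() for l in dds_text.splitlines() if l.strip()]
    findings: List[Finding] = []

    # Pass 1: learn which binary names live in System32, so a same-named file
    # elsewhere can be reported as a name collision.
    system32_names = set()
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            d, b = split_path(m.group("path"))
            if d.endswith("\\system32"):
                system32_names.add(b)

    # Pass 2: apply the heuristics line by line.
    for line in lines:
        if (m := RUN_RE.match(line)):
            path = image_path(m.group("cmd"))
            _, base = split_path(path)
            if any(marker in path for marker in USER_WRITABLE):
                findings.append(Finding(line, "autorun launches from a user-writable profile directory"))
            if base and m.group("name").lower() == base:
                findings.append(Finding(line, "value name is just the executable file name"))
        elif (m := POLICY_RE.match(line)):
            if (m.group("key").lower() == "system" and m.group("value").lower() == "enablelua"
                    and m.group("data") == "0"):
                findings.append(Finding(line, "UAC disabled (EnableLUA = 0)"))
        elif (m := FILE_RE.match(line)):
            d, base = split_path(m.group("path"))
            if d == "c:\\windows":
                findings.append(Finding(line, "executable or driver written directly into the Windows directory"))
            if base in system32_names and not d.endswith("\\system32"):
                findings.append(Finding(line, "same name as a System32 binary but outside System32"))
            if int(m.group("size")) == 0:
                findings.append(Finding(line, "zero-byte binary"))
    return findings


def flagged_lines(dds_text: str) -> List[str]:
    """Distinct log lines that received at least one finding."""
    return sorted({f.line for f in triage(dds_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.reason:62s} <- {f.line}")
```

Run it against a saved DDS.txt by reading the file into `triage()`; the benign entries in the sample (the Windows Media Player and McAfee autoruns, the real win32k.sys under System32) produce no findings, which is the check that the rules are not simply flagging everything.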
#4 DocSatan

Posted 06 December 2009 - 10:14 AM

Hello mandee996 and Welcome to BleepingComputer.

I'm DocSatan and I will be helping you with your "Malware" related computer problems. Please give me some time to research your Log and I will get back to you ASAP. :(

In the meantime:

1. Please TRACK this Topic

  • At the top-right of this thread, click on the [image] button.
  • In the list that drops down, click on [image]
  • Place a tick-mark next to Immediate E-Mail Notification
  • Then click on [image]
  • You will now receive an e-mail as soon as a Reply is made to this Topic. :(
2. Do Not Make Any Changes to the "Infected" Computer.
  • Once you have posted a NEW DDS Log, Do Not make any changes to the computer. I will be researching the DDS Log that you post and any changes made to the system might interfere with the FIX that I prepare for you. Examples of "Changes":
  • Deleting Files/Folders
  • Installing/Uninstalling Programs
  • Running Anti-Virus, Anti-Malware, Anti-Spyware, etc., Programs
3. Please do not seek Help with this issue at another Computer Help Forum
  • While we are working together I must insist that you do not seek help with this matter at any other Help Forum.
  • Having multiple (more than one) Forums provide help for the same computer issue will result in confusion with preparing a Fix.
  • It is also not fair to the Volunteer who is helping you, as her/his time will be wasted trying to fix a computer that someone else is also trying to fix.
  • So, if you have posted at another Computer Help Forum for this same issue I would ask that you choose which Forum that you wish to stay with and inform the other Forum(s) that you no longer require their assistance.
4. Throughout the course of us working together, I will be posting step-by-step procedures for you to follow on your computer.
  • If at any time you do not fully understand what I have said, or you are not exactly sure what you are supposed to do, then please stop there and Post back to this topic and ask your questions. That way I will be able to more clearly explain the step/procedure and we won't have to worry about any steps being done incorrectly. :)

Doc.

#5 DocSatan

Posted 09 December 2009 - 08:46 AM

Hi mandee996,

Sorry for not replying here sooner. I've researched your log and just need to confer with my coach. Will be posting a Fix here ASAP.

Doc.

#6 DocSatan

Posted 12 December 2009 - 08:15 AM

Hello mandee996,

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open [image] on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Doc.

#7 mandee996 (Topic Starter)

Posted 19 December 2009 - 10:06 AM

Hi Doc,
The computer I'm having the problems with will not let me connect to the internet (says I don't have permission). So I downloaded the primary mirror from the direct link to a backup drive on my other computer. I then copied it over to the desktop on the computer that's having problems.

When I opened the file, I got an error message stating -
fops-deviceIO control error! Error code = 0xc0000024 Extended info (0x000000e8) - I clicked the OK box
I went to the Report tab & clicked Scan, and got the following error
could not initialize driver! Please contact author.
I clicked the OK box, then got this error
Error dumping SSDT (0xc0000024)
I clicked the OK box and it looked like it was going to scan for a few seconds but then stopped and gave another error
Attempt to read from address 0x00000004
I clicked the OK box again and got error
DeviceIoControl Error! Error code = 0x0
I clicked OK again and then nothing else happened. I did get a TXT doc from it that only said the following info

ROOTREPEAL CRASH REPORT
-------------------------------
Windows version: Windows Vista SP0
Exception Code: 0xc0000005
Exception Address: 0x00422bf2
Attempt to read from address: 0x00000004



Thank you,
Mandee

#8 DocSatan

Posted 21 December 2009 - 07:38 AM

Hello mandee996,

Let's try a different Rootkit Scanner:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

#9 DocSatan

Posted 27 December 2009 - 08:02 AM

Still with me mandee996?

#10 kahdah

Posted 29 December 2009 - 01:42 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.