
Google Redirect Virus (possible other virus?)


18 replies to this topic

#1 dream.injection


Posted 11 February 2010 - 12:48 AM

I've had this problem for about 3 days now. Whenever I go to google.com and search for anything, my results come up normally - however, when I click on the link, I always get redirected to some funky site (mostly search8.com or some other weird site). Also, I cannot access my gmail - it says the certificate for google is invalid and has been compromised (or my connection has been compromised). Note: And I actually signed up for this account on my gmail email which I can't access, so if I don't reply, uh don't blame me? I'll just keep on refreshing the page. I have checked my time/year and it is all correct. I have run McAfee, which finds a file it can't get rid of (jotuyidi.dll, which I can't manually find). I have run McAfee (antivirus plus, in case you need to know) several times in the past few days, and it keeps on finding one or 2 misc other virii but quarantines or gets rid of them. I also have Exterminate (did not find anything) and Antivirus plus (found catchme.exe - got rid of, supposedly..). All 3 of these programs I bought and are registered. I tried deleting all the temp files the other day, but that did not help.

Oh, and I can access webpages (as you can see..) by typing in the addy in the address bar or by clicking cache on the search results page. And everything is running slow (takes forever for a program to start up).

So basically, I am at my wits' end and have no idea what the frick to do. Please help, oh lovely administrators? :'(

Here is the DDS log form (the other 2 forms are attached like specified):

DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 20:59:10.15 on Wed 02/10/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.93 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\VirusScan\mcods.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.searchgateway.net/search
uSearch Bar = hxxp://www.searchgateway.net/search
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {041DBE9D-8B10-4FB1-8C49-7E55FD18853F} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
{77ab5974-55a3-4737-9fd5-b93c64307f78}
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100209194647.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {cb0101eb-e917-4fdd-ac60-713065540947} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [gadcom] "c:\documents and settings\owner\application data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dc5b5e36] rundll32.exe "c:\windows\system32\jlwngmnw.dll",b
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [yedehovij] Rundll32.exe "c:\windows\system32\muvetuvo.dll",a
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ParetoLogic Anti-Virus PLUS] "c:\program files\paretologic\anti-virus plus\Pareto_AV.exe" -NM -hidesplash
dRun: [Adobe Loader] c:\program files\SafeStart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\INetHTTPFilter.dll
Trusted Zone: amaena.com
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
TCP: {BECC4E0E-75AE-4087-8829-182B086D9F86} = 83.149.115.157,4.2.2.1,24.205.192.61 68.116.46.115 71.9.127.107
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: khfFUOiG - khfFUOiG.dll
AppInit_DLLs: wokozupi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: yahiyibip - {9cc602b3-87ed-404c-9b3e-573af9a31f7b} - No File
SSODL: jakehiwuv - {7832ddb8-08ee-436e-989c-11bc81644f35} - No File
SSODL: fulapemis - {e769f67c-1079-4412-9f1a-8dad06ba3e82} - No File
STS: {9cc602b3-87ed-404c-9b3e-573af9a31f7b} - No File
STS: {7832ddb8-08ee-436e-989c-11bc81644f35} - No File
STS: {e769f67c-1079-4412-9f1a-8dad06ba3e82} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\awttutSL
LSA: Notification Packages = scecli sinidopa.dll jotuyidi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\g9zknlqq.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2010-2-10 186128]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-2-9 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-9 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-9 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-9 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-9 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-2-9 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-2-9 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-2-9 141792]
R2 ZeppelinService;plasservice;c:\program files\common files\paretologic\plas\plasservice.exe [2009-2-18 587216]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-2-9 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-25 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-25 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-2-9 312584]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-2-9 88480]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-2-9 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-2-9 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-25 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-25 40552]

=============== Created Last 30 ================

2010-02-11 00:08:03 0 d-----w- c:\windows\EHome
2010-02-10 09:46:56 81696 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-02-10 09:46:56 3533856 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-10 09:46:56 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-10 09:46:56 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-10 09:44:32 2918 ----a-w- C:\rollback.ini
2010-02-10 09:39:46 0 ----a-w- c:\windows\system32\SBRC.dat
2010-02-10 09:39:46 0 ----a-w- c:\windows\system32\SBFC.dat
2010-02-10 09:21:35 0 d-----w- c:\program files\ParetoLogic
2010-02-10 09:21:35 0 d-----w- c:\program files\common files\ParetoLogic
2010-02-10 09:21:35 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic Anti-Virus PLUS
2010-02-10 09:21:35 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-02-10 03:46:42 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-02-10 03:46:08 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-02-10 03:46:08 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-02-10 03:46:08 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-02-10 03:46:07 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-02-10 03:46:06 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-02-10 03:19:13 57856 ----a-w- C:\7da291313d1380.bup
2010-02-10 03:19:08 57856 ----a-w- C:\7da2913138ab0.bup
2010-02-10 03:19:02 57856 ----a-w- C:\7da29131323b90.bup
2010-02-10 03:18:57 57856 ----a-w- C:\7da291312392220.bup
2010-02-10 03:18:52 57856 ----a-w- C:\7da291312341860.bup
2010-02-10 03:18:47 57856 ----a-w- C:\7da2913122fda0.bup
2010-02-10 03:18:37 57856 ----a-w- C:\7da291312251c50.bup
2010-02-10 03:18:20 57856 ----a-w- C:\7da291312142420.bup
2010-02-10 03:18:15 57856 ----a-w- C:\7da291312f1b50.bup
2010-02-10 03:18:09 57856 ----a-w- C:\7da2913129ea0.bup
2010-02-10 03:18:04 57856 ----a-w- C:\7da29131242e0.bup
2010-02-10 03:17:58 57856 ----a-w- C:\7da2913113a37a0.bup
2010-02-10 03:17:53 57856 ----a-w- C:\7da291311351480.bup
2010-02-10 03:17:47 57856 ----a-w- C:\7da2913112f3a90.bup
2010-02-10 03:17:42 57856 ----a-w- C:\7da2913112a2fd0.bup
2010-02-10 03:17:29 57856 ----a-w- C:\7da2913111d2af0.bup
2010-02-10 01:38:14 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-02-10 01:34:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-09 21:09:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-08 04:13:07 2098 --sh--w- c:\windows\system32\zubufaho.dll
2010-02-08 04:13:07 2098 --sh--w- c:\windows\system32\jevetedo.dll
2010-02-08 04:11:33 0 ---ha-w- c:\windows\system32\BITFB.tmp
2010-02-08 04:10:36 0 ---ha-w- c:\windows\system32\BITFA.tmp

==================== Find3M ====================

2010-01-06 02:04:02 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-01-06 02:04:02 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-01-06 02:04:02 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-01-06 02:04:02 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
1601-01-01 00:03:52 55296 --sha-w- c:\windows\system32\jotuyidi.dll
2009-01-16 00:34:29 1694700 -csha-w- c:\windows\system32\LStuttwa.ini2

============= FINISH: 21:01:20.78 ===============
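As an added example (not from this thread, DDS, or any tool mentioned here): a Python triage script that applies the kinds of checks a helper makes on the "Pseudo HJT Report" section above, run over a constructed subset of the log's own lines. The line-type rules, the eight-letter DLL heuristic, the LSA defaults and the small allowlist are assumptions of this example, not DDS behaviour.

```python
"""Heuristic triage of the 'Pseudo HJT Report' section of a DDS log.

Each rule maps a DDS line type (mRun, Notify, AppInit_DLLs, TCP, LSA, ...)
to the persistence or hijack technique that line represents.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log posted above, trimmed
# to the entries that matter for triage.
SAMPLE_REPORT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [dc5b5e36] rundll32.exe "c:\windows\system32\jlwngmnw.dll",b
mRun: [yedehovij] Rundll32.exe "c:\windows\system32\muvetuvo.dll",a
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
BHO: {041DBE9D-8B10-4FB1-8C49-7E55FD18853F} - No File
Trusted Zone: antimalwareguard.com
Trusted Zone: virusremover2008.com
TCP: {BECC4E0E-75AE-4087-8829-182B086D9F86} = 83.149.115.157,4.2.2.1,24.205.192.61 68.116.46.115 71.9.127.107
Notify: igfxcui - igfxdev.dll
Notify: khfFUOiG - khfFUOiG.dll
AppInit_DLLs: wokozupi.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awttutSL
LSA: Notification Packages = scecli sinidopa.dll jotuyidi.dll
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str
    reason: str


# Windows XP defaults for the two LSA package lists; anything else is suspect.
LSA_DEFAULTS = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}
# Line types whose payload is a DLL loaded at logon or into the shell/browser.
DLL_LOADER_KINDS = {"uRun", "mRun", "dRun", "Notify", "SSODL", "BHO", "TB"}
# Benign eight-letter DLL names the random-name heuristic must not flag
# (illustrative allowlist; an analyst would extend it from a clean baseline).
KNOWN_OK = {"browseui", "mshtmled", "cryptdlg"}

DLL_RE = re.compile(r"([A-Za-z0-9_~]+)\.dll\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def dll_basenames(text):
    """Lower-cased stems of every *.dll referenced in a line."""
    return [m.group(1).lower() for m in DLL_RE.finditer(text)]


def looks_random(stem):
    """Heuristic: exactly eight letters and not a known system DLL.

    The Vundo-family droppers in this log (jlwngmnw, muvetuvo, wokozupi,
    sinidopa, jotuyidi) all follow that pattern; real system DLLs rarely do.
    """
    return bool(re.fullmatch(r"[a-z]{8}", stem)) and stem not in KNOWN_OK


def public_resolvers(text):
    """IPv4 addresses in a NameServer value that are globally routable."""
    out = []
    for addr in IPV4_RE.findall(text):
        try:
            if ipaddress.ip_address(addr).is_global:
                out.append(addr)
        except ValueError:  # malformed octet, skip it
            continue
    return out


def triage_line(line):
    """Apply every rule to one DDS line and return the findings."""
    kind, _, rest = line.partition(":")
    kind, rest = kind.strip(), rest.strip()
    found = []
    if rest.endswith("- No File"):
        found.append(Finding("low", line, "orphaned registry reference to a removed component"))
    if kind in DLL_LOADER_KINDS:
        for stem in dll_basenames(rest):
            if looks_random(stem):
                found.append(Finding("high", line, f"{kind} loads random-named {stem}.dll"))
    if kind == "AppInit_DLLs" and rest:
        found.append(Finding("high", line, "AppInit_DLLs injects this DLL into every process that loads user32"))
    if kind == "Trusted Zone":
        found.append(Finding("medium", line, "domain added to the IE Trusted Zone; review it"))
    if kind == "TCP":
        public = public_resolvers(rest)
        if public:
            found.append(Finding("high", line, "interface NameServer set to public resolvers: " + ", ".join(public)))
    if kind == "LSA":
        label, _, value = rest.partition("=")
        expected = LSA_DEFAULTS.get(label.strip(), set())
        extra = [t for t in value.split() if t.lower() not in expected]
        if extra:
            found.append(Finding("high", line, f"{label.strip()} has non-default entries: {' '.join(extra)}"))
    return found


def triage_report(report):
    """Run triage_line over every non-blank line of a report."""
    findings = []
    for line in report.strip().splitlines():
        findings.extend(triage_line(line))
    return findings


def severity_counts(findings):
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in sorted(triage_report(SAMPLE_REPORT), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The high-severity hits it produces (the two rundll32 Run values, the NameServer line and the LSA package DLLs) are the same items the later Malwarebytes log reports as Trojan.Vundo.H and Trojan.DNSChanger.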


#2 SifuMike


Posted 12 February 2010 - 06:13 PM

Hello dream.injection,

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

I (as well as MicroSoft, McAfee and Symantec) recommend that you DO NOT have more than one anti virus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms".

It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection.

In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove one of these.
ParetoLogic Anti-Virus PLUS or McAfee AntiVirus Plus.


**********************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

**********************

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh DDS log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#3 dream.injection


Posted 12 February 2010 - 08:17 PM

Uninstalled AVP.

Malwarebytes log. Note: I was unable to get Malwarebytes to work. After several tries, I uninstalled and looked on this site for advice and found the "if you are having trouble running Malwarebytes" topics - the first post advised SUPERAntiSpyware, which caught a few things, then I was able to run Malwarebytes (yayyy). Hopefully that was ok?

Malwarebytes' Anti-Malware 1.44
Database version: 3731
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

2/12/2010 4:59:44 PM
mbam-log-2010-02-12 (16-59-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 167319
Time elapsed: 1 hour(s), 15 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc5b5e36 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yedehovij (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{becc4e0e-75ae-4087-8829-182b086d9f86}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.157,4.2.2.1,24.205.192.61 68.116.46.115 71.9.127.107 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Security check log

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
McAfee AntiVirus Plus
ZoneAlarm Spy Blocker
``````````````````````````````
Anti-malware/Other Utilities Check:

ZoneAlarm Spy Blocker
SUPERAntiSpyware Free Edition
Java™ 6 Update 14
Java™ 6 Update 6
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


New DDS log


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 17:13:38.45 on Fri 02/12/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.293 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.searchgateway.net/search
uSearch Bar = hxxp://www.searchgateway.net/search
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {041DBE9D-8B10-4FB1-8C49-7E55FD18853F} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100209194647.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {cb0101eb-e917-4fdd-ac60-713065540947} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRun: [Adobe Loader] c:\program files\SafeStart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: khfFUOiG - khfFUOiG.dll
AppInit_DLLs: wokozupi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: yahiyibip - {9cc602b3-87ed-404c-9b3e-573af9a31f7b} - No File
SSODL: jakehiwuv - {7832ddb8-08ee-436e-989c-11bc81644f35} - No File
SSODL: fulapemis - {e769f67c-1079-4412-9f1a-8dad06ba3e82} - No File
STS: {9cc602b3-87ed-404c-9b3e-573af9a31f7b} - No File
STS: {7832ddb8-08ee-436e-989c-11bc81644f35} - No File
STS: {e769f67c-1079-4412-9f1a-8dad06ba3e82} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\awttutSL
LSA: Notification Packages = scecli sinidopa.dll jotuyidi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\g9zknlqq.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2010-2-10 186128]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-2-9 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-9 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-9 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-9 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-9 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-2-9 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-2-9 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-2-9 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-2-9 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-25 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-25 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-2-9 312584]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-2-9 88480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-2-9 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-2-9 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-25 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-25 40552]

=============== Created Last 30 ================

2010-02-12 23:42:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-12 23:42:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-12 23:42:13 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 02:42:27 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-12 02:41:15 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 02:41:14 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-02-12 02:40:30 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-11 11:27:07 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-11 11:18:52 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-02-11 11:08:23 0 d-----w- c:\windows\ServicePackFiles
2010-02-11 00:08:03 0 d-----w- c:\windows\EHome
2010-02-10 09:46:56 56468 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-10 09:46:56 4146720 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-10 09:46:56 183840 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-02-10 09:46:56 18188 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-10 09:44:32 4100 ----a-w- C:\rollback.ini
2010-02-10 09:21:35 0 d-----w- c:\program files\common files\ParetoLogic
2010-02-10 09:21:35 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic Anti-Virus PLUS
2010-02-10 09:21:35 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-02-10 03:46:42 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-02-10 03:46:08 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-02-10 03:46:08 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-02-10 03:46:08 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-02-10 03:46:07 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-02-10 03:46:06 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-02-10 03:19:13 57856 ----a-w- C:\7da291313d1380.bup
2010-02-10 03:19:08 57856 ----a-w- C:\7da2913138ab0.bup
2010-02-10 03:19:02 57856 ----a-w- C:\7da29131323b90.bup
2010-02-10 03:18:57 57856 ----a-w- C:\7da291312392220.bup
2010-02-10 03:18:52 57856 ----a-w- C:\7da291312341860.bup
2010-02-10 03:18:47 57856 ----a-w- C:\7da2913122fda0.bup
2010-02-10 03:18:37 57856 ----a-w- C:\7da291312251c50.bup
2010-02-10 03:18:20 57856 ----a-w- C:\7da291312142420.bup
2010-02-10 03:18:15 57856 ----a-w- C:\7da291312f1b50.bup
2010-02-10 03:18:09 57856 ----a-w- C:\7da2913129ea0.bup
2010-02-10 03:18:04 57856 ----a-w- C:\7da29131242e0.bup
2010-02-10 03:17:58 57856 ----a-w- C:\7da2913113a37a0.bup
2010-02-10 03:17:53 57856 ----a-w- C:\7da291311351480.bup
2010-02-10 03:17:47 57856 ----a-w- C:\7da2913112f3a90.bup
2010-02-10 03:17:42 57856 ----a-w- C:\7da2913112a2fd0.bup
2010-02-10 03:17:29 57856 ----a-w- C:\7da2913111d2af0.bup
2010-02-10 01:38:14 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-02-10 01:34:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-09 21:09:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-08 04:11:33 0 ---ha-w- c:\windows\system32\BITFB.tmp
2010-02-08 04:10:36 0 ---ha-w- c:\windows\system32\BITFA.tmp

==================== Find3M ====================

2010-01-06 02:04:02 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-01-06 02:04:02 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-01-06 02:04:02 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-01-06 02:04:02 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:42:49 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42:45 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35:35 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:55:25 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19:32 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:33:35 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:33:35 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:37:27 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:37:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37:27 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37:27 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37:27 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-01-16 00:34:29 1694700 -csha-w- c:\windows\system32\LStuttwa.ini2

============= FINISH: 17:15:23.75 ===============


#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 12 February 2010 - 09:33 PM

Hi dream.injection,

QUOTE
hopefully that was ok?


Yes, that is fine.


We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your McAfee AntiVirus Plus before running ComboFix, as it will prevent it from running.

To disable McAfee Virusscan:  
Please navigate to the system tray on the bottom right hand corner and look for a sign.
  • right-click it -> choose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the McAfee Guard.

If you can't disable McAfee AntiVirus Plus then uninstall it. You can reinstall when we have you clean.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

To work properly, you must install ComboFix on the Desktop. <==IMPORTANT



Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log. The log will be saved as C:\ComboFix.txt

Edited by SifuMike, 12 February 2010 - 09:36 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 dream.injection

dream.injection
  • Topic Starter

  • Members
  • 10 posts

Posted 12 February 2010 - 10:05 PM

Hm I'm running Mcafee antivirus plus which is a bit different than mcafee virus scan - there is no exit option? I turned off the firewall, virus scanner and real time scanning manually.. but the icon for mcafee antivirus plus is still on the toolbar (right hand side) - is that ok?

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 12 February 2010 - 10:08 PM


Hi dream.injection,

That should be OK. If ComboFix will not run because of McAfee Antivirus, then you will have to uninstall McAfee.

#7 dream.injection

dream.injection
  • Topic Starter

  • Members
  • 10 posts

Posted 12 February 2010 - 10:47 PM

Whew, that had me nervous!


ComboFix 10-02-12.01 - Owner 02/12/2010 19:20:58.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.326 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\LStuttwa.ini
c:\windows\system32\LStuttwa.ini2
c:\windows\Tasks\tdzoznht.job

----- BITS: Possible infected sites -----

hxxp://82.98.235.29
.
((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
.

2010-02-12 23:42 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-12 23:42 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-12 23:42 . 2010-02-12 23:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 21:20 . 2010-02-12 21:20 153176 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-12 20:37 . 2010-02-12 20:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-12 02:42 . 2010-02-12 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-12 02:41 . 2010-02-12 02:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 02:41 . 2010-02-12 02:41 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-02-12 02:40 . 2010-02-12 02:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-11 11:27 . 2010-02-11 11:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-11 11:18 . 2004-08-12 14:10 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-02-11 11:08 . 2010-02-11 11:08 -------- d-----w- c:\windows\ServicePackFiles
2010-02-11 00:08 . 2010-02-11 00:08 -------- d-----w- c:\windows\EHome
2010-02-10 09:46 . 2010-02-13 03:37 191520 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-02-10 09:46 . 2010-02-13 03:34 4256032 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-10 09:21 . 2010-02-12 23:36 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-02-10 09:21 . 2010-02-12 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-02-10 09:21 . 2010-02-10 09:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2010-02-10 09:19 . 2010-02-10 09:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2010-02-10 03:46 . 2010-01-06 02:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-02-10 03:46 . 2010-01-06 02:04 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-02-10 03:46 . 2010-01-06 02:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-02-10 03:46 . 2010-01-06 02:04 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-02-10 03:46 . 2010-01-06 02:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-02-10 03:46 . 2010-01-06 02:04 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-02-10 02:56 . 2010-02-10 02:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-10 01:38 . 2010-02-10 01:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-10 01:34 . 2010-02-10 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-09 21:09 . 2010-02-09 21:09 -------- d-----w- c:\program files\Alwil Software
2010-02-09 21:09 . 2010-02-09 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-13 03:29 . 2010-02-10 09:46 58004 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-13 03:29 . 2010-02-10 09:46 18956 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-12 20:43 . 2010-02-12 20:43 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 20:43 . 2010-02-12 20:43 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-12 02:43 . 2010-02-12 02:43 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 02:43 . 2010-02-12 02:43 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-11 08:22 . 2008-12-25 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2010-02-11 04:34 . 2009-01-22 21:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2010-02-10 10:00 . 2010-02-10 10:00 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-02-10 04:01 . 2008-12-26 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-10 03:56 . 2008-12-26 00:15 -------- d-----w- c:\program files\McAfee
2010-02-10 03:50 . 2008-12-26 00:16 -------- d-----w- c:\program files\Common Files\McAfee
2010-02-10 03:29 . 2008-12-26 00:16 -------- d-----w- c:\program files\McAfee.com
2010-02-10 02:54 . 2009-07-19 01:36 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-08 04:11 . 2010-02-08 04:11 0 ---ha-w- c:\windows\system32\BITFB.tmp
2010-02-08 04:10 . 2010-02-08 04:10 0 ---ha-w- c:\windows\system32\BITFA.tmp
2010-01-06 02:04 . 2010-01-06 02:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-01-06 02:04 . 2010-01-06 02:04 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-01-06 02:04 . 2008-12-26 00:19 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-01-06 02:04 . 2008-12-26 00:19 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-31 16:14 . 2004-08-12 14:06 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 05:07 . 2009-12-31 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-31 05:07 . 2009-12-31 05:05 -------- d-----w- c:\program files\iTunes
2009-12-31 05:06 . 2008-06-24 02:55 -------- d-----w- c:\program files\iPod
2009-12-31 05:06 . 2008-06-24 02:53 -------- d-----w- c:\program files\Common Files\Apple
2009-12-31 05:03 . 2009-12-31 05:02 -------- d-----w- c:\program files\QuickTime
2009-12-31 04:55 . 2009-12-31 04:55 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-22 05:42 . 2004-08-12 14:09 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-12 13:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 12:58 . 2008-06-22 05:54 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-12 13:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:55 . 2004-08-12 14:02 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19 . 2004-08-03 22:59 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:03 . 2009-12-04 18:03 251376 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-12-04 14:41 . 2004-08-12 14:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2004-08-12 14:03 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2004-08-12 14:01 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2004-08-12 14:01 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2004-08-12 13:55 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-21 16:36 . 2004-08-12 13:55 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2010-01-06 02:04 . 2010-02-10 03:46 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-21 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 290816]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-01-27 1179952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-23 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 16:32 77824 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 16:36 114688 -c--a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 21:42 1404928 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-29 18:10 148888 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\WINDOWS\\system32\\drwtsn32.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2/9/2010 7:46 PM 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/9/2010 7:44 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/9/2010 7:44 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2/9/2010 7:44 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [2/9/2010 7:48 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2/9/2010 7:46 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2/9/2010 7:46 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2/9/2010 7:46 PM 312584]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2/9/2010 7:46 PM 88480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2/9/2010 7:46 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2/9/2010 7:46 PM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2009-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2010-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1957994488-725345543-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-21 07:55]

2010-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1957994488-725345543-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-21 07:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: imageservr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\g9zknlqq.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{041DBE9D-8B10-4FB1-8C49-7E55FD18853F} - (no file)
BHO-{cb0101eb-e917-4fdd-ac60-713065540947} - (no file)
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKU-Default-Run-Adobe Loader - c:\program files\SafeStart.exe
SharedTaskScheduler-{9cc602b3-87ed-404c-9b3e-573af9a31f7b} - (no file)
SharedTaskScheduler-{7832ddb8-08ee-436e-989c-11bc81644f35} - (no file)
SharedTaskScheduler-{e769f67c-1079-4412-9f1a-8dad06ba3e82} - (no file)
SSODL-yahiyibip-{9cc602b3-87ed-404c-9b3e-573af9a31f7b} - (no file)
SSODL-jakehiwuv-{7832ddb8-08ee-436e-989c-11bc81644f35} - (no file)
SSODL-fulapemis-{e769f67c-1079-4412-9f1a-8dad06ba3e82} - (no file)
Notify-khfFUOiG - khfFUOiG.dll
AddRemove-CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1 - c:\program files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-12 19:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3108)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-12 19:44:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-13 03:44

Pre-Run: 62,087,618,560 bytes free
Post-Run: 62,151,217,152 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - B82CB8547D434481F4D03CE9E3F6E85D


#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 13 February 2010 - 12:18 AM

Hi dream.injection,


QUOTE
Whew, that had me nervous!



Yes, it is not a tool to be run on your own or without supervision.
Every day we get some yahoos that run it on their own and trash their system.


You need to disable your McAfee AntiVirus Plus before running ComboFix, as it will prevent it from running.

If you can't disable McAfee AntiVirus Plus then uninstall it. You can reinstall when we have you clean.



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

CODE
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
The combofix log can also be found at C:\ComboFix.txt.

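Added example, not code from this thread or from ComboFix: a small Python triage script that pulls out of a ComboFix log the items the helper acted on in posts #7 and #8 (the Security Center "DisableMonitoring" and firewall-policy "EnableFirewall" registry lines, the "BITS: Possible infected sites" block, the "Trusted Zone:" entries and the "ORPHANS REMOVED" block) and renders the firewall-re-enabling CFScript fragment in the form used in post #8. The log excerpt inside it is constructed to match the log layout above; the Finding categories are my own names.

```python
"""ComboFix log triage (added example; not ComboFix's or this thread's own code).

Walks the sections the helper acted on in this thread: the Security Center
'DisableMonitoring' and firewall-policy 'EnableFirewall' registry lines, the
'BITS: Possible infected sites' block, 'Trusted Zone:' entries, and the
'ORPHANS REMOVED' block. It then renders the CFScript fragment that turns the
Windows Firewall policy back on, in the form used in post #8.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the layout of the logs posted above (the IP is a
# documentation address and the host names use the reserved .invalid TLD).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

----- BITS: Possible infected sites -----

hxxp://203.0.113.9
.
Trusted Zone: rogue-av-example.invalid
Trusted Zone: safe-download-example.invalid
- - - - ORPHANS REMOVED - - - -

BHO-{041DBE9D-8B10-4FB1-8C49-7E55FD18853F} - (no file)
Notify-khfFUOiG - khfFUOiG.dll
HKU-Default-Run-Adobe Loader - c:\program files\SafeStart.exe

**************************************************************************
"""


@dataclass
class Finding:
    category: str  # e.g. "firewall_disabled", "trusted_zone" (names are mine)
    detail: str    # the registry key, host or log line the finding refers to


def parse_reg_value(line: str) -> Optional[int]:
    """Numeric value of a registry line in either notation ComboFix emits:
    REGEDIT4 '"Name"=dword:00000001' or the '"Name"= 0 (0x0)' rendering."""
    _, _, rhs = line.partition("=")
    rhs = rhs.strip()
    if rhs.lower().startswith("dword:"):
        return int(rhs[len("dword:"):], 16)
    m = re.match(r"(\d+)", rhs)
    return int(m.group(1)) if m else None


def triage_log(text: str) -> List[Finding]:
    """Single pass over the log, tracking the registry key or block we are in."""
    findings: List[Finding] = []
    current_key: Optional[str] = None
    block: Optional[str] = None  # "bits" or "orphans" while inside those blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):      # registry key header
            current_key, block = line[1:-1], None
            continue
        if line.startswith("----- BITS: Possible infected sites"):
            current_key, block = None, "bits"
            continue
        if line.startswith("- - - - ORPHANS REMOVED"):
            current_key, block = None, "orphans"
            continue
        if line == "." or line.startswith("*****"):          # ComboFix separators
            block = None
            continue
        if block == "bits":                                   # defanged hxxp:// URLs
            findings.append(Finding("bits_job_site", line))
        elif block == "orphans":
            cat = "orphan_missing_file" if line.endswith("(no file)") else "orphan_removed"
            findings.append(Finding(cat, line))
        elif line.startswith("Trusted Zone:"):
            findings.append(Finding("trusted_zone", line.split(":", 1)[1].strip()))
        elif current_key is None:
            continue
        elif "firewallpolicy" in current_key.lower() and line.startswith('"EnableFirewall"'):
            if parse_reg_value(line) == 0:
                findings.append(Finding("firewall_disabled", current_key))
        elif "security center\\monitoring" in current_key.lower() and line.startswith('"DisableMonitoring"'):
            if parse_reg_value(line) == 1:
                findings.append(Finding("security_center_monitoring_disabled", current_key))
    return findings


def render_cfscript(findings: List[Finding]) -> str:
    """CFScript fragment, in the form of post #8, for every firewall-policy key
    the log showed with EnableFirewall = 0."""
    lines = ["Registry::"]
    for f in findings:
        if f.category == "firewall_disabled":
            lines += [f"[{f.detail}]", '"EnableFirewall"=dword:00000001', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.category:38} {f.detail}")
    print(render_cfscript(triage_log(SAMPLE_LOG)))
```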

#9 dream.injection

dream.injection
  • Topic Starter

  • Members
  • 10 posts

Posted 13 February 2010 - 12:57 AM

ComboFix 10-02-12.01 - Owner 02/12/2010 21:26:31.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.351 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
.

2010-02-12 23:42 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-12 23:42 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-12 23:42 . 2010-02-12 23:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 21:20 . 2010-02-12 21:20 153176 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-12 20:37 . 2010-02-12 20:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-12 02:42 . 2010-02-12 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-12 02:41 . 2010-02-12 02:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 02:41 . 2010-02-12 02:41 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-02-12 02:40 . 2010-02-12 02:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-11 11:27 . 2010-02-11 11:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-11 11:18 . 2004-08-12 14:10 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-02-11 11:08 . 2010-02-11 11:08 -------- d-----w- c:\windows\ServicePackFiles
2010-02-11 00:08 . 2010-02-11 00:08 -------- d-----w- c:\windows\EHome
2010-02-10 09:46 . 2010-02-13 05:48 198176 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-02-10 09:46 . 2010-02-13 05:47 4342048 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-10 09:21 . 2010-02-12 23:36 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-02-10 09:21 . 2010-02-12 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-02-10 09:21 . 2010-02-10 09:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2010-02-10 09:19 . 2010-02-10 09:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2010-02-10 03:46 . 2010-01-06 02:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-02-10 03:46 . 2010-01-06 02:04 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-02-10 03:46 . 2010-01-06 02:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-02-10 03:46 . 2010-01-06 02:04 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-02-10 03:46 . 2010-01-06 02:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-02-10 03:46 . 2010-01-06 02:04 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-02-10 02:56 . 2010-02-10 02:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-10 01:38 . 2010-02-10 01:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-10 01:34 . 2010-02-10 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-09 21:09 . 2010-02-09 21:09 -------- d-----w- c:\program files\Alwil Software
2010-02-09 21:09 . 2010-02-09 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-13 05:34 . 2010-02-10 09:46 59156 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-13 05:34 . 2010-02-10 09:46 19580 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-12 20:43 . 2010-02-12 20:43 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 20:43 . 2010-02-12 20:43 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-12 02:43 . 2010-02-12 02:43 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 02:43 . 2010-02-12 02:43 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-11 08:22 . 2008-12-25 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2010-02-11 04:34 . 2009-01-22 21:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2010-02-10 10:00 . 2010-02-10 10:00 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-02-10 04:01 . 2008-12-26 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-10 03:56 . 2008-12-26 00:15 -------- d-----w- c:\program files\McAfee
2010-02-10 03:50 . 2008-12-26 00:16 -------- d-----w- c:\program files\Common Files\McAfee
2010-02-10 03:29 . 2008-12-26 00:16 -------- d-----w- c:\program files\McAfee.com
2010-02-10 02:54 . 2009-07-19 01:36 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-08 04:11 . 2010-02-08 04:11 0 ---ha-w- c:\windows\system32\BITFB.tmp
2010-02-08 04:10 . 2010-02-08 04:10 0 ---ha-w- c:\windows\system32\BITFA.tmp
2010-01-06 02:04 . 2010-01-06 02:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-01-06 02:04 . 2010-01-06 02:04 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-01-06 02:04 . 2008-12-26 00:19 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-01-06 02:04 . 2008-12-26 00:19 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-31 16:14 . 2004-08-12 14:06 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 05:07 . 2009-12-31 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-31 05:07 . 2009-12-31 05:05 -------- d-----w- c:\program files\iTunes
2009-12-31 05:06 . 2008-06-24 02:55 -------- d-----w- c:\program files\iPod
2009-12-31 05:06 . 2008-06-24 02:53 -------- d-----w- c:\program files\Common Files\Apple
2009-12-31 05:03 . 2009-12-31 05:02 -------- d-----w- c:\program files\QuickTime
2009-12-31 04:55 . 2009-12-31 04:55 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-22 05:42 . 2004-08-12 14:09 662016 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-12 13:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 12:58 . 2008-06-22 05:54 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-12 13:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:55 . 2004-08-12 14:02 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19 . 2004-08-03 22:59 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:03 . 2009-12-04 18:03 251376 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-12-04 14:41 . 2004-08-12 14:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2004-08-12 14:03 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2004-08-12 14:01 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2004-08-12 14:01 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2004-08-12 13:55 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-21 16:36 . 2004-08-12 13:55 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2010-01-06 02:04 . 2010-02-10 03:46 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-21 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 290816]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-01-27 1179952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-23 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 16:32 77824 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 16:36 114688 -c--a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 21:42 1404928 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-29 18:10 148888 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\WINDOWS\\system32\\drwtsn32.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2/9/2010 7:46 PM 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/9/2010 7:44 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/9/2010 7:44 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2/9/2010 7:44 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [2/9/2010 7:48 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2/9/2010 7:46 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2/9/2010 7:46 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2/9/2010 7:46 PM 312584]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2/9/2010 7:46 PM 88480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2/9/2010 7:46 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2/9/2010 7:46 PM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2009-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2010-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1957994488-725345543-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-21 07:55]

2010-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1957994488-725345543-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-21 07:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: imageservr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\g9zknlqq.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-12 21:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(4956)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-12 21:53:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-13 05:53
ComboFix2.txt 2010-02-13 03:44

Pre-Run: 62,160,445,440 bytes free
Post-Run: 62,120,845,312 bytes free

- - End Of File - - F2CD1EE6DFC77D74A85DC59245544D5D


#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 13 February 2010 - 01:09 AM

Hi dream.injection,

Looks better, but you still have a few items left.

You need to disable your McAfee AntiVirus Plus before running ComboFix, as it will prevent it from running.

If you can't disable McAfee AntiVirus Plus then uninstall it. You can reinstall when we have you clean.

Click Start, then Run and type Notepad and click OK.
Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the code box below into Notepad:

CODE
File::
c:\windows\TEMP\logishrd\LVPrcInj01.dll

DDS::
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: imageservr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
The ComboFix log can also be found at C:\ComboFix.txt.


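As an added example (not code from this thread, from ComboFix, or from any vendor tool): a small Python triage script that reads a ComboFix-style log and pulls out the two kinds of entry the CFScript above acts on, Internet Explorer Trusted Zone domains that are not on an allowlist, and DLLs loaded into a running process from a temp directory (the File:: target above was loaded into explorer.exe from c:\windows\TEMP). The allowlist, the temp-path patterns and the SAMPLE_LOG excerpt (taken from the log posted earlier in this thread) are the example's own assumptions, not anything ComboFix defines.

```python
"""Triage a ComboFix-style log for two indicators (added example; not part of
the thread, of ComboFix, or of any vendor tool).

  * Internet Explorer Trusted Zone domains that are not on an allowlist.
    Sites in the Trusted zone run with relaxed ActiveX/script settings, which
    is why rogue "security" products add their own domains there.
  * DLLs loaded into a running process from a temp directory, which is where
    the File:: target in the script above was running from (explorer.exe).

Assumptions: the allowlist, the temp-path patterns and the sample log excerpt.
"""
import re
from dataclasses import dataclass, field

# Assumed allowlist for this example: a domain or any of its subdomains.
TRUSTED_ZONE_ALLOWLIST = frozenset({"microsoft.com", "windowsupdate.com"})

# Assumed temp locations, written the way ComboFix prints paths (lower-case
# drive letter, Windows XP profile layout).
TEMP_PATH_RE = re.compile(
    r"^(?:c:\\windows\\temp\\"
    r"|c:\\documents and settings\\[^\\]+\\local settings\\temp\\)",
    re.IGNORECASE,
)
TRUSTED_ZONE_RE = re.compile(r"^Trusted Zone:\s*(\S+)", re.IGNORECASE)
PROCESS_RE = re.compile(r"^(?:- )+>\s*'([^']+)'\((\d+)\)")


@dataclass
class Findings:
    rogue_zones: list = field(default_factory=list)   # domain names
    temp_dlls: list = field(default_factory=list)     # (process, pid, path)


def _allowlisted(domain):
    d = domain.lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in TRUSTED_ZONE_ALLOWLIST)


def triage(log_text):
    """Walk the log once and return the Findings."""
    found = Findings()
    current = None  # (process, pid) while inside a 'DLLs Loaded' block
    for raw in log_text.splitlines():
        line = raw.strip()
        m = TRUSTED_ZONE_RE.match(line)
        if m:
            if not _allowlisted(m.group(1)):
                found.rogue_zones.append(m.group(1).lower())
            continue
        m = PROCESS_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            continue
        if line in ("", "."):          # ComboFix ends a block with a blank line or '.'
            current = None
            continue
        if current and line.lower().endswith(".dll") and TEMP_PATH_RE.match(line):
            found.temp_dlls.append((current[0], current[1], line))
    return found


# Excerpt of the log posted earlier in this thread, used as sample input.
SAMPLE_LOG = r"""
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: imageservr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(4956)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("Trusted Zone domains not on the allowlist:", *r.rogue_zones, sep="\n  ")
    print("DLLs loaded from temp:",
          *(f"{p} ({pid}): {path}" for p, pid, path in r.temp_dlls), sep="\n  ")
```

Run against a full ComboFix.txt the script lists exactly what a helper would put in the DDS:: and File:: sections; it reports only, and the warning above about not reusing a CFScript on another machine still applies to anything built from its output.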

#11 dream.injection

dream.injection
  • Topic Starter

  • Members
  • 10 posts

Posted 13 February 2010 - 02:21 AM

Is McAfee interfering with the scans at all?

ComboFix 10-02-12.01 - Owner 02/12/2010 22:18:01.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.295 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\TEMP\logishrd\LVPrcInj01.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
.

2010-02-12 23:42 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-12 23:42 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-12 23:42 . 2010-02-12 23:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 21:20 . 2010-02-12 21:20 153176 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-12 20:37 . 2010-02-12 20:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-12 02:42 . 2010-02-12 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-12 02:41 . 2010-02-12 02:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 02:41 . 2010-02-12 02:41 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-02-12 02:40 . 2010-02-12 02:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-11 11:27 . 2010-02-11 11:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-11 11:18 . 2004-08-12 14:10 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-02-11 11:08 . 2010-02-11 11:08 -------- d-----w- c:\windows\ServicePackFiles
2010-02-11 00:08 . 2010-02-11 00:08 -------- d-----w- c:\windows\EHome
2010-02-10 09:46 . 2010-02-13 06:39 202528 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-02-10 09:46 . 2010-02-13 06:38 4413728 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-10 09:21 . 2010-02-12 23:36 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-02-10 09:21 . 2010-02-12 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-02-10 09:21 . 2010-02-10 09:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2010-02-10 09:19 . 2010-02-10 09:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2010-02-10 03:46 . 2010-01-06 02:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-02-10 03:46 . 2010-01-06 02:04 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-02-10 03:46 . 2010-01-06 02:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-02-10 03:46 . 2010-01-06 02:04 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-02-10 03:46 . 2010-01-06 02:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-02-10 03:46 . 2010-01-06 02:04 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-02-10 02:56 . 2010-02-10 02:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-10 01:38 . 2010-02-10 01:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-10 01:34 . 2010-02-10 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-09 21:09 . 2010-02-09 21:09 -------- d-----w- c:\program files\Alwil Software
2010-02-09 21:09 . 2010-02-09 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-13 06:26 . 2010-02-10 09:46 20012 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-13 06:26 . 2010-02-10 09:46 60116 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-12 20:43 . 2010-02-12 20:43 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 20:43 . 2010-02-12 20:43 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-12 02:43 . 2010-02-12 02:43 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 02:43 . 2010-02-12 02:43 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-11 08:22 . 2008-12-25 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2010-02-11 04:34 . 2009-01-22 21:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2010-02-10 10:00 . 2010-02-10 10:00 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-02-10 04:01 . 2008-12-26 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-10 03:56 . 2008-12-26 00:15 -------- d-----w- c:\program files\McAfee
2010-02-10 03:50 . 2008-12-26 00:16 -------- d-----w- c:\program files\Common Files\McAfee
2010-02-10 03:29 . 2008-12-26 00:16 -------- d-----w- c:\program files\McAfee.com
2010-02-10 02:54 . 2009-07-19 01:36 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-08 04:11 . 2010-02-08 04:11 0 ---ha-w- c:\windows\system32\BITFB.tmp
2010-02-08 04:10 . 2010-02-08 04:10 0 ---ha-w- c:\windows\system32\BITFA.tmp
2010-01-06 02:04 . 2010-01-06 02:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-01-06 02:04 . 2010-01-06 02:04 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-01-06 02:04 . 2008-12-26 00:19 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-01-06 02:04 . 2008-12-26 00:19 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-31 16:14 . 2004-08-12 14:06 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 05:07 . 2009-12-31 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-31 05:07 . 2009-12-31 05:05 -------- d-----w- c:\program files\iTunes
2009-12-31 05:06 . 2008-06-24 02:55 -------- d-----w- c:\program files\iPod
2009-12-31 05:06 . 2008-06-24 02:53 -------- d-----w- c:\program files\Common Files\Apple
2009-12-31 05:03 . 2009-12-31 05:02 -------- d-----w- c:\program files\QuickTime
2009-12-31 04:55 . 2009-12-31 04:55 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-22 05:42 . 2004-08-12 14:09 662016 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-12 13:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 12:58 . 2008-06-22 05:54 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-12 13:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:55 . 2004-08-12 14:02 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19 . 2004-08-03 22:59 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:03 . 2009-12-04 18:03 251376 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-12-04 14:41 . 2004-08-12 14:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2004-08-12 14:03 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2004-08-12 14:01 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2004-08-12 14:01 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2004-08-12 13:55 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-21 16:36 . 2004-08-12 13:55 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2010-01-06 02:04 . 2010-02-10 03:46 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-21 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 290816]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-01-27 1179952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-23 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 16:32 77824 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 16:36 114688 -c--a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 21:42 1404928 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-29 18:10 148888 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\WINDOWS\\system32\\drwtsn32.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2/9/2010 7:46 PM 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/9/2010 7:44 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/9/2010 7:44 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2/9/2010 7:44 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [2/9/2010 7:48 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2/9/2010 7:46 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2/9/2010 7:46 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2/9/2010 7:46 PM 312584]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2/9/2010 7:46 PM 88480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2/9/2010 7:46 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2/9/2010 7:46 PM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2009-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2010-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1957994488-725345543-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-21 07:55]

2010-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1957994488-725345543-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-21 07:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\g9zknlqq.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-12 22:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(4704)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-12 22:45:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-13 06:45
ComboFix2.txt 2010-02-13 05:53
ComboFix3.txt 2010-02-13 03:44

Pre-Run: 62,132,723,712 bytes free
Post-Run: 62,092,009,472 bytes free

- - End Of File - - D2C895187A2B41878CFD115D868485EA


#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:25 AM

Posted 13 February 2010 - 02:34 AM

Hi dream.injection,

No, McAfee is disabled.

Please do an online scan with Kaspersky WebScanner

Attention!
Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.


Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


You can refer to this animation by sundavis if needed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 dream.injection

dream.injection
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 13 February 2010 - 06:35 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, February 13, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, February 13, 2010 07:48:09
Records in database: 3494255
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 48131
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:36:10

No threats found. Scanned area is clean.

Selected area has been scanned.


#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:25 AM

Posted 13 February 2010 - 12:04 PM

Hi


You are using an outdated version of Adobe Reader. Adobe has since been updated and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
    Adobe Reader 8.1.2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.
Please download the latest version from:
http://get.adobe.com/reader/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.

You may also try the free Foxit PDF reader, if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
    Please download Java Version 6 Update 18
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again.
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ 6 Update 14
    Java™ 6 Update 6
    Java™ 6 Update 7

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.


Please make sure you turn on the Java Automatic Update Feature
http://java.com/en/download/help/java_update.xml#howto

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.


I think we finally have your computer clean.

Please tell me how it is running.

If all OK, then we will do the program clean up.

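An added check, not part of SifuMike's post or of any tool mentioned in the thread: a PowerShell snippet that reads the same Add/Remove Programs list the post walks through and prints every Java and Adobe Reader entry, marking Java entries older than 6 Update 18. The registry paths, the need for PowerShell 3 or later, and the assumption that Java 6 Update 18 registers itself with DisplayVersion 6.0.180 are all assumptions, not facts from the thread.

```powershell
# Added example, not from the thread. Lists Add/Remove Programs entries whose name
# matches the Java and Adobe Reader items the post tells the user to remove, and
# flags Java entries older than 6 Update 18 (DisplayVersion '6.0.180' is an assumption).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # present on 64-bit hosts only
)
$minJava = [version]'6.0.180'   # assumed DisplayVersion of Java 6 Update 18

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|J2SE|Adobe Reader' } |
    ForEach-Object {
        # Some entries carry no parsable version string; treat those as unknown, not stale.
        $ver = $null
        [void][version]::TryParse($_.DisplayVersion, [ref]$ver)
        $stale = ($_.DisplayName -match 'Java|J2SE') -and $ver -and ($ver -lt $minJava)
        [pscustomobject]@{
            Name      = $_.DisplayName
            Version   = $_.DisplayVersion
            Stale     = $stale              # $true = older than the version the post asks for
            Uninstall = $_.UninstallString  # the command Add/Remove Programs would run
        }
    } | Sort-Object Name | Format-Table -AutoSize
```

Each row with Stale set to $true is one of the "Repeat as many times as necessary" removals from the post; the Uninstall column shows what the Remove button would run, so nothing is removed by this listing itself.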

#15 dream.injection

dream.injection
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 13 February 2010 - 03:35 PM

Installed the new Adobe Reader and Java. Computer is working great! But there is a lot of clutter on my desktop ;x



