Autorun.worm.aae possible infection


This topic is locked
11 replies to this topic

#1 ibgileu

  • Members
  • 8 posts
  • Gender:Male
Posted 20 February 2010 - 05:21 PM

Last week I put my son's USB flash drive into my computer and McAfee informed me that 2 infections were blocked, autorun.worm.aae and another trojan named something like Generic!****. My computer is in safe mode, and I can't seem to get my McAfee logs to open up. Anyhow, after the warnings from McAfee, I ran Malwarebytes' and it found 2 suspicious registry entries which it fixed, and I thought I was OK, until yesterday when I turned on my computer and Microsoft Security Center popped up telling me my computer was at risk and that I didn't have my firewall enabled and that I didn't have any anti-virus installed. I now believe I have some sort of infection, but it's something Malwarebytes and McAfee can't see. Any help would be greatly appreciated.

DDS.txt:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Maester Brian at 18:45:54.74 on Fri 02/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.1919 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\McAfee.com\Agent\mcagent.exe
E:\Program Files\Razer\Mamba\RazerTray.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Documents and Settings\Maester Brian\Local Settings\Apps\2.0\TTKX9LYC.VZ3\DCMA8OTM.8WT\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\CurseClient.exe
E:\Program Files\Mozilla Firefox\firefox.exe
svchost.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\WINDOWS\system32\svchost.exe -k hpdevmgmt
E:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\McAfee\SiteAdvisor\McSACore.exe
E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
e:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
e:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
E:\Program Files\McAfee\MPF\MPFSrv.exe
E:\WINDOWS\System32\svchost.exe -k HPZ12
E:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\WINDOWS\system32\dllhost.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\system32\wscntfy.exe
e:\PROGRA~1\mcafee\msc\mcshell.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
E:\Idunno.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\PROGRA~1\McAfee\MSC\McLgView.exe
E:\Documents and Settings\Maester Brian\My Documents\Downloads\Defogger.exe
E:\Documents and Settings\Maester Brian\My Documents\Downloads\dds.scr
E:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/MemberHome
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7GPEA_en
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - e:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - e:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - e:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - e:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - e:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - e:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - e:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
mRun: [mcagent_exe] "e:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [Razer Mamba Driver] e:\program files\razer\mamba\RazerTray.exe
StartupFolder: e:\documents and settings\maester brian\start menu\programs\startup\CurseClientStartup.ccip
IE: E&xport to Microsoft Excel - e:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - e:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242527222343
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - e:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - e:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - e:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - e:\windows\system32\rundll32.exe e:\windows\system32\advpack.dll,launchinfsectionex e:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\maeste~1\applic~1\mozilla\firefox\profiles\f0e5lqi6.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: e:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: e:\documents and settings\maester brian\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: e:\documents and settings\maester brian\application data\mozilla\firefox\profiles\f0e5lqi6.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - plugin: e:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: e:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: e:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: e:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;e:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;e:\program files\mcafee\siteadvisor\McSACore.exe [2009-11-30 93320]
R2 McProxy;McAfee Proxy Service;e:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-11-30 359952]
R2 McrdSvc;Media Center Extender Service;e:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;e:\progra~1\mcafee\viruss~1\mcshield.exe [2009-11-30 144704]
R3 MBAMSwissArmy;MBAMSwissArmy;e:\windows\system32\drivers\mbamswissarmy.sys [2009-10-11 38224]
R3 McSysmon;McAfee SystemGuards;e:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-11-30 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;e:\windows\system32\drivers\mfeavfk.sys [2009-11-30 79816]
R3 mfebopk;McAfee Inc. mfebopk;e:\windows\system32\drivers\mfebopk.sys [2009-11-30 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;e:\windows\system32\drivers\mfesmfk.sys [2009-11-30 40552]
S2 gupdate1c9e625a273011a;Google Update Service (gupdate1c9e625a273011a);e:\program files\google\update\GoogleUpdate.exe [2009-6-5 133104]
S3 mferkdk;McAfee Inc. mferkdk;e:\windows\system32\drivers\mferkdk.sys [2009-11-30 34248]

=============== Created Last 30 ================

2010-02-20 00:43:52 0 ----a-w- e:\documents and settings\maester brian\defogger_reenable
2010-02-20 00:25:38 218112 ----a-w- E:\Idunno.exe
2010-02-16 21:11:52 0 d-----w- e:\docume~1\alluse~1\applic~1\Easy CD-DA Extractor
2010-02-16 21:11:48 0 d-----w- e:\windows\Easy CD-DA Extractor 12
2010-02-16 21:11:48 0 d-----w- e:\program files\Easy CD-DA Extractor 12
2010-01-27 01:47:33 0 dc-h--w- e:\windows\ie8

==================== Find3M ====================

2010-01-07 22:07:14 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- e:\windows\system32\drivers\mbam.sys
2009-12-31 16:50:03 353792 ----a-w- e:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- e:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- e:\windows\system32\mspaint.exe
2009-12-15 17:17:02 254880 ----a-w- e:\windows\system32\RazerMiddlewareServer.dll
2009-12-14 07:08:23 33280 ----a-w- e:\windows\system32\csrsrv.dll
2009-12-13 01:05:39 1682628 ----a-w- e:\windows\new_screensaver.scr
2009-12-08 19:26:15 2145280 ----a-w- e:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ----a-w- e:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- e:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- e:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- e:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- e:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- e:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- e:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- e:\windows\system32\msrle32.dll

============= FINISH: 18:47:57.43 ===============
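The DDS "Pseudo HJT Report" above is what a responder reads first: orphaned browser objects ("No File"), hosts-file overrides and autorun entries launching from odd locations. As an added example that is not part of this thread or of the DDS tool, here is a small Python triage script for that section; the sample lines are copied from the log above plus one clearly marked hypothetical mRun line, and the SUSPECT_DIRS heuristic and all function names are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" above, plus one
# hypothetical mRun line (the locals~1\temp path) that is NOT in the original log and
# exists only so the location check has something to flag.
SAMPLE_DDS = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - e:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - e:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
mRun: [mcagent_exe] "e:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: e:\documents and settings\maester brian\start menu\programs\startup\CurseClientStartup.ccip
Hosts: 127.0.0.1 www.spywareinfo.com
mRun: [hypothetical] e:\docume~1\maeste~1\locals~1\temp\updater.exe
"""


@dataclass
class Entry:
    kind: str    # BHO, TB, uRun, mRun, StartupFolder, Hosts, ...
    name: str    # friendly name or Run-key value name; empty when the line has none
    clsid: str   # {GUID} for COM objects, else empty
    target: str  # file path, "No File", or the hosts-file mapping


@dataclass
class Finding:
    reason: str
    entry: Entry


# BHO/TB lines: optional friendly name, a CLSID, then " - " and the DLL path or "No File".
BHO_RE = re.compile(r"^(BHO|TB):\s*(?:(.*?):\s*)?(\{[0-9A-Fa-f-]+\})\s*-\s*(.*)$")
# Run-key lines: [value name] followed by the command line.
RUN_RE = re.compile(r"^([um]Run(?:Once)?):\s*\[([^\]]*)\]\s*(.*)$")
GENERIC_RE = re.compile(r"^(\w+):\s*(.*)$")
# First Windows path ending in an executable-ish extension (".com" deliberately
# omitted so "mcafee.com" inside a folder name does not cut the path short).
PATH_RE = re.compile(r"([a-z]:\\.*?\.(?:exe|dll|scr|cpl|ccip|bat|vbs))", re.IGNORECASE)
# Heuristic (my assumption): autoruns living here deserve a closer look.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\locals~1\\",
                "\\application data\\", "\\applic~1\\", "\\recycler\\")


def parse_hjt(text: str) -> List[Entry]:
    """Turn DDS Pseudo-HJT lines into Entry records; unknown line shapes are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2) or "", m.group(3), m.group(4).strip()))
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), "", m.group(3).strip()))
            continue
        m = GENERIC_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), "", "", m.group(2).strip()))
    return entries


def first_path(target: str) -> Optional[str]:
    """Extract the launched file from a command line: quoted, bare, or behind a rundll32 prefix."""
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 1 else None
    m = PATH_RE.search(target)
    return m.group(1) if m else None


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply three cheap checks a responder makes when eyeballing a DDS log."""
    findings: List[Finding] = []
    for e in entries:
        if e.kind in ("BHO", "TB") and e.target.lower() == "no file":
            findings.append(Finding("orphaned browser object: CLSID registered but DLL missing", e))
        elif e.kind == "Hosts":
            parts = e.target.split()
            if len(parts) >= 2 and parts[1].lower() != "localhost":
                findings.append(Finding("hosts-file override for " + parts[1], e))
        elif e.kind.endswith("Run") or e.kind.endswith("RunOnce") or e.kind == "StartupFolder":
            path = first_path(e.target)
            if path is None:
                findings.append(Finding("autorun entry without a recognisable file path", e))
                continue
            low = path.lower()
            if any(d in low for d in SUSPECT_DIRS) or re.match(r"^[a-z]:\\[^\\]+$", low):
                findings.append(Finding("autorun target in temp/profile/drive-root location: " + path, e))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_DDS)):
        print(f"[{f.entry.kind}] {f.reason}")
```

On the sample this reports the "No File" BHO, the spywareinfo.com hosts entry and the hypothetical temp-folder autorun; the McAfee, Nvidia and ctfmon entries pass.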


#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 20 February 2010 - 06:10 PM

Good evening.

Both your AV and firewall appear to be OK according to the DDS log. Work through the following and we'll see where that gets us:

Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Go here and click the Download EXE button at the top and save the file to your Desktop - the file is randomly named to try to sidestep the actions of certain malicious files.
Double click the file to begin:
  • If you get a pop-up regarding rootkit activity and are asked if you want to scan, click No.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for
    • Sections
    • IAT/EAT
    • Show All
    • All drives except your main one, which is usually C:\.
  • Click the Scan button on the right and OK any pop-up that you may see regarding rootkit activity.
  • When the scan has completed, (you'll have time for a snack and a cuppa!), click the Save... button and again save the log with any name to a handy location.
Post the contents of the log(s) into your next reply. The Preview option on the forum may show the whole log(s) being posted, but they sometimes get cut down when the actual post is made, so please check the post once it is completed.

So long, and thanks for all the fish.


#3 ibgileu
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male

Posted 20 February 2010 - 09:57 PM

The anti-virus scan found nothing, and the GMER log is as follows:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-20 20:54:53
Windows 5.1.2600 Service Pack 3
Running: 0snig15h.exe; Driver: E:\DOCUME~1\MAESTE~1\LOCALS~1\Temp\fxtdqpoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAEB4278A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAEB42821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAEB42738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAEB4274C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAEB42835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAEB42861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAEB428CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAEB428B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAEB427CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAEB428FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAEB4280D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAEB42710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAEB42724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAEB4279E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAEB42937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAEB428A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAEB4288D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAEB4284B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAEB42923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAEB4290F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAEB42776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAEB42762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAEB42877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAEB427F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAEB428E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAEB427E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAEB427B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
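A GMER log like the one above is mostly one security product hooking the same service table dozens of times; the question a responder wants answered is "is every hook and filter attachment from a vendor I expect?". As an added example that is not part of this thread or of GMER, here is a Python script that parses the "Code" and "AttachedDevice" lines, groups hooks per driver and flags anything whose vendor is missing or off an allowlist; the sample is copied from the log above plus one clearly marked hypothetical driver, and KNOWN_VENDORS and the function names are my assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: lines copied from the GMER log above plus one hypothetical hook
# (hypothetical.sys, no version info) that is NOT in the original log, added so the
# vendor check has something to flag.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAEB4278A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAEB42710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \??\E:\WINDOWS\system32\drivers\hypothetical.sys ZwQueryDirectoryFile [0xF7A11000]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
"""

# Vendors the analyst expects to see hooking this box (assumption: the installed
# McAfee suite). Anything else hooking the kernel deserves a second look.
KNOWN_VENDORS: Set[str] = {"McAfee, Inc."}


@dataclass
class Hook:
    module: str             # driver that owns the hook
    vendor: Optional[str]   # from the "(description/vendor)" field, None when absent
    function: str           # hooked service, e.g. ZwCreateFile
    address: Optional[str]  # hook address when GMER printed one


@dataclass
class Device:
    driver: str
    device: str
    module: str
    vendor: Optional[str]


CODE_RE = re.compile(r"^Code\s+(\S+)\s+(?:\(([^)]*)\)\s+)?(\w+)(?:\s+\[(0x[0-9A-Fa-f]+)\])?$")
DEVICE_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\(([^)]*)\))?$")


def vendor_of(description: Optional[str]) -> Optional[str]:
    """GMER prints 'File description/Company'; the company is what we allowlist on."""
    if not description or "/" not in description:
        return None
    return description.rsplit("/", 1)[1].strip()


def parse_gmer(text: str):
    """Return (hooks, devices) from the System and Devices sections; other lines are ignored."""
    hooks: List[Hook] = []
    devices: List[Device] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CODE_RE.match(line)
        if m:
            hooks.append(Hook(m.group(1), vendor_of(m.group(2)), m.group(3), m.group(4)))
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append(Device(m.group(1), m.group(2), m.group(3), vendor_of(m.group(4))))
    return hooks, devices


def hooks_by_module(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Collapse dozens of near-identical lines into one row per driver."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        grouped[h.module].append(h.function)
    return dict(grouped)


def unexpected(hooks: List[Hook], devices: List[Device], known: Set[str]):
    """Hooks or filter attachments whose vendor is missing or not on the allowlist."""
    return [x for x in list(hooks) + list(devices) if x.vendor not in known]


if __name__ == "__main__":
    hooks, devices = parse_gmer(SAMPLE_GMER)
    for module, funcs in hooks_by_module(hooks).items():
        print(f"{module}: {len(funcs)} hooks")
    for x in unexpected(hooks, devices, KNOWN_VENDORS):
        print("REVIEW:", x)
```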


#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 21 February 2010 - 02:48 PM

Good evening.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Post a fresh DDS log as well.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.


#5 ibgileu
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male

Posted 21 February 2010 - 07:00 PM

Combofix Log:

ComboFix 10-02-21.02 - Maester Brian 02/21/2010 17:19:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2311 [GMT -6:00]
Running from: e:\documents and settings\Maester Brian\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-20 02:55 . 2010-02-20 02:55 -------- d-----w- e:\program files\Lavalys
2010-02-20 00:25 . 2005-02-16 17:06 218112 ----a-w- E:\Idunno.exe
2010-02-16 21:11 . 2010-02-16 21:12 -------- d-----w- e:\documents and settings\Maester Brian\Local Settings\Application Data\Easy CD-DA Extractor
2010-02-16 21:11 . 2010-02-16 21:11 -------- d-----w- e:\documents and settings\All Users\Application Data\TEMP
2010-02-16 21:11 . 2010-02-16 21:11 -------- d-----w- e:\documents and settings\All Users\Application Data\Easy CD-DA Extractor
2010-02-16 21:11 . 2010-02-16 21:11 -------- d-----w- e:\program files\Easy CD-DA Extractor 12
2010-02-16 21:11 . 2010-02-16 21:11 -------- d-----w- e:\windows\Easy CD-DA Extractor 12
2010-02-16 03:41 . 2010-02-16 03:41 -------- d-----w- e:\program files\Razer
2010-02-06 15:11 . 2010-02-09 00:41 161576 ----a-w- e:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-27 01:47 . 2010-01-27 01:47 -------- dc-h--w- e:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 02:49 . 2009-05-17 01:56 -------- d-----w- e:\documents and settings\Maester Brian\Application Data\U3
2010-02-20 00:12 . 2009-12-01 01:25 -------- d-----w- e:\program files\McAfee
2010-02-10 01:14 . 2009-05-17 03:44 -------- d-----w- e:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-09 00:42 . 2009-10-12 02:21 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2010-02-01 01:32 . 2009-06-05 21:35 -------- d-----w- e:\program files\Google
2010-01-22 01:15 . 2009-05-17 02:32 -------- d-----w- e:\program files\Microsoft Silverlight
2010-01-07 22:07 . 2009-10-12 02:21 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-10-12 02:21 19160 ----a-w- e:\windows\system32\drivers\mbam.sys
2010-01-02 18:31 . 2010-01-02 18:31 -------- d-----w- e:\program files\KingsIsle Entertainment
2010-01-02 18:31 . 2009-05-17 03:55 -------- d--h--w- e:\program files\InstallShield Installation Information
2009-12-31 16:50 . 2006-03-15 12:00 353792 ----a-w- e:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-03-15 12:00 916480 ----a-w- e:\windows\system32\wininet.dll
2009-12-16 18:43 . 2009-05-16 20:47 343040 ----a-w- e:\windows\system32\mspaint.exe
2009-12-15 17:17 . 2009-12-15 17:17 254880 ----a-w- e:\windows\system32\RazerMiddlewareServer.dll
2009-12-14 07:08 . 2006-03-15 12:00 33280 ----a-w- e:\windows\system32\csrsrv.dll
2009-12-13 01:05 . 2009-12-13 01:05 1682628 ----a-w- e:\windows\new_screensaver.scr
2009-12-08 19:26 . 2006-03-15 12:00 2145280 ----a-w- e:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2023936 ----a-w- e:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2006-03-15 12:00 455424 ----a-w- e:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2006-03-15 12:00 1291776 ----a-w- e:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- e:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2006-03-15 12:00 28672 ----a-w- e:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- e:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2006-03-15 12:00 84992 ----a-w- e:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2006-03-15 12:00 11264 ----a-w- e:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- e:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="e:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"Razer Mamba Driver"="e:\program files\Razer\Mamba\RazerTray.exe" [2009-12-15 3278728]

e:\documents and settings\Maester Brian\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-2-6 0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"e:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"e:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Documents and Settings\\Maester Brian\\Local Settings\\Apps\\2.0\\TTKX9LYC.VZ3\\DCMA8OTM.8WT\\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;e:\program files\McAfee\SiteAdvisor\McSACore.exe [11/30/2009 7:26 PM 93320]
S2 gupdate1c9e625a273011a;Google Update Service (gupdate1c9e625a273011a);e:\program files\Google\Update\GoogleUpdate.exe [6/5/2009 3:36 PM 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;e:\windows\system32\drivers\mbamswissarmy.sys [10/11/2009 8:21 PM 38224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- e:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-02-21 e:\windows\Tasks\Google Software Updater.job
- e:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-05 21:35]

2010-02-21 e:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- e:\program files\Google\Update\GoogleUpdate.exe [2009-06-05 21:36]

2010-02-21 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2009-06-05 21:36]

2009-12-01 e:\windows\Tasks\McDefragTask.job
- e:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-01 18:22]

2009-12-01 e:\windows\Tasks\McQcTask.job
- e:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-01 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netflix.com/MemberHome
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7GPEA_en
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - e:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - e:\documents and settings\Maester Brian\Application Data\Mozilla\Firefox\Profiles\f0e5lqi6.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: e:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: e:\documents and settings\Maester Brian\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: e:\documents and settings\Maester Brian\Application Data\Mozilla\Firefox\Profiles\f0e5lqi6.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - plugin: e:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: e:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: e:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: e:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - E:\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 17:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1868)
e:\windows\system32\WININET.dll
e:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
e:\windows\system32\ieframe.dll
e:\windows\system32\webcheck.dll
e:\windows\system32\WPDShServiceObj.dll
e:\windows\system32\hnetcfg.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-21 17:24:03
ComboFix-quarantined-files.txt 2010-02-21 23:24

Pre-Run: 479,195,918,336 bytes free
Post-Run: 479,378,481,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - A9EA0495AF672AA244EBE1FB752CCBF0

DDS Log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Maester Brian at 17:57:58.05 on Sun 02/21/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2169 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\McAfee.com\Agent\mcagent.exe
E:\Program Files\Razer\Mamba\RazerTray.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Documents and Settings\Maester Brian\Local Settings\Apps\2.0\TTKX9LYC.VZ3\DCMA8OTM.8WT\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\CurseClient.exe
svchost.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\WINDOWS\system32\svchost.exe -k hpdevmgmt
E:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\McAfee\SiteAdvisor\McSACore.exe
E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
e:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
e:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
E:\Program Files\McAfee\MPF\MPFSrv.exe
E:\WINDOWS\System32\svchost.exe -k HPZ12
E:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\WINDOWS\system32\dllhost.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Documents and Settings\Maester Brian\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/MemberHome
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7GPEA_en
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - e:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - e:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - e:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - e:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - e:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - e:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - e:\progra~1\mcafee\sitead~1\mcieplg.dll
mRun: [mcagent_exe] "e:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [Razer Mamba Driver] e:\program files\razer\mamba\RazerTray.exe
StartupFolder: e:\documents and settings\maester brian\start menu\programs\startup\CurseClientStartup.ccip
IE: E&xport to Microsoft Excel - e:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - e:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242527222343
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - e:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - e:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - e:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - e:\windows\system32\rundll32.exe e:\windows\system32\advpack.dll,launchinfsectionex e:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\maeste~1\applic~1\mozilla\firefox\profiles\f0e5lqi6.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: e:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: e:\documents and settings\maester brian\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: e:\documents and settings\maester brian\application data\mozilla\firefox\profiles\f0e5lqi6.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - plugin: e:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: e:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: e:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: e:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;e:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;e:\program files\mcafee\siteadvisor\McSACore.exe [2009-11-30 93320]
R2 McProxy;McAfee Proxy Service;e:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-11-30 359952]
R2 McrdSvc;Media Center Extender Service;e:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;e:\progra~1\mcafee\viruss~1\mcshield.exe [2009-11-30 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;e:\windows\system32\drivers\mfeavfk.sys [2009-11-30 79816]
R3 mfebopk;McAfee Inc. mfebopk;e:\windows\system32\drivers\mfebopk.sys [2009-11-30 35272]
S2 gupdate1c9e625a273011a;Google Update Service (gupdate1c9e625a273011a);e:\program files\google\update\GoogleUpdate.exe [2009-6-5 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;e:\windows\system32\drivers\mbamswissarmy.sys [2009-10-11 38224]
S3 mferkdk;McAfee Inc. mferkdk;e:\windows\system32\drivers\mferkdk.sys [2009-11-30 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;e:\windows\system32\drivers\mfesmfk.sys [2009-11-30 40552]
S4 McSysmon;McAfee SystemGuards;e:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-11-30 606736]

=============== Created Last 30 ================

2010-02-20 02:55:40 0 d-----w- e:\program files\Lavalys
2010-02-20 00:43:52 0 ----a-w- e:\documents and settings\maester brian\defogger_reenable
2010-02-20 00:25:38 218112 ----a-w- E:\Idunno.exe
2010-02-16 21:11:52 0 d-----w- e:\docume~1\alluse~1\applic~1\Easy CD-DA Extractor
2010-02-16 21:11:48 0 d-----w- e:\windows\Easy CD-DA Extractor 12
2010-02-16 21:11:48 0 d-----w- e:\program files\Easy CD-DA Extractor 12
2010-01-27 01:47:33 0 dc-h--w- e:\windows\ie8

==================== Find3M ====================

2010-01-07 22:07:14 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- e:\windows\system32\drivers\mbam.sys
2009-12-31 16:50:03 353792 ----a-w- e:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ------w- e:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- e:\windows\system32\mspaint.exe
2009-12-15 17:17:02 254880 ----a-w- e:\windows\system32\RazerMiddlewareServer.dll
2009-12-14 07:08:23 33280 ----a-w- e:\windows\system32\csrsrv.dll
2009-12-13 01:05:39 1682628 ----a-w- e:\windows\new_screensaver.scr
2009-12-10 04:54:07 261632 ----a-w- e:\windows\PEV.exe
2009-12-08 19:26:15 2145280 ------w- e:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ------w- e:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- e:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- e:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- e:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- e:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- e:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- e:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- e:\windows\system32\msrle32.dll

============= FINISH: 17:58:11.42 ===============

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:34 AM

Posted 21 February 2010 - 07:02 PM

QUOTE
Let me know how the PC is behaving.

So long, and thanks for all the fish.


#7 ibgileu

ibgileu
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Local time:02:34 AM

Posted 21 February 2010 - 07:20 PM

I haven't had any more warnings from Windows telling me my anti-virus was not installed and that my firewall was turned off. It seems to be acting normally.

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:34 AM

Posted 22 February 2010 - 03:45 PM

Good evening.

That's good to read. I think that a little scan won't hurt and will check for any stragglers that CF may have overlooked.

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log AND a description of how your PC is behaving.

So long, and thanks for all the fish.


#9 ibgileu

ibgileu
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Local time:02:34 AM

Posted 22 February 2010 - 08:31 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3778
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/22/2010 7:25:44 PM
mbam-log-2010-02-22 (19-25-44).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 217054
Time elapsed: 30 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



My computer seems to be working fine.
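
As an added example (not part of this thread, and not Malwarebytes' own code), the Python below parses the MBAM 1.x text log format posted above. It pulls out the version and database number, checks that each "... Infected: N" summary count agrees with the number of items actually listed under that heading (a quick way to notice a log that was pasted incomplete), and reports the Security Center "DisableNotify" values that MBAM flagged as Disabled.SecurityCenter. The sample log is constructed from the one above with the all-clean sections abridged; the function and class names are my own.

```python
"""Parser for Malwarebytes' Anti-Malware 1.x text logs, with a check for the
Security Center notification-disable values seen in the log above."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: header, summary block and detection sections copied from
# the MBAM 1.44 log above, with the all-clean sections abridged.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3778
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 217054
Time elapsed: 30 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\)"                       # object and detection name
    r"(?: -> Bad: \((?P<bad>[^()]*)\) Good: \((?P<good>[^()]*)\))?"  # present on data items only
    r" -> (?P<action>.+)$"                                            # what MBAM did about it
)

@dataclass
class Detection:
    category: str
    path: str
    detection: str
    action: str
    bad: str | None = None
    good: str | None = None

@dataclass
class MbamReport:
    version: str = ""
    database: str = ""
    summary: dict[str, int] = field(default_factory=dict)
    items: list[Detection] = field(default_factory=list)

def parse_mbam_log(text: str) -> MbamReport:
    """Walk the log once: header fields, then summary counts, then per-section items."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report.version = line.split()[-1]
        elif line.startswith("Database version: "):
            report.database = line.split(": ", 1)[1]
        elif (m := SUMMARY_RE.match(line)):
            report.summary[m["category"]] = int(m["count"])
        elif (m := SECTION_RE.match(line)):
            section = m["category"]
        elif section and (m := ITEM_RE.match(line)):
            report.items.append(Detection(section, m["path"], m["detection"],
                                          m["action"], m["bad"], m["good"]))
    return report

def counts_match(report: MbamReport) -> bool:
    """True when every summary count equals the number of items listed under it,
    which is a cheap test that the log was pasted whole and not truncated."""
    per_section: dict[str, int] = {}
    for item in report.items:
        per_section[item.category] = per_section.get(item.category, 0) + 1
    return all(per_section.get(cat, 0) == n for cat, n in report.summary.items())

SECURITY_CENTER_KEY = "\\SOFTWARE\\Microsoft\\Security Center\\"

def security_center_tampering(report: MbamReport) -> list[str]:
    """Names of Security Center values MBAM found set to 1 (notifications off)."""
    return sorted(
        item.path.rsplit("\\", 1)[-1]
        for item in report.items
        if SECURITY_CENTER_KEY.lower() in item.path.lower() and item.bad == "1"
    )

if __name__ == "__main__":
    r = parse_mbam_log(SAMPLE_LOG)
    print(f"MBAM {r.version}, database {r.database}: {len(r.items)} item(s), "
          f"summary consistent: {counts_match(r)}")
    for name in security_center_tampering(r):
        print(f"Security Center notification suppressed via {name}")
```

The two values it surfaces here are the ones in the log above: with AntiVirusDisableNotify and FirewallDisableNotify set to 1, Windows XP's Security Center stops warning that anti-virus is missing or the firewall is off, which is why MBAM lists 0 as the good value and treats 1 as tampering worth reverting.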

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:34 AM

Posted 23 February 2010 - 03:44 PM

Good evening.

I'd say that you were about done then.

You are running an old version of Sun Java which needs updating:

Go here and click on the Windows XP/Vista/2000/2003 Offline link in the Windows section near the top and save the file somewhere handy.
Install as you would normally and that's that done.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your copy of Adobe Reader is also out of date. You can get the latest version here - feel free to uncheck the Free McAfee® Security Scan Plus option before you download it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.

So long, and thanks for all the fish.


#11 ibgileu

ibgileu
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Local time:02:34 AM

Posted 23 February 2010 - 06:47 PM

Great, thank you very much for your time and patience! I'll make those updates!

Brian

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:34 AM

Posted 24 February 2010 - 03:24 PM

Since this issue appears to be resolved, this topic has been closed.

So long, and thanks for all the fish.
