
Infected with Vista Guardian 2010


  • This topic is locked
46 replies to this topic

#1 Kevin5120

Kevin5120

  • Members
  • 36 posts
  • OFFLINE
  • Local time:08:16 PM

Posted 23 February 2010 - 04:55 PM

I have a Dell Inspiron 1525 with Windows Vista Home Premium 32-bit and McAfee Total Protection.

OK, well, last week while on Yahoo Answers I got redirected to a different site saying my computer was infected. I had a hard time getting this page to go away, and not long afterwards I got a program popping up on my screen called Antivirus Vista 2010 saying I had all these infections. Already knowing that this program itself was the real culprit, I ignored buying their product and closed it out, but of course it always pops up every now and then and is really annoying. Since I was already on Yahoo Answers I looked up a solution. I found some special removal tool that I had to download and run to remove the infection. I did so and it seemed to work, but only about an hour or 2 later it came back, only this time under a different name, calling itself Antivirus Soft 2010. So I looked up another removal tool for this one and tried to run it, but it failed. So I looked up more info on what to do, when I came across the Malwarebytes Anti-Malware program. I downloaded this and ran it with the full scan option. It detected 3 things, which I went on to remove, and I got a log file stating it was done successfully. Now thinking I had finally gotten rid of it, I went about my normal business, only to find out the next day that it came back. I don't know which name it used that time; I just remember running Malwarebytes again, knowing that it at least would temporarily stop it.

Another thing I should mention is that I've had numerous computer problems in the past and have formatted my hard drive 4 times. The 2nd time was in October, and I only did a limited amount of updates afterwards and didn't try doing any again till about a few weeks ago. So I attempted to install Vista Service Pack 1, and during stage 2 of the installation it restarted, and when it came back on there was a black screen with a bunch of files either running, loading or being scanned, not sure which, but it froze at some point and wouldn't do anything else, so I had to manually shut it down, and afterward it wouldn't start up again. Long story on this; I'm gonna cut it to the point: I had to reformat, of course, the 3rd time now, and this time I didn't do any updates, because if I had another problem like before I couldn't get McAfee back until they sent me the recovery disk, which took over 2 weeks to get. I finally got it this past Friday and on Sunday attempted to do the service pack update again, and the same thing as before happened, so I formatted a 4th time... but this time I did updates before anything else, and I got every update available, even up to Vista Service Pack 2, which I've never had on my system before. The computer runs like brand new and I was finally happy, thinking everything was in tip-top shape, until last night I randomly got the pop-up for the virus again. Only this time I don't know how, because I had formatted the other night, but the virus was calling itself Vista Guardian 2010. Really frustrated, I redownloaded Malwarebytes Anti-Malware, did the scan, removed the virus; of course it came back again under another name. I removed it for the final time last night and shut down the computer afterwards for the night. I got on today and 20 minutes after being on I got the virus again... under the Vista Guardian 2010 name, which is still on my system now. I haven't bothered to use Malwarebytes at all today, and I came across this site and did the steps provided for making this topic, but while running the GMER program, after I saved the scanned info, I got a blue screen crash error and the system restarted. I tried to get back on my user account only to have a black screen with a cursor, and the only other thing I could see or interact with was the virus program... so I restarted again and went on my cousin's user account, which doesn't have any traces of the virus, which leads me to believe it's only affecting my user account, and finally got on here to post the topic. I really appreciate the help. I know you guys are busy so I'm OK with waiting; take your time. Thank you for your time, and sorry for such a long post; I just wanted to make this as descriptive as possible.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 15:13:13.07 on Tue 02/23/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3061.863 [GMT -5:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\ytbb.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Users\Administrator\AppData\Local\av.exe
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/ig/dell
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080424
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080424
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100221230647.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-2-21 385536]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-2-21 64304]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-2-21 160720]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-2-21 54776]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-4-23 73728]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-21 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-21 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-21 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-21 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-2-21 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-2-21 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-2-21 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-2-21 55456]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-4-24 111616]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-2-21 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-2-21 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-2-21 312584]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-2-21 21504]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-4-23 30192]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-2-21 83496]

=============== Created Last 30 ================

2010-02-23 20:08:32 0 ----a-w- c:\users\administrator\defogger_reenable
2010-02-23 14:37:47 0 d-----w- c:\program files\Microsoft
2010-02-23 14:37:33 0 d-----w- c:\program files\Windows Live SkyDrive
2010-02-23 14:27:19 0 d-----w- c:\program files\common files\Windows Live
2010-02-23 03:59:23 0 d-----w- c:\users\admini~1\appdata\roaming\Malwarebytes
2010-02-23 03:59:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-23 03:59:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 03:59:18 0 d-----w- c:\programdata\Malwarebytes
2010-02-23 03:59:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-22 18:58:53 0 d-----w- c:\programdata\Apple Computer
2010-02-22 18:58:00 0 d-----w- c:\programdata\Apple
2010-02-22 05:12:04 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-02-22 04:54:11 0 d-----w- c:\programdata\Yahoo! Companion
2010-02-22 04:53:53 0 d-----w- c:\programdata\Yahoo!
2010-02-22 04:52:03 0 d-----w- c:\program files\Yahoo!
2010-02-22 04:43:07 0 d-----w- c:\program files\McAfeeMOBK
2010-02-22 04:43:03 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-02-22 04:43:01 0 d-----w- c:\program files\McAfee Online Backup
2010-02-22 04:08:30 0 d-----w- c:\program files\SiteAdvisor
2010-02-22 04:06:47 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-02-22 04:06:40 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-02-22 04:06:40 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-02-22 04:06:40 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-02-22 04:06:40 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-02-22 04:06:40 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-02-22 04:06:40 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-02-22 04:06:40 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-02-22 04:06:40 160720 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-02-22 04:06:40 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-02-22 04:06:34 0 d-----w- c:\program files\McAfee.com
2010-02-22 04:06:34 0 d-----w- c:\program files\common files\Mcafee
2010-02-22 04:06:32 0 d-----w- c:\program files\McAfee
2010-02-22 04:01:24 0 d-----w- c:\programdata\McAfee
2010-02-22 03:39:56 0 d-----w- c:\program files\Windows Portable Devices
2010-02-22 03:38:56 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-02-22 03:24:03 0 d-----w- c:\windows\system32\vi-VN
2010-02-22 03:24:03 0 d-----w- c:\windows\system32\eu-ES
2010-02-22 03:24:03 0 d-----w- c:\windows\system32\ca-ES
2010-02-22 03:10:03 0 d-----w- c:\windows\system32\EventProviders
2010-02-22 03:08:59 883712 ----a-w- c:\windows\system32\IMJP10.IME
2010-02-22 03:07:59 516608 ----a-w- c:\windows\system32\autoplay.dll
2010-02-22 03:06:52 153 ----a-w- c:\windows\system32\RacUREx.xml
2010-02-22 03:06:42 83968 ----a-w- c:\windows\system32\wbem\wmiutils.dll
2010-02-22 03:06:42 744448 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2010-02-22 03:06:42 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2010-02-22 03:06:42 30208 ----a-w- c:\windows\system32\wbem\wbemprox.dll
2010-02-22 03:06:42 265728 ----a-w- c:\windows\system32\wbem\repdrvfs.dll
2010-02-22 03:06:42 265728 ----a-w- c:\windows\system32\wbem\esscli.dll
2010-02-22 03:06:42 189440 ----a-w- c:\windows\system32\wbem\mofd.dll
2010-02-22 03:06:41 705536 ----a-w- c:\windows\system32\SmiEngine.dll
2010-02-22 03:06:38 218624 ----a-w- c:\windows\system32\wdscore.dll
2010-02-22 03:06:38 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2010-02-22 03:06:26 247808 ----a-w- c:\windows\system32\drvstore.dll
2010-02-22 02:55:02 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-02-22 02:54:57 11967524 ----a-w- c:\windows\system32\korwbrkr.lex
2010-02-22 02:31:43 0 d-----w- C:\PerfLogs
2010-02-22 02:09:59 758784 ----a-w- c:\windows\system32\WMADMOD.DLL
2010-02-22 02:08:59 64000 ----a-w- c:\windows\system32\drivers\mpsdrv.sys
2010-02-22 01:41:04 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-02-22 01:39:44 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-22 01:39:44 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-22 01:16:39 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-02-22 01:16:39 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-02-22 01:16:39 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-02-22 01:16:39 23552 ----a-w- c:\windows\system32\lpk.dll
2010-02-22 01:16:39 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-02-22 01:16:39 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-02-22 01:15:01 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2010-02-22 01:15:00 834048 ----a-w- c:\windows\system32\wininet.dll
2010-02-22 01:14:59 72704 ----a-w- c:\windows\system32\admparse.dll
2010-02-22 01:14:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-02-22 01:14:55 48128 ----a-w- c:\windows\system32\mshtmler.dll
2010-02-22 01:13:22 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-02-22 01:13:22 272896 ----a-w- c:\windows\system32\polstore.dll
2010-02-22 01:12:33 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-22 01:12:33 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-22 01:10:49 17920 ----a-w- c:\windows\system32\netevent.dll
2010-02-22 01:10:48 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-02-22 01:10:48 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-02-22 01:10:48 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-02-22 01:10:48 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-02-22 01:10:48 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-02-22 01:10:48 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-02-22 01:10:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-02-22 01:10:48 10240 ----a-w- c:\windows\system32\finger.exe
2010-02-22 01:10:45 814 ----a-w- c:\windows\system32\wbem\WFP.MOF
2010-02-22 01:09:43 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-02-22 01:09:42 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-02-22 01:09:42 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-02-22 01:09:42 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-02-22 01:09:42 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-02-22 01:09:42 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-02-22 01:09:42 2501921 ----a-w- c:\windows\system32\wlan.tmf
2010-02-22 01:09:40 2334 ----a-w- c:\windows\system32\wbem\L2SecHC.mof
2010-02-22 01:09:39 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-02-22 01:08:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-02-22 01:08:46 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-02-22 01:08:46 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-02-22 01:08:45 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-02-22 01:07:28 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-02-22 01:06:35 98816 ----a-w- c:\windows\system32\mfps.dll
2010-02-22 01:06:35 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-02-22 01:06:35 2868224 ----a-w- c:\windows\system32\mf.dll
2010-02-22 01:06:35 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-02-22 01:06:35 2048 ----a-w- c:\windows\system32\mferror.dll
2010-02-22 01:05:39 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-22 01:02:50 71680 ----a-w- c:\windows\system32\atl.dll
2010-02-22 00:57:49 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-02-22 00:57:01 53248 ----a-w- c:\windows\system32\tsgqec.dll
2010-02-22 00:57:01 136192 ----a-w- c:\windows\system32\aaclient.dll
2010-02-22 00:57:00 2066432 ----a-w- c:\windows\system32\mstscax.dll
2010-02-22 00:53:50 714240 ----a-w- c:\windows\system32\timedate.cpl
2010-02-22 00:51:18 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2010-02-22 00:49:09 623616 ----a-w- c:\windows\system32\localspl.dll
2010-02-22 00:47:02 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-02-22 00:47:01 9728 ----a-w- c:\windows\system32\lsass.exe
2010-02-22 00:47:01 72704 ----a-w- c:\windows\system32\secur32.dll
2010-02-22 00:47:01 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-02-22 00:47:01 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-02-22 00:47:01 270848 ----a-w- c:\windows\system32\schannel.dll
2010-02-22 00:47:01 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2010-02-22 00:47:00 13780 ----a-w- c:\windows\system32\wbem\lsasrv.mof
2010-02-22 00:42:38 6656 ----a-w- c:\windows\system32\kbd106n.dll
2010-02-22 00:38:00 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-22 00:38:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-22 00:37:59 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-22 00:37:00 37888 ----a-w- c:\windows\system32\printcom.dll
2010-02-22 00:36:23 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-02-22 00:35:10 14848 ----a-w- c:\windows\system32\wshrm.dll
2010-02-22 00:34:33 43520 ----a-w- c:\windows\system32\msdxm.tlb
2010-02-22 00:34:33 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-02-22 00:34:33 18432 ----a-w- c:\windows\system32\amcompat.tlb
2010-02-22 00:32:39 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-22 00:32:38 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-22 00:23:21 65536 ----a-w- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2010-02-22 00:23:21 31916032 ----a-w- c:\windows\ocsetup_install_NetFx3.etl
2010-02-22 00:23:21 196608 ----a-w- c:\windows\ocsetup_cbs_install_NetFx3.perf
2010-02-22 00:21:40 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-02-22 00:16:24 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-22 00:16:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-22 00:16:22 1696768 ----a-w- c:\windows\system32\gameux.dll
2010-02-22 00:15:59 84480 ----a-w- c:\windows\system32\INETRES.dll
2010-02-22 00:15:51 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-02-22 00:15:37 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-02-22 00:15:31 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-02-22 00:15:25 243712 ----a-w- c:\windows\system32\rastls.dll
2010-02-22 00:15:19 355328 ----a-w- c:\windows\system32\WSDApi.dll
2010-02-22 00:13:13 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-22 00:13:13 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-21 23:48:21 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-02-21 23:48:13 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-02-21 23:47:59 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-02-21 23:47:59 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-02-21 23:44:11 0 d-----w- C:\Intel
2010-02-21 23:39:31 0 d-sh--we c:\programdata\Documents
2010-02-15 23:50:20 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-02-15 23:50:20 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-02-06 02:14:48 0 ----a-w- c:\windows\MOBK.flt
2010-02-06 02:14:48 0 ----a-w- c:\windows\MOBK.blk

==================== Find3M ====================

2010-02-22 04:07:03 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-22 04:07:03 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-22 04:07:02 143360 ----a-w- c:\windows\inf\infstor.dat
2010-02-22 03:39:54 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-22 03:16:28 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-02-22 02:42:01 174 --sha-w- c:\program files\desktop.ini
2010-02-22 02:26:35 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-02-22 02:26:34 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-02-22 00:14:51 91136 ----a-w- c:\windows\system32\avifil32.dll
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-04-24 00:30:00 76 --sha-r- c:\windows\CT4CET.bin
2008-04-24 08:03:47 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:14:36.83 ===============
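Added triage example, not part of this post, of the DDS tool or of BleepingComputer's guidance: a small Python script that reads the "Running Processes" section of a DDS log in the format shown above and flags any executable running from a user-writable profile location (AppData\Local, AppData\Roaming, Temp). In the log above the one such process is c:\users\administrator\appdata\local\av.exe, the same av.exe that the ComboFix run later in this thread lists under "Other Deletions", while every other entry runs from the Windows or Program Files trees. The trusted-prefix and suspect-marker lists, and the shortened sample log lines embedded in the script, are my own constructions for illustration.

```python
"""Triage the 'Running Processes' section of a DDS log (added example).

Flags image paths under user-writable profile locations, which is where the
rogue av.exe in the thread's DDS log lives. Prefix and marker lists below are
assumptions made for this example, not a DDS or vendor whitelist.
"""
import re

# Image-path prefixes (lower-case) that system and vendor software normally
# runs from on a 32-bit Vista install. Assumed list.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\progra~1\\",
    "c:\\progra~2\\",
)

# User-writable locations that droppers favour. Assumed list.
SUSPECT_MARKERS = (
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\temp\\",
)

# DDS section header, e.g. "============== Running Processes ==============="
SECTION_RE = re.compile(r"^=+\s*Running Processes\s*=+$")

# Image path, optionally followed by arguments ("svchost.exe -k DcomLaunch").
# Backtracking lets a directory named "mcafee.com" pass through to the real .exe.
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|scr|com|dll))(?:\s+.*)?$", re.IGNORECASE)


def extract_running_processes(log_text):
    """Return the non-blank lines between the Running Processes header and the next header."""
    procs = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("="):  # next "=== ... ===" header ends the section
            break
        if line:
            procs.append(line)
    return procs


def image_path(proc_line):
    """Lower-cased image path with any trailing arguments removed."""
    m = IMAGE_RE.match(proc_line)
    return (m.group(1) if m else proc_line).lower()


def classify(proc_line):
    """'suspect' (user-writable drop location), 'trusted' (system/vendor tree) or 'unknown'."""
    path = image_path(proc_line)
    if any(marker in path for marker in SUSPECT_MARKERS):
        return "suspect"
    if path.startswith(TRUSTED_PREFIXES):
        return "trusted"
    return "unknown"


def triage(log_text):
    """Map every process that is not in a trusted tree to its label."""
    findings = {}
    for proc in extract_running_processes(log_text):
        label = classify(proc)
        if label != "trusted":
            findings[proc] = label
    return findings


# Constructed excerpt modelled on the DDS log above (list shortened).
SAMPLE_LOG = """DDS (Ver_09-12-01.01) - NTFSx86

============== Running Processes ===============

C:\\Windows\\system32\\wininit.exe
C:\\Windows\\system32\\svchost.exe -k DcomLaunch
C:\\Program Files\\Common Files\\McAfee\\SystemCore\\mcshield.exe
C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe
C:\\PROGRA~1\\Yahoo!\\Companion\\Installs\\cpn\\ytbb.exe
C:\\Users\\Administrator\\AppData\\Local\\av.exe
C:\\Users\\Administrator\\Desktop\\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
"""

if __name__ == "__main__":
    for proc, label in triage(SAMPLE_LOG).items():
        print(f"{label:8s} {proc}")
```

The script is a filter for an analyst's eye, not a verdict: dds.scr on the Desktop comes back as "unknown" because it is neither in a system tree nor in a drop location, which is exactly the kind of entry a human then resolves (here it is the helper's own diagnostic tool, as the first post explains).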


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:16 AM

Posted 25 February 2010 - 02:02 PM

Hi Kevin5120,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#3 Kevin5120

Kevin5120
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:08:16 PM

Posted 25 February 2010 - 04:54 PM

Hello, thank you for assisting me with this problem, I really appreciate it. :)

I would like to add the following new problems I've been experiencing since my first reply. My user account on this computer became completely unusable and only displays a black screen with my cursor and the virus program appearing, so I've been using my cousin's user account. The virus originated from my user account and never affected this one before until yesterday, when I have had to use Task Manager and end the process of the virus to make it go away; leaving Task Manager open was also the only way to keep the virus from re-adding itself to my active processes. Also, when I surf the web and type anything into a search engine, on the web page displaying the results of my search, if I click on any of the links I'm automatically redirected to another site, which McAfee says is dangerous, so I get out of it. The only way to avoid this is to copy the exact web address instead of clicking the link and paste it directly into my web browser.

And here is the ComboFix log:

ComboFix 10-02-25.02 - Alicia 02/25/2010 16:19:50.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3061.2015 [GMT -5:00]
Running from: c:\users\Alicia\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\users\Alicia\AppData\Local\av.exe
c:\windows\system32\gatherWirelessInfo.vbs
c:\windows\system32\oem7.inf
c:\windows\system32\stacsv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_STacSV


((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
.

2010-02-25 21:28 . 2010-02-25 21:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-25 21:28 . 2010-02-25 21:28 -------- d-----w- c:\users\User\AppData\Local\temp
2010-02-25 17:51 . 2010-02-25 17:51 -------- d-----w- c:\users\Alicia\AppData\Roaming\Reallusion
2010-02-25 17:51 . 2010-02-25 17:51 -------- d-----w- c:\users\Alicia\AppData\Roaming\tmp
2010-02-25 02:58 . 2010-02-25 15:25 59464 ----a-w- c:\users\Alicia\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 08:05 . 2010-02-24 08:05 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-02-23 18:49 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 18:48 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-23 18:48 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-23 18:48 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-23 18:48 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-23 18:48 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-23 18:48 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-23 18:48 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-23 18:48 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-23 18:48 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-23 18:48 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-23 18:48 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-23 18:48 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-23 15:16 . 2010-02-23 15:16 -------- d-----w- c:\users\Alicia\AppData\Local\Adobe
2010-02-23 14:38 . 2010-02-25 21:09 -------- d-----w- c:\users\Alicia\Tracing
2010-02-23 14:37 . 2010-02-23 14:37 -------- d-----w- c:\program files\Microsoft
2010-02-23 14:37 . 2010-02-23 14:37 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-23 14:37 . 2010-02-23 14:37 -------- d-----w- c:\program files\Windows Live
2010-02-23 14:27 . 2010-02-23 14:27 -------- d-----w- c:\program files\Common Files\Windows Live
2010-02-23 03:59 . 2010-02-23 03:59 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2010-02-23 03:59 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-23 03:59 . 2010-02-23 03:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-23 03:59 . 2010-02-23 03:59 -------- d-----w- c:\programdata\Malwarebytes
2010-02-23 03:59 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 01:34 . 2010-02-23 01:34 -------- d-----w- c:\windows\Sun
2010-02-22 20:05 . 2010-02-23 21:04 -------- d-----w- c:\users\Alicia\AppData\Local\Yahoo
2010-02-22 18:58 . 2010-02-22 18:58 -------- d-----w- c:\programdata\Apple Computer
2010-02-22 18:58 . 2010-02-22 18:58 -------- d-----w- c:\program files\Common Files\Apple
2010-02-22 18:58 . 2010-02-22 18:58 -------- d-----w- c:\users\Alicia\AppData\Local\Apple
2010-02-22 18:58 . 2010-02-22 18:58 -------- d-----w- c:\program files\Apple Software Update
2010-02-22 18:58 . 2010-02-22 18:58 -------- d-----w- c:\programdata\Apple
2010-02-22 18:55 . 2010-02-22 18:59 -------- d-----w- c:\program files\QuickTime
2010-02-22 15:20 . 2010-02-22 15:26 -------- d-----w- c:\users\Alicia\AppData\Roaming\Elluminate
2010-02-22 14:10 . 2010-02-22 20:05 -------- d-----w- c:\users\Alicia\AppData\Roaming\Yahoo!
2010-02-22 05:40 . 2010-02-22 05:40 -------- d-----w- c:\users\Administrator\AppData\Local\Adobe
2010-02-22 05:18 . 2010-02-22 20:51 -------- d-----w- c:\users\Administrator\AppData\Local\Yahoo
2010-02-22 05:18 . 2010-02-22 20:51 -------- d-----w- c:\users\Administrator\AppData\Roaming\Yahoo!
2010-02-22 05:12 . 2010-02-22 05:18 -------- d-----w- c:\users\Administrator\AppData\Local\Google
2010-02-22 05:12 . 2010-02-22 05:12 58896 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-22 05:12 . 2010-02-22 05:12 -------- d--h--w- c:\users\Administrator\AppData\Roaming\GTek
2010-02-22 05:12 . 2010-02-22 05:12 -------- d-----w- c:\users\Administrator\AppData\Local\SupportSoft
2010-02-22 05:12 . 2010-02-22 05:12 -------- d-----w- c:\users\Administrator\AppData\Local\MediaDirect
2010-02-22 05:12 . 2008-03-06 07:58 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-02-22 04:57 . 2010-02-22 04:57 -------- d-----w- c:\users\User\AppData\Local\Yahoo
2010-02-22 04:54 . 2010-02-22 05:18 -------- d-----w- c:\programdata\Yahoo! Companion
2010-02-22 04:54 . 2010-02-22 04:57 -------- d-----w- c:\users\User\AppData\Roaming\Yahoo!
2010-02-22 04:53 . 2010-02-22 04:54 -------- d-----w- c:\programdata\Yahoo!
2010-02-22 04:52 . 2010-02-22 04:54 -------- d-----w- c:\program files\Yahoo!
2010-02-22 04:43 . 2010-02-22 04:43 -------- d-----w- c:\program files\McAfeeMOBK
2010-02-22 04:43 . 2010-02-22 04:43 -------- dc----w- c:\windows\system32\DRVSTORE
2010-02-22 04:43 . 2010-02-06 02:13 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-02-22 04:43 . 2010-02-22 04:43 -------- d-----w- c:\program files\McAfee Online Backup
2010-02-22 04:08 . 2010-02-22 04:08 -------- d-----w- c:\program files\SiteAdvisor
2010-02-22 04:01 . 2010-02-22 14:14 -------- d-----w- c:\programdata\McAfee
2010-02-22 03:38 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-02-22 03:24 . 2010-02-22 03:24 -------- d-----w- c:\windows\system32\ca-ES
2010-02-22 03:24 . 2010-02-22 03:24 -------- d-----w- c:\windows\system32\eu-ES
2010-02-22 03:24 . 2010-02-22 03:24 -------- d-----w- c:\windows\system32\vi-VN
2010-02-22 03:10 . 2010-02-22 03:10 -------- d-----w- c:\windows\system32\EventProviders
2010-02-22 03:08 . 2009-04-11 06:28 758784 ----a-w- c:\windows\system32\qmgr.dll
2010-02-22 03:07 . 2009-04-11 06:28 1671680 ----a-w- c:\windows\system32\wlanpref.dll
2010-02-22 03:06 . 2009-04-11 06:28 83968 ----a-w- c:\windows\system32\wbem\wmiutils.dll
2010-02-22 03:06 . 2009-04-11 06:28 744448 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2010-02-22 03:06 . 2009-04-11 06:28 30208 ----a-w- c:\windows\system32\wbem\wbemprox.dll
2010-02-22 03:06 . 2009-04-11 06:28 265728 ----a-w- c:\windows\system32\wbem\repdrvfs.dll
2010-02-22 03:06 . 2009-04-11 06:28 189440 ----a-w- c:\windows\system32\wbem\mofd.dll
2010-02-22 03:06 . 2009-04-11 06:28 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2010-02-22 03:06 . 2009-04-11 06:28 265728 ----a-w- c:\windows\system32\wbem\esscli.dll
2010-02-22 03:06 . 2009-04-11 06:28 705536 ----a-w- c:\windows\system32\SmiEngine.dll
2010-02-22 03:06 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2010-02-22 03:06 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2010-02-22 03:06 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2010-02-22 02:55 . 2008-05-27 04:59 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-02-22 02:31 . 2010-02-22 02:31 -------- d-----w- C:\PerfLogs
2010-02-22 02:09 . 2008-01-19 07:36 758784 ----a-w- c:\windows\system32\WMADMOD.DLL
2010-02-22 02:08 . 2008-01-19 07:36 11264 ----a-w- c:\windows\system32\usbperf.dll
2010-02-22 01:41 . 2010-02-22 01:41 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-02-22 01:39 . 2010-02-22 01:39 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-22 01:39 . 2010-02-22 01:39 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-22 01:28 . 2010-02-22 01:28 -------- d-----w- c:\users\User\AppData\Local\SupportSoft
2010-02-22 01:16 . 2010-02-22 01:16 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-02-22 01:16 . 2010-02-22 01:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-02-22 01:16 . 2010-02-22 01:16 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-02-22 01:16 . 2010-02-22 01:16 23552 ----a-w- c:\windows\system32\lpk.dll
2010-02-22 01:16 . 2010-02-22 01:16 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-02-22 01:16 . 2010-02-22 01:16 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-02-22 01:15 . 2010-02-22 01:15 834048 ----a-w- c:\windows\system32\wininet.dll
2010-02-22 01:14 . 2010-02-22 01:14 72704 ----a-w- c:\windows\system32\admparse.dll
2010-02-22 01:14 . 2010-02-22 01:14 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-02-22 01:14 . 2010-02-22 01:14 48128 ----a-w- c:\windows\system32\mshtmler.dll
2010-02-22 01:13 . 2010-02-22 01:13 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-02-22 01:13 . 2010-02-22 01:13 272896 ----a-w- c:\windows\system32\polstore.dll
2010-02-22 01:12 . 2010-02-22 01:12 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-22 01:12 . 2010-02-22 01:12 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-22 01:10 . 2010-02-22 01:10 17920 ----a-w- c:\windows\system32\netevent.dll
2010-02-22 01:10 . 2010-02-22 01:10 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-02-22 01:10 . 2010-02-22 01:10 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-02-22 01:10 . 2010-02-22 01:10 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-02-22 01:10 . 2010-02-22 01:10 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-02-22 01:10 . 2010-02-22 01:10 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-02-22 01:10 . 2010-02-22 01:10 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-02-22 01:10 . 2010-02-22 01:10 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-02-22 01:10 . 2010-02-22 01:10 10240 ----a-w- c:\windows\system32\finger.exe
2010-02-22 01:09 . 2010-02-22 01:09 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-02-22 01:09 . 2010-02-22 01:09 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-02-22 01:09 . 2010-02-22 01:09 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-02-22 01:09 . 2010-02-22 01:09 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-02-22 01:09 . 2010-02-22 01:09 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-02-22 01:09 . 2010-02-22 01:09 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-02-22 01:08 . 2010-02-22 01:08 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-02-22 01:08 . 2010-02-22 01:08 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-02-22 01:08 . 2010-02-22 01:08 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-02-22 01:08 . 2010-02-22 01:08 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-02-22 01:07 . 2010-02-22 01:07 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-02-22 01:06 . 2010-02-22 01:06 2868224 ----a-w- c:\windows\system32\mf.dll
2010-02-22 01:06 . 2010-02-22 01:06 98816 ----a-w- c:\windows\system32\mfps.dll
2010-02-22 01:06 . 2010-02-22 01:06 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-02-22 01:06 . 2010-02-22 01:06 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-02-22 01:06 . 2010-02-22 01:06 2048 ----a-w- c:\windows\system32\mferror.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 08:09 . 2008-04-24 00:40 -------- d-----w- c:\programdata\Microsoft Help
2010-02-25 08:05 . 2008-04-24 00:41 -------- d-----w- c:\program files\Microsoft Works
2010-02-24 01:33 . 2008-04-24 08:10 304920 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-02-23 23:08 . 2010-02-22 04:06 -------- d-----w- c:\program files\McAfee
2010-02-23 14:21 . 2010-02-22 05:52 -------- d--h--w- c:\users\Alicia\AppData\Roaming\GTek
2010-02-22 04:07 . 2010-02-22 04:06 -------- d-----w- c:\program files\Common Files\Mcafee
2010-02-22 04:06 . 2010-02-22 04:06 -------- d-----w- c:\program files\McAfee.com
2010-02-22 03:52 . 2008-04-24 00:43 -------- d-----w- c:\program files\Google
2010-02-22 03:48 . 2010-02-22 03:48 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbA3A0.tmp.exe
2010-02-22 03:39 . 2010-02-22 03:39 -------- d-----w- c:\program files\Windows Portable Devices
2010-02-22 03:39 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-22 03:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-02-22 03:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-02-22 03:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-02-22 03:24 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-22 03:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-02-22 03:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-02-22 03:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-02-22 02:26 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-02-22 02:26 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-02-22 01:38 . 2008-04-24 00:44 -------- d-----w- c:\programdata\Dell
2010-02-22 00:16 . 2010-02-22 00:16 2560 ----a-w- c:\windows\AppPatch\AcRes.dll
2010-02-21 23:44 . 2010-02-21 23:44 -------- d--h--w- c:\users\User\AppData\Roaming\GTek
2010-02-21 23:44 . 2010-02-21 23:44 58896 ----a-w- c:\users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-21 23:39 . 2010-02-21 23:39 -------- d-sh--we c:\programdata\Templates
2010-02-21 23:39 . 2010-02-21 23:39 -------- d-sh--we c:\programdata\Start Menu
2010-02-21 23:39 . 2010-02-21 23:39 -------- d-sh--we c:\programdata\Favorites
2010-02-21 23:39 . 2010-02-21 23:39 -------- d-sh--we c:\programdata\Documents
2010-02-21 23:39 . 2010-02-21 23:39 -------- d-sh--we c:\programdata\Desktop
2010-01-06 15:38 . 2010-02-23 18:48 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-23 18:48 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-23 18:48 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-23 18:48 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-05 23:04 . 2010-02-22 04:06 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-01-05 23:04 . 2010-02-22 04:06 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-01-05 23:04 . 2010-02-22 04:06 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-01-05 23:04 . 2010-02-22 04:06 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-01-05 23:04 . 2010-02-22 04:06 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-01-05 23:04 . 2010-02-22 04:06 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-01-05 23:04 . 2010-02-22 04:06 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-01-05 23:04 . 2010-02-22 04:06 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-01-05 23:04 . 2010-02-22 04:06 160720 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-01-05 23:04 . 2010-02-22 04:06 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2008-04-24 00:30 . 2008-04-24 00:30 76 --sha-r- c:\windows\CT4CET.bin
2008-04-24 08:03 . 2008-04-24 07:50 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-02-06 02:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-02-06 02:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-02-06 02:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-24 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-22 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-01-27 1179952]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-23 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-9-7 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):48,9c,93,6b,6f,b3,ca,01

R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\System32\drivers\mfenlfk.sys [2/21/2010 11:06 PM 64304]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\System32\drivers\mfewfpk.sys [2/21/2010 11:06 PM 160720]
R1 MOBKFilter;MOBKFilter;c:\windows\System32\drivers\MOBK.sys [2/21/2010 11:43 PM 54776]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [4/23/2008 7:15 PM 73728]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/21/2010 11:06 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/21/2010 11:06 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/21/2010 11:06 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [2/21/2010 11:07 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [2/21/2010 11:06 PM 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2/5/2010 9:14 PM 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\System32\drivers\cfwids.sys [2/21/2010 11:06 PM 55456]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [4/24/2008 3:10 AM 111616]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\System32\drivers\mfefirek.sys [2/21/2010 11:06 PM 312584]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/23/2008 7:43 PM 30192]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\System32\drivers\mferkdet.sys [2/21/2010 11:06 PM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-22 03:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-25 16:32
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85933A9A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8a9a4d24
\Driver\ACPI -> acpi.sys @ 0x82697d68
\Driver\atapi -> ataport.SYS @ 0x82cdba2c
\Driver\iaStor -> iastor.sys @ 0x82c42918
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1284)
c:\progra~1\mcafee\sitead~1\saHook.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\WLANExt.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\system32\rundll32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\vssvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2010-02-25 16:44:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-25 21:43

Pre-Run: 88,618,770,432 bytes free
Post-Run: 88,365,150,208 bytes free

- - End Of File - - 5ACCBD4C7C6CBAE0B111495106CD46A3


#4 Farbar

    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 February 2010 - 05:27 PM

Please disable Windows automatic update. Also don't use the computer and don't change anything until we have taken care of this rootkit infection. In many cases it leaves the computer unbootable and we have to take other measures.

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


CODE
@ECHO OFF
REM List every kernel driver in the "SCSI Miniport" load-order group (atapi, iaStor, ...)
sc query type= driver group= "SCSI Miniport" > Log.txt
REM List every copy of the two storage drivers below the current directory with date
REM and size. Started via "Run as administrator" the current directory is
REM C:\Windows\system32, so this covers system32\drivers and the DriverStore.
dir /a /s iastor.* >>log.txt
dir /a /s atapi.* >>log.txt
Start Log.txt

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate look.bat on the desktop. It should look like this:
  • Right-click to run it as administrator.
  • A Notepad window opens; copy and paste its content (log.txt) into your reply.


#5 Kevin5120

  • Topic Starter
  • Members
  • 36 posts

Posted 25 February 2010 - 05:57 PM

OK, I set Windows Update to never check for updates. I hope that was right because I wasn't sure exactly how to disable it. I've also closed all other web pages except this one and am not running any other programs except those you shall instruct.

Also, I'd like to note something that started to occur after I ran ComboFix: when I open anything on my computer, e.g. Notepad, I get this error:

C:\Windows\System32\notepad.exe

Illegal operation attempted on a registry key that has been marked for deletion.

I can still use any program if I run it as administrator, but I get this error if I just try opening it.

Here's the look.bat log file:


SERVICE_NAME: atapi
DISPLAY_NAME: IDE Channel
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: iaStor
DISPLAY_NAME: Intel AHCI Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Volume in drive C is OS
Volume Serial Number is 0EC2-B5BB

Directory of C:\Windows\system32\drivers

02/23/2010 08:33 PM 304,920 iaStor.sys
1 File(s) 304,920 bytes

Directory of C:\Windows\system32\DriverStore\FileRepository

04/24/2008 03:10 AM <DIR> iastor.inf_5f6e7be5
0 File(s) 0 bytes

Directory of C:\Windows\system32\DriverStore\FileRepository\iaahci.inf_3a63e5a6

09/06/2007 11:43 AM 304,920 iaStor.sys
1 File(s) 304,920 bytes

Directory of C:\Windows\system32\DriverStore\FileRepository\iastor.inf_5f6e7be5

09/06/2007 11:43 AM 11,156 iaStor.cat
09/06/2007 11:43 AM 7,678 iastor.inf
09/06/2007 11:43 AM 304,920 iaStor.sys
3 File(s) 323,754 bytes

Total Files Listed:
5 File(s) 933,594 bytes
1 Dir(s) 88,396,615,680 bytes free
Volume in drive C is OS
Volume Serial Number is 0EC2-B5BB

Directory of C:\Windows\system32\drivers

04/11/2009 01:32 AM 19,944 atapi.sys
1 File(s) 19,944 bytes

Directory of C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_5a9555b4

04/24/2008 02:50 AM 21,688 atapi.sys
1 File(s) 21,688 bytes

Directory of C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_5da5d093

04/24/2008 03:09 AM 21,688 atapi.sys
1 File(s) 21,688 bytes

Directory of C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_64dfd8ea

04/24/2008 03:03 AM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_6c3af7d3

04/24/2008 03:09 AM 21,688 atapi.sys
1 File(s) 21,688 bytes

Directory of C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_7de13c21

04/24/2008 03:03 AM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_82339ef2

04/24/2008 02:51 AM 19,048 atapi.sys
1 File(s) 19,048 bytes

Directory of C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_b12d8e84

04/11/2009 01:32 AM 19,944 atapi.sys
1 File(s) 19,944 bytes

Directory of C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_c6c2e699

11/02/2006 04:49 AM 19,048 atapi.sys
1 File(s) 19,048 bytes

Directory of C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_cc18792d

01/19/2008 02:41 AM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_e6b2949c

04/24/2008 02:51 AM 21,688 atapi.sys
1 File(s) 21,688 bytes

Total Files Listed:
11 File(s) 229,416 bytes
0 Dir(s) 88,396,615,680 bytes free
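
Farbar's look.bat lists every copy of iaStor.sys and atapi.sys so that the one Windows loads from System32\drivers can be compared by eye with the copies kept in the DriverStore. In the log above the live iaStor.sys has exactly the size of the 2007 store copies (304,920 bytes) but a modification time of 23 February 2010, which is the signature of a driver overwritten in place. The PowerShell below is an added example, not code from the thread or from any of its participants, that automates that comparison with hashes and an Authenticode check. It assumes PowerShell 4.0 or later (for Get-FileHash), an elevated prompt, and the two driver names from the thread; the function name Test-DriverAgainstStore is an invention of this example.

```powershell
# Added example (not from the thread): compare each live storage driver with the
# copies in the DriverStore. Assumes PowerShell 4.0+ and an elevated prompt.

$driverNames = @('iaStor.sys', 'atapi.sys')      # the two drivers named in the thread
$driversDir  = Join-Path $env:SystemRoot 'System32\drivers'
$storeDir    = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'

function Test-DriverAgainstStore {
    param([Parameter(Mandatory)][string]$Name)

    $live = Join-Path $driversDir $Name
    if (-not (Test-Path -LiteralPath $live)) {
        return [pscustomobject]@{ Driver = $Name; Present = $false }
    }

    $liveItem = Get-Item -LiteralPath $live
    $liveHash = (Get-FileHash -LiteralPath $live -Algorithm SHA256).Hash
    $liveSig  = Get-AuthenticodeSignature -FilePath $live

    # Several *.inf_* folders usually hold the same driver (see the eleven
    # atapi.sys copies in the log); collect all of them and hash each one.
    $storeCopies = Get-ChildItem -LiteralPath $storeDir -Recurse -Filter $Name -File -ErrorAction SilentlyContinue
    $storeHashes = foreach ($c in $storeCopies) { (Get-FileHash -LiteralPath $c.FullName -Algorithm SHA256).Hash }

    # The pattern to look for: same size as a store copy, different content,
    # fresh modification time. In-place infectors preserve the file size, so
    # the size column of a dir listing alone cannot settle the question.
    $sameSizeCopies = @($storeCopies | Where-Object { $_.Length -eq $liveItem.Length })

    [pscustomobject]@{
        Driver              = $Name
        Present             = $true
        Size                = $liveItem.Length
        LastWrite           = $liveItem.LastWriteTime
        SignatureStatus     = $liveSig.Status          # 'Valid' is the only good answer
        Signer              = $liveSig.SignerCertificate.Subject
        MatchesStoreCopy    = [bool]($storeHashes -contains $liveHash)
        SameSizeStoreCopies = $sameSizeCopies.Count
        StoreCopies         = @($storeCopies.FullName)
    }
}

foreach ($name in $driverNames) {
    $r = Test-DriverAgainstStore -Name $name
    if (-not $r.Present) { Write-Warning "$name is not present in $driversDir"; continue }
    $r | Format-List Driver, Size, LastWrite, SignatureStatus, Signer, MatchesStoreCopy, SameSizeStoreCopies
    if ($r.SignatureStatus -ne 'Valid' -or -not $r.MatchesStoreCopy) {
        $msg = "{0}: signature status '{1}', matches a DriverStore copy: {2}. Treat as suspect; candidate clean copies:`n  {3}" -f `
               $name, $r.SignatureStatus, $r.MatchesStoreCopy, ($r.StoreCopies -join "`n  ")
        Write-Warning $msg
    }
}
```

Two caveats a practitioner should keep in mind. A rootkit that hooks the disk stack, as the Gmer section of the ComboFix log suggests here (an UNKNOWN module in the disk.sys call chain), can serve the original bytes back when its own infected file is read, so a clean hash obtained from the running system is not conclusive; the authoritative comparison is made from boot media against the offline Windows directory. Conversely, inbox drivers such as atapi.sys are normally catalog-signed rather than embedded-signed, and older Windows and PowerShell versions report those as NotSigned, so a NotSigned status on its own proves nothing; a hash that matches no store copy together with a modification time that matches no update is the finding to act on.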


#6 Farbar

    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 February 2010 - 06:19 PM

QUOTE
ok i set windows update to never check for updates

thumbup2.gif

QUOTE
Illegal operation attempted on a registry key that has been marked for deletion.

This will be corrected after rebooting once.
  1. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    REM Stage known-good copies from the DriverStore at the root of C: (/h also copies
    REM hidden and system files). Each xcopy reports "1 File(s) copied" on success.
    Xcopy /h "C:\Windows\system32\DriverStore\FileRepository\iastor.inf_5f6e7be5\iaStor.sys" c:\ >log.txt
    Xcopy /h "C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys" c:\ >>log.txt
    start log.txt

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Right-click to run it as administrator.
    • A log file opens. In case the log reports "1 File(s) copied" twice, proceed with the next step. Otherwise stop here and tell me its content.


  2. Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
      CODE
      Comment:
      start to process
      Files to move:
      C:\iaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys
      C:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
    • In the avenger window, click the Paste Script from Clipboard, button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log in your next reply.


#7 Kevin5120

Kevin5120
  • Topic Starter

  • Members
  • 36 posts

Posted 25 February 2010 - 06:39 PM

I'm experiencing a problem with The Avenger download. When I save it to the desktop and then right-click to extract, there's no option to do so, and if I double-click the folder and try to extract it that way, it gets to the point where it asks where I want to extract it; I choose the desktop and hit Next, but then I get an access denied error.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 February 2010 - 06:44 PM

Try first to extract it to its own folder. Then cut and paste it to desktop.

Edited by farbar, 25 February 2010 - 06:53 PM.


#9 Kevin5120

Kevin5120
  • Topic Starter

  • Members
  • 36 posts

Posted 25 February 2010 - 06:54 PM

OK, I'm not 100% sure what you meant, but I saved it to the desktop again and made an empty folder in Documents and tried extracting it to the empty folder, but still got the error. I also tried saving the download to Documents instead of the desktop and tried to extract it from there, with the error still appearing....

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 February 2010 - 06:57 PM

If you right click the zip file you should have Extract All... option. By default it is set to Avenger folder. Is this the only software you are not able to run and get access denied?

#11 Kevin5120

Kevin5120
  • Topic Starter

  • Members
  • 36 posts

Posted 25 February 2010 - 07:12 PM

Well, I just checked other folders on my computer which are compressed zip folders and they don't have the right-click option to extract either. All I see is

Open
Explore
Scan with malwarebytes anti malware
scan with mcafee
add to mcafee online backup
open with...
share...
send to
cut
copy
create shortcut
delete
rename
properties

but with my other zip folders, if I open the folder then click the Extract all files option at the top of Explorer, I can set where to extract it, then click Next and it works. But again, I tried with The Avenger zip folder and still got access denied. Could my option to extract be blocked from the ComboFix like my other applications? Should I perform a restart and try again?

Edited by Kevin5120, 25 February 2010 - 07:14 PM.


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 February 2010 - 07:18 PM

If you have not restarted, restart again.

Then perform the following before running The Avenger and wait until I reply.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    iastor.sys
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#13 Kevin5120

Kevin5120
  • Topic Starter

  • Members
  • 36 posts

Posted 25 February 2010 - 07:35 PM

After I restarted the computer I got another blue screen error and it restarted itself again. Do you know what might be the cause of this?

But after it came back on again I found that I am now able to see the Extract All option when I right-click, but I didn't do anything aside from that. I have followed your other instructions and have the log you requested.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:31 on 25/02/2010 by Alicia (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\Drivers\storage\R166200\iastor.sys --a--- 304920 bytes [07:47 24/04/2008] [16:43 06/09/2007] 997E8F5939F2D12CD9F2E6B395724C16
C:\iaStor.sys --a--- 304920 bytes [23:24 25/02/2010] [16:43 06/09/2007] 997E8F5939F2D12CD9F2E6B395724C16
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 381720 bytes [00:34 24/04/2008] [17:59 21/03/2007] 9D7ED4275702E2FC409F2CC563245740
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys --a--- 304920 bytes [00:34 24/04/2008] [17:58 21/03/2007] 997E8F5939F2D12CD9F2E6B395724C16
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_3a63e5a6\iaStor.sys --a--- 304920 bytes [08:10 24/04/2008] [16:43 06/09/2007] 997E8F5939F2D12CD9F2E6B395724C16
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_5f6e7be5\iaStor.sys --a--- 304920 bytes [08:10 24/04/2008] [16:43 06/09/2007] 997E8F5939F2D12CD9F2E6B395724C16
C:\Windows\System32\drivers\iaStor.sys --a--- 304920 bytes [08:10 24/04/2008] [01:33 24/02/2010] 997E8F5939F2D12CD9F2E6B395724C16

Searching for "atapi.sys"
C:\atapi.sys --a--- 19048 bytes [23:24 25/02/2010] [07:51 24/04/2008] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\ERDNT\cache\atapi.sys --a--- 19944 bytes [21:40 25/02/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5a9555b4\atapi.sys --a--- 21688 bytes [07:50 24/04/2008] [07:50 24/04/2008] 9E7E85EC61D1C9C3171CC08427108863
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5da5d093\atapi.sys --a--- 21688 bytes [08:09 24/04/2008] [08:09 24/04/2008] 61CA2C1E145809813C28752298CF9843
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys --a--- 21560 bytes [08:03 24/04/2008] [08:03 24/04/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_6c3af7d3\atapi.sys --a--- 21688 bytes [08:09 24/04/2008] [08:09 24/04/2008] 7EB55F6BEFB392BD312CD0CD5263305D
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys --a--- 21560 bytes [08:03 24/04/2008] [08:03 24/04/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys --a--- 19048 bytes [07:51 24/04/2008] [07:51 24/04/2008] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [03:08 22/02/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [02:09 22/02/2010] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_e6b2949c\atapi.sys --a--- 21688 bytes [07:51 24/04/2008] [07:51 24/04/2008] 3E39E69F31F95D056703212E94320899
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [03:08 22/02/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys --a--- 19048 bytes [07:51 24/04/2008] [07:51 24/04/2008] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16470_none_db063634249c06f4\atapi.sys --a--- 21688 bytes [08:09 24/04/2008] [08:09 24/04/2008] 7EB55F6BEFB392BD312CD0CD5263305D
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys --a--- 21560 bytes [08:03 24/04/2008] [08:03 24/04/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys --a--- 19048 bytes [07:51 24/04/2008] [07:51 24/04/2008] 5653737BAD8C6C10136451C195C19881
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20509_none_dbe4850d3d78c736\atapi.sys --a--- 21688 bytes [07:50 24/04/2008] [07:50 24/04/2008] 9E7E85EC61D1C9C3171CC08427108863
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20544_none_dbb443eb3d9db847\atapi.sys --a--- 21688 bytes [07:51 24/04/2008] [07:51 24/04/2008] 3E39E69F31F95D056703212E94320899
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20580_none_db8503133dc1c2af\atapi.sys --a--- 21688 bytes [08:09 24/04/2008] [08:09 24/04/2008] 61CA2C1E145809813C28752298CF9843
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a--- 21560 bytes [08:03 24/04/2008] [08:03 24/04/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [02:09 22/02/2010] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [03:08 22/02/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

-=End Of File=-
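The report above lists every copy of each driver with its size, two timestamps and an MD5, and the next instruction replaces the copy under system32\drivers with one of the staged copies from the DriverStore. Parsing the report programmatically makes that comparison explicit: which staged copies share the loaded copy's hash, and whether the loaded copy was modified after every staged copy. The Python below is an added example, not SystemLook's or any poster's code; the sample log is taken from the report above plus one constructed `example.sys` search (labelled in the code) to exercise the hash-mismatch case, and the directory patterns used to tell the loaded copy from the staged copies are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# One SystemLook ':filefind' result line:
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
# Paths may contain spaces, so the path is matched lazily and the rest of the
# line is anchored on the distinctive ' bytes [' layout.
LINE_RE = re.compile(
    r'^(?P<path>\S.*?)\s+(?P<attrs>\S{6})\s+(?P<size>\d+) bytes '
    r'\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$'
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')

# Assumed layout: the copy Windows loads vs. staged copies (DriverStore / WinSxS).
LIVE_DIR = "\\system32\\drivers\\"
REPO_DIRS = ("\\driverstore\\filerepository\\", "\\winsxs\\")


def parse_stamp(text):
    # SystemLook prints HH:MM DD/MM/YYYY
    return datetime.strptime(text, "%H:%M %d/%m/%Y")


def parse_filefind(log_text):
    """Group result lines under the 'Searching for' name they belong to."""
    results = defaultdict(list)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            results[current].append({
                "path": m.group("path"),
                "size": int(m.group("size")),
                "created": parse_stamp(m.group("created")),
                "modified": parse_stamp(m.group("modified")),
                "md5": m.group("md5").upper(),
            })
    return dict(results)


def classify(path):
    p = path.lower()
    if LIVE_DIR in p:
        return "live"
    if any(d in p for d in REPO_DIRS):
        return "repository"
    return "other"


def assess(entries):
    """Compare the loaded driver copy with staged copies of the same file."""
    live = [e for e in entries if classify(e["path"]) == "live"]
    repo = [e for e in entries if classify(e["path"]) == "repository"]
    if not live:
        return {"findings": ["no copy under system32\\drivers"], "known_good_copies": []}
    live = live[0]
    findings = []
    if live["md5"] not in {e["md5"] for e in repo}:
        findings.append("live hash matches no repository copy")
    newest_repo = max((e["modified"] for e in repo), default=None)
    if newest_repo is not None and live["modified"] > newest_repo:
        findings.append("live copy modified after every repository copy")
    return {
        "live_path": live["path"],
        "live_md5": live["md5"],
        "known_good_copies": [e["path"] for e in repo if e["md5"] == live["md5"]],
        "findings": findings,
    }


def analyze(log_text):
    return {name: assess(entries) for name, entries in parse_filefind(log_text).items()}


# Lines copied from the report above; the 'example.sys' search is constructed.
SAMPLE_LOG = r"""
Searching for "iastor.sys"
C:\Drivers\storage\R166200\iastor.sys --a--- 304920 bytes [07:47 24/04/2008] [16:43 06/09/2007] 997E8F5939F2D12CD9F2E6B395724C16
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_5f6e7be5\iaStor.sys --a--- 304920 bytes [08:10 24/04/2008] [16:43 06/09/2007] 997E8F5939F2D12CD9F2E6B395724C16
C:\Windows\System32\drivers\iaStor.sys --a--- 304920 bytes [08:10 24/04/2008] [01:33 24/02/2010] 997E8F5939F2D12CD9F2E6B395724C16

Searching for "atapi.sys"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys --a--- 19048 bytes [07:51 24/04/2008] [07:51 24/04/2008] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [03:08 22/02/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [03:08 22/02/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [03:08 22/02/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

Searching for "example.sys"
C:\Windows\System32\DriverStore\FileRepository\example.inf_00000000\example.sys --a--- 10000 bytes [08:00 01/01/2009] [08:00 01/01/2009] 00000000000000000000000000000001
C:\Windows\System32\drivers\example.sys --a--- 10240 bytes [08:00 01/01/2009] [03:00 22/02/2010] 00000000000000000000000000000002
"""

if __name__ == "__main__":
    for name, report in analyze(SAMPLE_LOG).items():
        print(name, report["findings"], report["known_good_copies"])
```

On the report above this flags iaStor.sys only for its recent modification time, since its hash still matches the DriverStore copy, and reports two staged copies sharing the loaded atapi.sys hash, which is the pairing the next script uses. A matching hash computed by a tool running on the suspect machine is a useful triage signal, not proof of integrity, which is why the helper still replaces the loaded copy from a staged one.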

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 February 2010 - 07:46 PM

OK. Please run the Avenger with this script (don't include the word CODE):

CODE
Comment:
start to process
Files to move:
C:\iaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys


#15 Kevin5120

Kevin5120
  • Topic Starter

  • Members
  • 36 posts

Posted 25 February 2010 - 07:54 PM

OK, it was successful this time.

here is the log.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not move file "C:\iaStor.sys"
File move operation "C:\iaStor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

File move operation "C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.




