
Security Central


  • This topic is locked
75 replies to this topic

#1 prittidayzee

prittidayzee

  • Members
  • 88 posts
  • OFFLINE
  • Gender:Female
  • Location:Pennsylvania
  • Local time:06:50 AM

Posted 27 February 2010 - 09:54 PM

Additional information is here: http://www.bleepingcomputer.com/forums/t/298724/cannot-downloadupdate-mbam/ ~ OB

My computer is a desktop and my OS is Windows XP. The browsers I use are Mozilla Firefox, MSN, and Internet Explorer. My antivirus/firewall software is McAfee. My antispyware software is Webroot Spysweeper. I have used the free version of MBAM in the past in emergencies when I have had difficulties that the other two programs couldn't solve. On 2-25-10, I started being unable to update McAfee. When I tried to load McAfee's homepage, I was told that the page couldn't be displayed. The same thing happened when I tried to load MBAM's homepage. Attempts to load all other antivirus homepages led to the same result, or I was redirected to a random ad page. Attempts to redownload MBAM from links on this site seemed to work until I hit the automatic update portion of the installation, which gave me an error 732 message. I cannot download RKill under the names RKill.exe, RKill.com, RKill.scr, RKill.pif, iExplore.exe, eXplorer.exe, uSeRiNiT.exe, or WiNlOgOn.exe. I have a copy of RKill on a CD from a clean computer and I cannot run that either. On 2-27-10 I woke up to find popups on my computer with the name "Security Central" on them. Running a scan from McAfee and MBAM turned up nothing. Running a scan from Webroot Spysweeper found "rogue security products". I quarantined and deleted the "rogue security products" and after that the popups stopped. Also, I could not find any listing for "Security Central" in the "Add/Remove Programs" menu. I don't know if "Security Central" is causing my problems or if it just took advantage of my computer's vulnerable state. Later in the day on 2-27-10 a blue screen with white letters covered my screen telling me to restart my computer because there had been a hard system error. This has happened twice so far; each time the error message was different. Unfortunately I failed to copy down the messages because I panicked.
Both times when I restarted the computer a popup from Mozilla Firefox appeared and directed me to hxxp://wer.microsoft.com/responses/Response.aspx/685/en-us/5.1.2600.2.00010300.3.0?SGD=8b880f70-5f41-41b5-89bb-907caafa157b which is a Microsoft Windows Error Reporting site about troubleshooting a problem with a device driver. Many thanks to Sashacat for trying to help me with this issue and directing me to this forum. Many thanks in advance to all who will be helping me with this issue.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Home at 19:47:16.00 on Sat 02/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.105 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Documents and Settings\Home\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.164.231,93.188.161.72
TCP: {BFE3B744-F4D4-4757-AB2E-87578E2AC1DA} = 93.188.164.231,93.188.161.72
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\home\applic~1\mozilla\firefox\profiles\zltol4yh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2464976&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2464976&q=
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\home\application data\mozilla\firefox\profiles\zltol4yh.default\extensions\{69d1a568-ffdf-4ef5-8919-7003582e0ee8}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\home\application data\mozilla\firefox\profiles\zltol4yh.default\extensions\{69d1a568-ffdf-4ef5-8919-7003582e0ee8}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\home\application data\mozilla\firefox\profiles\zltol4yh.default\extensions\{6c3a1de1-94ca-4ad6-acdf-c1324adc487b}\components\FFExternalAlert.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-3 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-26 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-8-3 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-8-3 144704]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-4-21 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-6-15 1181040]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-8-3 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-3 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-3 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-3 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-3 34248]
S3 StandardAudio;Standard Audio Renderer Device Segment Service;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2010-02-28 00:44:30 0 ----a-w- c:\documents and settings\home\defogger_reenable
2010-02-28 00:34:07 0 d-----w- c:\program files\Cobian Backup 8
2010-02-27 18:55:54 2128 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-27 18:36:46 0 dc----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-02-27 18:33:42 0 d-----w- c:\program files\common files\iS3
2010-02-27 18:33:35 0 dc----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-02-27 18:11:20 0 d-----w- c:\program files\TrendMicro
2010-02-26 19:49:53 0 d--h--w- c:\windows\PIF
2010-02-26 01:28:35 0 d-sh--w- c:\documents and settings\home\PrivacIE
2010-02-25 12:21:21 0 d-sh--w- c:\documents and settings\home\IETldCache
2010-02-25 12:15:11 0 dc-h--w- c:\windows\ie8
2010-02-25 12:12:01 0 d--h--w- c:\windows\msdownld.tmp
2010-02-09 22:50:31 57436 ----a-w- c:\windows\DASShp.dll
2010-02-09 22:50:30 0 d-----w- c:\program files\Microsoft Reader
2010-02-09 05:23:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-09 03:58:31 0 dc----w- c:\docume~1\alluse~1\applic~1\Azureus
2010-02-09 03:58:20 0 d-----w- c:\program files\Isohunt-vuze
2010-02-09 03:58:19 0 d-----w- c:\docume~1\home\applic~1\Azureus
2010-02-09 03:57:02 0 d-----w- c:\program files\Vuze

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 19:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-04-07 15:33:15 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040720090408\index.dat

============= FINISH: 19:49:07.41 ===============

Edited by Orange Blossom, 28 February 2010 - 04:10 PM.
Deactivate link in case it's a fake site. ~ OB



#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:50 PM

Posted 01 March 2010 - 08:11 AM

Hello prittidayzee, my name is Sempai and welcome to Bleeping Computer.
*We apologize for the delay. The forum has been busy.

* Please stay with me until I declare that your computer is clean, as most users don't reply anymore once they find out that their computer is running smoothly, but absence of symptoms does not mean that a computer is free from infection.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days, otherwise this topic will be closed.



Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case Azureus/Isohunt-vuze/Vuze).
These programmes allow users to share files between them, as the name suggests. In today's world, cybercrime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



++++++++++++++++++++++++



1. Enter your control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise, double click on Network Connections.
  • Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties.
  • Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
  • Press OK twice to get out of the properties screen and reboot if it asks.


2. Please download a fresh copy of RKill by Grinler.
Link 1
Link 2
Link 3
Link 4
  • Save it to your desktop.
  • Close/disable your anti-virus program so it does not interfere with RKill. (Tutorials on how to disable your anti-virus program can be found HERE.)
  • Double click the RKILL icon to start the program. (For Windows VISTA, right click the icon and run as administrator.)
  • A window will appear and close automatically once completed. This indicates a successful run.
  • Do not reboot your computer and continue with step 2.
Note:
  1. Try running RKill using Link 1; if it does not run, download Link 2, delete Link 1, and then try running it again.
  2. If you still can't run RKill, repeat the same steps using Links 3 and 4. Please tell me if none of the links work.



3. Please download Malwarebytes' Anti-Malware from here:
MalwareBytes' AntiMalware download link

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



~Semp





You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#3 prittidayzee

prittidayzee
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Gender:Female
  • Location:Pennsylvania
  • Local time:06:50 AM

Posted 01 March 2010 - 06:59 PM

Do you recommend that I delete Vuze? I had Limewire previously, does that pose the same dangers to my computer?

I followed your instructions. Once I changed the IP setting, I was able to download the very first RKill link (finally!). I downloaded, updated and ran MBAM, no problems. It found and removed one threat: Trojan DNS Changer. A copy of MBAM's report follows:

Malwarebytes' Anti-Malware 1.44
Database version: 3810
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/1/2010 6:43:12 PM
mbam-log-2010-03-01 (18-43-12).txt

Scan type: Quick Scan
Objects scanned: 136448
Time elapsed: 19 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.231,93.188.161.72 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

THANK YOU SO MUCH!!!
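An added example, not from this thread or any BleepingComputer tool: a small triage script that reads the kind of DDS lines posted above (the TCP NameServer entries and the Firefox network.proxy.* prefs) and flags the hard-coded resolver pattern that MBAM then confirmed as Trojan.DNSChanger. The sample lines are copied from the thread's DDS log; the list of "expected" resolver networks (RFC 1918 only, i.e. a home router handing out DNS via DHCP) is an assumption of this example.

```python
"""Triage helper for DDS-style 'Pseudo HJT' log lines (added example, not a BleepingComputer tool).

It pulls out the TCP NameServer entries and the Firefox proxy prefs shown in the
thread's log and flags the DNS-changer pattern MBAM later confirmed: resolvers
hard-coded under Tcpip\\Parameters instead of being obtained from DHCP.
"""
import ipaddress
import re

# Constructed sample: the relevant lines copied from the DDS log posted in this thread.
SAMPLE_LOG = """\
TCP: NameServer = 93.188.164.231,93.188.161.72
TCP: {BFE3B744-F4D4-4757-AB2E-87578E2AC1DA} = 93.188.164.231,93.188.161.72
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 4
"""

# Assumption: on a home DHCP connection the only resolver that should ever be
# written into the registry is the router's own (RFC 1918) address. A public
# address hard-coded there was put there by hand, by the user or by malware.
EXPECTED_RESOLVER_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# "TCP: NameServer = a,b" (global) or "TCP: {interface-GUID} = a,b" (per adapter)
NAMESERVER_RE = re.compile(
    r"^TCP:\s+(?P<key>NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(?P<val>[\d.,\s]+)$"
)
# "FF - prefs.js: <pref name> - <value>"
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s+(?P<name>[\w.]+)\s+-\s+(?P<val>.*)$")

# Firefox network.proxy.type values: 0 direct, 1 manual, 2 PAC, 4 auto-detect, 5 system.
FF_PROXY_MANUAL = 1


def parse_nameservers(log_text):
    """Return {key: [ip, ...]} for every global or per-interface NameServer line."""
    found = {}
    for line in log_text.splitlines():
        m = NAMESERVER_RE.match(line.strip())
        if not m:
            continue
        ips = []
        for token in m.group("val").split(","):
            token = token.strip()
            try:
                ips.append(str(ipaddress.ip_address(token)))
            except ValueError:
                continue  # skip anything that is not an IP literal
        found[m.group("key")] = ips
    return found


def parse_firefox_proxy(log_text):
    """Return the network.proxy.* prefs as {pref name: raw value}."""
    prefs = {}
    for line in log_text.splitlines():
        m = FF_PREF_RE.match(line.strip())
        if m and m.group("name").startswith("network.proxy."):
            prefs[m.group("name")] = m.group("val").strip()
    return prefs


def unexpected_resolvers(ips, expected_nets=EXPECTED_RESOLVER_NETS):
    """Resolvers that fall outside the networks a DHCP home setup would use."""
    return [ip for ip in ips
            if not any(ipaddress.ip_address(ip) in net for net in expected_nets)]


def triage(log_text):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    for key, ips in parse_nameservers(log_text).items():
        bad = unexpected_resolvers(ips)
        if bad:
            findings.append(
                f"static DNS resolvers {','.join(bad)} under Tcpip\\Parameters ({key}); "
                "expected 'Obtain DNS servers automatically' on this connection"
            )
    prefs = parse_firefox_proxy(log_text)
    host = prefs.get("network.proxy.http")
    if host in ("localhost", "127.0.0.1"):
        active = prefs.get("network.proxy.type") == str(FF_PROXY_MANUAL)
        state = "active: manual proxy" if active else "inactive: proxy type is not manual"
        findings.append(
            f"Firefox HTTP proxy set to {host}:{prefs.get('network.proxy.http_port', '?')} "
            f"({state}); check which local program is meant to listen there"
        )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("FINDING:", finding)
```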


#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:50 PM

Posted 02 March 2010 - 07:41 AM

QUOTE
Do you recommend that I delete Vuze? I had Limewire previously, does that pose the same dangers to my computer?

We do not recommend any kind of P2P programs, so if you ask me... the answer is yes.



1. We need to create a New FULL OTL Report
  1. Please download OTL from here if you have not done so already:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Change the "Extra Registry" option to "SafeList"
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



2. We Need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Open on your desktop.
  3. Click the tab.
  4. Click the button.
  5. Check all seven boxes:
  6. Push Ok
  7. Check the box for your main system drive (Usually C:), and press Ok.
  8. Allow RootRepeal to run a scan of your system. This may take some time.
  9. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply.



~Semp



#5 prittidayzee

prittidayzee
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Gender:Female
  • Location:Pennsylvania
  • Local time:06:50 AM

Posted 02 March 2010 - 06:17 PM

Done, done, and done.

Copy of OTL.txt:
OTL logfile created on: 3/2/2010 5:11:31 PM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Home\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 105.00 Mb Available Physical Memory | 21.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 2000 2000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 22.74 Gb Free Space | 61.01% Space Free | Partition Type: NTFS
Drive D: | 702.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 52.31 Gb Total Space | 40.64 Gb Free Space | 77.68% Space Free | Partition Type: NTFS
Drive F: | 3.57 Gb Total Space | 1.71 Gb Free Space | 48.01% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-CPT9NVHPNF
Current User Name: Home
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/02 17:09:05 | 000,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Home\My Documents\Downloads\RootRepeal.exe
PRC - [2010/03/02 17:06:49 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Home\My Documents\Downloads\OTL.exe
PRC - [2010/02/20 00:28:23 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/10/29 06:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 09:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/09 23:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 10:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/06/15 02:40:39 | 001,181,040 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
PRC - [2009/04/24 12:19:58 | 006,155,808 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
PRC - [2009/04/21 17:26:52 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
PRC - [2009/04/21 17:26:50 | 000,165,232 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SSU.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/03/02 17:06:49 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Home\My Documents\Downloads\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 10:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/09 23:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 10:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/06/15 02:40:39 | 001,181,040 | ---- | M] (Webroot Software, Inc. ) [Auto | Running] -- C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe -- (WRConsumerService)
SRV - [2009/04/21 17:26:52 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Running] -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- (WebrootSpySweeperService)
SRV - [2007/12/23 01:35:35 | 000,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)
SRV - [2007/10/18 10:31:54 | 000,098,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)


========== Driver Services (SafeList) ==========

DRV - [2009/09/16 09:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 11:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/04/21 17:27:04 | 000,176,752 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\Drivers\SSIDRV.SYS -- (SSIDRV)
DRV - [2009/04/21 17:27:04 | 000,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\Drivers\SSHRMD.SYS -- (SSHRMD)
DRV - [2009/04/21 17:27:02 | 000,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys -- (ssfs0bbc)
DRV - [2008/05/28 10:02:16 | 000,020,848 | ---- | M] (Webroot Software Inc (www.webroot.com)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sskbfd.sys -- (SSKBFD)
DRV - [2008/04/13 13:45:38 | 000,031,744 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\wceusbsh.sys -- (wceusbsh)
DRV - [2007/11/13 05:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/09/28 13:30:57 | 000,019,345 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMPR5.sys -- (MREMPR5)
DRV - [2007/09/28 13:30:49 | 000,018,003 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRENDIS5.sys -- (MRENDIS5)
DRV - [2007/06/15 02:47:26 | 001,127,936 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\P17.sys -- (P17)
DRV - [2005/01/10 10:15:30 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2005/01/10 10:15:24 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2004/08/04 00:29:54 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2001/08/23 07:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/17 07:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4.sys -- (nv4)
DRV - [2001/08/17 07:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Search
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = Reg Error: Unknown registry data type
IE - HKLM\Software\Microsoft\Internet Explorer\SearchURL\w, = Reg Error: Unknown registry data type


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7070

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7070

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/
IE - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.google.com/toolbar/ie8/done.html
IE - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Search
IE - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/
IE - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\Software\Microsoft\Internet Explorer\SearchURL\w, = http://www.google.com/
IE - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\..\URLSearchHook: {6c3a1de1-94ca-4ad6-acdf-c1324adc487b} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\S-1-5-21-1275210071-854245398-1596201891-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Live Search"
FF - prefs.js..browser.search.defaultthis.engineName: "Playdom Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2464976&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.param.yahoo-fr: "moz2-ytff-"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "moz2-ytff-"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/firefox"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.1
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 7070
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/02/26 11:24:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/27 16:44:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/20 00:28:36 | 000,000,000 | ---D | M]

[2009/04/29 08:40:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Home\Application Data\Mozilla\Extensions
[2009/04/29 08:40:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Home\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/03/02 07:12:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\zltol4yh.default\extensions
[2009/09/02 08:28:10 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\zltol4yh.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/02 07:09:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\zltol4yh.default\extensions\personas@christopher.beard
[2008/11/18 21:27:25 | 000,001,739 | ---- | M] () -- C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\zltol4yh.default\searchplugins\aim-search.xml
[2010/01/05 11:32:28 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\zltol4yh.default\searchplugins\conduit.xml
[2009/03/26 19:57:27 | 000,001,633 | ---- | M] () -- C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\zltol4yh.default\searchplugins\live-search.xml
[2008/10/03 17:29:52 | 000,000,274 | ---- | M] () -- C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\zltol4yh.default\searchplugins\search.xml
[2007/12/29 21:54:58 | 000,002,386 | ---- | M] () -- C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\zltol4yh.default\searchplugins\siteadvisor.xml
[2010/03/02 07:10:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2007/12/29 15:17:52 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Webroot Software, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1275210071-854245398-1596201891-1004_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-1275210071-854245398-1596201891-1004_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll (Sun Microsystems, Inc.)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe File not found
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - Reg Error: Key error. File not found
O9 - Extra Button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe File not found
O9 - Extra 'Tools' menuitem : UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe File not found
O15 - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\..Trusted Domains: //@install.mar@ ([]msni in My Computer)
O15 - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\..Trusted Domains: //@mail.mar@ ([]msni in Local intranet)
O15 - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\..Trusted Domains: //@mail.mar@/ ([]msn in Local intranet)
O15 - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\..Trusted Domains: //@signup.mar@/ ([]msn in My Computer)
O15 - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1275210071-854245398-1596201891-1004\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-1275210071-854245398-1596201891-1004 Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 () - https://www.chaseidprotection.com/images/to..._end_secure.gif
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Home\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Home\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (OWS\S) - File not found
O30 - LSA: Security Packages - (EM\) - File not found
O30 - LSA: Security Packages - (ages settings...) - File not found
O30 - LSA: Security Packages - (Packages s) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/12/23 01:39:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/08/26 13:04:39 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 000,000,053 | -HS- | M] () - F:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2003/08/08 17:24:26 | 000,000,045 | -HS- | M] () - F:\autorun.inf.aug.8 -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/02 17:05:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Home\Desktop\Bleeping Computer 2
[2010/03/02 17:05:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Home\Desktop\Bleeping Computer 1
[2010/03/02 03:05:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/02/27 19:34:07 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 8
[2010/02/27 13:36:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/02/27 13:33:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2010/02/27 13:33:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/02/27 13:11:20 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/02/26 14:49:53 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/02/25 20:28:35 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Home\PrivacIE
[2010/02/25 08:19:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2010/02/25 07:21:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/02/25 07:21:21 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Home\IETldCache
[2010/02/25 07:19:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/02/25 07:15:11 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/02/25 07:13:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Home\Local Settings\Application Data\Google
[2010/02/25 07:12:01 | 000,000,000 | -H-D | C] -- C:\WINDOWS\msdownld.tmp
[2010/02/17 03:34:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Home\Local Settings\Application Data\agfhja
[2010/02/11 08:24:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Home\Local Settings\Application Data\ulugqj
[2010/02/09 17:50:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Home\My Documents\My Library
[2010/02/09 17:50:31 | 000,057,436 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\DASShp.dll
[2010/02/09 17:50:30 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Reader
[2010/02/09 17:50:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2010/02/09 00:23:43 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/02/09 00:23:42 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/02/09 00:23:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/02/09 00:23:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/02/08 23:18:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Home\My Documents\Vuze Downloads
[2010/02/08 22:58:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2010/02/08 22:58:20 | 000,000,000 | ---D | C] -- C:\Program Files\Isohunt-vuze
[2010/02/08 22:58:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Home\Application Data\Azureus
[2010/02/08 22:57:02 | 000,000,000 | ---D | C] -- C:\Program Files\Vuze
[2009/11/09 10:24:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Soldiers_of_Solution
[2009/05/31 19:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/01/22 18:39:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/07/22 01:34:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Identities
[2008/03/20 01:22:29 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/12/29 15:15:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Webroot
[2007/12/29 14:33:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/12/23 01:42:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2007/12/23 01:39:07 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2002/04/11 01:41:06 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/02 17:10:05 | 000,000,912 | ---- | M] () -- C:\Documents and Settings\Home\Desktop\Shortcut to RootRepeal.lnk
[2010/03/02 17:07:32 | 000,000,871 | ---- | M] () -- C:\Documents and Settings\Home\Desktop\Shortcut to OTL.lnk
[2010/03/02 10:01:10 | 000,000,336 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/03/02 10:00:14 | 000,001,658 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_LA6446D0B11DB4D689EEE237FF1E49902.job
[2010/03/02 06:54:54 | 000,000,629 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/02 06:54:54 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/02 06:54:54 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/03/02 05:04:24 | 000,023,303 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/03/02 05:02:57 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/02 05:02:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/02 05:02:47 | 535,969,792 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/02 05:01:57 | 004,980,736 | ---- | M] () -- C:\Documents and Settings\Home\ntuser.dat
[2010/03/02 05:01:10 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Home\ntuser.ini
[2010/03/02 05:00:00 | 000,001,540 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_L6B561B6AF4B14FF1B248B16AB97F511D.job
[2010/03/02 05:00:00 | 000,001,538 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_LDDD59015938F4686BECE172FC3C5B7DC.job
[2010/03/02 04:00:02 | 000,001,538 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_L5C0D03A9C9F8487FABF8F4B38278C814.job
[2010/03/02 03:07:37 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/01 14:26:00 | 000,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/27 19:44:30 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Home\defogger_reenable
[2010/02/27 17:22:43 | 000,002,128 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/02/27 03:31:22 | 000,000,570 | ---- | M] () -- C:\Documents and Settings\Home\My Documents\My Sharing Folders.lnk
[2010/02/25 23:00:46 | 000,001,664 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_LE8276F1744104E62B6D28490B3FD16AB.job
[2010/02/11 18:23:23 | 000,080,696 | ---- | M] () -- C:\Documents and Settings\Home\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/02/10 03:47:24 | 000,303,624 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/02 17:10:05 | 000,000,912 | ---- | C] () -- C:\Documents and Settings\Home\Desktop\Shortcut to RootRepeal.lnk
[2010/03/02 17:07:32 | 000,000,871 | ---- | C] () -- C:\Documents and Settings\Home\Desktop\Shortcut to OTL.lnk
[2010/02/27 19:44:30 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Home\defogger_reenable
[2010/02/27 13:55:54 | 000,002,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2009/04/21 17:26:56 | 000,031,088 | ---- | C] () -- C:\WINDOWS\System32\wrLZMA.dll
[2009/01/20 12:50:40 | 000,000,065 | ---- | C] () -- C:\WINDOWS\FISHUI.INI
[2009/01/19 23:36:22 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2009/01/19 23:36:22 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2009/01/19 23:36:21 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2009/01/19 23:36:21 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\Ogg.dll
[2008/11/05 19:33:29 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\5cb9c261afffd8cc
[2008/11/05 19:33:19 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\7656e06c1d449090
[2008/11/05 19:33:04 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\3fbc7f1aa7eb71f4
[2008/11/05 19:32:54 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\9cb8e8cdb7bd8f66
[2008/11/05 19:32:44 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\d7af94eb99b2bcc3
[2008/11/05 19:32:19 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\fc141786cc64a19
[2008/11/05 19:31:59 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\f63b070ff5944c7
[2008/11/05 19:31:34 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\b727f97cd5d8b31
[2008/11/05 19:31:14 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\44ea227d3189a25
[2008/11/05 19:30:59 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\f37b579184154e2f
[2008/11/05 19:30:49 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\9e1c2aedd08d1be
[2008/11/05 19:30:39 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\bfa32b32cadaa8ec
[2008/11/05 19:30:14 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\f4ce14102c78090b
[2008/11/05 19:30:04 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\d140f9ccfa068efb
[2008/11/05 19:29:54 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\57adc92e36937452
[2008/11/05 19:29:38 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\2c05cbb2d98f0118
[2008/11/05 19:29:28 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\695fe352a22e7cb8
[2008/11/05 19:28:43 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\415f6ec3af22cc72
[2008/11/05 19:27:23 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\c86c2c0868be9936
[2008/11/05 19:27:03 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\62e70bef291df8d2
[2008/11/05 19:24:33 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\aa811763770c1b2f
[2008/11/05 19:24:23 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\8e1ed91c7fe11de2
[2008/11/05 19:23:58 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\a5691ccdee850915
[2008/11/05 19:23:38 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\ecc91e9452ec580
[2008/11/05 19:23:13 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\c76b63e688f6ee89
[2008/11/05 19:23:03 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\3baa68b0923c1d02
[2008/11/05 19:22:53 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\884a329bbd9b4a08
[2008/11/05 18:19:42 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\f4b219ddeb63a80
[2008/11/05 18:19:22 | 000,003,262 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\6717eef05d4629ff
[2008/11/05 18:19:04 | 000,000,038 | -H-- | C] () -- C:\Documents and Settings\Home\Local Settings\Application Data\Thumbs.db
[2008/09/13 12:09:19 | 000,017,920 | ---- | C] () -- C:\Documents and Settings\Home\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/08/19 13:00:30 | 000,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/01/09 03:02:13 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2007/12/29 14:25:42 | 000,001,414 | ---- | C] () -- C:\WINDOWS\WinInit.Ini
[2007/12/28 18:53:33 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/05/03 11:38:42 | 000,064,512 | ---- | C] () -- C:\WINDOWS\System32\P17.dll
[2003/10/02 10:48:18 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\P17CPI.dll
[2003/01/07 02:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FE29FBBF
< End of report >

Copy of Extras.txt:
OTL Extras logfile created on: 3/2/2010 5:11:31 PM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Home\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 105.00 Mb Available Physical Memory | 21.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 2000 2000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 22.74 Gb Free Space | 61.01% Space Free | Partition Type: NTFS
Drive D: | 702.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 52.31 Gb Total Space | 40.64 Gb Free Space | 77.68% Space Free | Partition Type: NTFS
Drive F: | 3.57 Gb Total Space | 1.71 Gb Free Space | 48.01% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-CPT9NVHPNF
Current User Name: Home
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1275210071-854245398-1596201891-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"9244:TCP" = 9244:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"9244:TCP" = 9244:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- File not found
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- File not found
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
"{22E9CF2B-4063-4dab-A251-93FA46F7DECC}_is1" = Spy Sweeper for MSN
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 17
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}" = Spy Sweeper Core
"{44C05309-60F4-410B-BC32-31733CFF1A46}" = Microsoft Digital Image Standard 2006 Editor
"{4F1CECBC-670F-4DAA-81D6-944B12450917}" = DIGOpt
"{4FE542EB-FF0B-4739-94DD-25C8AE0AB252}" = Microsoft Digital Image Standard 2006 Library
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{5F629FE8-5B4C-4863-937A-AFC2961F7DD3}" = Microsoft Works Suite Add-in for Microsoft Word
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{B6F7DBE7-2FE2-458F-A738-B10832746036}" = Microsoft Reader
"{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}" = Works Synchronization
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C19BE821-89B1-4A96-AC7C-873810C0CB5F}" = ContentSAFER for Wizmax
"{C20CE592-B0F8-4D20-BF31-0151CA6331A6}" = Samsung Media Studio 5
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{F8D0829C-9C6F-11D3-8080-00C04FA329AA}" = Microsoft Works 6.0
"{FAF7F1D7-C0E7-47EA-8AAA-84E4F9EA3C94}" = Works Suite OS Pack
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CobBackup8" = Cobian Backup 8
"FoneSync" = FoneSync
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Isohunt-vuze Toolbar" = Isohunt-vuze Toolbar
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.8)" = Mozilla Firefox (3.5.8)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PictureItPrem_v12" = Microsoft Digital Image Standard 2006 Update
"Verizon Online Help and Support" = Verizon Online Help and Support
"Vuze" = Vuze
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2001Setup" = Microsoft Works 2001 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/1/2010 3:28:42 PM | Computer Name = HOME-CPT9NVHPNF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 3/1/2010 3:28:42 PM | Computer Name = HOME-CPT9NVHPNF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 3/1/2010 3:28:43 PM | Computer Name = HOME-CPT9NVHPNF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 3/1/2010 3:29:01 PM | Computer Name = HOME-CPT9NVHPNF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 3/1/2010 3:29:01 PM | Computer Name = HOME-CPT9NVHPNF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 3/1/2010 3:29:02 PM | Computer Name = HOME-CPT9NVHPNF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 3/1/2010 3:29:02 PM | Computer Name = HOME-CPT9NVHPNF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 3/1/2010 3:29:02 PM | Computer Name = HOME-CPT9NVHPNF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 3/1/2010 3:29:02 PM | Computer Name = HOME-CPT9NVHPNF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 3/1/2010 3:29:03 PM | Computer Name = HOME-CPT9NVHPNF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 2/27/2010 11:23:36 PM | Computer Name = HOME-CPT9NVHPNF | Source = ACPI | ID = 327685
Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
(0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 2/27/2010 11:23:36 PM | Computer Name = HOME-CPT9NVHPNF | Source = ACPI | ID = 327684
Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
(0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 3/1/2010 3:26:01 PM | Computer Name = HOME-CPT9NVHPNF | Source = ACPI | ID = 327685
Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
(0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 3/1/2010 3:26:01 PM | Computer Name = HOME-CPT9NVHPNF | Source = ACPI | ID = 327684
Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
(0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 3/1/2010 7:44:41 PM | Computer Name = HOME-CPT9NVHPNF | Source = SSIDRV | ID = 131098
Description = Failed to set monitor event rule.

Error - 3/1/2010 7:46:35 PM | Computer Name = HOME-CPT9NVHPNF | Source = ACPI | ID = 327685
Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
(0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 3/1/2010 7:46:35 PM | Computer Name = HOME-CPT9NVHPNF | Source = ACPI | ID = 327684
Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
(0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 3/2/2010 6:00:38 AM | Computer Name = HOME-CPT9NVHPNF | Source = SSIDRV | ID = 131098
Description = Failed to set monitor event rule.

Error - 3/2/2010 6:02:50 AM | Computer Name = HOME-CPT9NVHPNF | Source = ACPI | ID = 327685
Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
(0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 3/2/2010 6:02:50 AM | Computer Name = HOME-CPT9NVHPNF | Source = ACPI | ID = 327684
Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
(0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.


< End of report >

Copy of Root Repeal.txt:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/03/02 17:11
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6A6B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8C06000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF329C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\$$$dq3e
Status: Size mismatch (API: 5482570, Raw: 5482180)

Path: c:\windows\temp\mcmsc_qlfhvelbgewoenr
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_fek8llr8miqd3oh
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\SST-ADA2A90E-2362-41F8-BF28-881F26027A37.tmp
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x82f6ec60

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x82fb21b8

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x82f6f320

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x82f6f2a8

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x82f6ef30

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x82fb06a8

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x82f6f398

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x82f6ecd8

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x82f6eb70

#: 192 Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x82f6f500

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x82f6edc8

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x82f6f488

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x82f6f1b8

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x82f6ee40

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x82f6f410

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x82f6efa8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x82f6ed50

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x82f6f230

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x82f6eeb8

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x82f6ebe8

Stealth Objects
-------------------
Object: Hidden Module [Name: z00clicker.dll]
Process: firefox.exe (PID: 272) Address: 0x00e10000 Size: 225280

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82b5ee40 Size: 449

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x82dc7c48 Size: 953

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x82dc7218 Size: 1311

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x82dc17e8 Size: 2073

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x82dda850 Size: 1884

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x82db8ce8 Size: 792

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82f63218 Size: 550

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82ebcd30 Size: 584

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x82ebc020 Size: 846

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x82a66708 Size: 1808

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82df03d8 Size: 3112

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82dbc020 Size: 894

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82db39c0 Size: 1601

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82db30c8 Size: 850

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82ebf1e8 Size: 3608

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x829444f8 Size: 2603

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82944078 Size: 578

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82946218 Size: 3560

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82947390 Size: 3185

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x8294a550 Size: 1892

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x82a0f020 Size: 4065

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82dfe020 Size: 514

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8295c460 Size: 2978

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x8295c320 Size: 3298

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8295c1e0 Size: 3618

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8295c0a0 Size: 3938

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8295b0a8 Size: 144

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8295bed8 Size: 298

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x8295bd98 Size: 618

Hidden Services
-------------------
Service Name: Logical Disk Manager (NDIS)
Image Path: C:\WINDOWS\system32\drivers\Logical Disk Manager (NDIS).sys

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x82dda3b0

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x82a5a1b8

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x82dda338

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x82a5a230

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x824255c0

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x824712f0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x8217c370

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x82466ad8

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x820da220

==EOF==

#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:50 PM

Posted 03 March 2010 - 09:13 AM

Hi, an MBR rootkit is present. Please make sure to follow the instructions carefully and in the order I have posted them.


1. Download and save HelpAsst_mebroot_fix.exe
Double click (Run as administrator for Vista) to run the tool then tell me how it went.



2. Please download MBR.EXE by GMER. Save the file in your Root directory (C:\).
  • Click Start > Run > then copy/paste the text below > Press Enter.
    C:\mbr.exe -f
  • A logfile (mbr.log) will be created on your screen (or find it at C:\mbr.log), post that log when you reply.
  • Please restart your computer immediately.



3. Please disable McAfee and run ComboFix.
How to disable McAfee:
  • Please open McAfee Security Centre
  • Under Common Tasks click on Home
  • Click Computer Files
  • Click Configure
  • Make sure the following are disabled by ticking the "Off" button.
    Virus protection
    Spyware protection
    System Guards Protection
    Script Scanning Protection (you may have to scroll down to see it)
  • Next, select Never for "When to re-enable real time scanning" and click OK.
Further info on disabling and re-enabling McAfee: http://help.aol.com/help/microsites/micros...ternalID=222820



Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note**:
*If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


Warning!
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper. *** If you are not the topic starter, DO NOT run this tool, as it could cause irreversible damage to your computer.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



~Semp






You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 prittidayzee

prittidayzee
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Pennsylvania
  • Local time:06:50 AM

Posted 03 March 2010 - 02:56 PM

I want to follow your instructions, but I am having trouble. I downloaded HelpAsst with seemingly no problems. When I double-click on it, it brings up a window that has blue inside of it with white letters. On the top it says C:\WINDOWS\system32\cmd.exe. Inside it says "HelpAssistant account does not exist. Press any key to continue..." When I press any key, it then closes the window. I did not download/run MBR.EXE or download/run ComboFix yet, since you told me to follow the instructions in order.

#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:50 PM

Posted 03 March 2010 - 05:19 PM

That's normal...

Please continue with the rest of my instructions. Thanks.

~Semp



#9 prittidayzee

prittidayzee
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Pennsylvania
  • Local time:06:50 AM

Posted 03 March 2010 - 09:53 PM

Okay here is the copy of MBR.EXE's log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

When ComboFix was running, a pop-up that you did not warn me about appeared. The title was "Windows - No Disk" and the text within said "Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c", with three options below to click on: "Cancel, Try Again, and Continue". I clicked on Continue twice, no results. Try Again once, no results. Cancel twice, no results. Try Again once, no results. Continue once, and ComboFix went back to doing its thing.

Copy of ComboFix log:

ComboFix 10-03-03.03 - Home 03/03/2010 20:54:31.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.257 [GMT -5:00]
Running from: c:\documents and settings\Home\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\system\smss.exe.assembly
C:\smp.bat
c:\windows\system32\muzapp.exe
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IP_FW
-------\Legacy_LOGICAL_DISK_MANAGER_(NDIS)


((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-03-04 01:11 . 2010-03-04 01:11 -------- dc----w- c:\documents and settings\HelpAssistant.HOME-CPT9NVHPNF\WINDOWS
2010-03-04 01:11 . 2010-03-04 01:11 -------- dc----w- c:\documents and settings\HelpAssistant.HOME-CPT9NVHPNF\UserData
2010-03-04 00:55 . 2010-03-04 02:09 -------- dc----w- c:\documents and settings\HelpAssistant.HOME-CPT9NVHPNF
2010-03-02 08:05 . 2010-03-02 08:10 -------- d-----w- c:\windows\ie8updates
2010-03-02 00:45 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-03-02 00:45 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-28 00:34 . 2010-02-28 00:35 -------- d-----w- c:\program files\Cobian Backup 8
2010-02-27 18:36 . 2010-02-27 18:36 -------- dc----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-02-27 18:33 . 2010-02-27 18:33 -------- d-----w- c:\program files\Common Files\iS3
2010-02-27 18:33 . 2010-02-27 22:44 -------- dc----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-02-27 18:11 . 2010-02-27 18:11 -------- d-----w- c:\program files\TrendMicro
2010-02-26 19:49 . 2010-02-26 19:49 -------- d--h--w- c:\windows\PIF
2010-02-26 13:10 . 2010-02-26 13:10 -------- dc----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-02-26 01:28 . 2010-02-26 01:28 -------- d-sh--w- c:\documents and settings\Home\PrivacIE
2010-02-25 12:40 . 2010-02-25 12:40 -------- dc----w- c:\documents and settings\HelpAssistant\IETldCache
2010-02-25 12:21 . 2010-02-25 12:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-25 12:21 . 2010-02-25 12:21 -------- d-sh--w- c:\documents and settings\Home\IETldCache
2010-02-25 12:21 . 2010-02-25 12:21 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-25 12:19 . 2010-02-25 12:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-25 12:15 . 2010-02-25 12:16 -------- dc-h--w- c:\windows\ie8
2010-02-25 12:13 . 2010-02-25 12:13 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\Google
2010-02-25 12:12 . 2010-02-25 12:19 -------- d--h--w- c:\windows\msdownld.tmp
2010-02-17 08:34 . 2010-02-17 08:35 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\agfhja
2010-02-15 15:20 . 2010-02-15 15:20 -------- dc----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-02-15 15:20 . 2010-02-15 15:20 -------- dc----w- c:\documents and settings\HelpAssistant\UserData
2010-02-15 14:56 . 2010-02-15 14:56 -------- dc----w- c:\documents and settings\HelpAssistant\Contacts
2010-02-11 13:24 . 2010-02-11 13:24 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\ulugqj
2010-02-09 22:50 . 2003-06-05 22:15 57436 ----a-w- c:\windows\DASShp.dll
2010-02-09 22:50 . 2010-02-09 22:50 -------- d-----w- c:\program files\Microsoft Reader
2010-02-09 22:50 . 2010-02-09 22:50 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-09 03:58 . 2010-02-09 03:58 -------- dc----w- c:\documents and settings\All Users\Application Data\Azureus
2010-02-09 03:58 . 2010-02-09 03:58 -------- d-----w- c:\program files\Isohunt-vuze
2010-02-09 03:58 . 2010-02-09 23:04 -------- d-----w- c:\documents and settings\Home\Application Data\Azureus
2010-02-09 03:57 . 2010-02-09 04:06 -------- d-----w- c:\program files\Vuze

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 02:04 . 2009-02-05 21:13 -------- d-----w- c:\program files\system
2010-03-03 18:54 . 2007-12-24 16:21 -------- d-----w- c:\documents and settings\Home\Application Data\MSN6
2010-03-01 20:09 . 2008-08-04 02:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-27 22:22 . 2010-02-27 18:55 2128 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-26 12:14 . 2008-01-28 22:17 -------- d-----w- c:\program files\Google
2010-02-25 11:58 . 2008-03-12 13:44 -------- d-----w- c:\program files\Windows Live
2010-02-16 13:26 . 2009-01-28 03:00 -------- d-----w- c:\program files\LimeWire
2010-02-11 23:23 . 2007-12-29 19:33 80696 ----a-w- c:\documents and settings\Home\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-09 22:50 . 2008-01-05 18:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-09 05:24 . 2008-11-08 21:29 -------- d-----w- c:\program files\Java
2010-02-09 05:19 . 2009-11-07 00:37 -------- d-----w- c:\program files\Common Files\Apple
2010-02-08 15:37 . 2008-08-19 18:00 -------- d-----w- c:\documents and settings\Home\Application Data\Apple Computer
2010-01-25 16:36 . 2010-01-25 16:34 -------- dc----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-25 16:07 . 2010-01-25 16:06 -------- d-----w- c:\program files\Safari
2010-01-25 15:41 . 2010-01-25 15:39 -------- d-----w- c:\program files\QuickTime
2010-01-25 15:39 . 2009-01-20 05:51 -------- dc----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-07 21:07 . 2008-08-04 02:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-08-04 02:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2008-09-25 03:08 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2007-12-23 06:35 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-09-25 03:08 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2008-09-25 03:08 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2008-09-25 03:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2008-09-25 03:08 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-04-24 6155808]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Home^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Home\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-03-18 22:50 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-10-18 15:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"9244:TCP"= 9244:TCP:Services

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 5:27 PM 29808]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/26/2008 3:04 AM 93320]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
StandardAudio
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-04 16:22]

2010-03-03 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-04 16:22]

2009-02-18 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-02-06 02:01]

2010-03-03 c:\windows\Tasks\wrSpySweeper_L5C0D03A9C9F8487FABF8F4B38278C814.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-12-29 17:19]

2010-03-03 c:\windows\Tasks\wrSpySweeper_L5C0D03A9C9F8487FABF8F4B38278C814.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-12-29 17:19]

2010-03-03 c:\windows\Tasks\wrSpySweeper_L6B561B6AF4B14FF1B248B16AB97F511D.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-12-29 17:19]

2010-03-03 c:\windows\Tasks\wrSpySweeper_L6B561B6AF4B14FF1B248B16AB97F511D.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-12-29 17:19]

2010-03-03 c:\windows\Tasks\wrSpySweeper_LA6446D0B11DB4D689EEE237FF1E49902.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-12-29 17:19]

2010-03-03 c:\windows\Tasks\wrSpySweeper_LA6446D0B11DB4D689EEE237FF1E49902.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-12-29 17:19]

2010-03-03 c:\windows\Tasks\wrSpySweeper_LDDD59015938F4686BECE172FC3C5B7DC.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-12-29 17:19]

2010-03-03 c:\windows\Tasks\wrSpySweeper_LDDD59015938F4686BECE172FC3C5B7DC.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-12-29 17:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\zltol4yh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2464976&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{6c3a1de1-94ca-4ad6-acdf-c1324adc487b} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-fouhwseh - c:\documents and settings\Home\Local Settings\Application Data\ulugqj\ycwksftav.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-mediacodec - c:\docume~1\Home\LOCALS~1\Temp\mediacodec.exe
MSConfigStartUp-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 21:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82C43598]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8717f28
\Driver\ACPI -> ACPI.sys @ 0xf866acb8
\Driver\atapi -> 0x82c43598
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-03 21:33:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-04 02:33

Pre-Run: 23,624,454,144 bytes free
Post-Run: 23,541,510,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 29E545A7AC9B45A22662191431429197

After it was done running two icons reappeared on my desktop that I had deleted maybe a week ago: Internet Explorer and Spider Solitaire. Please let me know when I can reactivate my antivirus programs.
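As an added example (it is not part of this post, and it is not ComboFix or BleepingComputer code), here is a small Python script that reads a pasted ComboFix log and flags the kinds of entries in the log above that a responder would look at first: Security Center monitoring switched off for the McAfee products, the Windows Firewall disabled in the standard profile, random high ports and 3389/TCP opened under the generic label "Services", a Firefox proxy entry pointing at localhost:7070, and autostart entries running from Local Settings\Application Data or Temp. The excerpt it runs on is copied from the log above; the rules that decide what counts as suspicious are this example's own assumptions, and a hit only means "look closer", not "infected".

```python
"""Triage heuristics for a pasted ComboFix log.

Added example for this thread; not part of any forum post and not ComboFix
or BleepingComputer code. LOG_EXCERPT is copied from the log posted above.
The rules below (which lines count as suspicious) are this example's own
assumption: a hit is a reason to look closer, not proof of infection.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # short tag, e.g. "open-port"
    detail: str     # human-readable explanation


KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
PORT_RE = re.compile(r"^(?P<port>\d+):(?P<proto>TCP|UDP):(?P<label>.*)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.*)$")
STARTUP_RE = re.compile(r"^MSConfigStartUp-(?P<name>.+?) - (?P<path>[A-Za-z]:\\.+)$")

# Autostart binaries living in per-user scratch locations are a classic
# dropper pattern (compare the ulugqj\ and Temp\ entries in the log above).
USER_WRITABLE = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\locals~1\\temp\\",
)

# Excerpt copied from the ComboFix log above (used here as test input).
LOG_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 4
MSConfigStartUp-fouhwseh - c:\documents and settings\Home\Local Settings\Application Data\ulugqj\ycwksftav.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-mediacodec - c:\docume~1\Home\LOCALS~1\Temp\mediacodec.exe
MSConfigStartUp-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
"""


def triage(log_text):
    """Return a list of Finding objects for the suspicious lines in log_text."""
    findings = []
    key = ""        # registry key of the current [section]
    ff_prefs = {}   # Firefox prefs.js values seen so far
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, value = m.group("name"), m.group("value").strip()
            lkey = key.lower()
            if "security center\\monitoring\\" in lkey and name == "DisableMonitoring" and value != "dword:00000000":
                product = key.rsplit("\\", 1)[-1]
                findings.append(Finding("security-center", "Security Center monitoring disabled for " + product))
            elif lkey.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value.startswith("0"):
                findings.append(Finding("firewall", "Windows Firewall disabled in the standard profile"))
            elif lkey.endswith("globallyopenports\\list"):
                pm = PORT_RE.match(value)
                if pm and int(pm.group("port")) == 3389:
                    findings.append(Finding("open-port", "3389/TCP (Remote Desktop) opened to all hosts"))
                elif pm and pm.group("label") == "Services" and int(pm.group("port")) > 1024:
                    findings.append(Finding("open-port", pm.group("port") + "/" + pm.group("proto")
                                            + " opened with only the generic label 'Services'"))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_prefs[m.group("pref")] = m.group("value").strip()
            continue
        m = STARTUP_RE.match(line)
        if m and any(marker in m.group("path").lower() for marker in USER_WRITABLE):
            findings.append(Finding("startup", "autostart '" + m.group("name")
                                    + "' runs from a user scratch folder: " + m.group("path")))
    # Firefox network.proxy.type: 0 = direct, 1 = manual, 2 = PAC, 4 = auto-detect, 5 = system.
    # Any non-zero type together with an http proxy entry on the loopback interface means a
    # local process would sit between the browser and the network; worth checking either way.
    if ff_prefs.get("network.proxy.type", "0") != "0" and "network.proxy.http" in ff_prefs:
        target = ff_prefs["network.proxy.http"] + ":" + ff_prefs.get("network.proxy.http_port", "?")
        note = " (loopback: a local process would relay browser traffic)" if target.startswith(("localhost", "127.")) else ""
        findings.append(Finding("browser-proxy", "Firefox network.proxy.type=" + ff_prefs["network.proxy.type"]
                                + " with network.proxy.http=" + target + note))
    return findings


if __name__ == "__main__":
    for f in triage(LOG_EXCERPT):
        print(f.category.ljust(16), f.detail)
```

Run it as-is to print the findings for the excerpt, or paste a full ComboFix.txt into LOG_EXCERPT. Lines that match no rule are ignored, so the script stays quiet on a log with none of these indicators; the patterns it knows are only the ones present in this thread's log.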

#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:50 PM

Posted 04 March 2010 - 08:10 AM

Hi there,

QUOTE
After it was done running two icons reappeared on my desktop that I had deleted maybe a week ago: Internet Explorer and Spider Solitaire. Please let me know when I can reactivate my antivirus programs.

ComboFix resets some settings to their defaults in case they were modified by malware. You can reactivate your antivirus after doing the steps below; I will advise you to disable it again if needed.


+++++++++++++++++++


1. Please download DeFogger to your desktop.
Double click DeFogger to run the tool. (For Vista, right click and run as administrator)
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.




2. Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop (Right click on the file and choose extract all).
  • Double-Click (Run as administrator for Vista) TDSSKiller.exe to run it.
  • When it finished press any key to continue (Let reboot if needed).
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log.



~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 prittidayzee

prittidayzee
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Pennsylvania
  • Local time:06:50 AM

Posted 04 March 2010 - 04:57 PM

Done and Done. Copy of TDSSKiller log follows:

16:53:12:050 4060 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
16:53:12:050 4060 ================================================================================
16:53:12:050 4060 SystemInfo:

16:53:12:050 4060 OS Version: 5.1.2600 ServicePack: 3.0
16:53:12:050 4060 Product type: Workstation
16:53:12:050 4060 ComputerName: HOME-CPT9NVHPNF
16:53:12:050 4060 UserName: Home
16:53:12:050 4060 Windows directory: C:\WINDOWS
16:53:12:050 4060 Processor architecture: Intel x86
16:53:12:050 4060 Number of processors: 1
16:53:12:050 4060 Page size: 0x1000
16:53:12:060 4060 Boot type: Normal boot
16:53:12:060 4060 ================================================================================
16:53:12:090 4060 UnloadDriverW: NtUnloadDriver error 2
16:53:12:090 4060 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:53:12:261 4060 Initialize success
16:53:12:261 4060
16:53:12:261 4060 Scanning Services ...
16:53:12:261 4060 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:53:12:271 4060 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:53:12:271 4060 wfopen_ex: Trying to KLMD file open
16:53:12:271 4060 wfopen_ex: File opened ok (Flags 2)
16:53:12:271 4060 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:53:12:271 4060 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:53:12:271 4060 wfopen_ex: Trying to KLMD file open
16:53:12:271 4060 wfopen_ex: File opened ok (Flags 2)
16:53:12:821 4060 GetAdvancedServicesInfo: Raw services enum returned 328 services
16:53:12:841 4060 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:53:12:841 4060 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:53:12:841 4060
16:53:12:841 4060 Scanning Kernel memory ...
16:53:12:841 4060 Devices to scan: 5
16:53:12:841 4060
16:53:12:841 4060 Driver Name: Disk
16:53:12:841 4060 IRP_MJ_CREATE : F8719BB0
16:53:12:841 4060 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:53:12:841 4060 IRP_MJ_CLOSE : F8719BB0
16:53:12:841 4060 IRP_MJ_READ : F8713D1F
16:53:12:841 4060 IRP_MJ_WRITE : F8713D1F
16:53:12:841 4060 IRP_MJ_QUERY_INFORMATION : 804FA88E
16:53:12:841 4060 IRP_MJ_SET_INFORMATION : 804FA88E
16:53:12:841 4060 IRP_MJ_QUERY_EA : 804FA88E
16:53:12:841 4060 IRP_MJ_SET_EA : 804FA88E
16:53:12:841 4060 IRP_MJ_FLUSH_BUFFERS : F87142E2
16:53:12:841 4060 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
16:53:12:841 4060 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
16:53:12:841 4060 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
16:53:12:841 4060 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
16:53:12:841 4060 IRP_MJ_DEVICE_CONTROL : F87143BB
16:53:12:841 4060 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8717F28
16:53:12:841 4060 IRP_MJ_SHUTDOWN : F87142E2
16:53:12:841 4060 IRP_MJ_LOCK_CONTROL : 804FA88E
16:53:12:841 4060 IRP_MJ_CLEANUP : 804FA88E
16:53:12:841 4060 IRP_MJ_CREATE_MAILSLOT : 804FA88E
16:53:12:841 4060 IRP_MJ_QUERY_SECURITY : 804FA88E
16:53:12:841 4060 IRP_MJ_SET_SECURITY : 804FA88E
16:53:12:841 4060 IRP_MJ_POWER : F8715C82
16:53:12:841 4060 IRP_MJ_SYSTEM_CONTROL : F871A99E
16:53:12:841 4060 IRP_MJ_DEVICE_CHANGE : 804FA88E
16:53:12:841 4060 IRP_MJ_QUERY_QUOTA : 804FA88E
16:53:12:841 4060 IRP_MJ_SET_QUOTA : 804FA88E
16:53:12:841 4060 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
16:53:12:841 4060 sion
16:53:12:871 4060 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:53:12:871 4060
16:53:12:871 4060 Driver Name: Disk
16:53:12:871 4060 IRP_MJ_CREATE : F8719BB0
16:53:12:871 4060 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:53:12:871 4060 IRP_MJ_CLOSE : F8719BB0
16:53:12:871 4060 IRP_MJ_READ : F8713D1F
16:53:12:871 4060 IRP_MJ_WRITE : F8713D1F
16:53:12:871 4060 IRP_MJ_QUERY_INFORMATION : 804FA88E
16:53:12:871 4060 IRP_MJ_SET_INFORMATION : 804FA88E
16:53:12:871 4060 IRP_MJ_QUERY_EA : 804FA88E
16:53:12:871 4060 IRP_MJ_SET_EA : 804FA88E
16:53:12:871 4060 IRP_MJ_FLUSH_BUFFERS : F87142E2
16:53:12:871 4060 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
16:53:12:871 4060 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
16:53:12:871 4060 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
16:53:12:871 4060 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
16:53:12:871 4060 IRP_MJ_DEVICE_CONTROL : F87143BB
16:53:12:871 4060 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8717F28
16:53:12:871 4060 IRP_MJ_SHUTDOWN : F87142E2
16:53:12:871 4060 IRP_MJ_LOCK_CONTROL : 804FA88E
16:53:12:871 4060 IRP_MJ_CLEANUP : 804FA88E
16:53:12:871 4060 IRP_MJ_CREATE_MAILSLOT : 804FA88E
16:53:12:871 4060 IRP_MJ_QUERY_SECURITY : 804FA88E
16:53:12:871 4060 IRP_MJ_SET_SECURITY : 804FA88E
16:53:12:871 4060 IRP_MJ_POWER : F8715C82
16:53:12:871 4060 IRP_MJ_SYSTEM_CONTROL : F871A99E
16:53:12:871 4060 IRP_MJ_DEVICE_CHANGE : 804FA88E
16:53:12:871 4060 IRP_MJ_QUERY_QUOTA : 804FA88E
16:53:12:871 4060 IRP_MJ_SET_QUOTA : 804FA88E
16:53:12:881 4060 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
16:53:12:881 4060 sion
16:53:12:901 4060 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:53:12:901 4060
16:53:12:901 4060 Driver Name: Disk
16:53:12:901 4060 IRP_MJ_CREATE : F8719BB0
16:53:12:901 4060 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:53:12:901 4060 IRP_MJ_CLOSE : F8719BB0
16:53:12:901 4060 IRP_MJ_READ : F8713D1F
16:53:12:901 4060 IRP_MJ_WRITE : F8713D1F
16:53:12:901 4060 IRP_MJ_QUERY_INFORMATION : 804FA88E
16:53:12:901 4060 IRP_MJ_SET_INFORMATION : 804FA88E
16:53:12:901 4060 IRP_MJ_QUERY_EA : 804FA88E
16:53:12:901 4060 IRP_MJ_SET_EA : 804FA88E
16:53:12:901 4060 IRP_MJ_FLUSH_BUFFERS : F87142E2
16:53:12:901 4060 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
16:53:12:901 4060 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
16:53:12:901 4060 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
16:53:12:901 4060 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
16:53:12:901 4060 IRP_MJ_DEVICE_CONTROL : F87143BB
16:53:12:901 4060 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8717F28
16:53:12:901 4060 IRP_MJ_SHUTDOWN : F87142E2
16:53:12:901 4060 IRP_MJ_LOCK_CONTROL : 804FA88E
16:53:12:901 4060 IRP_MJ_CLEANUP : 804FA88E
16:53:12:901 4060 IRP_MJ_CREATE_MAILSLOT : 804FA88E
16:53:12:901 4060 IRP_MJ_QUERY_SECURITY : 804FA88E
16:53:12:901 4060 IRP_MJ_SET_SECURITY : 804FA88E
16:53:12:901 4060 IRP_MJ_POWER : F8715C82
16:53:12:901 4060 IRP_MJ_SYSTEM_CONTROL : F871A99E
16:53:12:901 4060 IRP_MJ_DEVICE_CHANGE : 804FA88E
16:53:12:901 4060 IRP_MJ_QUERY_QUOTA : 804FA88E
16:53:12:901 4060 IRP_MJ_SET_QUOTA : 804FA88E
16:53:12:901 4060 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
16:53:12:901 4060 sion
16:53:12:912 4060 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:53:12:912 4060
16:53:12:912 4060 Driver Name: atapi
16:53:12:912 4060 IRP_MJ_CREATE : F85CAB3A
16:53:12:912 4060 IRP_MJ_CREATE_NAMED_PIPE : F85CAB3A
16:53:12:912 4060 IRP_MJ_CLOSE : F85CAB3A
16:53:12:912 4060 IRP_MJ_READ : F85CAB3A
16:53:12:912 4060 IRP_MJ_WRITE : F85CAB3A
16:53:12:912 4060 IRP_MJ_QUERY_INFORMATION : F85CAB3A
16:53:12:912 4060 IRP_MJ_SET_INFORMATION : F85CAB3A
16:53:12:912 4060 IRP_MJ_QUERY_EA : F85CAB3A
16:53:12:912 4060 IRP_MJ_SET_EA : F85CAB3A
16:53:12:912 4060 IRP_MJ_FLUSH_BUFFERS : F85CAB3A
16:53:12:912 4060 IRP_MJ_QUERY_VOLUME_INFORMATION : F85CAB3A
16:53:12:912 4060 IRP_MJ_SET_VOLUME_INFORMATION : F85CAB3A
16:53:12:912 4060 IRP_MJ_DIRECTORY_CONTROL : F85CAB3A
16:53:12:912 4060 IRP_MJ_FILE_SYSTEM_CONTROL : F85CAB3A
16:53:12:912 4060 IRP_MJ_DEVICE_CONTROL : F85CAB3A
16:53:12:912 4060 IRP_MJ_INTERNAL_DEVICE_CONTROL : 82C43598
16:53:12:912 4060 IRP_MJ_SHUTDOWN : F85CAB3A
16:53:12:912 4060 IRP_MJ_LOCK_CONTROL : F85CAB3A
16:53:12:912 4060 IRP_MJ_CLEANUP : F85CAB3A
16:53:12:912 4060 IRP_MJ_CREATE_MAILSLOT : F85CAB3A
16:53:12:912 4060 IRP_MJ_QUERY_SECURITY : F85CAB3A
16:53:12:912 4060 IRP_MJ_SET_SECURITY : F85CAB3A
16:53:12:912 4060 IRP_MJ_POWER : F85CAB3A
16:53:12:912 4060 IRP_MJ_SYSTEM_CONTROL : F85CAB3A
16:53:12:912 4060 IRP_MJ_DEVICE_CHANGE : F85CAB3A
16:53:12:912 4060 IRP_MJ_QUERY_QUOTA : F85CAB3A
16:53:12:912 4060 IRP_MJ_SET_QUOTA : F85CAB3A
16:53:12:912 4060 siohd: 0
16:53:12:932 4060 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
16:53:12:932 4060
16:53:12:932 4060 Driver Name: atapi
16:53:12:932 4060 IRP_MJ_CREATE : F85CAB3A
16:53:12:932 4060 IRP_MJ_CREATE_NAMED_PIPE : F85CAB3A
16:53:12:932 4060 IRP_MJ_CLOSE : F85CAB3A
16:53:12:932 4060 IRP_MJ_READ : F85CAB3A
16:53:12:932 4060 IRP_MJ_WRITE : F85CAB3A
16:53:12:932 4060 IRP_MJ_QUERY_INFORMATION : F85CAB3A
16:53:12:932 4060 IRP_MJ_SET_INFORMATION : F85CAB3A
16:53:12:932 4060 IRP_MJ_QUERY_EA : F85CAB3A
16:53:12:932 4060 IRP_MJ_SET_EA : F85CAB3A
16:53:12:942 4060 IRP_MJ_FLUSH_BUFFERS : F85CAB3A
16:53:12:942 4060 IRP_MJ_QUERY_VOLUME_INFORMATION : F85CAB3A
16:53:12:942 4060 IRP_MJ_SET_VOLUME_INFORMATION : F85CAB3A
16:53:12:942 4060 IRP_MJ_DIRECTORY_CONTROL : F85CAB3A
16:53:12:942 4060 IRP_MJ_FILE_SYSTEM_CONTROL : F85CAB3A
16:53:12:942 4060 IRP_MJ_DEVICE_CONTROL : F85CAB3A
16:53:12:942 4060 IRP_MJ_INTERNAL_DEVICE_CONTROL : 82C43598
16:53:12:942 4060 IRP_MJ_SHUTDOWN : F85CAB3A
16:53:12:942 4060 IRP_MJ_LOCK_CONTROL : F85CAB3A
16:53:12:942 4060 IRP_MJ_CLEANUP : F85CAB3A
16:53:12:942 4060 IRP_MJ_CREATE_MAILSLOT : F85CAB3A
16:53:12:942 4060 IRP_MJ_QUERY_SECURITY : F85CAB3A
16:53:12:942 4060 IRP_MJ_SET_SECURITY : F85CAB3A
16:53:12:942 4060 IRP_MJ_POWER : F85CAB3A
16:53:12:942 4060 IRP_MJ_SYSTEM_CONTROL : F85CAB3A
16:53:12:942 4060 IRP_MJ_DEVICE_CHANGE : F85CAB3A
16:53:12:942 4060 IRP_MJ_QUERY_QUOTA : F85CAB3A
16:53:12:942 4060 IRP_MJ_SET_QUOTA : F85CAB3A
16:53:12:942 4060 siohd: 0
16:53:12:952 4060 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
16:53:12:952 4060
16:53:12:952 4060 Completed
16:53:12:952 4060
16:53:12:952 4060 Results:
16:53:12:952 4060 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
16:53:12:952 4060 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:53:12:952 4060 File objects infected / cured / cured on reboot: 0 / 0 / 0
16:53:12:952 4060
16:53:12:972 4060 KLMD(ARK) unloaded successfully


#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:50 PM

Posted 05 March 2010 - 06:11 AM

Hi,

After running the next steps below, please tell me the current status of your computer.


++++++++++++++++++++


1. Please disable your McAfee again by following the same instructions as in my previous post, then run the CF script below.
We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
http://www.bleepingcomputer.com/forums/t/299078/security-central/

Collect::
c:\windows\system32\drivers\kgpcpy.cfg

File::
c:\windows\msdownld.tmp

Folder::
c:\documents and settings\HelpAssistant.HOME-CPT9NVHPNF
c:\documents and settings\HelpAssistant
c:\documents and settings\Home\Local Settings\Application Data\agfhja
c:\documents and settings\Home\Local Settings\Application Data\ulugqj

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-

DDS::
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f

FileLook::
C:\WINDOWS\system32\DRIVERS\atapi.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



2. Please download Profiles by noahdfear.
  • Save it to your desktop.
  • Double-click profiles.exe and post its log when you reply.


3. Please copy the contents of the code box below, open notepad and paste it there (Do not include the word Code).
  • On the top toolbar in notepad select file, then save as. In the box that opens type in look.bat for the file name.
  • Right below that click the down arrow in the line for "save as" and select all files.
  • Save this to your desktop and close notepad.
  • Locate the look.bat icon on your desktop and double click it.
  • A notepad will pop up. Copy the contents of the notepad and post it on your next reply.
CODE
@echo off
REM Write the HelpAssistant account's properties to a log file on the desktop
net user HelpAssistant>"%userprofile%\desktop\log.txt"
REM Open the log in Notepad so it can be copied into a reply
start notepad "%userprofile%\desktop\log.txt"
cls




~Semp


------------------------------
Edit - Add DDS:: to script

Edited by sempai, 05 March 2010 - 06:16 AM.



#13 prittidayzee

prittidayzee
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Pennsylvania
  • Local time:06:50 AM

Posted 08 March 2010 - 08:18 PM

Sorry it took me so long to write back. I was sick.

Here is the ComboFix log:
ComboFix 10-03-08.01 - Home 03/08/2010 19:09:27.2.1 - x86
Running from: c:\documents and settings\Home\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Home\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\msdownld.tmp"

file zipped: c:\windows\system32\drivers\kgpcpy.cfg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Home\Local Settings\Application Data\agfhja
c:\documents and settings\Home\Local Settings\Application Data\ulugqj
c:\windows\system32\drivers\kgpcpy.cfg

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-02-09 to 2010-03-09 )))))))))))))))))))))))))))))))
.

2010-03-04 01:11 . 2010-03-04 01:11 -------- dc----w- c:\documents and settings\HelpAssistant.HOME-CPT9NVHPNF\WINDOWS
2010-03-04 01:11 . 2010-03-04 01:11 -------- dc----w- c:\documents and settings\HelpAssistant.HOME-CPT9NVHPNF\UserData
2010-03-04 01:11 . 2010-03-04 01:11 -------- dc----w- c:\documents and settings\HelpAssistant.HOME-CPT9NVHPNF\PrivacIE
2010-03-04 01:04 . 2010-03-04 01:04 -------- dc----w- c:\documents and settings\HelpAssistant.HOME-CPT9NVHPNF\IETldCache
2010-03-04 01:04 . 2010-03-04 01:04 -------- dc----w- c:\documents and settings\HelpAssistant.HOME-CPT9NVHPNF\Contacts
2010-03-02 08:05 . 2010-03-02 08:10 -------- d-----w- c:\windows\ie8updates
2010-03-02 00:45 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-03-02 00:45 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-28 00:34 . 2010-02-28 00:35 -------- d-----w- c:\program files\Cobian Backup 8
2010-02-27 18:36 . 2010-02-27 18:36 -------- dc----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-02-27 18:33 . 2010-02-27 18:33 -------- d-----w- c:\program files\Common Files\iS3
2010-02-27 18:33 . 2010-02-27 22:44 -------- dc----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-02-27 18:11 . 2010-02-27 18:11 -------- d-----w- c:\program files\TrendMicro
2010-02-26 19:49 . 2010-02-26 19:49 -------- d--h--w- c:\windows\PIF
2010-02-26 13:10 . 2010-02-26 13:10 -------- dc----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-02-26 01:28 . 2010-02-26 01:28 -------- d-sh--w- c:\documents and settings\Home\PrivacIE
2010-02-25 12:40 . 2010-02-25 12:40 -------- dc----w- c:\documents and settings\HelpAssistant\IETldCache
2010-02-25 12:21 . 2010-02-25 12:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-25 12:21 . 2010-02-25 12:21 -------- d-sh--w- c:\documents and settings\Home\IETldCache
2010-02-25 12:21 . 2010-02-25 12:21 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-25 12:19 . 2010-02-25 12:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-25 12:15 . 2010-02-25 12:16 -------- dc-h--w- c:\windows\ie8
2010-02-25 12:13 . 2010-02-25 12:13 -------- d-----w- c:\documents and settings\Home\Local Settings\Application Data\Google
2010-02-25 12:12 . 2010-02-25 12:19 -------- d--h--w- c:\windows\msdownld.tmp
2010-02-15 15:20 . 2010-02-15 15:20 -------- dc----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-02-15 15:20 . 2010-02-15 15:20 -------- dc----w- c:\documents and settings\HelpAssistant\UserData
2010-02-15 14:56 . 2010-02-15 14:56 -------- dc----w- c:\documents and settings\HelpAssistant\Contacts
2010-02-09 22:50 . 2003-06-05 22:15 57436 ----a-w- c:\windows\DASShp.dll
2010-02-09 22:50 . 2010-02-09 22:50 -------- d-----w- c:\program files\Microsoft Reader
2010-02-09 22:50 . 2010-02-09 22:50 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-09 03:58 . 2010-02-09 03:58 -------- dc----w- c:\documents and settings\All Users\Application Data\Azureus
2010-02-09 03:58 . 2010-02-09 03:58 -------- d-----w- c:\program files\Isohunt-vuze
2010-02-09 03:58 . 2010-02-09 23:04 -------- d-----w- c:\documents and settings\Home\Application Data\Azureus
2010-02-09 03:57 . 2010-02-09 04:06 -------- d-----w- c:\program files\Vuze

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 13:34 . 2007-12-24 16:21 -------- d-----w- c:\documents and settings\Home\Application Data\MSN6
2010-03-04 02:04 . 2009-02-05 21:13 -------- d-----w- c:\program files\system
2010-03-01 20:09 . 2008-08-04 02:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-26 12:14 . 2008-01-28 22:17 -------- d-----w- c:\program files\Google
2010-02-25 11:58 . 2008-03-12 13:44 -------- d-----w- c:\program files\Windows Live
2010-02-16 13:26 . 2009-01-28 03:00 -------- d-----w- c:\program files\LimeWire
2010-02-11 23:23 . 2007-12-29 19:33 80696 ----a-w- c:\documents and settings\Home\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-09 22:50 . 2008-01-05 18:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-09 05:24 . 2008-11-08 21:29 -------- d-----w- c:\program files\Java
2010-02-09 05:19 . 2009-11-07 00:37 -------- d-----w- c:\program files\Common Files\Apple
2010-02-08 15:37 . 2008-08-19 18:00 -------- d-----w- c:\documents and settings\Home\Application Data\Apple Computer
2010-01-25 16:36 . 2010-01-25 16:34 -------- dc----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-25 16:07 . 2010-01-25 16:06 -------- d-----w- c:\program files\Safari
2010-01-25 15:41 . 2010-01-25 15:39 -------- d-----w- c:\program files\QuickTime
2010-01-25 15:39 . 2009-01-20 05:51 -------- dc----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-07 21:07 . 2008-08-04 02:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-08-04 02:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2008-09-25 03:08 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2001-08-23 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2007-12-23 06:35 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-09-25 03:08 33280 ----a-w- c:\windows\system32\csrsrv.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\DRIVERS\atapi.sys ---
Company: Microsoft Corporation
File Description: IDE/ATAPI Port Driver
File Version: 5.1.2600.5512 (xpsp.080413-2108)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: atapi.sys
File size: 96512
Created time: 2008-09-25 03:08
Modified time: 2008-04-13 18:40
MD5: 9F3A2F5AA6875C72BF062C712CFA2674
SHA1: A719156E8AD67456556A02C34E762944234E7A44


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-04-24 6155808]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Home^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Home\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-03-18 22:50 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-10-18 15:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"9244:TCP"= 9244:TCP:Services

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 5:27 PM 29808]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/26/2008 3:04 AM 93320]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
StandardAudio
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-04 16:22]

2010-03-08 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-04 16:22]

2009-02-18 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-02-06 02:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\zltol4yh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2464976&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 19:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1008)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-08 19:45:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-09 00:45
ComboFix2.txt 2010-03-04 02:33

Pre-Run: 23,366,557,696 bytes free
Post-Run: 23,260,110,848 bytes free

- - End Of File - - E58DC0F6700B4624CE644273A343EFF5

Here is the profiles log:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\S-1-5-21-1275210071-854245398-1596201891-1004

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\S-1-5-21-1275210071-854245398-1596201891-1004\Software

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\S-1-5-21-1275210071-854245398-1596201891-1004\Software\Microsoft

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\S-1-5-21-1275210071-854245398-1596201891-1004\Software\Microsoft\Internet Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\S-1-5-21-1275210071-854245398-1596201891-1004\Software\Microsoft\Internet Explorer\Main

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1275210071-854245398-1596201891-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.HOME-CPT9NVHPNF

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1275210071-854245398-1596201891-1004
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Home

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1275210071-854245398-1596201891-1004\S-1-5-21-1275210071-854245398-1596201891-1004

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1275210071-854245398-1596201891-1004\S-1-5-21-1275210071-854245398-1596201891-1004\Software

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1275210071-854245398-1596201891-1004\S-1-5-21-1275210071-854245398-1596201891-1004\Software\Microsoft

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1275210071-854245398-1596201891-1004\S-1-5-21-1275210071-854245398-1596201891-1004\Software\Microsoft\Internet Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1275210071-854245398-1596201891-1004\S-1-5-21-1275210071-854245398-1596201891-1004\Software\Microsoft\Internet Explorer\Main

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1275210071-854245398-1596201891-1004\S-1-5-21-1275210071-854245398-1596201891-1004\Software\Microsoft\Internet Explorer\Search

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1275210071-854245398-1596201891-1004\S-1-5-21-1275210071-854245398-1596201891-1004\Software\Microsoft\Internet Explorer\SearchURL

SystemRoot REG_SZ C:\WINDOWS

Here is the lookbat log:
User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 3/8/2010 7:27 PM
Password expires Never
Password changeable 3/8/2010 7:27 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/8/2010 7:27 PM

Logon hours allowed All

Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.

Thank you for your patience and continued advice.

#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:50 PM

Posted 09 March 2010 - 09:32 AM

Hi, no worries... hope you're doing OK now.


++++++++++++++++++++++++++


1. Disable Remote Desktop.
  • Right-click My Computer and click Properties.
  • Click the Remote tab.
  • In the Remote Desktop section, uncheck Allow users to connect remotely to this computer, and then click OK.


2. Please delete your old copy of HelpAsst_mebroot_fix.exe, then download and run a new copy.
Download and save HelpAsst_mebroot_fix.exe
Double click (Run as administrator for Vista) to run the tool then tell me how it went.

next...
Please copy the contents of the code box below, open notepad and paste it there (Do not include the word Code).
  • On the top toolbar in notepad select file, then save as. In the box that opens type in look.bat for the file name.
  • Right below that click the down arrow in the line for "save as" and select all files.
  • Save this to your desktop and close notepad.
  • Locate the look.bat icon on your desktop and double click it.
  • A notepad will pop up. Copy the contents of the notepad and post it on your next reply.

CODE
@echo off
net user HelpAssistant>"%userprofile%\desktop\log.txt"
start notepad "%userprofile%\desktop\log.txt"
cls



3. Backup Your Registry with ERUNT
  • Please download ERUNT.
  • Follow the detailed instructions HERE on how to install and run ERUNT.
  • Make sure that you have successfully installed and ran ERUNT before proceeding with the next instruction.

Please copy the contents of the code box below, open notepad and paste it there (Do not include the word Code).
  • On the top toolbar in notepad select file, then save as. In the box that opens type in fix.bat for the file name.
  • Right below that click the down arrow in the line for "save as" and select all files.
  • Save this to your desktop and close notepad.
  • Locate the fix.bat icon on your desktop and double click it.

CODE
@echo off
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1275210071-854245398-1596201891-1000" /f
rem DOCUME~1 is the 8.3 short name of "Documents and Settings"; remove both rogue HelpAssistant profile folders
attrib -s -h -r C:\docume~1\HelpAssistant.HOME-CPT9NVHPNF\* /s /d
del /s /q C:\docume~1\HelpAssistant.HOME-CPT9NVHPNF\*.*
rmdir /s /q C:\docume~1\HelpAssistant.HOME-CPT9NVHPNF
attrib -s -h -r C:\docume~1\HelpAssistant\* /s /d
del /s /q C:\docume~1\HelpAssistant\*.*
rmdir /s /q C:\docume~1\HelpAssistant

Next...
Please locate profiles.exe on your desktop, run it again and post its new log.



4. We need to run an OTL Fix
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    :Reg
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "3246:TCP"=-
    "2479:TCP"=-
    "9244:TCP"=-

    :Commands
    [emptytemp]
    [Reboot]

  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.


The logs I need to see when you reply are:
  1. Result of look.bat
  2. New log of profiles.exe
  3. Result of OTL fix


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
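A detection-side companion to the checks the post above asks for, added here as an example and not one of the forum's tools or the helper's scripts: it parses constructed copies of the `net user HelpAssistant` output, the ProfileList export and the GloballyOpenPorts values from the logs in this thread and reports the indicators the fix steps act on. The function names, the sample data and the empty default port allowlist are assumptions.

```python
"""Flag the HelpAssistant indicators this thread's fix steps act on (added example,
not one of the forum's tools; samples are constructed from the posted logs)."""
import re

# Constructed `net user HelpAssistant` output, columns padded as net.exe prints them.
NET_USER_SAMPLE = """\
User name                    HelpAssistant
Account active               Yes
Local Group Memberships      *Administrators
The command completed successfully.
"""

PL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
# Constructed ProfileList export: (key, ProfileImagePath or None if the key has none).
PROFILELIST_SAMPLE = [
    (PL + r"\S-1-5-18", r"%systemroot%\system32\config\systemprofile"),
    (PL + r"\S-1-5-20\S-1-5-21-1275210071-854245398-1596201891-1004", None),
    (PL + r"\S-1-5-21-1275210071-854245398-1596201891-1000",
     r"%SystemDrive%\Documents and Settings\HelpAssistant.HOME-CPT9NVHPNF"),
    (PL + r"\S-1-5-21-1275210071-854245398-1596201891-1004",
     r"%SystemDrive%\Documents and Settings\Home"),
]

# Constructed GloballyOpenPorts\List values, as in the ComboFix log above.
OPEN_PORTS_SAMPLE = ["65533:TCP:Services", "52344:TCP:Services", "3246:TCP:Services"]


def parse_net_user(text):
    """Turn `net user` two-column output into a {label: value} dict."""
    fields = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields


def helpassistant_findings(net_user_text, profile_list, open_ports, allowed_ports=()):
    """Return the indicators a responder should act on (empty list = clean)."""
    findings = []
    acct = parse_net_user(net_user_text)
    # On XP the Remote Assistance account is disabled and not an Administrator
    # unless a Remote Assistance session is open.
    if acct.get("Account active") == "Yes":
        findings.append("HelpAssistant account is enabled")
    if "*Administrators" in acct.get("Local Group Memberships", ""):
        findings.append("HelpAssistant is a local Administrator")
    for key, path in profile_list:
        sids = [p for p in key.split("\\") if p.startswith("S-1-5-")]
        if len(sids) > 1:  # a SID key nested under another SID key is never legitimate
            findings.append("nested ProfileList SID key: " + key)
        if path and path.split("\\")[-1].lower().startswith("helpassistant"):
            findings.append("HelpAssistant profile registered: " + path)
    for entry in open_ports:  # anything not explicitly allowed is a hole in the firewall
        if entry.split(":")[0] not in allowed_ports:
            findings.append("unexpected globally open port " + entry)
    return findings
```

Feed it the real `net user` output and a `reg export` of ProfileList and GloballyOpenPorts\List from a suspect machine; an empty result means none of the three indicators from this thread are present.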


#15 prittidayzee

prittidayzee
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Pennsylvania
  • Local time:06:50 AM

Posted 09 March 2010 - 05:12 PM

I ran all of the scans/fixes you asked. After running the OTL fix and rebooting, I opened all the logs so that I could copy/paste them back to you. I then tried to open Mozilla Firefox. It took forever trying to load and then the screen just froze up and dissolved into white squares. At a loss for anything else to do, I turned off the computer and turned it back on. Now when it tries to load there are white lines across the startup page. It does load but before the desktop appears it turns to white squares and then goes black. HELP!!!



