Browser pop-ups after Malwarebytes scam removed


11 replies to this topic

#1 hep181
Posted 05 April 2010 - 10:08 PM

Hello all.
Please help me with this issue. My son was on a gaming site and must have downloaded something bad. I noticed that I was getting pop-up ads in Firefox today. I tried to run Malwarebytes and the program would not launch. I ran a full system scan with McAfee and it showed the PC as clean. I used a workaround by renaming the mbam.exe file and was able to get Malwarebytes to run. I did a scan and found 5 malware.packer.gen files. I deleted them and restarted the computer as it asked. During shutdown the PC hung at the logoff screen. I had to do a forced shutdown. Once restarted, I started getting the pop-ups again. I rescanned with Malwarebytes and found and deleted a trojan.agen and spyware.Zbot. I am still getting the pop-ups. This thing is really dug in. Please help.

I have been getting the BSOD every time I try to run the GMER prog. I hope the log is enough.


Here is my Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:11 PM, on 4/5/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Safe mode with network support

Running processes:
C:WindowsExplorer.EXE
C:Program FilesTrend MicroHijackThisHijackThis.exe

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...P&M=GT5630E
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.gateway.com/g/startpage.html?Ch...P&M=GT5630E
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...P&M=GT5630E
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.local
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAdobe Acrobat 7.0ActiveXAcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:PROGRA~1MICROS~2Office12GRA8E1~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:Program FilesCommon FilesMcAfeeSystemCoreScriptSn.20100318121354.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:Program FilesGoogleGoogle ToolbarGoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:Program FilesAdobeAdobe Acrobat 7.0AcrobatAcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:Program FilesGoogleGoogleToolbarNotifier5.5.4723.1820swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:PROGRA~1mcafeeSITEAD~1mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:windowssystem32BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program FilesJavajre6binjp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:Program FilesHPDigital ImagingSmart Web Printinghpswp_BHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:Program FilesAdobeAdobe Acrobat 7.0AcrobatAcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:PROGRA~1mcafeeSITEAD~1mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:Program FilesGoogleGoogle ToolbarGoogleToolbar_32.dll
O4 - HKLM..Run: [Windows Defender] %ProgramFiles%Windows DefenderMSASCui.exe -hide
O4 - HKLM..Run: [auditadmin] C:windowsoptionsauditadmin.cmd
O4 - HKLM..Run: [CCUTRAYICON] C:Program FilesIntelIntelDHCCUCCU_TrayIcon.exe
O4 - HKLM..Run: [NMSSupport] "C:Program FilesCommon FilesIntelIntelDHNMSSupportIntelHCTAgent.exe" /startup
O4 - HKLM..Run: [IAAnotif] "C:Program FilesIntelIntel Matrix Storage ManagerIaanotif.exe"
O4 - HKLM..Run: [Adobe Version Cue CS2] "C:Program FilesAdobeAdobe Version Cue CS2ControlPanelVersionCueCS2Tray.exe"
O4 - HKLM..Run: [Acrobat Assistant 7.0] "C:Program FilesAdobeAdobe Acrobat 7.0DistillrAcrotray.exe"
O4 - HKLM..Run: [NA1Messenger] C:UPSWSTDPolicyMgrNA1Msgr.exe
O4 - HKLM..Run: [GrooveMonitor] "C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe"
O4 - HKLM..Run: [HPUsageTracking] C:Program FilesHPHP UTbinhppusg.exe "C:Program FilesHPHP UT"
O4 - HKLM..Run: [hpbdfawep] C:Program FilesHPDfawepbinhpbdfawep.exe 1
O4 - HKLM..Run: [TrueImageMonitor.exe] C:Program FilesAcronisTrueImageHomeTrueImageMonitor.exe
O4 - HKLM..Run: [AcronisTimounterMonitor] C:Program FilesAcronisTrueImageHomeTimounterMonitor.exe
O4 - HKLM..Run: [Acronis Scheduler2 Service] "C:Program FilesCommon FilesAcronisSchedule2schedhlp.exe"
O4 - HKLM..Run: [HP Software Update] C:Program FilesHPHP Software UpdateHPWuSchd2.exe
O4 - HKLM..Run: [IgfxTray] C:Windowssystem32igfxtray.exe
O4 - HKLM..Run: [HotKeysCmds] C:Windowssystem32hkcmd.exe
O4 - HKLM..Run: [Persistence] C:Windowssystem32igfxpers.exe
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeQTTask.exe" -atboottime
O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesCommon FilesJavaJava Updatejusched.exe"
O4 - HKLM..Run: [UVS10 Preload] C:Program FilesUlead SystemsUlead VideoStudio SE DVDuvPL.exe
O4 - HKLM..Run: [Malwarebytes Anti-Malware (reboot)] "C:Program FilesMalwarebytes' Anti-MalwareRUa0qBEUY.exe" /runcleanupscript
O4 - HKLM..Run: [mcui_exe] "C:Program FilesMcAfee.comAgentmcagent.exe" /runkey
O4 - HKLM..RunOnce: [Launcher] %WINDIR%SMINSTlauncher.exe
O4 - HKCU..Run: [ehTray.exe] C:WindowsehomeehTray.exe
O4 - HKCU..Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:Program FilesCommon FilesNeroLibNMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU..Run: [swg] "C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe"
O4 - HKCU..Run: [godunugus] Rundll32.exe "c:progra~2yiduvupoyiduvupo.dll",a
O4 - HKCU..Run: [rabasafobe] Rundll32.exe "C:ProgramDatafajuzosifajuzosi.dll",s
O4 - HKUSS-1-5-19..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:Program FilesMicrosoft OfficeOffice12ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:Program FilesHPDigital Imagingbinhpqtra08.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:UPSWSTDMessagesWSTDMessaging.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:Program FilesAdobeAdobe Acrobat 7.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:Program FilesAdobeAdobe Acrobat 7.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:Program FilesAdobeAdobe Acrobat 7.0AcrobatAcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:Program FilesAdobeAdobe Acrobat 7.0AcrobatAcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:Program FilesAdobeAdobe Acrobat 7.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:Program FilesAdobeAdobe Acrobat 7.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:Program FilesAdobeAdobe Acrobat 7.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:Program FilesAdobeAdobe Acrobat 7.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:Program FilesGoogleGoogle ToolbarComponentGoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2Office12REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:Program FilesHPDigital ImagingSmart Web Printinghpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:PROGRA~1mcafeeSITEAD~1mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:PROGRA~1MICROS~2Office12GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:PROGRA~1mcafeeSITEAD~1mcieplg.dll
O20 - AppInit_DLLs: C:PROGRA~1GoogleGOOGLE~1GOEC62~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:Program FilesCommon FilesAcronisSchedule2schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:Program FilesCommon FilesAdobe Systems SharedServiceAdobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:Program FilesAdobeAdobe Version Cue CS2binVersionCueCS2.exe
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:Program FilesIntelIntelDHCCUAlertService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:Program FilesCommon FilesAOLACSAOLAcsd.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:Program FilesAPCAPC PowerChute Personal Editionmainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:Program FilesBonjourmDNSResponder.exe
O23 - Service: DQLWinService - Unknown owner - C:Program FilesCommon FilesIntelIntelDHNMSAdpPluginsDQLWinService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:Program FilesGoogleGoogle Desktop SearchGoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:Program FilesGoogleUpdateGoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:Program FilesIntelIntel Matrix Storage ManagerIaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver1050Intel 32IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodbiniPodService.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:Program FilesIntelIntelDHIntel Media ServerMedia ServerbinISSM.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:Program FilesIntelIntelDHIntel Media ServerMedia Serverbinmediaserver.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:Program FilesMcAfeeSiteAdvisorMcSACore.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:Program FilesIntelIntelDHIntel Media ServerShellsMCLServiceATL.exe
O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:Program FilesCommon FilesMcafeeMcSvcHostMcSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:Program FilesCommon FilesMcAfeeMcSvcHostMcSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:Program FilesCommon FilesMcAfeeMcSvcHostMcSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:Program FilesCommon FilesMcAfeeMcSvcHostMcSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:Program FilesMcAfeeVirusScanmcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:Program FilesCommon FilesMcAfeeMcSvcHostMcSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:Program FilesCommon FilesMcAfeeSystemCoremcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:Program FilesCommon FilesMcAfeeSystemCoremfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:Program FilesCommon FilesMcAfeeSystemCoremfevtps.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:Program FilesNeroNero8Nero BackItUpNBService.exe
O23 - Service: NMIndexingService - Nero AG - C:Program FilesCommon FilesNeroLibNMIndexingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:Program FilesCommon FilesNew BoundaryPrismXLPRISMXL.SYS
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:Program FilesIntelIntelDHIntel Media ServerShellsRemote UI Service.exe
O23 - Service: Syntek STK1150 Service (StkASSrv) - Syntek America Inc. - C:WindowsSystem32StkASv2K.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:Program FilesCommon FilesAcronisFomatikTrueImageTryStartService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:Program FilesCommon FilesUlead SystemsDVDULCDRSvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:Windowssystem32DRIVERSxaudio.exe

--
End of file - 14361 bytes

I ran Malwarebytes and it shows clean. McAfee cleaned 3 viruses (?) named Artemis! (with a random string of letters/numbers after it). They were quarantined. I'm still getting pop-ups. Please help.


My DDS file
DDS (Ver_10-03-17.01) - NTFSx86
Run by Robin at 1:25:52.28 on Wed 04/07/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3045.778 [GMT -4:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:Windowssystem32wininit.exe
C:Windowssystem32lsm.exe
C:Windowssystem32svchost.exe -k DcomLaunch
C:Windowssystem32svchost.exe -k rpcss
C:WindowsSystem32svchost.exe -k secsvcs
C:WindowsSystem32svchost.exe -k LocalServiceNetworkRestricted
C:WindowsSystem32svchost.exe -k LocalSystemNetworkRestricted
C:Windowssystem32svchost.exe -k netsvcs
C:Windowssystem32svchost.exe -k GPSvcGroup
C:Windowssystem32SLsvc.exe
C:Windowssystem32svchost.exe -k LocalService
C:Windowssystem32svchost.exe -k NetworkService
C:WindowsSystem32spoolsv.exe
C:Windowssystem32svchost.exe -k LocalServiceNoNetwork
C:Windowssystem32Dwm.exe
C:Windowssystem32spoolDRIVERSW32X863HP1006MC.EXE
C:Windowssystem32taskeng.exe
C:WindowsExplorer.EXE
C:Windowssystem32taskeng.exe
C:Program FilesCommon FilesAcronisSchedule2schedul2.exe
C:Program FilesAdobeAdobe Version Cue CS2binVersionCueCS2.exe
C:Program FilesIntelIntelDHCCUAlertService.exe
C:Program FilesAPCAPC PowerChute Personal Editionmainserv.exe
C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesCommon FilesIntelIntelDHNMSAdpPluginsDQLWinService.exe
C:Windowssystem32svchost.exe -k hpdevmgmt
C:Program FilesIntelIntel Matrix Storage ManagerIaantmon.exe
C:Program FilesMcAfeeSiteAdvisorMcSACore.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGmdm.exe
C:Program FilesCommon FilesMcAfeeSystemCoremfevtps.exe
C:Windowssystem32rundll32.exe
C:Program FilesNeroNero8Nero BackItUpNBService.exe
C:Windowssystem32svchost.exe -k NetworkServiceNetworkRestricted
C:Program FilesCommon FilesNew BoundaryPrismXLPRISMXL.SYS
C:Program FilesMicrosoft SQL Server90Sharedsqlwriter.exe
C:Windowssystem32svchost.exe -k imgsvc
C:WindowsSystem32StkASv2K.exe
C:Program FilesCommon FilesAcronisFomatikTrueImageTryStartService.exe
C:Program FilesCommon FilesUlead SystemsDVDULCDRSvr.exe
C:WindowsSystem32svchost.exe -k WerSvcGroup
C:Windowssystem32SearchIndexer.exe
C:Windowssystem32DRIVERSxaudio.exe
C:Program FilesIntelIntelDHIntel Media ServerMedia ServerbinISSM.exe
C:Program FilesIntelIntelDHIntel Media ServerShellsMCLServiceATL.exe
C:Program FilesCommon FilesMcAfeeSystemCoremcshield.exe
C:Program FilesCommon FilesMcAfeeSystemCoremfefire.exe
C:Program FilesCommon FilesMcafeeMcSvcHostMcSvHost.exe
C:Windowssystem32WUDFHost.exe
C:Program FilesIntelIntelDHIntel Media ServerMedia Serverbinmediaserver.exe
C:Program FilesIntelIntelDHIntel Media ServerShellsRemote UI Service.exe
C:Program FilesAdobeAdobe Version Cue CS2datadatabasebinmysqld-nt.exe
C:Program FilesWindows DefenderMSASCui.exe
C:Program FilesCommon FilesIntelIntelDHNMSSupportIntelHCTAgent.exe
C:Program FilesIntelIntel Matrix Storage ManagerIAAnotif.exe
C:Program FilesAdobeAdobe Version Cue CS2ControlPanelVersionCueCS2Tray.exe
C:Program FilesAdobeAdobe Acrobat 7.0Distillracrotray.exe
C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe
C:Program FilesHPHP UTbinhppusg.exe
C:Program FilesAcronisTrueImageHomeTrueImageMonitor.exe
C:Program FilesAcronisTrueImageHomeTimounterMonitor.exe
C:Program FilesCommon FilesAcronisSchedule2schedhlp.exe
C:Program FilesHPHP Software UpdatehpwuSchd2.exe
C:WindowsSystem32igfxtray.exe
C:WindowsSystem32igfxpers.exe
C:Program FilesiTunesiTunesHelper.exe
C:Windowssttray.exe
C:Program FilesCommon FilesJavaJava Updatejusched.exe
C:Program FilesMcAfee.comAgentmcagent.exe
C:Windowsehomeehtray.exe
C:Program FilesCommon FilesNeroLibNMIndexStoreSvr.exe
C:Windowsehomeehmsas.exe
C:Program FilesCommon FilesNeroLibNMIndexingService.exe
C:Program FilesIntelIntelDHCCUCCU_Engine.exe
C:Program FilesiPodbiniPodService.exe
C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
C:Program FilesHPDigital Imagingbinhpqtra08.exe
C:Program FilesHPDigital ImagingbinhpqSTE08.exe
C:Program FilesHPDigital Imagingbinhpqbam08.exe
C:Program FilesHPDigital Imagingbinhpqgpc01.exe
C:Program FilesCommon FilesJavaJava Updatejucheck.exe
C:PROGRA~1McAfeeMSMMcSmtFwk.exe
C:PROGRA~1COMMON~1McAfeeMSCMcUICnt.exe
C:Program FilesCommon FilesMcAfeeCoremchost.exe
C:Program FilesAdobeAdobe Acrobat 7.0AcrobatAcrobat.exe
C:UsersRobinAppDataLocalTempAdobelm_Cleanup.0001
C:Program FilesCommon FilesAdobe Systems SharedServiceAdobelmsvc.exe
C:UsersRobinAppDataLocalTempAdobelm_Cleanup.0001
C:WindowsSystem32svchost.exe -k HPZ12
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesMalwarebytes' Anti-Malwarembam.exe
C:Windowssystem32MacromedFlashFlashUtil10c.exe
C:UsersRobinDesktopdds.scr
C:Windowssystem32wbemwmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5630E
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5630E
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5630E
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:program filesadobeadobe acrobat 7.0activexAcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:progra~1micros~2office12GRA8E1~1.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:program filescommon filesmcafeesystemcoreScriptSn.20100318121354.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:program filesadobeadobe acrobat 7.0acrobatAcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:program filesgooglegoogletoolbarnotifier5.5.4723.1820swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:progra~1mcafeesitead~1mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:windowssystem32BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program filesjavajre6binjp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:program fileshpdigital imagingsmart web printinghpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:program filesadobeadobe acrobat 7.0acrobatAcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:progra~1mcafeesitead~1mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:program filesadobeadobe acrobat 7.0acrobatAcroIEFavClient.dll
uRun: [ehTray.exe] c:windowsehomeehTray.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:program filescommon filesnerolibNMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [swg] "c:program filesgooglegoogletoolbarnotifierGoogleToolbarNotifier.exe"
uRun: [godunugus] Rundll32.exe "c:progra~2yiduvupoyiduvupo.dll",a
mRun: [Windows Defender] %ProgramFiles%Windows DefenderMSASCui.exe -hide
mRun: [auditadmin] c:windowsoptionsauditadmin.cmd
mRun: [CCUTRAYICON] c:program filesintelinteldhccuCCU_TrayIcon.exe
mRun: [NMSSupport] "c:program filescommon filesintelinteldhnmssupportIntelHCTAgent.exe" /startup
mRun: [IAAnotif] "c:program filesintelintel matrix storage managerIaanotif.exe"
mRun: [Adobe Version Cue CS2] "c:program filesadobeadobe version cue cs2controlpanelVersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "c:program filesadobeadobe acrobat 7.0distillrAcrotray.exe"
mRun: [<NO NAME>]
mRun: [GrooveMonitor] "c:program filesmicrosoft officeoffice12GrooveMonitor.exe"
mRun: [HPUsageTracking] c:program fileshphp utbinhppusg.exe "c:program fileshphp ut"
mRun: [hpbdfawep] c:program fileshpdfawepbinhpbdfawep.exe 1
mRun: [TrueImageMonitor.exe] c:program filesacronistrueimagehomeTrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:program filesacronistrueimagehomeTimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:program filescommon filesacronisschedule2schedhlp.exe"
mRun: [HP Software Update] c:program fileshphp software updateHPWuSchd2.exe
mRun: [IgfxTray] c:windowssystem32igfxtray.exe
mRun: [HotKeysCmds] c:windowssystem32hkcmd.exe
mRun: [Persistence] c:windowssystem32igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:program filesadobereader 8.0readerReader_sl.exe"
mRun: [QuickTime Task] "c:program filesquicktimeQTTask.exe" -atboottime
mRun: [iTunesHelper] "c:program filesitunesiTunesHelper.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [SunJavaUpdateSched] "c:program filescommon filesjavajava updatejusched.exe"
mRun: [UVS10 Preload] c:program filesulead systemsulead videostudio se dvduvPL.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:program filesmalwarebytes' anti-malwarembam.exe" /runcleanupscript
mRun: [mcui_exe] "c:program filesmcafee.comagentmcagent.exe" /runkey
mRunOnce: [Launcher] %WINDIR%SMINSTlauncher.exe
StartupFolder: c:usersrobinappdataroamingmicros~1windowsstartm~1programsstartuponenot~1.lnk - c:program filesmicrosoft officeoffice12ONENOTEM.EXE
StartupFolder: c:progra~2micros~1windowsstartm~1programsstartupadobea~1.lnk - c:windowsinstaller{ac76ba86-1033-0000-7760-000000000002}SC_Acrobat.exe
StartupFolder: c:progra~2micros~1windowsstartm~1programsstartupadobeg~1.lnk - c:program filescommon filesadobecalibrationAdobe Gamma Loader.exe
StartupFolder: c:progra~2micros~1windowsstartm~1programsstartupapcups~1.lnk - c:program filesapcapc powerchute personal editionDisplay.exe
StartupFolder: c:progra~2micros~1windowsstartm~1programsstartuphpdigi~1.lnk - c:program fileshpdigital imagingbinhpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Convert link target to Adobe PDF - c:program filesadobeadobe acrobat 7.0acrobatAcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:program filesadobeadobe acrobat 7.0acrobatAcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:program filesadobeadobe acrobat 7.0acrobatAcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:program filesadobeadobe acrobat 7.0acrobatAcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:program filesadobeadobe acrobat 7.0acrobatAcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:program filesadobeadobe acrobat 7.0acrobatAcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:program filesadobeadobe acrobat 7.0acrobatAcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:program filesadobeadobe acrobat 7.0acrobatAcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:progra~1micros~2office10EXCEL.EXE/3000
IE: Google Sidewiki... - c:program filesgooglegoogle toolbarcomponentGoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:progra~1micros~2office12ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1micros~2office12REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:program fileshpdigital imagingsmart web printinghpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:progra~1mcafeesitead~1McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:progra~1micros~2office12GR99D3~1.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:progra~1mcafeesitead~1McIEPlg.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:progra~1googlegoogle~1GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:progra~1micros~2office12GRA8E1~1.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:usersrobinappdataroamingmozillafirefoxprofileso3ipw2p7.default
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aolradio-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=05-12-2009&tb_mrud=05-04-2010
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=843&invocationType=tb50-ff-aolradio-ab-en-us&tb_uuid=100000000000000002&tb_oid=05-12-2009&tb_mrud=05-04-2010&query=
FF - component: c:program filesmcafeesiteadvisorcomponentsMcFFPlg.dll
FF - component: c:usersrobinappdataroamingmozillafirefoxprofileso3ipw2p7.defaultextensions{a7c6cf7f-112c-4500-a7ea-39801a327e5f}platformwinnt_x86-msvccomponentsipc.dll
FF - plugin: c:program filesgoogleupdate1.2.183.23npGoogleOneClick8.dll
FF - plugin: c:program filesmozilla firefoxpluginsnpdnu.dll
FF - plugin: c:program filesmozilla firefoxpluginsnpdnupdater2.dll
FF - plugin: c:program filesmozilla firefoxpluginsnpGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:program filesviewpointviewpoint experience technologynpViewpoint.dll
FF - plugin: c:program filesvistacodecpackrmbrowserpluginsnppl3260.dll
FF - plugin: c:program filesvistacodecpackrmbrowserpluginsnprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:windowsmicrosoft.netframeworkv3.5windows presentation foundationdotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:program filesmozilla firefoxgreprefsall.js - pref("ui.use_native_colors", true);
c:program filesmozilla firefoxgreprefsall.js - pref("ui.use_native_popup_windows", false);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.enable_click_image_resizing", true);
c:program filesmozilla firefoxgreprefsall.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("javascript.options.mem.high_water_mark", 32);
c:program filesmozilla firefoxgreprefsall.js - pref("javascript.options.mem.gc_frequency", 1600);
c:program filesmozilla firefoxgreprefsall.js - pref("network.auth.force-generic-ntlm", false);
c:program filesmozilla firefoxgreprefsall.js - pref("svg.smil.enabled", false);
c:program filesmozilla firefoxgreprefsall.js - pref("ui.trackpoint_hack.enabled", -1);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.debug", false);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.agedWeight", 2);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.bucketSize", 1);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.maxTimeGroupings", 25);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.timeGroupingSize", 604800);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.boundaryWeight", 25);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.formfill.prefixWeight", 5);
c:program filesmozilla firefoxgreprefsall.js - pref("html5.enable", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("lightweightThemes.update.enabled", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.allTabs.previews", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("plugins.update.notifyUser", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("toolbar.customization.usesheet", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.enable", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.max", 20);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 385536]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-3-18 64304]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-3-18 160720]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-28 93320]
R2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-18 174552]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-18 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-18 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-18 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-3-18 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-3-18 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-3-18 141792]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-18 55456]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-9-21 5504]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-28 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-28 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-18 312584]
S?4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-2-19 38224]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-14 135664]
S3 DVXUSBKS;DVXCEL Streaming Class Driver;c:\windows\system32\drivers\DVXUSBKS.sys [2010-1-18 46397]
S3 DVXUSBLD;DVXUSBLD;c:\windows\system32\drivers\DVXUSBLD.SYS [2010-1-18 65305]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-15 21504]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-9-21 29744]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-18 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-28 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-28 40552]
S3 mosuport;USB Serial/Parallel Ports;c:\windows\system32\drivers\mosuport.sys [2008-2-2 882432]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2010-04-05 15:04:04 0 d-----r- c:\programdata\yiduvupo
2010-03-18 16:13:54 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-03-18 16:13:46 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-03-18 16:13:46 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-03-18 16:13:46 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-03-18 16:13:46 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-03-18 16:13:46 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-03-18 16:13:46 160720 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-03-17 01:39:46 0 d-----w- c:\program files\Netpromax
2010-03-11 08:01:05 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-11 08:01:03 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-11 08:01:03 30720 ----a-w- c:\windows\system32\httpapi.dll

==================== Find3M ====================

2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-18 16:14:11 51200 ----a-w- c:\windows\inf\infpub.dat
2010-03-18 16:14:11 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-18 16:14:10 143360 ----a-w- c:\windows\inf\infstor.dat
2010-03-15 14:08:00 103784 ----a-w- c:\users\robin\GoToAssistDownloadHelper.exe
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-17 20:14:35 77350 ----a-w- c:\windows\hpqins05.dat
2009-11-17 08:20:31 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-11-01 15:45:18 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-15 07:27:53 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-11-23 13:12:46 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-11-26 17:32:46 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 1:26:54.68 ===============



Edited by Budapest, 07 April 2010 - 12:37 AM.
Merged posts ~BP
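Editorial note: the log above, and the ComboFix log later in this thread, show the artifacts a reader is expected to pick out by eye: an eight-letter directory (yiduvupo) under ProgramData, five eight-letter .job scheduled tasks, autorun.inf at the root of C: and D:, inst.exe sitting directly in AppData\Roaming, and a hidden lowsec directory. The script below is an added example written for this page, not part of the thread and not DDS or ComboFix code. It parses DDS/ComboFix-style log lines and flags those patterns. The sample lines are constructed from the thread's logs, and every rule is a heuristic chosen here: the eight-letter rule is tuned to this particular dropper's naming and will also match an innocent eight-letter name, while the lowsec rule relies on that directory name being the data store used by Zeus/Zbot builds of this era.

```python
import re

# Constructed sample lines, modelled on the DDS "Created Last 30" section and the
# ComboFix "Other Deletions" and Find3M sections in this thread. Not a verbatim
# copy of the posted logs.
SAMPLE_LOG = """\
2010-04-05 15:04:04 0 d-----r- c:\\programdata\\yiduvupo
2010-03-18 16:13:54 9344 ----a-w- c:\\windows\\system32\\drivers\\mfeclnk.sys
2010-03-17 01:39:46 0 d-----w- c:\\program files\\Netpromax
R2 gupdate;Google Update Service (gupdate);c:\\program files\\Google\\Update\\GoogleUpdate.exe [2010-02-14 135664]
c:\\windows\\Tasks\\aoaifmze.job
c:\\windows\\Tasks\\czoyfnfw.job
c:\\windows\\Tasks\\GoogleUpdateTaskMachineCore.job
c:\\windows\\Tasks\\HP WEP.job
C:\\autorun.inf
c:\\users\\Andy\\AppData\\Roaming\\inst.exe
2010-02-19 06:08 . 2010-02-17 03:10 -------- d-sh--w- c:\\users\\Robin\\AppData\\Roaming\\lowsec
"""

# In every DDS/ComboFix line we care about, the Windows path is the last field,
# optionally followed by a "[date size]" bracket.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\[\]]*?)\s*(?:\[[^\]]*\])?\s*$")

# Heuristic (assumption): the dropper in this thread named every artifact with
# exactly eight lowercase letters (yiduvupo, aoaifmze, ...). A legitimate
# eight-letter name will match too, so treat hits as leads, not verdicts.
RANDOM_NAME_RE = re.compile(r"[a-z]{8}")


def extract_path(line):
    """Return the drive-letter path at the end of a log line, or None."""
    m = PATH_RE.search(line)
    return m.group(1).rstrip() if m else None


def classify(path):
    """Return the reasons a path looks like a dropper artifact (empty if none)."""
    reasons = []
    parts = path.split("\\")
    low = [p.lower() for p in parts]
    stem = parts[-1].rsplit(".", 1)[0]

    if RANDOM_NAME_RE.fullmatch(stem):
        reasons.append("random eight-letter lowercase name")

    # "C:\autorun.inf" splits into exactly two parts: drive and file name.
    if len(parts) == 2 and low[1] == "autorun.inf":
        reasons.append("autorun.inf at drive root (spreads via removable media)")

    if "roaming" in low:
        tail = low[low.index("roaming") + 1:]
        # A bare executable directly under AppData\Roaming, outside any vendor folder.
        if len(tail) == 1 and tail[0].endswith(".exe"):
            reasons.append("executable dropped directly in AppData\\Roaming")
        if tail and tail[0] == "lowsec":
            reasons.append("'lowsec' directory, the Zeus/Zbot data-store name")
    return reasons


def triage(log_text):
    """Map each suspicious path found in the log text to its list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        path = extract_path(line.strip())
        if path:
            reasons = classify(path)
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("    -", reason)
```

Run against a real DDS or ComboFix log with `triage(open("ComboFix.txt").read())`. Two lines in the sample show the limits of the name rule: mfeclnk.sys (a McAfee driver, seven letters) passes untouched, and any eight-letter vendor file would be flagged, so the output is a list of things to look at, not a removal list, which is the same caution Ried gives about GMER output below.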




#2 Ried (Malware Response Team, 1,009 posts)

Posted 08 April 2010 - 09:35 PM

Hello hep181,

I do see the infection, but would like to see a report from a rootkit scanner before we begin.


Download GMER Rootkit Scanner from here


  • Extract the contents of the zipped file to desktop.
  • Disable your onboard Anti Virus and any other Active protection programs you have installed.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.





  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



Please note:

If (and only if) there are problems using gmer as indicated above, save a scan from the initial startup scan.


  • Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click the gmer.exe file.
  • The program will begin to run, and perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.
  • In any case, after the initial scan is complete, click on the Save button, and save the log file somewhere you can easily find it, such as your desktop, and attach it in reply


Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#3 hep181 (Topic Starter, Members, 20 posts, Location: ny)

Posted 08 April 2010 - 10:44 PM

Ried,
Thank you for your response. Attached you will find the DDS file and the OTL file. Every time I run the GMER I get the BSOD several minutes into the scan. I have tried the GMER many times, even in safe mode. I have attached the initial startup GMER scan.

Steps I took: I found the yiduvupo file in c:/ProgramData/ and deleted the file in safe mode. I also disabled the "godunugus" rundll32.exe from startup. I do not get the pop ups, but I feel that the virus is still floating around.

All your help is greatly appreciated.

Hep

Attached Files

  • Attached File  OTL.Txt   118.94KB   0 downloads
  • Attached File  DDS.txt   27.39KB   1 downloads
  • Attached File  ark.txt   1.58KB   1 downloads

Edited by hep181, 09 April 2010 - 09:33 AM.


#4 Ried (Malware Response Team, 1,009 posts)

Posted 09 April 2010 - 03:14 PM

You're welcome.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#5 hep181 (Topic Starter, Members, 20 posts, Location: ny)

Posted 09 April 2010 - 11:43 PM

Ried,

I had some luck today with running the GMER. It took 6 hours to complete and I was able to get a log and attach it.
I have run the combofix and attached the log also.

Thanks again.

Hep.

ComboFix 10-04-09.01 - Andy 04/10/2010 0:05.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3045.1899 [GMT -4:00]
Running from: c:\users\Andy\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3940893328-3631755183-1074097039-1009
c:\$recycle.bin\S-1-5-21-3940893328-3631755183-1074097039-500
C:\autorun.inf
C:\setup.exe
c:\users\Andy\AppData\Roaming\inst.exe
c:\windows\SMINST\HPCD.sys.bak2
c:\windows\system32\Config.ini
c:\windows\Tasks\aoaifmze.job
c:\windows\Tasks\czoyfnfw.job
c:\windows\Tasks\pbmlizpt.job
c:\windows\Tasks\qvwhvglv.job
c:\windows\Tasks\rjfihyqu.job
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
.

2010-04-10 04:25 . 2010-04-10 04:27 -------- d-----w- c:\users\Andy\AppData\Local\temp
2010-04-10 04:25 . 2010-04-10 04:25 -------- d-----w- c:\users\Robin\AppData\Local\temp
2010-04-10 04:25 . 2010-04-10 04:25 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2010-04-10 04:25 . 2010-04-10 04:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-05 01:05 . 2010-04-07 11:11 -------- d-----w- c:\program files\7-Zip
2010-03-18 16:13 . 2010-01-05 22:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-03-18 16:13 . 2010-01-05 22:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-03-18 16:13 . 2010-01-05 22:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-03-18 16:13 . 2010-01-05 22:04 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-03-18 16:13 . 2010-01-05 22:04 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-03-18 16:13 . 2010-01-05 22:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-03-18 16:13 . 2010-01-05 22:04 160720 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-03-17 01:39 . 2010-03-17 01:39 45056 ----a-r- c:\users\Andy\AppData\Roaming\Microsoft\Installer\{2FADDA3D-9174-4485-AA71-85A050DE1EFA}\FXClient.exe1_2FADDA3D91744485AA7185A050DE1EFA.exe
2010-03-17 01:39 . 2010-03-17 01:39 45056 ----a-r- c:\users\Andy\AppData\Roaming\Microsoft\Installer\{2FADDA3D-9174-4485-AA71-85A050DE1EFA}\FXClient.exe_2FADDA3D91744485AA7185A050DE1EFA.exe
2010-03-17 01:39 . 2010-03-17 01:39 3310 ----a-r- c:\users\Andy\AppData\Roaming\Microsoft\Installer\{2FADDA3D-9174-4485-AA71-85A050DE1EFA}\ARPPRODUCTICON.exe
2010-03-17 01:39 . 2010-03-17 01:39 -------- d-----w- c:\program files\Netpromax
2010-03-11 08:01 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-11 08:01 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-11 08:01 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 02:10 . 2008-01-09 02:48 242048 ----a-w- c:\users\Andy\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-07 05:08 . 2008-01-11 16:21 242048 ----a-w- c:\users\Robin\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-07 04:39 . 2007-09-21 17:07 -------- d-----w- c:\program files\Microsoft.NET
2010-04-06 13:19 . 2010-02-24 19:56 1356 ----a-w- c:\users\Robin\AppData\Local\d3d9caps.dat
2010-04-05 23:37 . 2010-02-19 06:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 00:33 . 2010-02-19 06:36 5918776 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-01 07:22 . 2009-06-29 01:29 -------- d-----w- c:\program files\McAfee.com
2010-03-30 04:46 . 2010-02-19 06:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-02-19 06:25 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 14:29 . 2009-06-29 01:29 -------- d-----w- c:\program files\McAfee
2010-03-24 14:29 . 2007-09-21 17:29 -------- d-----w- c:\programdata\McAfee
2010-03-24 14:28 . 2009-06-29 01:29 -------- d-----w- c:\program files\Common Files\McAfee
2010-03-23 14:18 . 2008-01-12 14:42 -------- d-----w- c:\users\Andy\AppData\Roaming\mIRC
2010-03-15 14:08 . 2009-06-28 16:24 103784 ----a-w- c:\users\Robin\GoToAssistDownloadHelper.exe
2010-03-13 18:24 . 2009-01-31 22:35 -------- d-----w- c:\users\Robin\AppData\Roaming\FotkiDesktop
2010-03-11 08:24 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-24 14:16 . 2009-12-19 13:52 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-31 13:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 13:04 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 13:04 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 13:04 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 15:29 . 2010-02-20 15:29 -------- d-----w- c:\program files\Trend Micro
2010-02-19 16:15 . 2010-02-19 16:15 -------- d-----w- c:\users\Andy\AppData\Roaming\Malwarebytes
2010-02-19 06:26 . 2010-02-19 06:26 -------- d-----w- c:\users\Robin\AppData\Roaming\Malwarebytes
2010-02-19 06:25 . 2010-02-19 06:25 -------- d-----w- c:\programdata\Malwarebytes
2010-02-19 06:08 . 2010-02-17 03:10 -------- d-sh--w- c:\users\Robin\AppData\Roaming\lowsec
2010-02-14 16:51 . 2007-09-21 17:08 -------- d-----w- c:\program files\Google
2010-02-14 13:02 . 2010-02-14 13:02 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb7DE7.tmp.exe
2010-02-12 02:11 . 2009-01-07 22:59 -------- d-----w- c:\users\Andy\AppData\Roaming\FotkiDesktop
2010-02-11 18:17 . 2010-02-11 18:17 5896 ----a-w- c:\users\Andy\FeaturedProducts_v1.6.4.zip
2010-01-25 12:00 . 2010-02-24 13:26 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 13:26 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 13:26 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 13:26 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 13:26 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 13:26 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 13:26 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 13:26 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-24 13:26 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-24 13:27 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-17 20:14 . 2010-01-17 19:46 77350 ----a-w- c:\windows\hpqins05.dat
2008-08-13 11:22 . 2008-08-13 11:22 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2010-01-05 22:04 . 2010-03-18 16:13 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2008-01-15 16:24 . 2008-01-15 16:24 0 --sha-w- c:\windows\S8A7986C2(187).tmp
2008-01-15 16:24 . 2008-01-15 16:24 48 --sh--w- c:\windows\S8A7986C2.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"googletalk"="c:\users\Andy\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-19 39408]
"updateMgr"="c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"auditadmin"="c:\windows\options\auditadmin.cmd" [2007-04-06 476]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 151552]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 2595480]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 905056]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-14 140568]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SigmatelSysTrayApp"="sttray.exe" [2007-03-01 303104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-09 36864]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-04 1179952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-13 40072]

c:\users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Yankee Clipper III.lnk - c:\program files\YCIII\YankClip.exe [2008-2-10 1368064]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-1-12 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-1-20 267520]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bug Shooting.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bug Shooting.lnk
backup=c:\windows\pss\Bug Shooting.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Creating Keepsakes Scrapbook Designer Event Reminder.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Creating Keepsakes Scrapbook Designer Event Reminder.lnk
backup=c:\windows\pss\Creating Keepsakes Scrapbook Designer Event Reminder.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^UPS WorldShip PLD Reminder Utility.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\UPS WorldShip PLD Reminder Utility.lnk
backup=c:\windows\pss\UPS WorldShip PLD Reminder Utility.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Andy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Fotki Desktop.lnk]
path=c:\users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fotki Desktop.lnk
backup=c:\windows\pss\Fotki Desktop.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigFix]
2006-11-16 23:04 2348584 ----a-w- c:\program files\BigFix\bigfix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-08-13 11:22 29744 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2007-10-08 21:50 41824 ----a-w- c:\program files\Common Files\AOL\1206287151\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
2007-04-25 19:28 954368 ----a-w- c:\program files\HP\Dfawep\bin\hpbdfawep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-06-02 07:55 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2007-05-04 18:14 36864 ----a-w- c:\program files\HP\HP UT\bin\hppusg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-12-14 00:10 1688872 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-12-03 19:21 2213160 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-03-14 23:50 233472 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:61,21,cc,b1,b2,53,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 135664]
R3 DVXUSBKS;DVXCEL Streaming Class Driver;c:\windows\system32\DRIVERS\DVXUSBKS.sys [2003-08-29 46397]
R3 DVXUSBLD;DVXUSBLD;c:\windows\system32\drivers\DVXUSBLD.SYS [2003-10-14 65305]
R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-13 29744]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-01-05 83496]
R3 mosuport;USB Serial/Parallel Ports;c:\windows\system32\DRIVERS\mosuport.sys [2007-03-09 882432]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R4 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-01-05 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-01-05 160720]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-23 93320]
S2 McMPFSvc;McAfee Personal Firewall;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2009-12-15 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2009-12-15 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-01-05 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-01-05 141792]
S2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\DRIVERS\nmsgopro.sys [2006-09-27 28672]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 7424]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-01-05 55456]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-09-21 5504]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-01-05 312584]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 16:50]

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 16:50]

2010-04-08 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 19:28]

2010-04-10 c:\windows\Tasks\User_Feed_Synchronization-{023EB521-C7B5-431A-B2D0-7A1565094C8C}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5630E
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\g6i7hmx0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - component: c:\users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\g6i7hmx0.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)
MSConfigStartUp-godunugus - c:\progra~2\yiduvupo\yiduvupo.dll
MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-10 00:27
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Andy\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1012)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-04-10 00:33:52
ComboFix-quarantined-files.txt 2010-04-10 04:33

Pre-Run: 28,314,505,216 bytes free
Post-Run: 36,853,014,528 bytes free

- - End Of File - - BF27FD07AB2C7CC49E3872699656FDAA

Edited by Ried, 09 April 2010 - 11:51 PM.


#6 Ried

  • Malware Response Team
  • 1,009 posts
  • Gender:Male

Posted 10 April 2010 - 12:03 AM

Hi Hep,

How is the system behaving now?

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#7 hep181

  • Topic Starter

  • Members
  • 20 posts
  • Location:ny

Posted 10 April 2010 - 11:25 AM

Ried:

The system is running stable. I have not had any system problems other than the pop ups, but I knew that there was a virus infection. My main concern is that there are not any traces of virus/malware left.
Hep


#8 Ried

  • Malware Response Team
  • 1,009 posts
  • Gender:Male

Posted 10 April 2010 - 09:20 PM

Are the pop ups gone now?

Regardless, I think it would be prudent to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.






#9 hep181

  • Topic Starter

  • Members
  • 20 posts
  • Location:ny

Posted 11 April 2010 - 10:04 AM

Ried:
Below is the Kaspersky scan report. Thank you for your help.



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, April 11, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, April 11, 2010 00:53:41
Records in database: 3933653
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 335505
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 08:40:36


File name / Threat / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1

Selected area has been scanned.


#10 Ried

  • Malware Response Team
  • 1,009 posts
  • Gender:Male

Posted 11 April 2010 - 10:42 AM

Hi Hep,

Kaspersky is only alerting to the presence of an IRC client on the machine. If you installed mIRC, it is of no concern.

If there aren't any more problems, we have some final housekeeping to tend to now. Please do not skip this step, as it will implement some important cleanup procedures, one of which is resetting your System Restore by flushing out previous restore points (which contain the infections) and creating a new restore point for you.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /uninstall

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.


To help protect your computer in the future I recommend that you follow these steps and look into the following free programs if you don't already have them:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
    • SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

  • WOT (Web of Trust). As 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • BACKING UP YOUR REGISTRY
    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles

**Kindly respond one more time and let me know if we may consider this thread resolved.



#11 hep181

  • Topic Starter

  • Members
  • 20 posts
  • Location:ny

Posted 11 April 2010 - 11:04 AM

Ried,
I uninstalled ComboFix and everything looks good here.

I would like to thank you very much for all of your help with this matter. All too often I (all of us) rely too heavily on McAfee (Norton, etc.) to help save us from these virus/malware programs that are lurking out there in cyberspace, and all too many times McAfee (et al.) fail to protect us from these predators. You are part of an invaluable service, and I commend you for your services.

Sincerely,
Hep

#12 Ried

  • Malware Response Team
  • 1,009 posts
  • Gender:Male

Posted 13 April 2010 - 12:06 AM

You're most welcome, and thank you for the kind words. Take care, Hep.





