
Desktop Security 2010 Virus


This topic is locked
22 replies to this topic

#1 jgmoney0

Posted 13 April 2010 - 09:19 PM

So I've been infected with this Desktop Security 2010 virus. I get all these security notices and pop-ups saying I have hundreds of threats and stuff. I followed all the preparation guidelines, but when I run gmer.exe, my computer won't let me get through the scan; it either freezes or nearly freezes and stops the scan.

Here are the logs that you asked me to produce in the preparation section.

The DDS.txt is below and the Attach.txt is attached.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jason at 17:18:20.81 on Tue 04/13/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1269 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\Desktop Security 2010.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\securitycenter.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\DOCUME~1\Jason\LOCALS~1\Temp\ocLF.exe
C:\program files\common files\apple\mobile device support\bin\syncuicore.resources\nl.lproj\resourcesyncuicore1500.exe
C:\program files\microsoft silverlight\3.0.50106.0\zh-hans\resourcessystem.exe
C:\program files\common files\apple\mobile device support\bin\syncuicore.resources\nl.lproj\resourcesyncuicore1500.exe
C:\program files\quicktime\qtsystem\quicktimevr.resources\pt.lproj\recursosquicktimerecursosquicktime.exe
C:\program files\itunes\ituneshelper.resources\ituneshelperituneshelper.exe
C:\program files\microsoft silverlight\3.0.50106.0\zh-hans\resourcessystem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jason\Local Settings\temp\m.21701.tmp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Jason\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uWinlogon: Shell=c:\documents and settings\jason\application data\desktop security 2010\Desktop Security 2010.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: VMN Toolbar: {078fed71-52f2-4a49-a0ab-6453e2ca72ba} - c:\program files\vmndtx\vmndx.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~2\SDHelper.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.8.0\ViewBarBHO.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Security Helper {D63F58E9-B8BB-4DBA-B2A0-44F72C2A61BD}: {d63f58e9-b8bb-4dba-b2a0-44f72c2a61bd} - c:\program files\vmndtx\auxi\vmndAu.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: VMN Toolbar: {078fed71-52f2-4a49-a0ab-6453e2ca72ba} - c:\program files\vmndtx\vmndx.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [h22eqeuwdfka] c:\documents and settings\jason\local settings\temp\m.21701.tmp.exe
uRun: [SecurityCenter] c:\documents and settings\jason\application data\desktop security 2010\securitycenter.exe
mRun: [SiteAdvisor] c:\program files\siteadvisor\6253\SiteAdv.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [ocLF] c:\docume~1\jason\locals~1\temp\ocLF.exe
mRun: [SyncUICoreSyncUICoreLocalized] c:\program files\common files\apple\mobile device support\bin\syncuicore.resources\nl.lproj\resourcesyncuicore1500.exe
mRun: [resourcesmscorrc] c:\program files\microsoft silverlight\3.0.50106.0\zh-hans\resourcessystem.exe
mRun: [MobileMeSyncUICore] c:\program files\common files\apple\mobile device support\bin\syncuicore.resources\nl.lproj\resourcesyncuicore1500.exe
mRun: [QuickTimeRecursosQuickTime] c:\program files\quicktime\qtsystem\quicktimevr.resources\pt.lproj\recursosquicktimerecursosquicktime.exe
mRun: [iTunesiTunesHelper] c:\program files\itunes\ituneshelper.resources\ituneshelperituneshelper.exe
mRun: [mscorlibSilverlight] c:\program files\microsoft silverlight\3.0.50106.0\zh-hans\resourcessystem.exe
mRunServices: [ocLF] c:\docume~1\jason\locals~1\temp\ocLF.exe
mRunServices: [iTunesHelperiTunes9.0.3.15] c:\program files\itunes\ituneshelper.resources\ituneshelperituneshelper.exe
mRunServices: [QuickTimeRecursosQuickTime] c:\program files\quicktime\qtsystem\quicktimevr.resources\pt.lproj\recursosquicktimerecursosquicktime.exe
mRunServices: [SecurityCenterMcSubMgr] c:\program files\mcafee\msc\mcsubmgr\9,3,137,0\mcafeesecuritycenter.exe
mRunServices: [QuickTimeQuickTimeResources7.6.4] c:\program files\quicktime\qtsystem\quicktimeh264.resources\pl.lproj\quicktimequicktimeresources7.6.4.exe
mRunServices: [SyncUICoreLocalizedMobileMe] c:\program files\common files\apple\mobile device support\bin\syncuicore.resources\nl.lproj\resourcesyncuicore1500.exe
mRunServices: [iTunesiTunesHelper] c:\program files\itunes\ituneshelper.resources\ituneshelperituneshelper.exe
mRunServices: [resourcesMicrosoft] c:\program files\microsoft silverlight\3.0.50106.0\zh-hans\resourcessystem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~2\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: turbotax.com
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} - hxxp://messenger.zone.msn.com/binary/Upwords.cab31267.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/OnlineScanner.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158636037250
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - hxxp://messenger.zone.msn.com/binary/WoF.cab31267.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - c:\docume~1\jason\locals~1\temp\887.tmp
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
AppInit_DLLs: c:\windows\system32\yajorupo.dll c:\windows\system32\norefose.dll c:\windows\system32\yebalino.dll c:\windows\system32\mugorazi.dll c:\windows\system32\bazekava.dll c:\windows\system32\nohopimi.dll c:\windows\system32\suhokamo.dll c:\windows\system32\hajutuki.dll c:\windows\system32\wojelipu.dll c:\windows\system32\wadavuro.dll c:\windows\system32\pisiwufu.dll c:\windows\system32\zabotepi.dll c:\windows\system32\zutakopo.dll c:\windows\system32\yazataso.dll c:\windows\system32\gopubeme.dll c:\windows\system32\gevimoji.dll konazuki.dll c:\windows\system32\bemogeva.dll c:\windows\system32\fuwubidu.dll c:\windows\system32\sopikahu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: fonadidev - {5fc68504-31ea-4bb6-8c70-c7fe767b2c36} - c:\windows\system32\yebalino.dll
SSODL: titizinuy - {f19b380d-3fa0-4a2e-8f5a-cf9acba5e588} - No File
SSODL: bahadured - {da5a1030-fedf-4bb6-a77a-d44f63a46167} - c:\windows\system32\bazekava.dll
SSODL: lopayuyar - {fb37ee86-64d1-4cf2-b5ad-3207132b2931} - c:\windows\system32\nohopimi.dll
SSODL: ranopudik - {d17ed1e7-f734-47d1-935e-66b05bbc40ac} - No File
SSODL: jewijumiv - {15db9780-02c7-4a62-a93d-0778b39d6c7b} - c:\windows\system32\hajutuki.dll
SSODL: munutofor - {78bc512b-1acd-451c-8e05-460c6029ca89} - c:\windows\system32\wojelipu.dll
SSODL: milapihov - {e21cac5d-44a1-4e6c-ad8e-48663c0697a2} - c:\windows\system32\wadavuro.dll
SSODL: jutisanir - {0163d963-d451-4616-a63a-9a5dd84a16f5} - c:\windows\system32\wupubeyu.dll
SSODL: powilawol - {54894235-d6e3-4808-8350-43df54fd5062} - No File
SSODL: yaluhevut - {6df8b13f-831e-4174-a264-d28e8eea210f} - c:\windows\system32\gevimoji.dll
SSODL: wukuzoyap - {8937c430-1218-47bc-976f-907b93df5cdb} - No File
STS: jugezatag: {5fc68504-31ea-4bb6-8c70-c7fe767b2c36} - c:\windows\system32\yebalino.dll
STS: {f19b380d-3fa0-4a2e-8f5a-cf9acba5e588} - No File
STS: tokatiluy: {da5a1030-fedf-4bb6-a77a-d44f63a46167} - c:\windows\system32\bazekava.dll
STS: jugezatag: {fb37ee86-64d1-4cf2-b5ad-3207132b2931} - c:\windows\system32\nohopimi.dll
STS: {d17ed1e7-f734-47d1-935e-66b05bbc40ac} - No File
STS: mujuzedij: {15db9780-02c7-4a62-a93d-0778b39d6c7b} - c:\windows\system32\hajutuki.dll
STS: kupuhivus: {78bc512b-1acd-451c-8e05-460c6029ca89} - c:\windows\system32\wojelipu.dll
STS: gahurihor: {e21cac5d-44a1-4e6c-ad8e-48663c0697a2} - c:\windows\system32\wadavuro.dll
STS: tokatiluy: {60c9c282-1737-4472-80aa-19f4162a8fc7} - c:\windows\system32\wupubeyu.dll
STS: kupuhivus: {0163d963-d451-4616-a63a-9a5dd84a16f5} - c:\windows\system32\wupubeyu.dll
STS: {54894235-d6e3-4808-8350-43df54fd5062} - No File
STS: tokatiluy: {6df8b13f-831e-4174-a264-d28e8eea210f} - c:\windows\system32\gevimoji.dll
STS: {8937c430-1218-47bc-976f-907b93df5cdb} - No File
STS: {6148acda-d887-4e2a-bb6e-e547399f8cf8} - No File
STS: gahurihor: {cdc195b9-3a79-4224-8102-055199c9e64f} - c:\windows\system32\sopikahu.dll
LSA: Notification Packages = scecli c:\windows\system32\yajorupo.dll kuyigiba.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jason\applic~1\mozilla\firefox\profiles\itjajcmh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www3.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=
FF - component: c:\documents and settings\jason\application data\mozilla\firefox\profiles\itjajcmh.default\extensions\{924c2e74-df1a-4616-8505-980061d62d40}\components\dtTransparency.dll
FF - plugin: c:\documents and settings\jason\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\jason\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\jason\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www3.yoog.com/search.php?q=
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-13 217032]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-1-20 214664]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-13 112592]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-7-30 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-1-20 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-1-20 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-1-20 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-1-20 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-1-20 40552]
S0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys --> c:\windows\system32\drivers\tclondrv.sys [?]
S2 gupdate1c9de6a36ca70ca;Google Update Service (gupdate1c9de6a36ca70ca);c:\program files\google\update\GoogleUpdate.exe [2009-5-26 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-11-28 38224]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-1-20 34248]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-13 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-13 1142224]

=============== Created Last 30 ================

2010-04-13 14:37:48 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-13 14:37:47 882 ----a-w- c:\windows\RegSDImport.xml
2010-04-13 14:37:47 879 ----a-w- c:\windows\RegISSImport.xml
2010-04-13 14:37:47 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-13 14:37:47 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-13 14:37:47 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-13 14:37:47 131 ----a-w- c:\windows\IDB.zip
2010-04-13 14:37:47 1152444 ----a-w- c:\windows\UDB.zip
2010-04-13 14:35:34 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-04-13 14:35:34 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-13 14:35:27 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-13 14:35:27 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-04-13 14:35:27 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-04-13 14:35:27 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-13 14:35:20 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-04-13 14:35:20 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-13 14:35:11 0 d-----w- c:\program files\Spyware Doctor
2010-04-13 14:35:11 0 d-----w- c:\program files\common files\PC Tools
2010-04-13 14:35:11 0 d-----w- c:\docume~1\jason\applic~1\PC Tools
2010-04-13 14:35:11 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-13 03:10:33 0 d-----w- c:\docume~1\jason\applic~1\Desktop Security 2010
2010-04-11 23:54:16 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-11 23:50:43 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-04-11 23:50:23 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-04-11 23:50:23 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-04-11 23:49:49 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-04-11 23:49:49 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-04-11 23:49:48 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-04-11 23:49:48 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-04-11 23:49:48 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-04-11 23:49:48 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-04-11 23:49:47 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-04-11 23:48:38 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-04-11 23:47:50 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-04-11 23:45:20 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-04-11 20:21:27 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-04-11 20:21:26 1206508 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2010-03-30 08:17:57 0 d-----w- c:\program files\common files\Windows Live

==================== Find3M ====================

2010-03-30 07:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2009-11-17 04:25:04 66936 --sha-w- c:\windows\slinfo_0.drv
2008-08-22 18:01:59 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 17:22:02.62 ===============

Attached Files
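The DDS log above shows the persistence set a rogue like this typically leaves behind: the Winlogon Shell value pointing at the rogue instead of explorer.exe, Run entries loading from Temp and Application Data, lookalike executables planted inside iTunes, QuickTime and Silverlight localisation folders, a long AppInit_DLLs list of generated-looking names, SSODL/STS shell objects that are orphaned or load those same DLLs, and an extra LSA Notification Package. The script below is an added example, not part of the original post and not DDS or BleepingComputer tooling; it parses a handful of lines copied from that log (embedded as a constructed sample) and flags each of those patterns. The function names (`triage`, `check_line`, `looks_generated`) and the consonant-vowel naming heuristic are my own assumptions, not something DDS itself does.

```python
"""Flag persistence entries in a DDS 'Pseudo HJT Report' (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log in this thread.
SAMPLE_DDS = r"""
uWinlogon: Shell=c:\documents and settings\jason\application data\desktop security 2010\Desktop Security 2010.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [h22eqeuwdfka] c:\documents and settings\jason\local settings\temp\m.21701.tmp.exe
mRun: [SiteAdvisor] c:\program files\siteadvisor\6253\SiteAdv.exe
mRun: [ocLF] c:\docume~1\jason\locals~1\temp\ocLF.exe
mRun: [iTunesiTunesHelper] c:\program files\itunes\ituneshelper.resources\ituneshelperituneshelper.exe
AppInit_DLLs: c:\windows\system32\yajorupo.dll c:\windows\system32\norefose.dll konazuki.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: fonadidev - {5fc68504-31ea-4bb6-8c70-c7fe767b2c36} - c:\windows\system32\yebalino.dll
SSODL: titizinuy - {f19b380d-3fa0-4a2e-8f5a-cf9acba5e588} - No File
LSA: Notification Packages = scecli c:\windows\system32\yajorupo.dll kuyigiba.dll
"""


@dataclass
class Finding:
    line: str    # the offending entry (or the single path inside a multi-value entry)
    reason: str  # why it was flagged


# Heuristic (my assumption): generated names like "yajorupo" are four consonant-vowel pairs.
SYLLABLE_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
# Locations a user-level dropper can write to without elevation (8.3 forms included).
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\applic~1\\", "\\locals~1\\", "\\local settings\\")
# Localisation bundles hold strings and images, not executables.
RESOURCE_DIR = (".lproj\\", ".resources\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_generated(filename: str) -> bool:
    stem, _, ext = filename.lower().rpartition(".")
    return ext == "dll" and bool(SYLLABLE_NAME.match(stem))


def check_line(line: str) -> list[Finding]:
    low = line.lower()
    out: list[Finding] = []
    if low.startswith(("uwinlogon:", "mwinlogon:")) and "shell=" in low:
        shell = low.split("shell=", 1)[1].strip()
        if basename(shell) != "explorer.exe":
            out.append(Finding(line, "Winlogon Shell replaced; only explorer.exe is expected"))
    elif low.startswith(("urun:", "mrun:", "urunservices:", "mrunservices:")):
        target = low.split("]", 1)[1].strip() if "]" in low else low
        if any(tok in target for tok in USER_WRITABLE):
            out.append(Finding(line, "autorun from a user-writable (Temp/profile) location"))
        if any(tok in target for tok in RESOURCE_DIR) and target.endswith(".exe"):
            out.append(Finding(line, "executable planted inside a localisation resource folder"))
    elif low.startswith("appinit_dlls:"):
        # DDS separates entries with spaces, so paths containing spaces cannot be recovered here.
        for dll in low.split(":", 1)[1].split():
            reason = "AppInit_DLLs is empty on a clean system"
            if looks_generated(basename(dll)):
                reason += "; generated-looking name"
            out.append(Finding(dll, reason))
    elif low.startswith(("ssodl:", "sts:")):
        target = low.rsplit(" - ", 1)[-1].strip()
        if target == "no file":
            out.append(Finding(line, "orphaned shell object (CLSID points at a missing file)"))
        elif looks_generated(basename(target)):
            out.append(Finding(line, "shell object loading a generated-looking DLL"))
    elif low.startswith("lsa: notification packages"):
        for pkg in low.split("=", 1)[1].split():
            if pkg != "scecli":
                out.append(Finding(pkg, "extra LSA notification package (sees password changes)"))
    return out


def triage(report: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in report.splitlines():
        if line.strip():
            findings.extend(check_line(line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[!] {f.reason}\n    {f.line}")
```

Run it as-is to see the eleven flagged entries from the sample; to use it on a full DDS.txt, pass the file contents to `triage()`. The AppInit_DLLs and LSA rules flag every non-default entry on purpose: both values are empty (or `scecli` only) on a clean XP install, so anything there deserves a look even when the name does not match the heuristic.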




#2 K27 (Malware Fighter)

Posted 14 April 2010 - 02:49 PM

Hi

Welcome to Bleeping Computer,

I'm K27 and I will be reviewing your log for you.

Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.

Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.

I will post back as soon as I have decided on the best course of action to take with your malware issues.

Thank you for your patience,
K27.

The Internet is the New Age Battle of the Old Age Clash Between Good and Evil



#3 jgmoney0 (Topic Starter)

Posted 14 April 2010 - 02:54 PM

Thank you. It's much appreciated.

#4 jgmoney0 (Topic Starter)

Posted 15 April 2010 - 12:53 AM

I also ran a scan with Malwarebytes' Anti-Malware, and here is the log from that scan; maybe it can help.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3989

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

4/14/2010 10:36:44 PM
mbam-log-2010-04-14 (22-36-44).txt

Scan type: Quick scan
Objects scanned: 123329
Time elapsed: 17 minute(s), 1 second(s)

Memory Processes Infected: 7
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 8
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 22

Memory Processes Infected:
C:\program files\common files\Apple\mobile device support\bin\syncuicore.resources\nl.lproj\resourcesyncuicore1500.exe (Rogue.DesktopSecurity2010) -> Unloaded process successfully.
C:\program files\microsoft silverlight\3.0.50106.0\zh-Hans\resourcessystem.exe (Rogue.DesktopSecurity2010) -> Unloaded process successfully.
C:\program files\common files\Apple\mobile device support\bin\syncuicore.resources\nl.lproj\resourcesyncuicore1500.exe (Rogue.DesktopSecurity2010) -> Unloaded process successfully.
C:\program files\quicktime\QTSystem\quicktimevr.resources\pt.lproj\recursosquicktimerecursosquicktime.exe (Rogue.DesktopSecurity2010) -> Unloaded process successfully.
C:\program files\iTunes\ituneshelper.resources\ituneshelperituneshelper.exe (Rogue.DesktopSecurity2010) -> Unloaded process successfully.
C:\program files\microsoft silverlight\3.0.50106.0\zh-Hans\resourcessystem.exe (Rogue.DesktopSecurity2010) -> Unloaded process successfully.
C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\securitycenter.exe (Rogue.DesktopSecurity2010) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Desktop Security 2010 (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Desktop Security 2010 (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syncuicoresyncuicorelocalized (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mobilemesyncuicore (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\resourcesmscorrc (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscorlibsilverlight (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\quicktimerecursosquicktime (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\itunesituneshelper (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\securitycenter (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Rogue.DesktopSecurity2010) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\Desktop Security 2010.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Jason\Start Menu\Programs\Desktop Security 2010 (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason\Application Data\Desktop Security 2010 (Rogue.DesktopSecurity2010) -> Delete on reboot.

Files Infected:
C:\program files\common files\Apple\mobile device support\bin\syncuicore.resources\nl.lproj\resourcesyncuicore1500.exe (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\program files\microsoft silverlight\3.0.50106.0\zh-Hans\resourcessystem.exe (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\program files\quicktime\QTSystem\quicktimevr.resources\pt.lproj\recursosquicktimerecursosquicktime.exe (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\program files\iTunes\ituneshelper.resources\ituneshelperituneshelper.exe (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mcafee_fn2qG6invFN0Nw9 (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Jason\Start Menu\Programs\Desktop Security 2010\Activate Desktop Security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason\Start Menu\Programs\Desktop Security 2010\Desktop Security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason\Start Menu\Programs\Desktop Security 2010\Help Desktop Security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason\Start Menu\Programs\Desktop Security 2010\How to Activate Desktop Security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\daily.cvd (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\Desktop Security 2010.exe (Rogue.DesktopSecurity2010) -> Delete on reboot.
C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\mfc71.dll (Rogue.DesktopSecurity2010) -> Delete on reboot.
C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\MFC71ENU.DLL (Rogue.DesktopSecurity2010) -> Delete on reboot.
C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\msvcp71.dll (Rogue.DesktopSecurity2010) -> Delete on reboot.
C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\msvcr71.dll (Rogue.DesktopSecurity2010) -> Delete on reboot.
C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\pthreadVC2.dll (Rogue.DesktopSecurity2010) -> Delete on reboot.
C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\securitycenter.exe (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\securityhelper.exe (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\taskmgr.dll (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason\Start Menu\Programs\Desktop Security 2010.LNK (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop Security 2010.LNK (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jason\Local Settings\temp\wrfwe_di.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

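As an added example (not part of this thread and not Malwarebytes' own code), the Python script below parses log lines in the format shown above and pulls out the three findings an analyst acts on first: the Run-key autostarts, the Winlogon Shell replacement reported as Hijack.Shell (the rogue's EXE took the place of Explorer.exe, so it starts at every logon), and the "Delete on reboot" items that remain on disk or in the registry until the machine restarts. The embedded sample is a constructed subset of the lines from the log above; the `Entry`, `parse_mbam_log`, `summarize` and other names are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One 2010-era Malwarebytes' Anti-Malware log entry looks like
#   <object> (<detection name>) -> <action>
# and the "Registry Data Items" entries additionally carry the old and new
# values:  -> Bad: (<value>) Good: (<value>) -> <action>
# The object is a registry key/value or a file path. Assumption: the object
# itself contains no " (" (true on 32-bit XP, not for "Program Files (x86)").
ENTRY_RE = re.compile(r"^(?P<obj>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")


@dataclass
class Entry:
    section: str                # e.g. "Registry Values Infected"
    obj: str                    # registry path or file path
    name: str                   # detection name, e.g. Rogue.DesktopSecurity2010
    action: str                 # what MBAM did, e.g. "Delete on reboot."
    bad: Optional[str] = None   # only for Hijack.* data items
    good: Optional[str] = None


def parse_mbam_log(text: str) -> List[Entry]:
    """Parse the per-section findings of an MBAM log into Entry records."""
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items detected)"):
            continue
        if line.endswith(":"):          # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m is None or section is None:
            continue                    # not a finding line
        rest = m.group("rest")
        bg = BAD_GOOD_RE.match(rest)
        if bg:
            entries.append(Entry(section, m.group("obj"), m.group("name"),
                                 bg.group("action"), bg.group("bad"), bg.group("good")))
        else:
            entries.append(Entry(section, m.group("obj"), m.group("name"), rest))
    return entries


def pending_reboot(entries: List[Entry]) -> List[str]:
    """Objects MBAM could not remove live; re-check them after the reboot."""
    return [e.obj for e in entries if e.action.startswith("Delete on reboot")]


def shell_hijack(entries: List[Entry]) -> Optional[Tuple[str, str]]:
    """Return (bad, good) for a Winlogon Shell replacement, if one was logged."""
    for e in entries:
        if e.name == "Hijack.Shell" and e.bad is not None:
            return e.bad, e.good
    return None


def run_key_autostarts(entries: List[Entry]) -> List[str]:
    """Run-key values the malware used to start at every logon."""
    return [e.obj for e in entries if "\\CurrentVersion\\Run\\" in e.obj]


def summarize(entries: List[Entry]) -> dict:
    """Counts per section plus the findings an analyst acts on first."""
    return {
        "per_section": dict(Counter(e.section for e in entries)),
        "run_key_autostarts": run_key_autostarts(entries),
        "shell_hijack": shell_hijack(entries),
        "pending_reboot": pending_reboot(entries),
    }


# Constructed sample: a subset of the lines from the MBAM log posted above.
SAMPLE_LOG = r"""
Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Desktop Security 2010 (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\itunesituneshelper (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\securitycenter (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Rogue.DesktopSecurity2010) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\Desktop Security 2010.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\program files\iTunes\ituneshelper.resources\ituneshelperituneshelper.exe (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mcafee_fn2qG6invFN0Nw9 (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Jason\Application Data\Desktop Security 2010\Desktop Security 2010.exe (Rogue.DesktopSecurity2010) -> Delete on reboot.
"""

if __name__ == "__main__":
    for key, value in summarize(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Anything returned by `pending_reboot` has only been marked for deletion, so the rogue's main EXE and the Winlogon Shell value in this log are still present until the restart; that is the reason a fresh scan log is normally requested after the reboot rather than treating the first one as final.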

#5 K27 (Malware Fighter, Members, 92 posts)

Posted 15 April 2010 - 03:27 PM

jgmoney0

PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS

Please:
  • Disable all Anti-virus/Anti-Spyware/Firewall on your machine (instructions via links below)
  • Anti Virus
  • Anti Spyware
  • If you have trouble disabling your firewall, please post back before continuing with which one you use and I will give you the instructions.
    (If it's a third-party firewall there should be an icon on your taskbar by the clock; right-click that and choose Disable/Stop. If it's the Windows built-in firewall you should be able to disable it via Control Panel.)


Please download ComboFix.exe. Please visit THIS webpage for download links and instructions for running the tool:

Combo-Fix MUST be saved to your desktop before running the tool.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

When prompted to install the Recovery Console, please make sure to do so, as this is a VERY IMPORTANT backup for Combo-Fix (XP only).

You will need to be connected to the net to install the Recovery Console. If you cannot install it, DO NOT run Combo-Fix; post back and we will install it manually.

DO NOT mouse-click when Combo-Fix is running, as this will cause Combo-Fix to stall and it will not work as it should.

Please include the C:\ComboFix.txt in your next reply for further review.

Thanks,
K27
The Internet is the New Age Battle of the Old Age Clash Between Good and Evil


My help and advice is always FREE, but if you would like to consider making a small donation towards my fight against malware please click the donation button; all donations, however small, are gratefully received.

#6 jgmoney0 (Topic Starter, Members, 12 posts)

Posted 15 April 2010 - 08:06 PM

Here is my ComboFix Log.

ComboFix 10-04-14.04 - Jason 04/15/2010 17:28:52.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1419 [GMT -7:00]
Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jason\Local Settings\Application Data\ave.exe
c:\documents and settings\Jason\Local Settings\Application Data\MSASCui.exe
c:\documents and settings\Jason\Local Settings\Application Data\vma.exe
c:\windows\system32\wupubeyu.dll
c:\windows\Tasks\czbavxsi.job
c:\windows\Tasks\nrcyvdop.job
c:\windows\Tasks\yanajocu.job

.
((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-15 23:56 . 2010-04-15 23:56 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\Threat Expert
2010-04-15 23:56 . 2010-04-15 23:56 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\avG
2010-04-15 23:56 . 2010-04-15 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-15 10:38 . 2010-04-15 10:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-15 10:38 . 2010-04-15 10:38 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-04-15 05:47 . 2010-04-15 05:47 -------- d-----w- C:\spoolerlogs
2010-04-13 14:37 . 2010-01-22 16:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-13 14:37 . 2010-01-22 16:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-13 14:37 . 2010-01-22 16:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-13 14:37 . 2010-01-22 16:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-13 14:37 . 2009-10-28 08:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-13 14:37 . 2008-11-26 19:08 131 ----a-w- c:\windows\IDB.zip
2010-04-13 14:35 . 2010-02-05 16:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-13 14:35 . 2010-03-10 18:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-13 14:35 . 2009-11-23 20:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-13 14:35 . 2010-02-05 16:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-13 14:35 . 2010-04-14 00:06 -------- d-----w- c:\program files\Spyware Doctor
2010-04-13 14:35 . 2010-04-13 14:38 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-13 14:35 . 2010-04-13 14:35 -------- d-----w- c:\documents and settings\Jason\Application Data\PC Tools
2010-04-13 14:35 . 2010-04-13 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-11 23:54 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-11 23:50 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-04-11 23:50 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-04-11 23:49 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-04-11 23:49 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-04-11 23:49 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-04-11 23:49 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-04-11 23:49 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-04-11 23:49 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-04-11 23:49 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-04-11 23:48 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-04-11 23:45 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-04-11 20:35 . 2010-04-11 20:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-11 20:21 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-04-07 21:43 . 2010-04-07 21:43 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Google
2010-03-30 08:17 . 2010-03-30 08:17 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 00:50 . 2008-07-15 22:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-16 00:26 . 2008-06-26 19:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-15 23:59 . 2010-02-05 02:14 -------- d-----w- c:\documents and settings\Jason\Application Data\vmndtx
2010-04-15 05:18 . 2008-11-28 19:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-15 05:17 . 2009-01-04 00:57 -------- d-----w- c:\program files\ERUNT
2010-04-14 03:00 . 2007-01-20 22:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\SiteAdvisor
2010-04-14 02:38 . 2004-08-12 14:03 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-04-12 01:08 . 2010-02-09 07:17 -------- d-----w- c:\documents and settings\Jason\Application Data\BitTorrent
2010-04-01 20:36 . 2009-06-18 03:31 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-01 20:36 . 2007-04-28 08:54 -------- d-----w- c:\program files\DivX
2010-03-30 07:46 . 2008-11-28 19:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2008-11-28 19:38 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 21:26 . 2007-08-02 02:02 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor
2010-03-11 12:38 . 2004-08-12 14:09 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-12 13:58 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-12 13:56 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-12 14:08 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-08-12 14:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-08-12 14:02 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-12 13:55 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-12 14:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-07 19:31 . 2010-02-07 19:31 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-07 19:25 . 2010-02-07 19:25 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-02-01 06:24 . 2010-02-01 06:24 50354 ----a-w- c:\documents and settings\Jason\Application Data\Facebook\uninstall.exe
2010-01-27 03:21 . 2010-01-27 03:21 847040 ----a-w- c:\documents and settings\Jason\Application Data\Facebook\axfbootloader.dll
2010-01-27 03:20 . 2010-01-27 03:20 5578752 ----a-w- c:\documents and settings\Jason\Application Data\Facebook\npfbplugin_1_0_1.dll
2009-11-17 04:25 . 2009-11-17 04:25 66936 --sha-w- c:\windows\slinfo_0.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{078fed71-52f2-4a49-a0ab-6453e2ca72ba}]
2009-10-02 21:27 91608 ----a-w- c:\program files\vmndtx\vmndx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D63F58E9-B8BB-4DBA-B2A0-44F72C2A61BD}]
2009-09-17 19:37 248832 ----a-w- c:\program files\vmndtx\auxi\vmndAu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{078fed71-52f2-4a49-a0ab-6453e2ca72ba}"= "c:\program files\vmndtx\vmndx.dll" [2009-10-02 91608]

[HKEY_CLASSES_ROOT\clsid\{078fed71-52f2-4a49-a0ab-6453e2ca72ba}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2006-08-10 35416]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-17 692224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 23:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 20:52 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2006-08-16 00:42 3661824 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 22:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 03:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2007-04-11 23:32 56080 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 19:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Realtime Monitor]
2003-02-13 18:25 493024 ----a-w- c:\progra~1\CA\ETRUST~1\Realmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 23:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-11-10 13:43 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Java\\jre1.5.0_03\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ares Ultra\\Ares Ultra.exe"=
"c:\\program files\\mozilla firefox\\firefox.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcuimgr.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InoRT.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\McAfee\\MPF\\MpfSrv.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\McAfee\\MSM\\McSmtFwk.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\SiteAdvisor\\6253\\SiteAdv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Diablo
"8357:TCP"= 8357:TCP:BND
"26996:TCP"= 26996:TCP:BND
"27196:TCP"= 27196:TCP:BND
"16528:TCP"= 16528:TCP:BND

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/13/2010 7:35 AM 217032]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/13/2010 7:37 AM 112592]
S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys --> c:\windows\system32\DRIVERS\tclondrv.sys [?]
S2 gupdate1c9de6a36ca70ca;Google Update Service (gupdate1c9de6a36ca70ca);c:\program files\Google\Update\GoogleUpdate.exe [5/26/2009 6:26 PM 133104]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/13/2010 7:35 AM 366840]
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 19:34]

2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-27 01:26]

2010-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-27 01:26]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2004-08-12 00:12]

2010-04-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-20 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: turbotax.com
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} -
FF - ProfilePath - c:\documents and settings\Jason\Application Data\Mozilla\Firefox\Profiles\itjajcmh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www3.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=
FF - component: c:\documents and settings\Jason\Application Data\Mozilla\Firefox\Profiles\itjajcmh.default\extensions\{924c2e74-df1a-4616-8505-980061d62d40}\components\dtTransparency.dll
FF - plugin: c:\documents and settings\Jason\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Jason\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Jason\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www3.yoog.com/search.php?q=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
SharedTaskScheduler-{5fc68504-31ea-4bb6-8c70-c7fe767b2c36} - c:\windows\system32\yebalino.dll
SharedTaskScheduler-{f19b380d-3fa0-4a2e-8f5a-cf9acba5e588} - (no file)
SharedTaskScheduler-{da5a1030-fedf-4bb6-a77a-d44f63a46167} - c:\windows\system32\bazekava.dll
SharedTaskScheduler-{fb37ee86-64d1-4cf2-b5ad-3207132b2931} - c:\windows\system32\nohopimi.dll
SharedTaskScheduler-{d17ed1e7-f734-47d1-935e-66b05bbc40ac} - (no file)
SharedTaskScheduler-{15db9780-02c7-4a62-a93d-0778b39d6c7b} - c:\windows\system32\hajutuki.dll
SharedTaskScheduler-{78bc512b-1acd-451c-8e05-460c6029ca89} - c:\windows\system32\wojelipu.dll
SharedTaskScheduler-{e21cac5d-44a1-4e6c-ad8e-48663c0697a2} - c:\windows\system32\wadavuro.dll
SharedTaskScheduler-{60c9c282-1737-4472-80aa-19f4162a8fc7} - c:\windows\system32\wupubeyu.dll
SharedTaskScheduler-{0163d963-d451-4616-a63a-9a5dd84a16f5} - c:\windows\system32\wupubeyu.dll
SharedTaskScheduler-{54894235-d6e3-4808-8350-43df54fd5062} - (no file)
SharedTaskScheduler-{6df8b13f-831e-4174-a264-d28e8eea210f} - c:\windows\system32\gevimoji.dll
SharedTaskScheduler-{8937c430-1218-47bc-976f-907b93df5cdb} - (no file)
SharedTaskScheduler-{6148acda-d887-4e2a-bb6e-e547399f8cf8} - (no file)
SharedTaskScheduler-{cdc195b9-3a79-4224-8102-055199c9e64f} - c:\windows\system32\sopikahu.dll
SSODL-fonadidev-{5fc68504-31ea-4bb6-8c70-c7fe767b2c36} - c:\windows\system32\yebalino.dll
SSODL-titizinuy-{f19b380d-3fa0-4a2e-8f5a-cf9acba5e588} - (no file)
SSODL-bahadured-{da5a1030-fedf-4bb6-a77a-d44f63a46167} - c:\windows\system32\bazekava.dll
SSODL-lopayuyar-{fb37ee86-64d1-4cf2-b5ad-3207132b2931} - c:\windows\system32\nohopimi.dll
SSODL-ranopudik-{d17ed1e7-f734-47d1-935e-66b05bbc40ac} - (no file)
SSODL-jewijumiv-{15db9780-02c7-4a62-a93d-0778b39d6c7b} - c:\windows\system32\hajutuki.dll
SSODL-munutofor-{78bc512b-1acd-451c-8e05-460c6029ca89} - c:\windows\system32\wojelipu.dll
SSODL-milapihov-{e21cac5d-44a1-4e6c-ad8e-48663c0697a2} - c:\windows\system32\wadavuro.dll
SSODL-jutisanir-{0163d963-d451-4616-a63a-9a5dd84a16f5} - c:\windows\system32\wupubeyu.dll
SSODL-powilawol-{54894235-d6e3-4808-8350-43df54fd5062} - (no file)
SSODL-yaluhevut-{6df8b13f-831e-4174-a264-d28e8eea210f} - c:\windows\system32\gevimoji.dll
SSODL-wukuzoyap-{8937c430-1218-47bc-976f-907b93df5cdb} - (no file)
MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-oxzisonylxf - c:\windows\system32\oxzisonylxf.exe
AddRemove-Viewpoint Manager - c:\program files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe
AddRemove-{A4797CA9-34D3-FF27-BB67-6C64027A68C9} - c:\windows\system32\vbrwtzbgjkwnkgeqf.dll-uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 17:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x8A61BAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf758ecb8
\Driver\atapi -> atapi.sys @ 0xf74a6852
\Driver\iaStor -> iaStor.sys @ 0xf743e316
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xf796fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf797ca21
SendHandler -> NDIS.sys @ 0xf795a87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\WININET.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(996)
c:\windows\system32\WININET.dll
c:\program files\SiteAdvisor\6253\saHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\eTrust Antivirus\InoRpc.exe
c:\program files\CA\eTrust Antivirus\InoRT.exe
c:\program files\CA\eTrust Antivirus\InoTask.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
.
**************************************************************************
.
Completion time: 2010-04-15 18:04:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-16 01:03

Pre-Run: 2,754,830,336 bytes free
Post-Run: 2,876,272,640 bytes free

- - End Of File - - A5E13CB7ED257013A7734BC8956F4847


#7 K27

K27

    Malware Fighter


  • Members
  • 92 posts
  • Gender:Male
  • Local time:11:52 PM

Posted 16 April 2010 - 01:33 PM

jgmoney0,

Your Combo-Fix log shows that it was from the sixth (6th) time Combo-Fix was run. Can you please tell me: were you having problems running CF, or did you run CF that many times on your own?

YOU MUST DISABLE ALL REAL-TIME PROTECTION BEFORE RUNNING THE NEXT TOOL.

Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:
http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and that no other actions, such as a scheduled antivirus scan, will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click NO.
    Then use the following settings for a more complete scan:
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.

If the ARK tool crashes your machine or causes a Blue Screen error, please post the log results from the first initial quick scan; this can be saved in the same way as the full scan in the above instructions.

Thanks,
K27
The Internet is the New Age Battle of the Old Age Clash Between Good and Evil


My Help and Advice is always FREE, but if you would like to consider making a small donation towards my fight against Malware please click the
Posted Image button, all donations, however small are gratefully received.

#8 jgmoney0

jgmoney0
  • Topic Starter

  • Members
  • 12 posts
  • Local time:03:52 PM

Posted 17 April 2010 - 10:52 AM

This was the first time I've run ComboFix in a long time. I had to run it in the past because I had previous problems with the computer, but that was some time ago (a couple of years). I've tried to run gmer.exe a couple of times; it always ends up restarting my computer. So here is the initial quick scan. I'll try to run gmer.exe one more time.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-17 09:06:29
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Jason\LOCALS~1\Temp\kwxoafod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA7CE678A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA7CE6738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA7CE674C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA7CE67CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA7CE6710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA7CE6724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA7CE679E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA7CE6776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA7CE6762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA7CE67F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA7CE67E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA7CE67B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device -> \Driver\iastor \Device\Harddisk0\DR0 8A637AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by jgmoney0, 17 April 2010 - 11:08 AM.
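The quick scan above already separates two very different kinds of entry, and that is worth making explicit before anything is removed. The script below is an added triage example, written for this page rather than taken from the thread or from GMER: it parses the posted log, groups the SSDT hooks by the module that owns them (all of them resolve to mfehidk.sys, which GMER attributes to McAfee's host intrusion detection driver, the normal way an AV/HIPS product inspects process and file operations), and correlates the "suspicious modification" entry with the driver that owns \Device\Harddisk0\DR0. The modified driver being the same storage miniport (iastor.sys) that sits in front of the disk device is the pattern of a TDL3-style infection, which patches the existing miniport driver rather than dropping a new one. Rule names, severities and the vendor/no-vendor split are the example's own heuristics.

```python
import re
from collections import defaultdict

# Excerpt of the GMER quick-scan log posted above (trimmed to the line types
# the triage rules look at; nothing in it is constructed).
GMER_QUICK_SCAN = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA7CE678A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA7CE6710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device -> \Driver\iastor \Device\Harddisk0\DR0 8A637AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iastor.sys suspicious modification
"""

# GMER prints the module's version-info description in parentheses when it can
# read it; a hook line without one is a hook GMER could not attribute.
CODE_RE = re.compile(r"^Code\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>\w+)")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+\S+\s+\S+\s+(?P<module>\S+)")
DEVICE_RE = re.compile(r"^Device\s+->\s+\\Driver\\(?P<driver>\S+)\s+(?P<device>\S+)\s+[0-9A-Fa-f]+$")
SUSP_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")
DISK_DEVICE = r"\device\harddisk0\dr0"


def triage_gmer(log_text):
    """Group SSDT hooks by module and correlate modified drivers with the owner
    of the physical disk device object. Returns parsed data plus findings."""
    hooks = defaultdict(lambda: {"vendor": None, "functions": []})
    attached, suspicious, findings = [], [], []
    disk_owner = None  # driver name behind \Device\Harddisk0\DR0

    for line in log_text.splitlines():
        line = line.strip()
        if m := CODE_RE.match(line):
            name = m["module"].rsplit("\\", 1)[-1]
            hooks[name]["functions"].append(m["func"])
            if m["desc"]:
                # Description reads "Product name/Vendor"; keep the vendor part.
                hooks[name]["vendor"] = m["desc"].rsplit("/", 1)[-1]
        elif m := ATTACHED_RE.match(line):
            attached.append(m["module"])
        elif m := DEVICE_RE.match(line):
            if m["device"].lower() == DISK_DEVICE:
                disk_owner = m["driver"].lower()
        elif m := SUSP_RE.match(line):
            suspicious.append(m["path"])

    for name, entry in hooks.items():
        if entry["vendor"]:
            findings.append({"severity": "info", "rule": "vendor-hooks",
                             "detail": f"{name}: {len(entry['functions'])} SSDT hooks attributed to "
                                       f"{entry['vendor']} (normal for AV/HIPS)"})
        else:
            findings.append({"severity": "medium", "rule": "unattributed-hooks",
                             "detail": f"{name}: {len(entry['functions'])} SSDT hooks, no version info"})

    for path in suspicious:
        base = path.rsplit("\\", 1)[-1].lower()
        if disk_owner and base == disk_owner + ".sys":
            findings.append({"severity": "critical", "rule": "patched-miniport-owns-disk",
                             "detail": f"{base} is reported modified and \\Driver\\{disk_owner} owns "
                                       f"\\Device\\Harddisk0\\DR0: consistent with a TDL3-style "
                                       "infection of the storage miniport driver"})
        else:
            findings.append({"severity": "high", "rule": "suspicious-modification",
                             "detail": f"{path} reported modified"})

    return {"hooks_by_module": dict(hooks), "attached_devices": attached,
            "disk_owner": disk_owner, "suspicious_files": suspicious, "findings": findings}


if __name__ == "__main__":
    for f in triage_gmer(GMER_QUICK_SCAN)["findings"]:
        print(f"[{f['severity']:>8}] {f['rule']}: {f['detail']}")
```

Running the file prints one informational line for the McAfee hooks and one critical line for iastor.sys. The vendor attribution trusts the version-information string GMER printed, which comes from the file itself and can be forged, so before treating a hooking driver as benign, confirm its digital signature rather than its description.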


#9 K27

K27

    Malware Fighter


  • Members
  • 92 posts
  • Gender:Male
  • Local time:11:52 PM

Posted 18 April 2010 - 11:22 AM


jgmoney0,

The quick scan results are enough for us to see the driver that is patched by the new TDL3 infection. Please proceed as follows.

We are going to run Combo-Fix in a slightly different way:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quote box below into it:

QUOTE
killall::

FCopy::
c:\windows\$NtServicePackUninstall$\iastor.sys | C:\WINDOWS\system32\drivers\iastor.sys

Reg::
[HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\StubInstaller.exe"=-

File::
c:\StubInstaller.exe


Save this as CFScript.txt, in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks
K27.

#10 jgmoney0

jgmoney0
  • Topic Starter

  • Members
  • 12 posts
  • Local time:03:52 PM

Posted 18 April 2010 - 04:53 PM

ComboFix 10-04-17.07 - Jason 04/18/2010 14:26:38.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1561 [GMT -7:00]
Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jason\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\StubInstaller.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe
c:\StubInstaller.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-18 00:36 . 2010-04-18 00:36 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-16 02:21 . 2010-04-16 02:21 -------- d-----w- c:\documents and settings\Jason\Application Data\vmndtx
2010-04-16 01:58 . 2010-04-18 21:04 -------- d-----w- c:\program files\Baseball Mogul 2011
2010-04-16 01:58 . 2010-04-16 01:57 186930 ----a-w- c:\program files\Uninst_Baseball Mogul 2011.exe
2010-04-15 23:56 . 2010-04-15 23:56 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\Threat Expert
2010-04-15 23:56 . 2010-04-15 23:56 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\avG
2010-04-15 23:56 . 2010-04-15 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-15 10:38 . 2010-04-15 10:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-15 10:38 . 2010-04-15 10:38 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-04-15 05:47 . 2010-04-15 05:47 -------- d-----w- C:\spoolerlogs
2010-04-11 23:54 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-11 23:50 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-04-11 23:50 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-04-11 23:49 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-04-11 23:49 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-04-11 23:49 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-04-11 23:49 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-04-11 23:49 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-04-11 23:49 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-04-11 23:49 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-04-11 23:48 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-04-11 23:45 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-04-11 20:35 . 2010-04-11 20:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-11 20:21 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-04-07 21:43 . 2010-04-07 21:43 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Google
2010-03-30 08:17 . 2010-03-30 08:17 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 07:12 . 2010-02-09 07:17 -------- d-----w- c:\documents and settings\Jason\Application Data\BitTorrent
2010-04-18 05:45 . 2008-06-26 19:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-16 02:21 . 2008-12-17 08:03 -------- d-----w- c:\program files\Spybot SnD
2010-04-16 02:21 . 2005-10-22 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-16 02:20 . 2008-07-15 22:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-16 02:19 . 2008-12-28 01:52 -------- d-----w- c:\program files\Enigma Software Group
2010-04-16 02:18 . 2007-03-03 20:54 -------- d-----w- c:\program files\3DO
2010-04-16 02:17 . 2009-09-12 05:28 -------- d-----w- c:\program files\Full Tilt Poker.Net
2010-04-16 02:17 . 2005-03-11 05:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-16 02:16 . 2009-07-08 19:31 -------- d-----w- c:\program files\Diablo II
2010-04-16 02:15 . 2005-03-21 02:51 -------- d-----w- c:\program files\CA
2010-04-16 01:59 . 2010-04-16 01:58 958171 ----a-w- c:\program files\Uninst_Baseball Mogul 2011.log
2010-04-15 05:18 . 2008-11-28 19:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-15 05:17 . 2009-01-04 00:57 -------- d-----w- c:\program files\ERUNT
2010-04-14 03:00 . 2007-01-20 22:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\SiteAdvisor
2010-04-14 02:38 . 2004-08-12 14:03 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-04-01 20:36 . 2009-06-18 03:31 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-01 20:36 . 2007-04-28 08:54 -------- d-----w- c:\program files\DivX
2010-03-30 07:46 . 2008-11-28 19:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2008-11-28 19:38 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 21:26 . 2007-08-02 02:02 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor
2010-03-11 12:38 . 2004-08-12 14:09 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-12 13:58 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-12 13:56 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-12 14:08 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-08-12 14:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-08-12 14:02 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-12 13:55 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-12 14:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-07 19:31 . 2010-02-07 19:31 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-07 19:25 . 2010-02-07 19:25 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-02-01 06:24 . 2010-02-01 06:24 50354 ----a-w- c:\documents and settings\Jason\Application Data\Facebook\uninstall.exe
2010-01-27 03:21 . 2010-01-27 03:21 847040 ----a-w- c:\documents and settings\Jason\Application Data\Facebook\axfbootloader.dll
2010-01-27 03:20 . 2010-01-27 03:20 5578752 ----a-w- c:\documents and settings\Jason\Application Data\Facebook\npfbplugin_1_0_1.dll
2009-11-17 04:25 . 2009-11-17 04:25 66936 --sha-w- c:\windows\slinfo_0.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2006-08-10 35416]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-17 692224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 23:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 20:52 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2006-08-16 00:42 3661824 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 22:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 03:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2007-04-11 23:32 56080 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 19:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 23:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-11-10 13:43 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Java\\jre1.5.0_03\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ares Ultra\\Ares Ultra.exe"=
"c:\\program files\\mozilla firefox\\firefox.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcuimgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\McAfee\\MPF\\MpfSrv.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\McAfee\\MSM\\McSmtFwk.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\SiteAdvisor\\6253\\SiteAdv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Diablo
"8357:TCP"= 8357:TCP:BND
"26996:TCP"= 26996:TCP:BND
"27196:TCP"= 27196:TCP:BND
"16528:TCP"= 16528:TCP:BND

S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys --> c:\windows\system32\DRIVERS\tclondrv.sys [?]
S2 gupdate1c9de6a36ca70ca;Google Update Service (gupdate1c9de6a36ca70ca);c:\program files\Google\Update\GoogleUpdate.exe [5/26/2009 6:26 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 19:34]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-27 01:26]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-27 01:26]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2004-08-12 00:12]

2010-04-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-20 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: turbotax.com
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} -
FF - ProfilePath - c:\documents and settings\Jason\Application Data\Mozilla\Firefox\Profiles\itjajcmh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www3.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=
FF - plugin: c:\documents and settings\Jason\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Jason\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Jason\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www3.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www3.yoog.com/search.php?q=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{D63F58E9-B8BB-4DBA-B2A0-44F72C2A61BD} - c:\program files\vmndtx\auxi\vmndAu.dll
MSConfigStartUp-Realtime Monitor - c:\progra~1\CA\ETRUST~1\realmon.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 14:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A2D5AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74c6852
\Driver\iaStor -> iaStor.sys @ 0xf745e316
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xf786cbb0
PacketIndicateHandler -> NDIS.sys @ 0xf7879a21
SendHandler -> NDIS.sys @ 0xf785787b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(696)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2552)
c:\windows\system32\WININET.dll
c:\program files\SiteAdvisor\6253\saHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
.
**************************************************************************
.
Completion time: 2010-04-18 14:50:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-18 21:50
ComboFix2.txt 2010-04-16 01:04

Pre-Run: 4,607,176,704 bytes free
Post-Run: 3,884,941,312 bytes free

- - End Of File - - C02E25F7B49A293A9FB80DE8AC12C391

Attached file: log.txt (23.47KB)


#11 K27 (Malware Fighter, Members, 92 posts)

Posted 19 April 2010 - 01:10 PM

jgmoney0,

ComboFix failed to replace the patched driver; we may have to use the Recovery Console. Please tell me, do you have your Windows installation disk?

Thanks,
K27
The Internet is the New Age Battle of the Old Age Clash Between Good and Evil


My Help and Advice is always FREE, but if you would like to consider making a small donation towards my fight against Malware please click the
Posted Image button, all donations, however small are gratefully received.

#12 jgmoney0 (Topic Starter, Members, 12 posts)

Posted 19 April 2010 - 02:08 PM

I don't believe so. I'm at work right now, so when I get home I'll check more soundly, but I don't think I have it anymore.

#13 jgmoney0 (Topic Starter, Members, 12 posts)

Posted 19 April 2010 - 06:40 PM

Sadly I cannot find my Windows CD.

#14 K27 (Malware Fighter, Members, 92 posts)

Posted 20 April 2010 - 04:02 PM

jgmoney0,

Please go to Start > Run, type in cmd, then hit the OK button.
In the black box that comes up, please copy the text in bold below into the command prompt window and hit Enter.

copy /y "c:\windows\$NtServicePackUninstall$\iastor.sys" C:\

If it works correctly, you will see a "1 file(s) copied" message.


Next:
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below between the dotted lines to the clipboard by highlighting it and then pressing Ctrl+C.
    ------------------------------------------------------------------------------------

    Files to move:
    c:\iastor.sys | C:\WINDOWS\system32\drivers\iastor.sys


    ------------------------------------------------------------------------------------
  • In The Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked "Are you sure you want to execute the current script?".
  • Click Yes.
  • You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?".
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.

Thanks
K27.
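As an added example (this is not code from the thread, from ComboFix or from The Avenger), here is a PowerShell check a defender can run before swapping the driver. It compares the live iastor.sys against the Service Pack backup copy that the copy command in the post above draws from, hashes both files, and reads each file's Authenticode signature status so a patched driver stands out. The two paths are the ones from the post; the script assumes PowerShell 4.0 or later for Get-FileHash, which the XP machine in this thread would not have, so treat it as a modern-system illustration of the same check.

```powershell
# Added example, not part of the original thread or of the tools it mentions.
# Paths are the ones K27 uses above; the Service Pack uninstall folder holds the
# copy of iastor.sys that was in place before the last Service Pack was applied.
$live   = Join-Path $env:SystemRoot 'system32\drivers\iastor.sys'
$backup = Join-Path $env:SystemRoot '$NtServicePackUninstall$\iastor.sys'

function Get-DriverReport {
    param([string]$Path)

    # A missing file is a finding in itself (no backup to restore from).
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path   # embedded or catalog signature

    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        Size      = $item.Length
        Version   = $item.VersionInfo.FileVersion
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject
    }
}

$reports = $live, $backup | ForEach-Object { Get-DriverReport $_ }
$reports | Format-List

# Flag the two conditions a helper would care about: the in-service driver
# differs from the backup, or its signature no longer checks out.
if ($reports[0].Exists -and $reports[1].Exists) {
    if ($reports[0].Sha256 -ne $reports[1].Sha256) {
        Write-Warning 'Live iastor.sys differs from the Service Pack backup copy.'
    }
    if ($reports[0].Signature -ne 'Valid') {
        Write-Warning "Live iastor.sys signature status: $($reports[0].Signature)"
    }
}
```

A "Valid" result read from the running system is not conclusive on its own: the catchme and MBR detector output earlier in this reply shows hooks in the disk driver stack, and a rootkit resident there can hand clean file contents back to whatever reads the file. That is why the helper moves the replacement into place at the next boot with The Avenger, or from the Recovery Console, rather than overwriting the file from the live system.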

#15 jgmoney0 (Topic Starter, Members, 12 posts)

Posted 20 April 2010 - 10:16 PM

I tried typing it in my command prompt and I get the same response every time: "The syntax of the command is incorrect."
