
Possible Redirect Virus (in addition to all search engines/search results being in German)


  • This topic is locked
20 replies to this topic

#1 Avenger40

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:27 AM

Posted 10 May 2010 - 09:52 PM

Hey all,

I have a nasty redirect virus/malware on my computer that I have been trying to delete for 2 days now. The symptoms are as follows:

-Google and Yahoo are in German (and therefore all websites I visit through those search engines are in German). For example, when I type "Yahoo" in my Google search bar it directs me to google.de, and then when I click Yahoo the entire website is in German. It does this with other sites such as CNET, etc. as well.
-Clicking links often results in multiple redirects
-I have Spybot and AVG 9 Free. Spybot has detected around 200 malicious files but when I attempt to remove them, I get an error saying something about the System32 host files.
-I have checked for the TDSSServ.sys and didn't see one.

I would appreciate ANY and ALL assistance. It is driving me crazy! I want to avoid wiping at all costs if I can, as it is a computer I received through college with a laptop lease program which I have since bought out and it has several programs on it thanks to the University which aren't standard.

THANK YOU!

P.S. I have the DSS files below and attached. When I attempted to obtain the GMER file, my computer froze the first time and on the next two attempts I received the following blue screen with the message:

"STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000). The system has been shut down."
=================================


DDS (Ver_10-03-17.01) - NTFSx86
Run by MSUUSER at 22:16:24.56 on Mon 05/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.219 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MSUUSER\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Professional&Br=GTW&Loc=ENG_US&Sys=PTB&M=Gateway Viper-C
uStart Page = hxxp://www.moreheadstate.edu/
uSearch Page =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Professional&Br=GTW&Loc=ENG_US&Sys=PTB&M=Gateway Viper-C
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [Snippet] "c:\program files\microsoft experience pack\snipping tool\SnippingTool.exe" /i
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\msuuser\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-28 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-28 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-28 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-28 285392]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-4-10 104000]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2007-3-16 18816]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [2007-3-16 9600]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]

=============== Created Last 30 ================

2010-05-11 02:13:58 0 ----a-w- c:\documents and settings\msuuser\defogger_reenable
2010-05-10 22:29:31 12464 ----a-w- c:\windows\system32\avgrsstx.dll.prepare
2010-05-10 22:19:25 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-10 22:18:18 0 d-----w- c:\program files\Bonjour
2010-05-10 22:15:13 0 d-----w- c:\program files\Shared
2010-05-10 21:32:02 0 d-----w- C:\ComboFix(2)
2010-05-10 21:28:43 732 ----a-w- c:\windows\system32\.crusader
2010-05-10 21:27:31 0 d-----w- C:\RECYCLER(2)
2010-05-10 19:13:38 0 d-----w- c:\docume~1\msuuser\applic~1\SafeReturner
2010-05-10 19:13:30 0 d-----w- c:\program files\Safe Returner
2010-05-10 19:02:23 0 d-----w- C:\cmdcons
2010-05-10 14:28:32 0 d-----w- c:\docume~1\msuuser\applic~1\Malwarebytes
2010-05-10 14:28:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-10 04:05:49 9452 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-10 04:05:49 625440 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-10 04:05:49 3308 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-10 04:05:49 23840 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-05-10 00:28:38 0 d-----w- c:\windows\system32\NtmsData
2010-05-09 23:43:31 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-09 23:43:31 0 d-----w- c:\docume~1\msuuser\applic~1\SUPERAntiSpyware.com
2010-05-09 23:30:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-05-09 14:22:54 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-05-09 03:12:51 12464 ----a-w- c:\windows\system32\avgrsstx(2)(2).dll

==================== Find3M ====================

2010-05-10 22:29:32 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-10 22:29:26 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2008-09-29 01:47:32 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092820080929\index.dat

============= FINISH: 22:17:15.38 ===============

Attached Files
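The DDS log above flags multiple HOSTS entries: a security help site mapped to 127.0.0.1 (so the machine can no longer reach it) and several unrelated domains mapped to a single outside address. Checking that file for exactly those two patterns is easy to script. The following Python script is an added example, not part of this thread or of any tool mentioned in it; the sample hosts text is constructed from the entries shown in the log, and the SECURITY_SITE_HINTS watch list is a hypothetical placeholder you would extend for your own environment.

```python
import ipaddress
import os

# Constructed sample modelled on the "Hosts:" lines in the DDS log above
# (not the poster's actual file; the two comment lines mimic a stock XP hosts file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.spywareinfo.com
74.125.45.100   4-open-davinci.com
74.125.45.100   securitysoftwarepayments.com
74.125.45.100   privatesecuredpayments.com
74.125.45.100   secure.privatesecuredpayments.com
"""

# Names a stock Windows XP hosts file legitimately maps to loopback.
DEFAULT_NAMES = {"localhost"}

# Hypothetical watch list: substrings that suggest a security vendor or help site.
# A loopback mapping for such a name keeps the victim from reaching help or updates.
SECURITY_SITE_HINTS = ("spyware", "antivirus", "malwarebytes", "bleepingcomputer",
                       "avg.com", "mcafee.com", "microsoft.com")


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping; comments and blanks are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop inline comments
        parts = line.split()
        if len(parts) < 2:                       # blank, comment-only or incomplete line
            continue
        ip = parts[0]
        for name in parts[1:]:                   # one line may carry several names
            entries.append((ip, name.lower(), line_no))
    return entries


def classify(ip, name):
    """Label one mapping by what it does to name resolution."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if name in DEFAULT_NAMES:
        return "default"
    if addr.is_loopback or addr.is_unspecified:
        # 127.0.0.1 / 0.0.0.0 makes the name unreachable: a block.
        if any(hint in name for hint in SECURITY_SITE_HINTS):
            return "blocked-security-site"
        return "block"
    # Any other address silently sends the name to a host of someone else's choosing.
    return "redirect"


def audit_hosts(text):
    """Return (line_no, label, ip, name) for entries that deserve a human look."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        label = classify(ip, name)
        if label in ("redirect", "blocked-security-site", "malformed"):
            findings.append((line_no, label, ip, name))
    return findings


def redirect_targets(text):
    """Group redirected names by target address; one IP collecting several
    unrelated names is the pattern visible in the log above."""
    targets = {}
    for _line_no, label, ip, name in audit_hosts(text):
        if label == "redirect":
            targets.setdefault(ip, []).append(name)
    return targets


if __name__ == "__main__":
    # Default hosts path on Windows; falls back to the constructed sample elsewhere.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                        "system32", "drivers", "etc", "hosts")
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, label, ip, name in audit_hosts(text):
        print(f"line {line_no}: {label:22} {ip:15} {name}")
    for ip, names in redirect_targets(text).items():
        print(f"{ip} is the target for {len(names)} name(s)")
```

Plain blocks (an arbitrary name sent to loopback) are deliberately not reported, since ad-blocking hosts lists produce thousands of them; what the script surfaces is the blocked security site and the single address that four unrelated names were pointed at, which is the same thing the DDS "Hosts:" lines show a responder at a glance.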





#2 sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:27 PM

Posted 11 May 2010 - 07:07 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



====================================



I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or McAfee.

Important note: It is important to run the removal tool after you uninstall the AV that you wish to remove.
AVG removal tool --> HERE
McAfee removal tool --> HERE



====================================



Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouseclick ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.






~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Avenger40
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:27 AM

Posted 11 May 2010 - 03:15 PM

Thank you for your help! The ComboFix log is posted below. I attempted to remove McAfee with the remover tool you directed me to (MCPR) as it had already been removed from my add/remove programs list. However, when I ran MCPR it gave me an error that stated that McAfee Tools were still in use (something like that). I went to Program Files and found a McAfee folder, but when I attempted to delete it I received an error stating that "AgentRes.dll is not able to be deleted at this time". So something must be wrong there!
--------------------------------------------------------

ComboFix 10-05-10.05 - MSUUSER 05/11/2010 16:02:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.261 [GMT -4:00]
Running from: c:\documents and settings\MSUUSER\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
The following files were disabled during the run:
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\SET29.tmp
c:\program files\Internet Explorer\SET2A.tmp
c:\program files\Shared
c:\windows\system32\_000007_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-11 19:34 . 2010-05-11 19:34 -------- d-----w- c:\windows\LastGood
2010-05-10 22:29 . 2010-05-10 22:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-10 22:19 . 2010-05-10 22:19 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-10 22:18 . 2010-05-10 22:18 -------- d-----w- c:\program files\Bonjour
2010-05-10 21:32 . 2010-05-10 22:14 -------- d-----w- C:\ComboFix(2)
2010-05-10 21:27 . 2010-05-10 22:14 -------- d-----w- C:\RECYCLER(2)
2010-05-10 19:13 . 2010-05-10 22:15 -------- d-----w- c:\documents and settings\MSUUSER\Application Data\SafeReturner
2010-05-10 19:13 . 2010-05-10 22:15 -------- d-----w- c:\program files\Safe Returner
2010-05-10 14:28 . 2010-05-10 14:28 -------- d-----w- c:\documents and settings\MSUUSER\Application Data\Malwarebytes
2010-05-10 14:28 . 2010-05-10 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-10 04:05 . 2010-05-10 05:16 625440 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-10 04:05 . 2010-05-10 05:16 23840 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-05-10 00:28 . 2010-05-10 22:16 -------- d-----w- c:\windows\system32\NtmsData
2010-05-09 23:43 . 2010-05-10 22:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-09 23:43 . 2010-05-09 23:43 -------- d-----w- c:\documents and settings\MSUUSER\Application Data\SUPERAntiSpyware.com
2010-05-09 23:30 . 2010-05-10 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-09 14:22 . 2010-05-10 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-05-09 05:17 . 2010-05-10 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-09 03:12 . 2010-05-09 03:12 12464 ----a-w- c:\windows\system32\avgrsstx(2)(2).dll
2010-05-09 03:06 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 19:57 . 2007-04-27 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-10 22:43 . 2008-07-25 20:45 -------- d-----w- c:\program files\CCleaner
2010-05-10 22:29 . 2009-11-28 17:02 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-10 22:29 . 2009-11-28 17:02 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-10 22:29 . 2009-11-28 17:02 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-10 22:16 . 2007-08-28 23:59 -------- d-----w- c:\documents and settings\MSUUSER\Application Data\GetRightToGo
2010-05-10 05:16 . 2010-05-10 04:05 9452 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-10 05:16 . 2010-05-10 04:05 3308 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-09 02:51 . 2007-03-16 06:43 -------- d-----w- c:\program files\Google
2010-03-10 06:15 . 2010-05-09 01:53 420352 ----a-w- c:\windows\system32\SET5F.tmp
2010-02-25 15:54 . 2010-02-25 15:54 11070976 ----a-w- c:\windows\system32\SET26.tmp
2010-02-25 06:24 . 2010-05-09 01:53 916480 ----a-w- c:\windows\system32\SET1B.tmp
2010-02-25 06:24 . 2010-05-09 01:52 1209344 ----a-w- c:\windows\system32\SET1C.tmp
2010-02-25 06:24 . 2010-05-09 01:52 5944832 ----a-w- c:\windows\system32\SET1F.tmp
2010-02-25 06:24 . 2010-05-09 01:53 594432 ----a-w- c:\windows\system32\SET21.tmp
2010-02-25 06:24 . 2010-05-09 01:53 55296 ----a-w- c:\windows\system32\SET20.tmp
2010-02-25 06:24 . 2010-05-09 01:53 184320 ----a-w- c:\windows\system32\SET25.tmp
2010-02-25 06:24 . 2010-05-09 01:52 1985536 ----a-w- c:\windows\system32\SET24.tmp
2010-02-24 13:11 . 2006-06-22 21:06 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-06-22 21:06 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-06-22 21:06 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-06-22 21:06 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 68856]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-26 68296]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-09-14 577536]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 148888]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\MSUUSER\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-3-17 59080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-10 22:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 17:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DS\\utorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/28/2009 1:02 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/28/2009 1:02 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/10/2010 6:29 PM 308064]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [3/16/2007 2:36 AM 18816]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [3/16/2007 2:36 AM 9600]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2007-04-10 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-23 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.moreheadstate.edu/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-11 16:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
Completion time: 2010-05-11 16:07:34
ComboFix-quarantined-files.txt 2010-05-11 20:07
ComboFix2.txt 2010-05-10 19:08

Pre-Run: 64,278,773,760 bytes free
Post-Run: 64,254,881,792 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 569E5A4501C051BF70B5C778149CDFBE


#4 sempai


    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:27 PM

Posted 12 May 2010 - 05:25 AM

Hi,

Please open your task manager (right click on your taskbar > task manager) > Click processes Tab > Kill the following processes below one at a time by right clicking on them and clicking "End Process".
  1. FrameworkService.exe
  2. naPrdMgr.exe
  3. UdaterUI.exe
  4. McTray.exe
After killing the said Processes please try running the McAfee removal tool again. Let me know how it went.


======================================


1. Please go to http://virscan.org/
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    C:\WINDOWS\system32\wdfmgr.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



2. Download HostsXpert.zip
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.



3. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
DDS::
uURLSearchHooks: H - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
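The HostsXpert step in the post above restores the hosts file because a redirect infection commonly rewrites it, mapping search-engine or security-vendor hostnames to an address of the attacker's choosing or to loopback. As an added example (not code from this thread, from HostsXpert or from any other tool named here), the Python below parses hosts-file content and sorts every entry into expected, hijack, blocked, sinkhole or other, and adds a read-only attribute check that is a sensible first look when a restore tool reports "Cannot create file". The sample hosts content and the WATCHED_HOSTS list are constructed for the example; which names to watch is an assumption to adapt to your own environment.

```python
"""Audit a Windows hosts file for hijacked or blocked names.

Added example, not from the thread or from HostsXpert. The sample content
and the watched-host list are constructed for illustration.
"""
import os
import stat
from typing import Dict, List, Tuple

# The only entry a stock Windows XP hosts file is expected to contain.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Addresses that make a name resolve to nothing useful (blocking, not redirecting).
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Names that should never be overridden on an end-user machine: search engines
# and security vendors. Assumption: extend this for your own environment.
WATCHED_HOSTS = {
    "google.com", "www.google.com", "yahoo.com", "www.yahoo.com",
    "bing.com", "www.bing.com", "www.malwarebytes.org", "virscan.org",
}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return one (line_number, ip, hostname) tuple per hostname.

    Format: <ip> <host> [<host> ...] [# comment]. Comment-only and blank
    lines are skipped; a line with no hostname is ignored.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        for host in parts[1:]:
            entries.append((lineno, ip, host.lower()))
    return entries


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Sort every entry into one of five buckets.

    expected: the stock localhost line
    hijack:   a watched name pointed at a real address (redirect)
    blocked:  a watched name pointed at loopback (e.g. a vendor site blocked)
    sinkhole: any other name pointed at loopback (ad-block style, usually benign)
    other:    a custom mapping to a real address (intranet or suspicious; review)
    """
    findings = {k: [] for k in ("expected", "hijack", "blocked", "sinkhole", "other")}
    for lineno, ip, host in parse_hosts(text):
        entry = f"line {lineno}: {ip} {host}"
        if (ip, host) in DEFAULT_ENTRIES:
            bucket = "expected"
        elif host in WATCHED_HOSTS:
            bucket = "blocked" if ip in LOOPBACK else "hijack"
        else:
            bucket = "sinkhole" if ip in LOOPBACK else "other"
        findings[bucket].append(entry)
    return findings


def hosts_is_read_only(path: str) -> bool:
    """True if the file carries the read-only attribute (or lacks the owner write bit on POSIX).

    Worth checking when a restore tool reports "Cannot create file" on hosts,
    before assuming the file is held open by a running process.
    """
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)  # present on Windows only
    if attrs is not None:
        return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_READONLY", 0x1))
    return not (st.st_mode & stat.S_IWUSR)


# Constructed sample: a default XP hosts file with three kinds of added entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.0.2.10      www.google.com google.com   # constructed: redirect
127.0.0.1       www.malwarebytes.org        # constructed: vendor site blocked
192.0.2.20      intranet.example            # constructed: custom mapping
0.0.0.0         ads.example                 # constructed: ad-block entry
"""

if __name__ == "__main__":
    for bucket, entries in audit_hosts(SAMPLE_HOSTS).items():
        for e in entries:
            print(f"{bucket:9} {e}")
```

On a live machine, read the file at the path from the error message in this thread (C:\WINDOWS\system32\drivers\etc\hosts) and pass its text to audit_hosts; anything in the hijack bucket is the redirect mechanism itself, while the blocked bucket shows whether security-vendor sites have been cut off, which explains download and update failures.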


#5 Avenger40

  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:27 AM

Posted 12 May 2010 - 03:21 PM

I ended the 4 processes and attempted to run MCPR again and I received the same error message.
================

Here is the virscan.org log:

VirSCAN.org Scanned Report :
Scanned time : 2010/05/12 15:44:53 (EDT)
Scanner results: Scanners did not find malware!
File Name : wdfmgr.exe
File Size : 38912 byte
File Type : PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5 : c81b8635dee0d3ef5f64b3dd643023a5
SHA1 : f60b2c02776bb414b58a6416ac6f11772947ebfe
Online report : http://virscan.org/report/dd9f8ed97010da42...0fdd025f26.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100508053127 2010-05-08 0.56 -
AhnLab V3 2010.05.13.00 2010.05.13 2010-05-13 1.41 -
AntiVir 8.2.1.242 7.10.7.96 2010-05-12 0.25 -
Antiy 2.0.18 20100512.4357690 2010-05-12 0.12 -
Arcavir 2009 201005121519 2010-05-12 0.04 -
Authentium 5.1.1 201005121532 2010-05-12 1.34 -
AVAST! 4.7.4 100512-1 2010-05-12 0.01 -
AVG 8.5.793 271.1.1/2869 2010-05-12 0.24 -
BitDefender 7.81008.5874512 7.31633 2010-05-13 3.73 -
ClamAV 0.95.3 10991 2010-05-12 0.01 -
Comodo 3.13.579 4828 2010-05-12 0.89 -
CP Secure 1.3.0.5 2010.05.13 2010-05-13 0.05 -
Dr.Web 5.0.2.3300 2010.05.13 2010-05-13 7.10 -
F-Prot 4.4.4.56 20100512 2010-05-12 1.34 -
F-Secure 7.02.73807 2010.05.12.05 2010-05-12 0.12 -
Fortinet 4.0.14 11.931 2010-05-12 0.14 -
GData 21.140/21.48 20100512 2010-05-12 6.95 -
ViRobot 20100512 2010.05.12 2010-05-12 0.41 -
Ikarus T3.1.01.84 2010.05.12.75846 2010-05-12 6.31 -
JiangMin 13.0.900 2010.05.11 2010-05-11 1.20 -
Kaspersky 5.5.10 2010.05.12 2010-05-12 0.08 -
KingSoft 2009.2.5.15 2010.5.12.19 2010-05-12 0.66 -
McAfee 5400.1158 5980 2010-05-12 0.02 -
Microsoft 1.5703 2010.05.12 2010-05-12 6.67 -
Norman 6.04.12 6.04.00 2010-05-12 6.01 -
Panda 9.05.01 2010.05.12 2010-05-12 1.77 -
Trend Micro 9.120-1004 7.162.16 2010-05-12 0.03 -
Quick Heal 10.00 2010.05.12 2010-05-12 1.52 -
Rising 20.0 22.47.02.04 2010-05-12 1.19 -
Sophos 3.07.1 4.53 2010-05-13 3.29 -
Sunbelt 3.9.2421.2 6294 2010-05-12 6.15 -
Symantec 1.3.0.24 20100512.005 2010-05-12 0.05 -
nProtect 20100512.01 8245011 2010-05-12 7.43 -
The Hacker 6.5.2.0 v00278 2010-05-09 0.39 -
VBA32 3.12.12.4 20100511.2022 2010-05-11 2.47 -
VirusBuster 4.5.11.10 10.126.27/1999201 2010-05-12 2.32 -
=================

When attempting to run HostsXpert, I received an error stating:

"ERROR: Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts"

I will mention that the "Make Hosts Writable?" option was absent from the program.


=================
ComboFix 10-05-10.05 - MSUUSER 05/12/2010 16:05:51.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.348 [GMT -4:00]
Running from: c:\documents and settings\MSUUSER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\MSUUSER\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
The following files were disabled during the run:
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL


((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-12 19:53 . 2010-05-12 19:59 -------- d-----w- C:\HostsXpert
2010-05-12 19:46 . 2010-05-12 19:46 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-05-12 19:44 . 2010-05-12 19:44 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-05-12 19:40 . 2010-05-12 19:40 -------- d-----w- c:\windows\LastGood
2010-05-10 22:29 . 2010-05-10 22:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-10 22:19 . 2010-05-10 22:19 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-10 22:18 . 2010-05-10 22:18 -------- d-----w- c:\program files\Bonjour
2010-05-10 21:32 . 2010-05-10 22:14 -------- d-----w- C:\ComboFix(2)
2010-05-10 21:27 . 2010-05-10 22:14 -------- d-----w- C:\RECYCLER(2)
2010-05-10 19:13 . 2010-05-10 22:15 -------- d-----w- c:\documents and settings\MSUUSER\Application Data\SafeReturner
2010-05-10 19:13 . 2010-05-10 22:15 -------- d-----w- c:\program files\Safe Returner
2010-05-10 14:28 . 2010-05-10 14:28 -------- d-----w- c:\documents and settings\MSUUSER\Application Data\Malwarebytes
2010-05-10 14:28 . 2010-05-10 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-10 04:05 . 2010-05-10 05:16 625440 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-10 04:05 . 2010-05-10 05:16 23840 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-05-10 00:28 . 2010-05-10 22:16 -------- d-----w- c:\windows\system32\NtmsData
2010-05-09 23:43 . 2010-05-10 22:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-09 23:43 . 2010-05-09 23:43 -------- d-----w- c:\documents and settings\MSUUSER\Application Data\SUPERAntiSpyware.com
2010-05-09 23:30 . 2010-05-10 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-09 14:22 . 2010-05-10 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-05-09 05:17 . 2010-05-10 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-09 03:12 . 2010-05-09 03:12 12464 ----a-w- c:\windows\system32\avgrsstx(2)(2).dll
2010-05-09 03:06 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 19:45 . 2009-11-28 17:02 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-11 19:57 . 2007-04-27 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-10 22:43 . 2008-07-25 20:45 -------- d-----w- c:\program files\CCleaner
2010-05-10 22:29 . 2009-11-28 17:02 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-10 22:29 . 2009-11-28 17:02 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-10 22:16 . 2007-08-28 23:59 -------- d-----w- c:\documents and settings\MSUUSER\Application Data\GetRightToGo
2010-05-10 05:16 . 2010-05-10 04:05 9452 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-10 05:16 . 2010-05-10 04:05 3308 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-09 02:51 . 2007-03-16 06:43 -------- d-----w- c:\program files\Google
2010-03-10 06:15 . 2006-06-22 21:06 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-06-22 21:07 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-06-22 21:06 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-06-22 21:06 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-06-22 21:06 100864 ----a-w- c:\windows\system32\6to4svc.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-11_20.05.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-12 19:39 . 2010-05-12 19:39 16384 c:\windows\Temp\Perflib_Perfdata_170.dat
+ 2006-11-08 01:03 . 2010-02-25 06:24 55296 c:\windows\system32\msfeedsbs.dll
- 2006-11-08 01:03 . 2009-12-21 19:14 55296 c:\windows\system32\msfeedsbs.dll
+ 2006-06-22 21:07 . 2009-12-24 06:59 177664 c:\windows\system32\wintrust.dll
- 2006-06-22 21:06 . 2008-04-14 00:12 474112 c:\windows\system32\shlwapi.dll
+ 2006-06-22 21:06 . 2009-12-08 09:23 474112 c:\windows\system32\shlwapi.dll
+ 2006-11-08 01:03 . 2010-02-25 06:24 594432 c:\windows\system32\msfeeds.dll
- 2006-11-08 01:03 . 2009-12-21 19:14 594432 c:\windows\system32\msfeeds.dll
+ 2006-06-22 21:06 . 2010-02-25 06:24 184320 c:\windows\system32\iepeers.dll
- 2006-06-22 21:06 . 2009-12-21 19:14 184320 c:\windows\system32\iepeers.dll
- 2008-08-13 02:47 . 2008-04-11 19:04 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2008-08-13 02:47 . 2010-01-29 15:01 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2006-06-22 21:06 . 2010-02-25 06:24 1209344 c:\windows\system32\urlmon.dll
+ 2006-06-22 21:06 . 2010-02-25 06:24 5944832 c:\windows\system32\mshtml.dll
- 2006-10-17 15:57 . 2009-12-21 19:14 1985536 c:\windows\system32\iertutil.dll
+ 2006-10-17 15:57 . 2010-02-25 06:24 1985536 c:\windows\system32\iertutil.dll
+ 2009-08-15 20:58 . 2010-01-29 15:01 1315328 c:\windows\system32\dllcache\msoe.dll
- 2009-08-15 20:58 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2006-11-08 01:03 . 2010-02-25 15:54 11070976 c:\windows\system32\ieframe.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 68856]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-26 68296]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-09-14 577536]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 148888]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\MSUUSER\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-3-17 59080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-10 22:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 17:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DS\\utorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/28/2009 1:02 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/28/2009 1:02 PM 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/10/2010 6:29 PM 308064]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [3/16/2007 2:36 AM 18816]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [3/16/2007 2:36 AM 9600]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2007-04-10 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-23 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.moreheadstate.edu/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 16:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1656)
c:\windows\system32\WININET.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-05-12 16:16:13
ComboFix-quarantined-files.txt 2010-05-12 20:16
ComboFix2.txt 2010-05-11 20:07
ComboFix3.txt 2010-05-10 19:08

Pre-Run: 64,139,214,848 bytes free
Post-Run: 64,109,326,336 bytes free

- - End Of File - - 0F0EBE971794957521EFCB4000DBF29E
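The ComboFix logs in this thread list browser hooks and BHOs marked "- No File" (the entries the CFScript in post #4 targets) and a deregistered driver whose ImagePath points into c:\windows\TEMP. As an added example (not code from the thread or from ComboFix), the Python below runs a first triage pass over log lines of that shape and surfaces two things for a human to look at: registrations whose file is gone, and executables or drivers loading from a Temp directory. The heuristics are an assumption about what a first pass should flag, not a verdict; in this thread the helper's scripts leave the TEMP driver alone, which is exactly the decision the triage leaves to the reviewer. Sample lines 1 to 4 copy entries from the logs above; line 5 is constructed.

```python
"""Triage autorun and service entries from a ComboFix-style log.

Added example, not from the thread or from ComboFix. The sample lines are in
the shape of the log entries posted in this thread; the heuristics are an
assumption about what a first pass should surface, not a verdict.
"""
import re
from typing import Dict, Iterable, List, Optional

# "BHO: {GUID} - No File" / "uURLSearchHooks: H - No File": the registration
# survives but the file it pointed at is gone.
ORPHAN_RE = re.compile(r"-\s*No File\s*$", re.IGNORECASE)

# "name"="value" [...]  as used for Run keys and service ImagePath values.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<value>[^"]*)"')

# A path under a Temp directory, or a .tmp file registered as a driver/service.
TEMP_RE = re.compile(r"\\temp\\|\.tmp$", re.IGNORECASE)


def extract_path(line: str) -> Optional[str]:
    """Return the quoted value of a "name"="value" line, minus the \\??\\ NT prefix."""
    m = VALUE_RE.match(line.strip())
    if not m:
        return None
    value = m.group("value")
    if value.startswith("\\??\\"):
        value = value[4:]
    return value


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return entries worth a human look, grouped by reason."""
    findings: Dict[str, List[str]] = {"orphan": [], "temp_path": []}
    for lineno, line in enumerate(lines, start=1):
        stripped = line.strip()
        if not stripped:
            continue
        if ORPHAN_RE.search(stripped):
            findings["orphan"].append(f"line {lineno}: {stripped}")
            continue
        path = extract_path(stripped)
        if path and TEMP_RE.search(path):
            findings["temp_path"].append(f"line {lineno}: {path}")
    return findings


# Sample input: lines 1-4 copy entries from the logs in this thread, line 5 is constructed.
SAMPLE_LOG_LINES = [
    r"uURLSearchHooks: H - No File",
    r"BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File",
    r'"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 68856]',
    r'"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"',
    r'"updater"="c:\documents and settings\user\Local Settings\Temp\upd.exe" [2010-05-09 38912]',
]

if __name__ == "__main__":
    for reason, hits in triage(SAMPLE_LOG_LINES).items():
        for hit in hits:
            print(f"{reason:9} {hit}")
```

The output is a review list, not a removal list: an orphaned BHO is harmless clutter that a cleanup script removes for tidiness, and a Temp-path driver may be a scanner's own helper as easily as something hostile, so each hit is checked against what is known to be installed before anything is scripted against it.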


#6 sempai


    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:27 PM

Posted 13 May 2010 - 05:00 AM

Hi,

Please download Revo Uninstaller Pro version. It's a trial for 30 days but fully functional. You can try using the Forced Uninstall feature to uninstall McAfee.


============================


1. Please download Malwarebytes' Anti-Malware from here:
MalwareBytes' AntiMalware download link

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




2. Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.

~Semp



#7 Avenger40

  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:27 AM

Posted 14 May 2010 - 04:35 PM

I downloaded the Revo Uninstaller Pro, but McAfee does not appear on the program list so I do not know how to search for any of its files or how to force uninstall it. I'd appreciate any assistance.
==========================
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4102

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/14/2010 5:31:15 PM
mbam-log-2010-05-14 (17-31-15).txt

Scan type: Quick scan
Objects scanned: 131904
Time elapsed: 7 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

=====================

I downloaded GMER, and everything seemed to be scanning ok the first time. I began the scan as I went to bed and it was running smoothly. However, the next morning, it was still scanning the same file and seemed to be stuck. So, I restarted the program and received this error on a blue screen:

"STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000). The system has been shut down."


#8 sempai


    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:27 PM

Posted 14 May 2010 - 07:23 PM

Hi Avenger40,

We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
KillAll::

Folder::
C:\Program Files\McAfee

Driver::
McAfeeFramework
mferkdk


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.





~Semp



#9 Avenger40

  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:27 AM

Posted 14 May 2010 - 10:39 PM

As I attempted to run ComboFix I received the following Warning:

"Parasite Found!!

The follwing file was found attempting to attach itself to ComboFix. It shall be disabled. Take note of it as we may need it later.

C:\PROGRA~1\PHAROS~1\Core\PRNTRACK.DLL "
================================

ComboFix 10-05-14.06 - MSUUSER 05/14/2010 23:24:44.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.317 [GMT -4:00]
Running from: c:\documents and settings\MSUUSER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\MSUUSER\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\McAfee
c:\program files\McAfee\Common Framework\0409\AgentRes.dll
c:\program files\McAfee\Common Framework\0409\AgentRes64.dll
c:\program files\McAfee\Common Framework\0409\CmaUIRes.dll
c:\program files\McAfee\Common Framework\0409\ScrptRes.dll
c:\program files\McAfee\Common Framework\0409\UpdRes.dll
c:\program files\McAfee\Common Framework\Agent.dll
c:\program files\McAfee\Common Framework\Agent64.dll
c:\program files\McAfee\Common Framework\AgentPlugin.dll
c:\program files\McAfee\Common Framework\applib.dll
c:\program files\McAfee\Common Framework\applib64.dll
c:\program files\McAfee\Common Framework\Cleanup.exe
c:\program files\McAfee\Common Framework\ClientUI.dll
c:\program files\McAfee\Common Framework\cmalib.dll
c:\program files\McAfee\Common Framework\cmalib64.dll
c:\program files\McAfee\Common Framework\CmdAgent.exe
c:\program files\McAfee\Common Framework\ComponentFrameworkCallback64.dll
c:\program files\McAfee\Common Framework\ComponentPolicyEnforcement64.dll
c:\program files\McAfee\Common Framework\ComponentSubSystem.dll
c:\program files\McAfee\Common Framework\ComponentSubSystem64.dll
c:\program files\McAfee\Common Framework\ComponentUserInterface.dll
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\Common Framework\FrmInst.exe
c:\program files\McAfee\Common Framework\FrmPlugin.dll
c:\program files\McAfee\Common Framework\GenEvtInf.dll
c:\program files\McAfee\Common Framework\GenEvtInf64.dll
c:\program files\McAfee\Common Framework\InternetManager.dll
c:\program files\McAfee\Common Framework\InternetManager64.dll
c:\program files\McAfee\Common Framework\JrMac.dll
c:\program files\McAfee\Common Framework\ListenServer.dll
c:\program files\McAfee\Common Framework\Logging.dll
c:\program files\McAfee\Common Framework\Logging64.dll
c:\program files\McAfee\Common Framework\Management.dll
c:\program files\McAfee\Common Framework\Management64.dll
c:\program files\McAfee\Common Framework\McScanCheck.exe
c:\program files\McAfee\Common Framework\McScript.exe
c:\program files\McAfee\Common Framework\McScript_InUse.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\McAfee\Common Framework\mcurial.dll
c:\program files\McAfee\Common Framework\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\McAfee\Common Framework\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\McAfee\Common Framework\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\McAfee\Common Framework\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\McAfee\Common Framework\msvcp71.dll
c:\program files\McAfee\Common Framework\msvcr71.dll
c:\program files\McAfee\Common Framework\naCmnLib64.dll
c:\program files\McAfee\Common Framework\naCmnLib71.dll
c:\program files\McAfee\Common Framework\nagshr32.dll
c:\program files\McAfee\Common Framework\naicrt32.dll
c:\program files\McAfee\Common Framework\nailog.dll
c:\program files\McAfee\Common Framework\nailog64.dll
c:\program files\McAfee\Common Framework\naInet.dll
c:\program files\McAfee\Common Framework\naInet64.dll
c:\program files\McAfee\Common Framework\naisign.dll
c:\program files\McAfee\Common Framework\naitcpp.dll
c:\program files\McAfee\Common Framework\naPolicyManager.dll
c:\program files\McAfee\Common Framework\naPolicyManager64.dll
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr64.exe
c:\program files\McAfee\Common Framework\naSPIPE.dll
c:\program files\McAfee\Common Framework\naSPIPE64.dll
c:\program files\McAfee\Common Framework\naXML64.dll
c:\program files\McAfee\Common Framework\naXML71.dll
c:\program files\McAfee\Common Framework\nmcomn32.dll
c:\program files\McAfee\Common Framework\patchw32.dll
c:\program files\McAfee\Common Framework\PcrPlug.dll
c:\program files\McAfee\Common Framework\PoEvtInf.dll
c:\program files\McAfee\Common Framework\Scheduler.dll
c:\program files\McAfee\Common Framework\Scheduler64.dll
c:\program files\McAfee\Common Framework\ScriptSubSys.dll
c:\program files\McAfee\Common Framework\SecureFrameworkFactory.dll
c:\program files\McAfee\Common Framework\SecureFrameworkFactory64.dll
c:\program files\McAfee\Common Framework\TCHelper.dll
c:\program files\McAfee\Common Framework\TCSubSys.dll
c:\program files\McAfee\Common Framework\UdaterUI.exe
c:\program files\McAfee\Common Framework\unicows.dll
c:\program files\McAfee\Common Framework\UpdateSubSys.dll
c:\program files\McAfee\Common Framework\UpdPlug.dll
c:\program files\McAfee\Common Framework\UserSpace.dll
c:\program files\McAfee\Common Framework\XMLWrap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCAFEEFRAMEWORK
-------\Legacy_MFERKDK
-------\Service_McAfeeFramework
-------\Service_mferkdk


((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 )))))))))))))))))))))))))))))))
.

2010-05-14 21:14 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 21:14 . 2010-05-14 21:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-14 21:14 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-13 22:38 . 2010-05-13 22:38 -------- d-----w- c:\documents and settings\MSUUSER\Local Settings\Application Data\VS Revo Group
2010-05-13 22:37 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-05-13 22:37 . 2010-05-13 22:37 -------- d-----w- c:\program files\VS Revo Group
2010-05-12 19:53 . 2010-05-12 20:20 -------- d-----w- C:\HostsXpert
2010-05-12 19:46 . 2010-05-12 19:46 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-05-12 19:44 . 2010-05-12 19:44 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-05-10 22:29 . 2010-05-10 22:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-10 22:19 . 2010-05-10 22:19 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-10 22:18 . 2010-05-10 22:18 -------- d-----w- c:\program files\Bonjour
2010-05-10 21:32 . 2010-05-10 22:14 -------- d-----w- C:\ComboFix(2)
2010-05-10 21:27 . 2010-05-10 22:14 -------- d-----w- C:\RECYCLER(2)
2010-05-10 19:13 . 2010-05-10 22:15 -------- d-----w- c:\documents and settings\MSUUSER\Application Data\SafeReturner
2010-05-10 19:13 . 2010-05-10 22:15 -------- d-----w- c:\program files\Safe Returner
2010-05-10 14:28 . 2010-05-10 14:28 -------- d-----w- c:\documents and settings\MSUUSER\Application Data\Malwarebytes
2010-05-10 14:28 . 2010-05-10 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-10 04:05 . 2010-05-10 05:16 625440 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-10 04:05 . 2010-05-10 05:16 23840 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-05-10 00:28 . 2010-05-10 22:16 -------- d-----w- c:\windows\system32\NtmsData
2010-05-09 23:43 . 2010-05-10 22:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-09 23:43 . 2010-05-09 23:43 -------- d-----w- c:\documents and settings\MSUUSER\Application Data\SUPERAntiSpyware.com
2010-05-09 23:30 . 2010-05-10 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-09 14:22 . 2010-05-10 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-05-09 05:17 . 2010-05-10 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-09 03:12 . 2010-05-09 03:12 12464 ----a-w- c:\windows\system32\avgrsstx(2)(2).dll
2010-05-09 03:06 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 19:45 . 2009-11-28 17:02 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-11 19:57 . 2007-04-27 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-10 22:43 . 2008-07-25 20:45 -------- d-----w- c:\program files\CCleaner
2010-05-10 22:29 . 2009-11-28 17:02 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-10 22:29 . 2009-11-28 17:02 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-10 22:16 . 2007-08-28 23:59 -------- d-----w- c:\documents and settings\MSUUSER\Application Data\GetRightToGo
2010-05-10 05:16 . 2010-05-10 04:05 9452 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-10 05:16 . 2010-05-10 04:05 3308 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-09 02:51 . 2007-03-16 06:43 -------- d-----w- c:\program files\Google
2010-03-10 06:15 . 2006-06-22 21:06 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-06-22 21:07 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-06-22 21:06 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-06-22 21:06 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 68856]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-26 68296]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-09-14 577536]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 148888]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\MSUUSER\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-3-17 59080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-10 22:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 17:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DS\\utorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/28/2009 1:02 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/28/2009 1:02 PM 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/10/2010 6:29 PM 308064]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [3/16/2007 2:36 AM 18816]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [3/16/2007 2:36 AM 9600]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [5/13/2010 6:37 PM 27064]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2007-04-10 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-23 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.moreheadstate.edu/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-McAfeeUpdaterUI - c:\program files\McAfee\Common Framework\UdaterUI.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-14 23:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3472)
c:\windows\system32\WININET.dll
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\System32\tabbtnu.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\PHAROS~1\Core\CTskMstr.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-14 23:35:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-15 03:35
ComboFix2.txt 2010-05-12 20:16
ComboFix3.txt 2010-05-11 20:07
ComboFix4.txt 2010-05-10 19:08

Pre-Run: 63,926,013,952 bytes free
Post-Run: 63,797,833,728 bytes free

- - End Of File - - 5E6E2E6977E9752BA543493B2697A3BE

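The "Files Created" and "Find3M" sections of the ComboFix log above are the part a responder reads first, and they are tedious to read by eye. The script below is an added example for this thread, not a tool the helper or the original poster ran: it parses the line shape visible in that log (created time, modified time, size or dashes for a directory, an eight-character attribute string, path) and flags three things worth a manual check: files created in the incident window under `dllcache` (the Windows File Protection source copies), kernel drivers (`.sys`) created in the window, and files carrying both the hidden and system attributes. The incident window is an assumption taken from the original post (symptoms roughly two days before 10 May, cleanup through 14 May), the attribute letters are read by presence rather than by column, and a flag is a prompt to verify an entry against its vendor, not a verdict that it is malicious.

```python
"""Triage the "Files Created" / "Find3M" sections of a ComboFix log.

Added example for this thread, not a tool the helper used. It reads the
line shape visible in the log above and flags entries a responder would
want to check by hand; a flag is a prompt to verify, not a verdict.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# One ComboFix file line, as pasted above:
#   <created> . <modified> <size or dashes> <attrs> <path>
# Attribute letters are read by presence (d, s, h, c ...) rather than by
# column position, so no assumption about ComboFix's exact layout is made.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Assumed incident window: the OP reported symptoms about two days before
# 10 May 2010 and was still cleaning on 14 May. Adjust per case.
WINDOW_START = datetime(2010, 5, 8)
WINDOW_END = datetime(2010, 5, 15, 23, 59)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int          # -1 for directories (ComboFix prints dashes)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return "s" in self.attrs and "h" in self.attrs


def parse(lines) -> List[Entry]:
    """Keep only lines that match the ComboFix file-entry shape."""
    entries = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = -1 if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(
            datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size, m["attrs"], m["path"],
        ))
    return entries


def flag(entries: List[Entry], start: datetime, end: datetime) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, reasons) for items worth a second look."""
    findings = []
    for e in entries:
        low = e.path.lower()
        in_window = start <= e.created <= end
        reasons = []
        if e.hidden_system and not e.is_dir:
            reasons.append("file carries hidden+system attributes")
        if low.endswith(".sys") and in_window:
            reasons.append("kernel driver created inside the incident window")
        if "\\dllcache\\" in low and in_window:
            reasons.append("Windows File Protection cache copy replaced inside the window")
        if reasons:
            findings.append((e, reasons))
    return findings


# Constructed sample: six lines copied from the ComboFix log above.
SAMPLE = r"""
2010-05-14 21:14 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 21:14 . 2010-05-14 21:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-13 22:37 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-05-10 04:05 . 2010-05-10 05:16 625440 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-09 03:06 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-10 06:15 . 2006-06-22 21:06 420352 ----a-w- c:\windows\system32\vbscript.dll
""".strip().splitlines()

if __name__ == "__main__":
    for entry, why in flag(parse(SAMPLE), WINDOW_START, WINDOW_END):
        print(f"{entry.created:%Y-%m-%d %H:%M}  {entry.path}")
        for r in why:
            print(f"    - {r}")
```

On the sample, the two `.sys` files and the `dllcache` copy are flagged purely because of when they appeared; the hidden+system `fidbox.dat` is flagged on attributes alone and would still be listed with any window. Feed the whole log file in with `flag(parse(open(path)), ...)`; the non-matching header and registry lines are simply skipped.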

#10 sempai (noypi, Malware Response Team, 5,288 posts)

Posted 14 May 2010 - 11:07 PM

Hi,

Can you please now run the removal tool for McAfee?

How's the computer running now?


=====================================


1. Please run another DDS scan and post the DDS.txt and attach the attach.txt for my review.



2. Please try GMER again.

Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.


If you still can't run GMER, please use RootRepeal instead.
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Open on your desktop.
  3. Click the tab.
  4. Click the button.
  5. Check all seven boxes:
  6. Push Ok
  7. Check the box for your main system drive (Usually C:), and press Ok.
  8. Allow RootRepeal to run a scan of your system. This may take some time.
  9. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply.



~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 Avenger40 (Topic Starter, Members, 11 posts)

Posted 16 May 2010 - 02:26 PM

The McAfee removal tool still would not run. I once again received the message that stated it could not be removed because McAfee tools/files were still running/in use.
===============
The computer is running a little more smoothly now! It no longer redirects, and I am no longer redirected to google.de when searching, in addition to all websites remaining in English instead of German. Both the primary symptoms of the problem are gone, but I want to make sure it is entirely gone! Also, I'd like to know how to efficiently remove all the tools I've downloaded and any recommendations you have for continued protection. I sincerely appreciate all your help!
===============
GMER would once again not run, so below you will find the DDS file, and attached you will find the Attach.txt and the RootRepeal file
===============

DDS (Ver_10-03-17.01) - NTFSx86
Run by MSUUSER at 14:44:45.57 on Sun 05/16/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.450 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\MSUUSER\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.moreheadstate.edu/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [Snippet] "c:\program files\microsoft experience pack\snipping tool\SnippingTool.exe" /i
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\msuuser\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-28 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-28 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-28 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-5-10 308064]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2007-3-16 18816]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [2007-3-16 9600]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-5-13 27064]

=============== Created Last 30 ================

2010-05-14 21:14:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 21:14:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-14 21:14:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-13 22:37:59 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-05-13 22:37:57 0 d-----w- c:\program files\VS Revo Group
2010-05-12 19:53:13 0 d-----w- C:\HostsXpert
2010-05-11 20:01:31 0 d-sha-r- C:\cmdcons
2010-05-11 20:00:18 98816 ----a-w- c:\windows\sed.exe
2010-05-11 20:00:18 77312 ----a-w- c:\windows\MBR.exe
2010-05-11 20:00:18 256512 ----a-w- c:\windows\PEV.exe
2010-05-11 20:00:18 161792 ----a-w- c:\windows\SWREG.exe
2010-05-11 02:13:58 0 ----a-w- c:\documents and settings\msuuser\defogger_reenable
2010-05-10 22:29:31 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-10 22:19:25 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-10 22:18:18 0 d-----w- c:\program files\Bonjour
2010-05-10 21:32:02 0 d-----w- C:\ComboFix(2)
2010-05-10 21:28:43 732 ----a-w- c:\windows\system32\.crusader
2010-05-10 21:27:31 0 d-----w- C:\RECYCLER(2)
2010-05-10 19:13:38 0 d-----w- c:\docume~1\msuuser\applic~1\SafeReturner
2010-05-10 19:13:30 0 d-----w- c:\program files\Safe Returner
2010-05-10 14:28:32 0 d-----w- c:\docume~1\msuuser\applic~1\Malwarebytes
2010-05-10 14:28:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-10 04:05:49 9452 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-10 04:05:49 625440 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-10 04:05:49 3308 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-10 04:05:49 23840 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-05-10 00:28:38 0 d-----w- c:\windows\system32\NtmsData
2010-05-09 23:43:31 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-09 23:43:31 0 d-----w- c:\docume~1\msuuser\applic~1\SUPERAntiSpyware.com
2010-05-09 23:30:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-05-09 14:22:54 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-05-09 03:12:51 12464 ----a-w- c:\windows\system32\avgrsstx(2)(2).dll
2010-05-09 03:06:09 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-05-12 19:45:31 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-10 22:29:26 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-09-29 01:47:32 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092820080929\index.dat

============= FINISH: 14:45:36.60 ===============

Attached Files


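Both log formats in this thread list autostart points: the ComboFix "Reg Loading Points" section and service `ImagePath` values (`"name"="path" [date size]` and `"ImagePath"="\??\path"`), and the DDS "Pseudo HJT Report" (`uRun:`/`mRun:`/`dRunOnce:` lines, `BHO:`, `TB:` and `uURLSearchHooks:` lines). The script below is an added example, not something the helper or the poster ran, and its regexes are this example's own reading of those line shapes rather than an official grammar. It flags the things a responder checks first in such a listing: entries that point at no file (`uURLSearchHooks: H - No File` above), images living in temp or recycler locations (the `mchInjDrv` value above points at `c:\windows\TEMP\mc21.tmp`), bare file names that the loader resolves through its search order, and images whose extension is not an executable type. The suspicious-directory list is an assumption chosen for this example, and every flag means "verify this entry", not "this entry is malicious".

```python
"""Triage autostart entries from ComboFix and DDS logs.

Added example for this thread, not something the helper or the OP ran.
A flag means "verify", not "malicious".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# ComboFix:  "swg"="c:\program files\...\GoogleToolbarNotifier.exe" [2007-07-06 68856]
# ComboFix:  "ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
COMBOFIX_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')
# DDS:       mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
DDS_RUN = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# DDS:       uURLSearchHooks: H - No File
#            BHO: AVG Safe Search: {3ca2f312-...} - c:\program files\avg\avg9\avgssie.dll
DDS_HOOK = re.compile(r"^(?:uURLSearchHooks|BHO|TB): (?P<name>.*?)(?: - (?P<cmd>.*))?$")

# First token that looks like a file with an extension, quoted or not.
PATH_RE = re.compile(r'^"?(?P<path>.*?\.(?P<ext>[a-z0-9]{1,4}))(?:"|\s|$)', re.I)
EXEC_EXT = {"exe", "dll", "sys", "scr", "cpl", "com", "bat", "pif"}
# Assumed list: directories an autostart image or driver has no business living in.
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\",
                   "\\recycler\\", "\\system volume information\\")


@dataclass
class Finding:
    name: str
    line: str
    reasons: List[str]


def extract_image(cmd: str) -> Optional[str]:
    """Pull the image path out of a command string, dropping the NT \\??\\ prefix."""
    cmd = cmd.strip()
    if cmd.startswith("\\??\\"):
        cmd = cmd[4:]
    m = PATH_RE.match(cmd)
    return m.group("path") if m else None


def assess(cmd: Optional[str]) -> List[str]:
    """Reasons an entry deserves a manual look; empty list means nothing stood out."""
    if cmd is None or cmd.strip().lower() == "no file":
        return ["dangling entry: registry value points at no file"]
    path = extract_image(cmd)
    if path is None:
        return [f"could not parse an image path from {cmd!r}"]
    low = path.lower()
    reasons = []
    if "\\" not in low:
        reasons.append("bare file name: resolved through the search order, so hijackable")
    for d in SUSPICIOUS_DIRS:
        if d in low:
            reasons.append("image lives under " + d.strip("\\"))
    ext = low.rsplit(".", 1)[-1]
    if ext not in EXEC_EXT:
        reasons.append(f"non-executable extension .{ext} on an executable image")
    return reasons


def triage(lines) -> List[Finding]:
    """Match each line against the known shapes and keep the ones with reasons."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for rx in (COMBOFIX_VALUE, DDS_RUN, DDS_HOOK):
            m = rx.match(line)
            if m:
                reasons = assess(m.group("cmd"))
                if reasons:
                    findings.append(Finding(m.group("name"), line, reasons))
                break
    return findings


# Constructed sample: lines copied from the ComboFix and DDS logs above.
SAMPLE_LOG = r"""
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 68856]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Three of the seven sample lines come back flagged: the bare `stsystra.exe` (a search-order question, and in this log it does sit in `c:\windows`), the `.tmp` driver image under `TEMP`, and the dangling search hook. The two full-path `Run` entries and the AVG BHO produce nothing, which is the point: the script narrows a few hundred lines to the handful a human should look up.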

#12 sempai (noypi, Malware Response Team, 5,288 posts)

Posted 17 May 2010 - 08:46 AM

Hi,

QUOTE
Also, I'd like to know how to efficiently remove all the tools I've downloaded and any recommendations you have for continued protection.

I will instruct you on how to properly remove them on the last part when everything is fixed.


Can you please try to run the removal tool for McAfee in Safe Mode?

This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.
Please see here for additional details.



=============================================

Though your log already appears to be clean, let's try running another rootkit scanner to make sure that no rootkit is present.


1. Please try running GMER again; this time make sure that only the "Sections" box is checked.



2. Scan with Vba32Arkit.
  • Save Vba32Arkit.zip to your desktop.
  • Extract the zip file to a folder named Vba.
  • Open the Vba folder and double click Vba32Arkit.exe to run the tool.
  • Press the Start button and let Vba32Arkit make a FULL SCAN of your system.
  • After scanning press the File button -> Logging State -> Click start to save the logfile.
  • When prompted to view generated log file, select No and then exit the tool.
  • Attach the log file when you reply.


~Semp



#13 Avenger40 (Topic Starter, Members, 11 posts)

Posted 17 May 2010 - 06:51 PM

The McAfee removal tool would not work and gave me the same error message in Safe Mode.
========
GMER once again gave me the blue screen with the "Fatal System Error" I have described previously. Attached you will find the Vba log.

Attached Files



#14 sempai (noypi, Malware Response Team, 5,288 posts)

Posted 18 May 2010 - 08:44 AM

Hi,

Please go to Start > All Programs > Accessories > System Tools > Scheduled Tasks. If you see any task related to McAfee, please delete it and try running the removal tool again.



========================================


1. Download TFC (Temp File Cleaner) to your desktop.
  • Close any other windows.
  • Double click the TFC icon to run the program.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.
Note: TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.




2. When the computer crashes after a restart, the system makes dump files (Minixxxxx.dmp, where x represents a number). I need to see the file to find the cause of the crash.
Use Windows Advanced Search to find the file, to do that:
  • Click the Start button then click Search and the Search window will open.
  • Click All Files or Folders.
  • Type mini*.dmp in the box where it says "All or part of the file name".
  • Look through your hard drive.
  • Under the More options Tab, put a check at the Following:
Search system folders
Search hidden files and folders
Search subfolders
  • Then click Search.
  • Zip the file and attach it to your reply. To attach the file:
        * When you press ADD REPLY, under the reply window press Browse... and show the path to the zip file on your computer.
        * Highlight the zip file, click Open, then press the green UPLOAD button.




3. Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Note: Kaspersky online scan may take time to complete, please be patient.

~Semp



#15 Avenger40 (Topic Starter, Members, 11 posts)

Posted 20 May 2010 - 06:41 AM

There were no McAfee processes on the Scheduled Tasks screen.
=====
I downloaded and ran TFC on my computer.
=====
I did the search for the "mini*.dmp" file, but my search returned no results, and I ensured that I followed all instructions closely!
=====
The Kaspersky online virus scan revealed no threats, so the log was blank.



