
I Think I'm Still Infected


  • This topic is locked
16 replies to this topic

#1 JeffFrom Pittsburgh

  • Members
  • 10 posts

Posted 13 June 2010 - 11:49 PM

Hello everyone. I was recommended to this site by a friend who told me that the community here was wonderful and helped her tremendously when her computer was attacked. I'm hoping you folks would be so kind as to help me out as well.

I'm running a Pentium-4 1.8GHz with 680MB RAM and WinXP Home SP3. I know, old computer, but with a kid in college, I can't look to get a new one right now.

I had been running McAfee Internet Security (available free from Comcast) for the past year or so. Comcast changed their security software affiliation recently to Norton, so I had to uninstall McAfee and install Norton Security Suite. I installed, uninstalled, and reinstalled it numerous times, but the software would not activate. One of their techs took control of my system and said I had some files missing, most likely from a virus problem I ran into on this PC about two years ago. He had run a program from Microsoft that was supposed to find missing files and replace them, but no missing files were found. He then told me that something was screwed up on my computer and he could help me no further until I reinstalled Windows. For obvious reasons, I'm looking to do this only as a last resort. However, I can't access Windows applications like Volume Control, Notepad, or Defragmenter, so it seems something is either missing or corrupted.

I tried a couple of free antivirus programs on my PC and really seemed to like Avira AntiVir Free Personal until a virus slipped through its active virus guard and infected my computer with backdoor.tidserv. It disabled the Avira software, but knowing enough to try to combat some of these problems, I was able to get the virus off...I think. I'm left with what seems to be a browser hijacker left on my system. When I open Internet Explorer, I get some popup windows to what seem to be various, random sites. As a matter of fact, when I followed a Google link to this site, it redirected me somewhere - three different sites on three different occasions.

However, I now have a few security programs on my machine and they all come up with clean scan results. They are:
- Malwarebytes Anti-Malware
- McAfee Internet Security
- Spybot Search & Destroy
- Hijack This!
- SDFix

I've been using Hijack This! to keep an eye on my PC for years and, on occasion, have found some hijackers. This time, it seems to catch nothing. I've attached my latest Hijack This! and Malwarebytes scan logs, both of which were produced today. Since these scans, I've seen no change to the hijacking of my browser and overall performance/speed degradation (the PC ran a lot better two weeks ago).

Can someone please help me out with this?

Thanks in advance,

JeffFromPittsburgh

*** BEGIN JUN 13 HIJACK THIS! LOG ***

Logfile of HijackThis v1.97.7
Scan saved at 12:45:29 AM, on 6/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\MSIMN.EXE
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100611142557.dll
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - Startup: Comcast Universal Caller ID.lnk = D:\Program Files\Comcast Universal Caller ID\Comcast Universal Caller ID.exe
O4 - Startup: PUSHDMA2.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_02) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://axiomtek.webex.com/client/T26L/webex/ieatgpc.cab

*** END JUN 13 HIJACK THIS! LOG ***



*** BEGIN JUN 13 MALWAREBYTES LOG ***

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4187

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

6/13/2010 7:35:14 AM
mbam-log-2010-06-13 (07-35-14).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 243488
Time elapsed: 2 hour(s), 8 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*** END JUN 13 MALWAREBYTES LOG ***

Yep, definitely still infected. When I got up this morning, after having left my PC powered on all night, I had the following files sitting on my desktop: shortcuts to nudetube.com, pornotube.com, and youporn.com along with spam001.exe, spam003.exe, and troj000.exe. All this while McAfee was running.

I performed a Google Search on "spam001.exe" and "troj000.exe" and a couple of links told me that this was most likely a TDSS Rootkit. I downloaded the Kaspersky TDSSKiller and it seemed to do the trick, at least after only a couple of reboots. Can anyone recommend a solution that will tell me if there are any other remnants left on my machine?

===========

Merged posts. ~ OB

Edited by Orange Blossom, 19 August 2010 - 01:09 AM.
Since a log is posted, I am moving this from the XP forum to Malware Removal ~ Elise




#2 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 16 June 2010 - 08:21 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



Please read the preparation guide here => http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Then post the required logs when you reply and we will begin from there. Thanks.


~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 JeffFrom Pittsburgh

  • Topic Starter
  • Members
  • 10 posts

Posted 16 June 2010 - 12:29 PM

"DDS.txt" log below, "attach.txt" from DDS and "ark.txt" from GMER are attached. Thanks very much for your help on this!!

Jeff



DDS (Ver_10-03-17.01) - NTFSx86
Run by Jeff Laskowski at 10:05:55.79 on Wed 06/16/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.638.80 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\VirusScan\mcods.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Outlook Express\MSIMN.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Documents and Settings\Jeff Laskowski\Desktop\dds.scr

============== Pseudo HJT Report ===============

mDefault_Page_URL = hxxp://www.msn.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100611142557.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRunOnce: [WIAWizardMenu] RUNDLL32.EXE c:\windows\system32\sti_ci.dll,WiaCreateWizardMenu
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\jeffla~1\startm~1\programs\startup\comcas~1.lnk - d:\program files\comcast universal caller id\Comcast Universal Caller ID.exe
StartupFolder: c:\documents and settings\jeff laskowski\start menu\programs\startup\PUSHDMA2.EXE
uPolicies-explorer: HideClock = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: musicmatch.com
DPF: Microsoft XML Parser for Java
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://axiomtek.webex.com/client/T26L/webex/ieatgpc.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeffla~1\applic~1\mozilla\firefox\profiles\q8aon3fp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.oowrestling.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\jeff laskowski\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385880]
R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\BPCDRVSD.SYS [2003-9-10 7936]
R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [2003-9-10 62311]
R1 kid_sys;Kensington Input Devices Class filter driver;c:\windows\system32\drivers\KID_SYS.sys [2003-10-15 11920]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-6-11 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-11 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-11 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-11 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-11 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-6-11 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-6-11 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-6-11 141792]
R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [2003-9-10 4538]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-6-11 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-11 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-11 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-6-11 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-6-11 88480]
S3 BP_FX_AT;BACKPACK USB;c:\windows\system32\drivers\BP_fx_at.sys [2003-9-10 32640]
S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [2003-9-10 5493]
S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [2003-9-10 19670]
S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [2003-9-6 109676]
S3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [2003-9-10 9085]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-6-11 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-6-11 83496]
S3 ntxpusb;Gravis USB device driver;c:\windows\system32\drivers\ntxpusb.sys [2003-10-15 266432]
S3 pmxscan;Visioneer USB Service;c:\windows\system32\drivers\usbscan.sys [2003-11-30 15104]
S4 McOobeSv;McAfee OOBE Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-11 271480]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
piffile="%1" %*"

=============== Created Last 30 ================

2010-06-14 06:38:37 1199 ----a-w- c:\docume~1\alluse~1\applic~1\pragmamfeklnmal.dll
2010-06-14 05:34:35 0 d-----w- c:\windows\PRAGMAetycbcxrit
2010-06-13 04:37:44 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-06-13 04:34:00 0 d-----w- c:\windows\ERUNT
2010-06-13 04:24:51 0 d-----w- C:\SDFix
2010-06-11 17:58:49 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-06-11 17:58:39 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-06-11 17:58:39 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-06-11 17:58:39 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-06-11 17:58:38 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-06-11 17:58:38 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-06-11 17:58:38 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-06-11 17:58:38 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-06-11 17:57:56 0 d-----w- c:\program files\common files\Mcafee
2010-06-11 17:57:28 0 d-----w- c:\program files\McAfee.com
2010-06-11 17:56:52 0 d-----w- c:\program files\McAfee
2010-06-10 18:13:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-10 18:13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-10 18:03:33 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-10 18:03:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-10 18:03:06 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-09 05:04:27 218 ----a-w- c:\documents and settings\jeff laskowski\.recently-used.xbel
2010-05-28 05:54:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-27 08:07:50 262144 ---ha-w- c:\documents and settings\jeff laskowski\ntuser.dat.LOG1
2010-05-27 08:07:50 0 ---ha-w- c:\documents and settings\jeff laskowski\ntuser.dat.LOG2
2010-05-21 20:20:07 0 d-----w- c:\program files\Windows Resource Kits
2010-05-21 20:13:03 447 ----a-w- c:\documents and settings\jeff laskowski\reset.cmd
2010-05-20 22:22:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton VRQ
2010-05-20 21:56:08 0 d-----w- c:\program files\Symantec
2010-05-20 21:56:08 0 d-----w- c:\program files\common files\Symantec Shared
2010-05-20 21:55:17 0 d-----w- c:\windows\system32\drivers\N360
2010-05-20 21:45:27 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-05-20 21:38:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-05-20 20:34:04 0 d-----w- c:\windows\LMIB.tmp
2010-05-20 20:11:41 0 d-----w- c:\docume~1\alluse~1\applic~1\old
2010-05-20 19:13:24 0 d-----w- c:\windows\LMI1B.tmp
2010-05-20 17:53:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-06-14 13:32:37 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-04-27 21:16:24 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16:24 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-20 05:13:00 87608 ----a-w- c:\docume~1\jeffla~1\applic~1\inst.exe
2010-04-20 05:13:00 47360 ----a-w- c:\docume~1\jeffla~1\applic~1\pcouffin.sys
2010-04-20 05:02:45 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-04-16 16:09:09 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09:09 667136 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-04-16 16:09:08 627712 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-04-16 16:09:07 3073024 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-04-16 16:09:07 1509888 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
2010-04-16 16:09:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-16 16:09:05 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-04-16 16:09:05 251904 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-04-16 16:09:05 1025024 ----a-w- c:\windows\system32\dllcache\browseui.dll
2010-04-06 08:52:46 2462720 ----a-w- c:\windows\system32\dllcache\WMVCore.dll
2000-02-04 08:19:00 40960 ----a-w- c:\windows\inf\vizpnp\Vipersti.dll
2000-02-04 08:19:00 18112 ----a-w- c:\windows\inf\vizpnp\Pmxscan.sys

============= FINISH: 10:10:12.23 ===============


#4 sempai (Malware Response Team, 5,288 posts)

Posted 16 June 2010 - 05:30 PM

Hi,

There's no attach file, can you attach them again for me please. Thanks.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 JeffFrom Pittsburgh (Topic Starter, 10 posts)

Posted 17 June 2010 - 07:58 AM

Sorry about that. Missed a step.

Attached files: ark.txt (67.33KB), Attach.txt (17.52KB)

#6 sempai (Malware Response Team, 5,288 posts)

Posted 17 June 2010 - 08:56 AM

Hi,

You have a nasty TDSS Pragma rootkit. My recommendation for this kind of infection is doing a reformat because of its backdoor functionality.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.


===================================


Please do the next instructions only if you do not wish to reformat.


1. We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy




2. Please go to Control Panel > Add/Remove Programs and uninstall Symantec Technical Support Web Controls or any other programs related to Symantec/Norton. Then run the Norton removal tool HERE. Make sure to choose the appropriate removal tool for the Norton product that you've previously used.




3. Please follow the instructions on how to disable McAfee so it will not interfere while we run ComboFix. After doing all the steps, please re-enable it again so you will stay protected while waiting for my response; I will advise you to disable it again if needed. Thanks.


How to disable McAfee:
  • Please open McAfee Security Centre
  • Under Common Tasks click on Home
  • Click Computer Files
  • Click Configure
  • Make sure the following are disabled by ticking the "Off" button.
    Virus protection
    Spyware protection
    System Guards Protection
    Script Scanning Protection (you may have to scroll down to see it)
  • Next, select never for "When to re-enable real time scanning"
  • and click OK.
Further info on disabling and re-enabling McAfee: http://help.aol.com/help/microsites/micros...ternalID=222820




Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.



~Semp



#7 JeffFrom Pittsburgh (Topic Starter, 10 posts)

Posted 17 June 2010 - 05:21 PM

Wow! Big decision here! I have quite a bit of data that I'd need to backup on a second drive in this PC. I don't know enough about the reformatting process to know if my second hard drive, which is used only for storage, would need to be backed up as well. If it does, this would be a long and involved process.

I understand that, if we go the route of fixing the problem, there's no way to guarantee that the problem wouldn't resurface. Would I know if the problem resurfaced? In other words, would anti-virus software pick up the rootkit if it installed itself on my PC again? It would seem that if I could catch it, then I'd be okay, and if it didn't surface after a period of time, there's a reasonable chance I'd be safe.

Completely reformatting the PC, to me, would be an absolute last resort. Your answers to the questions above will go a long way in determining if I've hit that point of "last resort" yet.

Thanks,

Jeff



#8 sempai (Malware Response Team, 5,288 posts)

Posted 17 June 2010 - 05:43 PM

Hi,

There's no guarantee that it will be picked up by AV products; besides, there's no 100% detection on any AV product, so relying on them alone is not a good idea. You need to practice safe internet.

~Semp



#9 JeffFrom Pittsburgh (Topic Starter, 10 posts)

Posted 18 June 2010 - 11:48 PM

Okay, I went through your process in the following order:

- Disabled Spybot Search Destroy "TeaTimer."
- Uninstalled Symantec Technical Support Web Controls
- Downloaded and ran Norton Removal Tool (reboot required)
- Disabled McAfee Internet Security by individually turning off Real-Time Scanning, Scheduled Scanning, Firewall, and Anti-Spam. I have McAfee Internet Security, not McAfee Security Centre, so the process to shut everything off was different, but when I was asked when to turn them back on, I always chose "never."
- Downloaded and ran ComboFix, which then installed the Microsoft Windows Recovery Console. No reboots were necessary during or after running ComboFix (I hope that's a good thing!).
- Immediately upon the creation and display of the ComboFix log, I turned McAfee Internet Security features back on.

Here's my ComboFix log:

ComboFix 10-06-18.03 - Jeff Laskowski 06/19/2010 0:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.638.206 [GMT -4:00]
Running from: c:\documents and settings\Jeff Laskowski\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\JEFFLA~1\LOCALS~1\Temp\wscsvc32.exe
c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\Jeff Laskowski\Application Data\EurekaLog
c:\documents and settings\Jeff Laskowski\Application Data\EurekaLog\EurekaLog.ini
c:\documents and settings\Jeff Laskowski\Application Data\inst.exe
c:\windows\calc.exe
c:\windows\PRAGMAetycbcxrit
c:\windows\PRAGMAetycbcxrit\PRAGMAcfg.ini
c:\windows\PRAGMAetycbcxrit\PRAGMAsrcr.dat
c:\windows\system32\42KJE738.ocx
c:\windows\system32\Cache
c:\windows\system32\fonts
c:\windows\system32\fonts\ACADEMY_.PFB
c:\windows\system32\fonts\ACADEMY_.PFM
c:\windows\system32\fonts\ACADEMY_.TTF
c:\windows\system32\SHELLLNK.TLB
c:\windows\system32\skinboxer43.dll
c:\windows\winhelp.ini
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-14 05:30 . 2010-06-14 05:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-06-14 03:34 . 2010-06-14 03:34 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-06-13 04:37 . 2010-06-13 04:37 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-06-13 04:34 . 2010-06-13 04:34 -------- d-----w- c:\windows\ERUNT
2010-06-13 04:24 . 2010-06-13 05:06 -------- d-----w- C:\SDFix
2010-06-11 20:05 . 2010-06-11 20:05 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-11 17:58 . 2010-04-27 21:16 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-06-11 17:58 . 2010-04-27 21:16 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-06-11 17:58 . 2010-04-27 21:16 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-06-11 17:58 . 2010-04-27 21:16 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-06-11 17:58 . 2010-04-27 21:16 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-06-11 17:58 . 2010-04-27 21:16 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-06-11 17:58 . 2010-04-27 21:16 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-06-11 17:58 . 2010-04-27 21:16 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-06-11 17:57 . 2010-06-11 17:59 -------- d-----w- c:\program files\Common Files\Mcafee
2010-06-11 17:57 . 2010-06-11 17:57 -------- d-----w- c:\program files\McAfee.com
2010-06-11 17:56 . 2010-06-11 18:00 -------- d-----w- c:\program files\McAfee
2010-06-11 17:48 . 2010-06-11 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-11 16:04 . 2010-06-11 16:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-10 18:13 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-10 18:13 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-10 18:03 . 2010-06-10 18:03 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-10 18:03 . 2010-06-10 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-10 18:03 . 2010-06-10 18:03 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-10 13:31 . 2010-06-10 18:31 -------- d-----w- c:\documents and settings\Jeff Laskowski\Local Settings\Application Data\wwptgh
2010-05-28 05:54 . 2010-05-28 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-21 20:20 . 2010-05-21 20:20 -------- d-----w- c:\program files\Windows Resource Kits
2010-05-21 20:13 . 2010-05-21 20:16 447 ----a-w- c:\documents and settings\Jeff Laskowski\reset.cmd
2010-05-20 22:22 . 2010-05-20 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton VRQ
2010-05-20 21:55 . 2010-05-27 18:52 -------- d-----w- c:\windows\system32\drivers\N360
2010-05-20 21:45 . 2010-05-20 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-05-20 21:38 . 2010-06-19 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-20 21:38 . 2010-05-20 21:42 -------- d-----w- c:\documents and settings\Jeff Laskowski\Local Settings\Application Data\NPE
2010-05-20 20:34 . 2010-05-21 02:16 -------- d-----w- c:\windows\LMIB.tmp
2010-05-20 20:11 . 2010-05-20 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\old
2010-05-20 19:13 . 2010-05-20 20:46 -------- d-----w- c:\windows\LMI1B.tmp
2010-05-20 17:53 . 2010-05-20 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 22:21 . 2008-10-20 04:22 -------- d-----w- c:\documents and settings\Jeff Laskowski\Application Data\uTorrent
2010-06-17 13:01 . 2010-03-25 21:04 146 ----a-w- c:\documents and settings\Jeff Laskowski\Application Data\GSAK\data\babel.bat
2010-06-17 01:13 . 2008-11-10 16:45 -------- d-----w- c:\documents and settings\Jeff Laskowski\Application Data\.purple
2010-06-14 13:32 . 2001-08-18 11:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-06-09 03:15 . 2008-11-10 00:49 -------- d-----w- c:\documents and settings\Jeff Laskowski\Application Data\gtk-2.0
2010-06-09 03:02 . 2003-07-14 05:00 297304 ----a-w- c:\documents and settings\Jeff Laskowski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-02 13:21 . 2006-08-27 16:54 -------- d-----w- c:\documents and settings\Jeff Laskowski\Application Data\Canon
2010-05-28 05:34 . 2008-11-07 15:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-27 03:37 . 2006-03-04 03:07 -------- d-----w- c:\program files\StreamCast
2010-05-15 14:22 . 2008-05-03 04:47 -------- d-----w- c:\documents and settings\Jeff Laskowski\Application Data\DVD Flick
2010-05-12 19:26 . 2010-05-12 19:26 1065 ----a-w- c:\documents and settings\Jeff Laskowski\Application Data\.purple\certificates\x509\tls_peers\gmail.com
2010-05-12 17:47 . 2010-05-12 17:47 -------- d-----w- c:\documents and settings\Jeff Laskowski\Application Data\Tific
2010-05-12 17:44 . 2010-05-12 17:44 -------- d-----w- c:\program files\Windows Sidebar
2010-05-02 05:22 . 2002-02-20 23:46 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 21:16 . 2010-01-06 00:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16 . 2010-01-06 00:04 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-20 05:30 . 2001-08-18 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:13 . 2010-04-20 05:02 -------- d-----w- c:\documents and settings\Jeff Laskowski\Application Data\Vso
2010-04-20 05:13 . 2010-04-20 05:02 47360 ----a-w- c:\documents and settings\Jeff Laskowski\Application Data\pcouffin.sys
2010-04-20 05:13 . 2010-04-20 05:02 47360 ----a-w- c:\documents and settings\Jeff Laskowski\Application Data\pcouffin.sys
2010-04-20 05:02 . 2010-04-20 05:02 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-04-16 16:09 . 2004-12-07 21:37 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2005-03-05 22:37 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-14 07:25 . 2009-08-06 20:26 38784 ----a-w- c:\documents and settings\Jeff Laskowski\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-25 20:42 . 2010-03-25 20:31 136 ----a-w- c:\documents and settings\Jeff Laskowski\Application Data\GSAK\babel.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="c:\windows\system32\sti_ci.dll" [2008-04-14 136704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Openwares LiveUpdate]
2003-12-13 17:17 61440 ----a-w- c:\program files\LIVEUPDATE\LiveUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"d:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"d:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"28478:TCP"= 28478:TCP:eMule TCP
"28488:UDP"= 28488:UDP:eMule UDP

R1 BpCdrVsd;BpCdrVsd;c:\windows\SYSTEM32\DRIVERS\BPCDRVSD.SYS [9/10/2003 5:43 PM 7936]
R1 bpfinder;BACKPACK Finder;c:\windows\SYSTEM32\DRIVERS\bpfinder.sys [9/10/2003 5:36 PM 62311]
R1 kid_sys;Kensington Input Devices Class filter driver;c:\windows\SYSTEM32\DRIVERS\KID_SYS.sys [10/15/2003 9:23 PM 11920]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [6/11/2010 1:58 PM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/11/2010 1:57 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/11/2010 1:57 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/11/2010 1:57 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [6/11/2010 1:59 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [6/11/2010 1:58 PM 141792]
R3 bpflt;BACKPACK Filter;c:\windows\SYSTEM32\DRIVERS\bpflt.sys [9/10/2003 5:36 PM 4538]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [6/11/2010 1:58 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [6/11/2010 1:58 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [6/11/2010 1:58 PM 88480]
S3 BP_FX_AT;BACKPACK USB;c:\windows\SYSTEM32\DRIVERS\BP_fx_at.sys [9/10/2003 5:36 PM 32640]
S3 bppccard;BACKPACK PC Card;c:\windows\SYSTEM32\DRIVERS\bppccard.sys [9/10/2003 5:36 PM 5493]
S3 bppnpdrv;BACKPACK Driver;c:\windows\SYSTEM32\DRIVERS\bppnpdrv.sys [9/10/2003 5:36 PM 19670]
S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\SYSTEM32\DRIVERS\bpusbdrv.sys [9/6/2003 12:01 AM 109676]
S3 bpusbflt;BACKPACK USB Filter;c:\windows\SYSTEM32\DRIVERS\bpusbflt.sys [9/10/2003 5:36 PM 9085]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [6/11/2010 1:58 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [6/11/2010 1:58 PM 83496]
S3 ntxpusb;Gravis USB device driver;c:\windows\SYSTEM32\DRIVERS\ntxpusb.sys [10/15/2003 9:23 PM 266432]
S3 pmxscan;Visioneer USB Service;c:\windows\SYSTEM32\DRIVERS\usbscan.sys [11/30/2003 6:00 PM 15104]
S4 McOobeSv;McAfee OOBE Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/11/2010 1:57 PM 271480]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: musicmatch.com
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Jeff Laskowski\Application Data\Mozilla\Firefox\Profiles\q8aon3fp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.oowrestling.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Jeff Laskowski\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
SafeBoot-klmdb.sys
MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-Uniblue RegistryBooster 2 - d:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
AddRemove-HyperLoad - c:\program files\Nabisco\HyperLoad\Uninst.isu
AddRemove-Micro Solutions SpeedyCD - c:\program files\SpeedyCD\Uninstall\SPEEDYCD.ISU



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 00:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-19 00:43:56
ComboFix-quarantined-files.txt 2010-06-19 04:43

Pre-Run: 833,224,704 bytes free
Post-Run: 1,238,462,464 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

- - End Of File - - ADDD819C7D26018168A930EFC92A0980


#10 sempai (Malware Response Team, 5,288 posts)

Posted 19 June 2010 - 01:24 AM

Hi,


P2P Warning:
Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case µTorrent).

These programmes allow users to share files between each other, as the name suggests. In today's world cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



===========================================


1. Please download and run this tool => http://noahdfear.net/downloads/PragmaFix.exe
A log file will pop up or find it at C:\PragmaFix.log. Please post the contents of that log for my review.



2. We need to execute a ComboFix script. (Tutorials on how to disable your anti-virus and anti-malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the code box below into it:

CODE
DDS::
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

DirLook::
c:\documents and settings\Jeff Laskowski\Local Settings\Application Data\wwptgh
c:\windows\LMIB.tmp
c:\documents and settings\All Users\Application Data\old
c:\windows\LMI1B.tmp

Folder::
c:\documents and settings\All Users\Application Data\Norton VRQ
c:\windows\system32\drivers\N360
c:\documents and settings\All Users\Application Data\NortonInstaller
c:\documents and settings\All Users\Application Data\Norton
c:\documents and settings\Jeff Laskowski\Local Settings\Application Data\NPE

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



===========================================


How's the computer running now?


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 JeffFrom Pittsburgh (Topic Starter, Members, 10 posts)

Posted 19 June 2010 - 05:20 PM

Okay, I went through your process in the following order:

- Downloaded and ran PragmaFix.exe
- Disabled McAfee Internet Security by individually turning off Real-Time Scanning, Scheduled Scanning, Firewall, and Anti-Spam. When I was asked when to turn them back on, I always chose "never."
- Created CFScript.txt per your instructions above and saved it to my desktop.
- Downloaded ComboFix and saved it to my desktop.
- Dragged the CFScript.txt icon onto the ComboFix.exe icon, which then ran ComboFix using that script. This required a reboot during execution.
- Immediately upon the creation and display of the ComboFix log, I turned McAfee Internet Security features back on.

Here are my PragmaFix and ComboFix logs:

********************************************************

PragmaFix:

Sat 06/19/2010 17:35:21.48

No embedded null keys found

********************************************************

ComboFix:

ComboFix 10-06-18.03 - Jeff Laskowski 06/19/2010 17:51:21.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.638.335 [GMT -4:00]
Running from: c:\documents and settings\Jeff Laskowski\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeff Laskowski\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Norton VRQ
c:\documents and settings\All Users\Application Data\Norton VRQ\symdata.xml
c:\documents and settings\All Users\Application Data\Norton
c:\documents and settings\All Users\Application Data\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI
c:\documents and settings\All Users\Application Data\Norton\{3A7FA539-8005-4603-87D2-SOS1-NSS-v4}-0.dat
c:\documents and settings\All Users\Application Data\Norton\{3A7FA539-8005-4603-87D2-SOS1-NSS-v4}-0.log
c:\documents and settings\All Users\Application Data\Norton\00000083\00000033\00000249\cltLMS1.dat
c:\documents and settings\All Users\Application Data\Norton\00000083\00000033\00000249\cltLMS2.dat
c:\documents and settings\All Users\Application Data\Norton\00000083\00000033\1122\key.txt
c:\documents and settings\All Users\Application Data\Norton\NPE\NPEsettings.dat
c:\documents and settings\All Users\Application Data\Norton\URLS-{3A7FA539-8005-4603-87D2-SOS1-NSS-v4}-0.txt
c:\documents and settings\All Users\Application Data\NortonInstaller
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\05-20-2010-18h22m27s.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\05-20-2010-18h32m28s.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\05-20-2010-18h32m37s.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-20-17h45m27s.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-20-17h45m36s.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-20-18h04m43s.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-20-18h04m47s.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-20-18h04m59s.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-20-18h52m30s.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-08h43m27s\BHCA-0x0BD0.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-08h43m27s\Install.1.mft
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-08h43m27s\NortonInstall-2010-05-27-08h43m27s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-08h43m27s\SymIMexe-0x0BEC.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-08h43m27s\tuIH-0x0C30.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-08h43m34s\SymNRT 5-27-2010 8h43m31s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-10h34m00s\Patch-2010-05-27-10h34m00s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-10h34m00s\Patch.1.mft
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-10h34m01s\Patch-2010-05-27-10h34m00s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-10h34m01s\Patch.1.mft
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-10h34m07s\BHCA-0x07EC.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-10h34m07s\Patch-2010-05-27-10h34m01s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-10h34m07s\Patch.1.mft
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-14h52m04s\Patch-2010-05-27-14h52m04s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-14h52m04s\Patch.1.mft
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-14h52m04s\SymIMexe-0x088C.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\2010-05-27-14h52m04s\tuIH-0x08E0.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\Url.txt
c:\documents and settings\Jeff Laskowski\Local Settings\Application Data\NPE\Info20100520173827.xml
c:\documents and settings\Jeff Laskowski\Local Settings\Application Data\NPE\NPETraceSession.etl
c:\windows\system32\drivers\N360
c:\windows\system32\drivers\N360\0401000.020\Cat.DB
c:\documents and settings\Jeff Laskowski\Local Settings\Application Data\NPE . . . . failed to delete
c:\documents and settings\Jeff Laskowski\Local Settings\Application Data\NPE\bootlog_NPETraceSession.etl . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-19 21:35 . 2006-11-01 17:06 162616 ----a-w- c:\windows\RegDelNull.exe
2010-06-14 05:30 . 2010-06-14 05:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-06-14 03:34 . 2010-06-14 03:34 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-06-13 04:37 . 2010-06-13 04:37 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-06-13 04:34 . 2010-06-13 04:34 -------- d-----w- c:\windows\ERUNT
2010-06-13 04:24 . 2010-06-13 05:06 -------- d-----w- C:\SDFix
2010-06-11 20:05 . 2010-06-11 20:05 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-11 17:58 . 2010-04-27 21:16 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-06-11 17:58 . 2010-04-27 21:16 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-06-11 17:58 . 2010-04-27 21:16 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-06-11 17:58 . 2010-04-27 21:16 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-06-11 17:58 . 2010-04-27 21:16 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-06-11 17:58 . 2010-04-27 21:16 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-06-11 17:58 . 2010-04-27 21:16 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-06-11 17:58 . 2010-04-27 21:16 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-06-11 17:57 . 2010-06-11 17:59 -------- d-----w- c:\program files\Common Files\Mcafee
2010-06-11 17:57 . 2010-06-11 17:57 -------- d-----w- c:\program files\McAfee.com
2010-06-11 17:56 . 2010-06-11 18:00 -------- d-----w- c:\program files\McAfee
2010-06-11 17:48 . 2010-06-19 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-11 16:04 . 2010-06-11 16:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-10 18:13 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-10 18:13 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-10 18:03 . 2010-06-10 18:03 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-10 18:03 . 2010-06-10 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-10 18:03 . 2010-06-10 18:03 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-10 13:31 . 2010-06-10 18:31 -------- d-----w- c:\documents and settings\Jeff Laskowski\Local Settings\Application Data\wwptgh
2010-05-28 05:54 . 2010-05-28 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-21 20:20 . 2010-05-21 20:20 -------- d-----w- c:\program files\Windows Resource Kits
2010-05-21 20:13 . 2010-05-21 20:16 447 ----a-w- c:\documents and settings\Jeff Laskowski\reset.cmd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 17:46 . 2008-10-20 04:22 -------- d-----w- c:\documents and settings\Jeff Laskowski\Application Data\uTorrent
2010-06-17 13:01 . 2010-03-25 21:04 146 ----a-w- c:\documents and settings\Jeff Laskowski\Application Data\GSAK\data\babel.bat
2010-06-17 01:13 . 2008-11-10 16:45 -------- d-----w- c:\documents and settings\Jeff Laskowski\Application Data\.purple
2010-06-14 13:32 . 2001-08-18 11:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-06-09 03:15 . 2008-11-10 00:49 -------- d-----w- c:\documents and settings\Jeff Laskowski\Application Data\gtk-2.0
2010-06-09 03:02 . 2003-07-14 05:00 297304 ----a-w- c:\documents and settings\Jeff Laskowski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-02 13:21 . 2006-08-27 16:54 -------- d-----w- c:\documents and settings\Jeff Laskowski\Application Data\Canon
2010-05-28 05:34 . 2008-11-07 15:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-27 03:37 . 2006-03-04 03:07 -------- d-----w- c:\program files\StreamCast
2010-05-20 21:23 . 2010-05-20 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\old
2010-05-20 17:53 . 2010-05-20 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-15 14:22 . 2008-05-03 04:47 -------- d-----w- c:\documents and settings\Jeff Laskowski\Application Data\DVD Flick
2010-05-12 19:26 . 2010-05-12 19:26 1065 ----a-w- c:\documents and settings\Jeff Laskowski\Application Data\.purple\certificates\x509\tls_peers\gmail.com
2010-05-12 17:47 . 2010-05-12 17:47 -------- d-----w- c:\documents and settings\Jeff Laskowski\Application Data\Tific
2010-05-12 17:44 . 2010-05-12 17:44 -------- d-----w- c:\program files\Windows Sidebar
2010-05-02 05:22 . 2002-02-20 23:46 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 21:16 . 2010-01-06 00:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16 . 2010-01-06 00:04 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-20 05:30 . 2001-08-18 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:13 . 2010-04-20 05:02 47360 ----a-w- c:\documents and settings\Jeff Laskowski\Application Data\pcouffin.sys
2010-04-20 05:13 . 2010-04-20 05:02 47360 ----a-w- c:\documents and settings\Jeff Laskowski\Application Data\pcouffin.sys
2010-04-20 05:02 . 2010-04-20 05:02 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-04-16 16:09 . 2004-12-07 21:37 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2005-03-05 22:37 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-14 07:25 . 2009-08-06 20:26 38784 ----a-w- c:\documents and settings\Jeff Laskowski\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-25 20:42 . 2010-03-25 20:31 136 ----a-w- c:\documents and settings\Jeff Laskowski\Application Data\GSAK\babel.bat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\old ----

2010-05-20 20:14 . 2010-05-20 20:53 6212 ----a-w- c:\documents and settings\All Users\Application Data\old\00000083\00000033\00000249\cltLMS2.dat
2010-05-20 20:14 . 2010-05-20 20:53 6180 ----a-w- c:\documents and settings\All Users\Application Data\old\00000083\00000033\00000249\cltLMS1.dat
2010-05-20 20:11 . 2010-05-20 20:11 174 ----a-w- c:\documents and settings\All Users\Application Data\old\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI
2010-05-20 20:11 . 2010-05-20 20:48 13 ----a-w- c:\documents and settings\All Users\Application Data\old\00000083\00000033\1122\key.txt

---- Directory of c:\documents and settings\Jeff Laskowski\Local Settings\Application Data\wwptgh ----


---- Directory of c:\windows\LMI1B.tmp ----

2010-05-20 20:45 . 2010-05-20 20:45 6597 ----a-w- c:\windows\LMI1B.tmp\chat.rtf
2010-05-20 20:45 . 2010-05-20 20:45 689 ----a-w- c:\windows\LMI1B.tmp\rescue.log

---- Directory of c:\windows\LMIB.tmp ----

2010-05-20 20:35 . 2010-05-20 20:34 177464 ----a-w- c:\windows\LMIB.tmp\LMIRhook.000.dll
2010-05-20 20:34 . 2010-05-20 22:52 615 ----a-w- c:\windows\LMIB.tmp\session.log
2010-05-20 20:34 . 2010-05-20 20:34 2347320 ----a-w- c:\windows\LMIB.tmp\rarcc.dll
2010-05-20 20:34 . 2010-05-20 20:34 1041736 ----a-w- c:\windows\LMIB.tmp\ICSAgent32.dll
2010-05-20 20:34 . 2010-05-21 02:32 269672 ----a-w- c:\windows\LMIB.tmp\rescue.log
2010-05-20 20:34 . 2010-05-20 20:34 7608 ----a-w- c:\windows\LMIB.tmp\logo.bmp
2010-05-20 20:34 . 2010-05-21 02:16 356 ----a-w- c:\windows\LMIB.tmp\params.txt
2010-05-20 20:34 . 2010-05-20 20:34 22486 ----a-w- c:\windows\LMIB.tmp\rescue.ico
2010-05-20 20:34 . 2010-05-20 20:34 81720 ----a-w- c:\windows\LMIB.tmp\ra64app.exe
2010-05-20 20:34 . 2010-05-20 20:34 177464 ----a-w- c:\windows\LMIB.tmp\rahook.dll
2010-05-20 20:34 . 2010-05-20 20:34 1738544 ----a-w- c:\windows\LMIB.tmp\lmi_rescue.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="c:\windows\system32\sti_ci.dll" [2008-04-14 136704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Openwares LiveUpdate]
2003-12-13 17:17 61440 ----a-w- c:\program files\LIVEUPDATE\LiveUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"d:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"d:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"28478:TCP"= 28478:TCP:eMule TCP
"28488:UDP"= 28488:UDP:eMule UDP

R1 BpCdrVsd;BpCdrVsd;c:\windows\SYSTEM32\DRIVERS\BPCDRVSD.SYS [9/10/2003 5:43 PM 7936]
R1 bpfinder;BACKPACK Finder;c:\windows\SYSTEM32\DRIVERS\bpfinder.sys [9/10/2003 5:36 PM 62311]
R1 kid_sys;Kensington Input Devices Class filter driver;c:\windows\SYSTEM32\DRIVERS\KID_SYS.sys [10/15/2003 9:23 PM 11920]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [6/11/2010 1:58 PM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/11/2010 1:57 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/11/2010 1:57 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/11/2010 1:57 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [6/11/2010 1:59 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [6/11/2010 1:58 PM 141792]
R3 bpflt;BACKPACK Filter;c:\windows\SYSTEM32\DRIVERS\bpflt.sys [9/10/2003 5:36 PM 4538]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [6/11/2010 1:58 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [6/11/2010 1:58 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [6/11/2010 1:58 PM 88480]
S3 BP_FX_AT;BACKPACK USB;c:\windows\SYSTEM32\DRIVERS\BP_fx_at.sys [9/10/2003 5:36 PM 32640]
S3 bppccard;BACKPACK PC Card;c:\windows\SYSTEM32\DRIVERS\bppccard.sys [9/10/2003 5:36 PM 5493]
S3 bppnpdrv;BACKPACK Driver;c:\windows\SYSTEM32\DRIVERS\bppnpdrv.sys [9/10/2003 5:36 PM 19670]
S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\SYSTEM32\DRIVERS\bpusbdrv.sys [9/6/2003 12:01 AM 109676]
S3 bpusbflt;BACKPACK USB Filter;c:\windows\SYSTEM32\DRIVERS\bpusbflt.sys [9/10/2003 5:36 PM 9085]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [6/11/2010 1:58 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [6/11/2010 1:58 PM 83496]
S3 ntxpusb;Gravis USB device driver;c:\windows\SYSTEM32\DRIVERS\ntxpusb.sys [10/15/2003 9:23 PM 266432]
S3 pmxscan;Visioneer USB Service;c:\windows\SYSTEM32\DRIVERS\usbscan.sys [11/30/2003 6:00 PM 15104]
S4 McOobeSv;McAfee OOBE Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [6/11/2010 1:57 PM 271480]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-06-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: musicmatch.com
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Jeff Laskowski\Application Data\Mozilla\Firefox\Profiles\q8aon3fp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.oowrestling.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Jeff Laskowski\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 18:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2052)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\program files\SmartFTP\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-06-19 18:18:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-19 22:18

Pre-Run: 1,337,962,496 bytes free
Post-Run: 1,317,453,824 bytes free

- - End Of File - - 9566B278061374C3926A54496975E876


********************************************************

The computer seems to be running as well as it should be. I say that because, running a Pent-4 1.8GHz with 640MB RAM, the computer will never be "fast." I plan on keeping a very close eye on things moving forward to determine if some strange or unexpected things start happening. If they do, I'm going to bite the bullet and reformat my PC and reinstall Windows. Is this a process that you have documented or is it a matter of following

I really do try to practice "safe internet," as you mentioned. With that said, some things that I do aren't necessarily what someone with your knowledge would call "safe." For example, my P2P activity is limited to downloading from private trackers content that is made specifically for one community. I haven't been using it much lately, but when I do use uTorrent, it's only to download and watch hockey games, then I delete them. I've downloaded video files from these sources (sources being individual uploaders to the one private tracker I visit) for years and I've never had an issue. I also hadn't used uTorrent for a few weeks when the infection became known, so I can be reasonably (but obviously, not 100%) certain that the infection didn't come from P2P activity. Unfortunately, I'm not the only one in the family that uses this computer, so who knows how this nasty trojan infested itself onto my system.

Please let me know what, if needed, the next step would be, and as always, thank you very much for your assistance.

Jeff
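As an added example (not code from this thread, from the ComboFix authors or from the forum), here is a small Python parser for the REGEDIT4-style fragments that appear both in the CFScript's Registry:: section above and in the ComboFix log's "Reg Loading Points" section, together with a check that flags the Security Center and Windows Firewall settings Jeff's log shows as disabled. The two sample fragments are copied from the script and log posted in this thread; the function names and the "findings" wording are my own.

```python
"""Parse REGEDIT4-style fragments as they appear in ComboFix scripts and
ComboFix logs, and flag Windows Security Center / Windows Firewall settings
that malware commonly tampers with (added example, not ComboFix's own code)."""
import re
from typing import Dict, List, Optional, Tuple, Union

RegValue = Union[int, str, None]   # None stands for the .reg delete marker ("=-")
RegTree = Dict[str, Dict[str, RegValue]]

# Sample input: the Registry:: section of the CFScript posted above.
CFSCRIPT_REGISTRY = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
"""

# Sample input: lines taken from the "Reg Loading Points" section of the
# ComboFix log posted above (ComboFix prints REG_DWORD data as "0 (0x0)").
COMBOFIX_LOG_FRAGMENT = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"28478:TCP"= 28478:TCP:eMule TCP
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"([^"]*)"|(@))\s*=\s*(.*)$')


def _parse_data(raw: str) -> RegValue:
    """Decode the right-hand side of a value line."""
    raw = raw.strip()
    if raw == "-":
        return None                          # .reg syntax: delete this value
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)              # dword:00000001 -> 1
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]                     # quoted REG_SZ
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    return int(m.group(1)) if m else raw     # ComboFix "0 (0x0)" or raw text


def parse_reg_fragment(text: str) -> RegTree:
    """Return {key_path: {value_name: data}} for a REGEDIT4-style fragment."""
    tree: RegTree = {}
    key: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        km = _KEY_RE.match(line)
        if km:
            key = km.group(1)
            tree.setdefault(key, {})
            continue
        vm = _VALUE_RE.match(line)
        if vm and key is not None:
            name = vm.group(1) if vm.group(1) is not None else "@"
            tree[key][name] = _parse_data(vm.group(3))
    return tree


def security_findings(tree: RegTree) -> List[str]:
    """Flag settings that silence Security Center or open/disable the firewall."""
    findings: List[str] = []
    for key, values in tree.items():
        low = key.lower()
        if r"security center\monitoring" in low and values.get("DisableMonitoring") == 1:
            product = key.rsplit("\\", 1)[-1]
            findings.append(f"Security Center monitoring disabled for {product}")
        if low.endswith(r"firewallpolicy\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append("Windows Firewall disabled (standard profile)")
        if low.endswith(r"globallyopenports\list"):
            for name in values:
                findings.append(f"Globally open firewall port {name}")
    return findings


def describe_script(tree: RegTree) -> List[Tuple[str, str, str, RegValue]]:
    """Render a CFScript Registry:: section as (action, key, value, data) rows."""
    rows = []
    for key, values in tree.items():
        for name, data in values.items():
            rows.append(("delete" if data is None else "set", key, name, data))
    return rows


if __name__ == "__main__":
    for line in security_findings(parse_reg_fragment(COMBOFIX_LOG_FRAGMENT)):
        print("FINDING:", line)
    for row in describe_script(parse_reg_fragment(CFSCRIPT_REGISTRY)):
        print("SCRIPT:", *row)
```

Running it lists the four weakened settings visible in the log fragment and shows that the script deletes the parent DisableMonitoring value and resets the two McAfee entries to 0.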




#12 sempai (noypi; Malware Response Team, 5,288 posts; Gender: Male; Location: 3 stars and a sun)

Posted 20 June 2010 - 04:03 AM

Hi,

Log looks OK, let's see if we can find some remnants.


==========================================

1. Click Start > Run > Copy/Paste the text in bold below into the run box > press OK.
PragmaFix -cleanup



2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.



3. Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Note: Kaspersky online scan may take time to complete, please be patient.



4. Please run another DDS scan and post the latest report for my review.



~Semp



#13 JeffFrom Pittsburgh (Topic Starter, Members, 10 posts)

Posted 20 June 2010 - 10:34 AM

I performed the following tasks in this order:

- Ran PragmaFix cleanup. Within seconds, the window read "Cleanup complete." No reboot was required.
- Downloaded and installed JDK 6 Update 20.
- Went to Control Panel => Add/Remove Programs to look for older versions of Java. I found three listings, two of which I just installed and the third is one I'm not sure about. They were "Java ™ 6 Update 20," "Java ™ SE Development Kit 6 Update 20," and "Java DB 10.5.3.0." I don't know what Java DB is or, more importantly, whether it's associated with the installation I just performed. Can you answer this?
- Tried to run Kaspersky Online Scanner, but the browser (Firefox) was hanging up before getting an Unresponsive Script Error (A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete. Script: chrome://saff/content/saffplg.js:144). After a few minutes, the Online Scanner found my System Information and allowed me to accept the user agreement, which I did. From there, Kaspersky Online Scanner tried to update virus definitions and gave me the following error: "Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program."
- Rebooted computer and tried to run Kaspersky Online Scanner again. Got the same script error again four times, even though I selected "Stop Script" when the error occurred. After a few minutes, I was allowed to accept the user agreement and clicked "Accept." I again got the error stating my connection was interrupted. Is something blocking my connection to the Kaspersky website? I kept getting the script error, but after about 8 minutes, Kaspersky started updating. At this point, the PC is running very slowly. Windows Task Manager is showing that the CPU is running at 100% load and that Firefox is taking between 80-98% of the CPU resources. After about an hour, I'm showing a database update of 98135KB, of which I've downloaded 91KB. I'm assuming we're going to be here for a while!
- Closed Firefox and tried running Kaspersky Online Scanner in Internet Explorer. The database ran much more quickly and was downloaded and began scanning after about fifteen minutes. PC performance seemed to be back to normal expectations. It found no threats. Here is the Kaspersky Log Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, June 20, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, June 20, 2010 13:42:10
Records in database: 4301923
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: no

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 133875
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 04:35:29

No threats found. Scanned area is clean.

Selected area has been scanned.

- Ran DDS.scr. Here is the report for this scan. I've also attached "attach.txt" for your review as well.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Jeff Laskowski at 22:39:05.71 on Sun 06/20/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.638.265 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Jeff Laskowski\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100611142557.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [WIAWizardMenu] RUNDLL32.EXE c:\windows\system32\sti_ci.dll,WiaCreateWizardMenu
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\jeffla~1\startm~1\programs\startup\comcas~1.lnk - d:\program files\comcast universal caller id\Comcast Universal Caller ID.exe
StartupFolder: c:\documents and settings\jeff laskowski\start menu\programs\startup\PUSHDMA2.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: musicmatch.com
DPF: Microsoft XML Parser for Java
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://axiomtek.webex.com/client/T26L/webex/ieatgpc.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeffla~1\applic~1\mozilla\firefox\profiles\q8aon3fp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.oowrestling.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\jeff laskowski\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385880]
R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\BPCDRVSD.SYS [2003-9-10 7936]
R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [2003-9-10 62311]
R1 kid_sys;Kensington Input Devices Class filter driver;c:\windows\system32\drivers\KID_SYS.sys [2003-10-15 11920]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-6-11 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-11 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-11 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-11 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-11 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-6-11 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-6-11 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-6-11 141792]
R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [2003-9-10 4538]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-6-11 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-11 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-11 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-6-11 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-6-11 88480]
S3 BP_FX_AT;BACKPACK USB;c:\windows\system32\drivers\BP_fx_at.sys [2003-9-10 32640]
S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [2003-9-10 5493]
S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [2003-9-10 19670]
S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [2003-9-6 109676]
S3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [2003-9-10 9085]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-6-11 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-6-11 83496]
S3 ntxpusb;Gravis USB device driver;c:\windows\system32\drivers\ntxpusb.sys [2003-10-15 266432]
S3 pmxscan;Visioneer USB Service;c:\windows\system32\drivers\usbscan.sys [2003-11-30 15104]
S4 McOobeSv;McAfee OOBE Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-11 271480]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"

=============== Created Last 30 ================

2010-06-20 15:14:15 0 d-----w- c:\program files\Sun
2010-06-20 15:13:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-20 15:13:58 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-19 04:18:55 0 d-sha-r- C:\cmdcons
2010-06-19 04:14:55 98816 ----a-w- c:\windows\sed.exe
2010-06-19 04:14:55 77312 ----a-w- c:\windows\MBR.exe
2010-06-19 04:14:55 256512 ----a-w- c:\windows\PEV.exe
2010-06-19 04:14:55 161792 ----a-w- c:\windows\SWREG.exe
2010-06-13 04:37:44 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-06-13 04:34:00 0 d-----w- c:\windows\ERUNT
2010-06-13 04:24:51 0 d-----w- C:\SDFix
2010-06-11 17:58:49 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-06-11 17:58:39 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-06-11 17:58:39 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-06-11 17:58:39 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-06-11 17:58:38 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-06-11 17:58:38 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-06-11 17:58:38 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-06-11 17:58:38 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-06-11 17:57:56 0 d-----w- c:\program files\common files\Mcafee
2010-06-11 17:57:28 0 d-----w- c:\program files\McAfee.com
2010-06-11 17:56:52 0 d-----w- c:\program files\McAfee
2010-06-10 18:13:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-10 18:13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-10 18:03:33 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-10 18:03:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-10 18:03:06 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-09 05:04:27 218 ----a-w- c:\documents and settings\jeff laskowski\.recently-used.xbel
2010-05-28 05:54:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-27 08:07:50 262144 ---ha-w- c:\documents and settings\jeff laskowski\ntuser.dat.LOG1
2010-05-27 08:07:50 0 ---ha-w- c:\documents and settings\jeff laskowski\ntuser.dat.LOG2

==================== Find3M ====================

2010-06-14 13:32:37 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-05-21 20:16:04 447 ----a-w- c:\documents and settings\jeff laskowski\reset.cmd
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-04-27 21:16:24 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16:24 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-20 05:13:00 47360 ----a-w- c:\docume~1\jeffla~1\applic~1\pcouffin.sys
2010-04-16 16:09:09 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09:09 667136 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-04-16 16:09:08 627712 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-04-16 16:09:07 3073024 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-04-16 16:09:07 1509888 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
2010-04-16 16:09:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-16 16:09:05 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-04-16 16:09:05 251904 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-04-16 16:09:05 1025024 ----a-w- c:\windows\system32\dllcache\browseui.dll
2010-04-06 08:52:46 2462720 ----a-w- c:\windows\system32\dllcache\WMVCore.dll
2000-02-04 08:19:00 40960 ----a-w- c:\windows\inf\vizpnp\Vipersti.dll
2000-02-04 08:19:00 18112 ----a-w- c:\windows\inf\vizpnp\Pmxscan.sys

============= FINISH: 22:41:09.21 ===============


*********************************************************

I will be traveling on business through Thursday night. I will be away from this PC during this period. Please reply at your convenience, but please understand that I will not be able to perform further tasks until Friday morning. Please do not close this thread due to lack of response. Again, I very much appreciate all of your help on this problem. You truly have been a life-saver!!

Thanks again,

Jeff

Attached File  Attach2.txt   19.29KB   6 downloads

Edited by JeffFrom Pittsburgh, 20 June 2010 - 09:46 PM.


#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:08 AM

Posted 20 June 2010 - 10:50 AM

Hi,

Please preview your post first, it happened twice already that you've posted an incomplete reply. Thanks.

If you still can't run Kaspersky scanner, please try ESET instead then run another DDS scan and post the new log.


I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

Edited by sempai, 20 June 2010 - 11:00 AM.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#15 JeffFrom Pittsburgh

JeffFrom Pittsburgh
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:08 PM

Posted 20 June 2010 - 09:48 PM

I updated my last post. Sorry for the mistake on my part.
