AV Security Suite


This topic is locked
25 replies to this topic

#1 atloss

atloss

  • Members
  • 49 posts

Posted 15 June 2010 - 03:58 PM

Hi,
I have followed the instructions on this site for "How to remove AV Security S." BUT it did not work. I used rkill followed by Malwarebytes Anti-Malware as instructed, but when I rebooted it was back. There I am on the next step and will be forwarding the appropriate logs as described in your article.
DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Charles R Schultz at 10:06:58.76 on Tue 06/15/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2480 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Charles R Schultz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
uInternet Settings,ProxyServer = http=127.0.0.1:1192
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100518141653.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: egreetings.com Toolbar: {1c99b848-84cb-4ce4-8cd8-ed5719484d9f} - mscoree.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p3 /q c:\docume~1\charle~1\locals~1\tempor~1\content.ie5\zlkdtc7y\04_27_~1.sh! c:\docume~1\charle~1\locals~1\tempor~1\content.ie5\e83405fj\199999~1.sh! c:\docume~1\charle~1\locals~1\tempor~1\content.ie5\esymgd10\click_~4.sh! c:\docume~1\charle~1\locals~1\tempor~1\content.ie5\esymgd10\__0384~1.sh! c:\docume~1\charle~1\locals~1\tempor~1\content.ie5\e83405fj\ron_09~1.sh! c:\docume~1\charle~1\locals~1\tempor~1\content.ie5\esymgd10\geo_09~1.sh! c:\docume~1\charle~1\locals~1\tempor~1\content.ie5\zlkdtc7y\__ord_~4.sh! c:\docume~1\charle~1\locals~1\tempor~1\content.ie5\h829i4km\__ord_~2.sh! c:\docume~1\charle~1\locals~1\tempor~1\content.ie5\esymgd10\FA%3D5~2.SH!
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Comrade.exe] c:\program files\gamespy\comrade\Comrade.exe
uRun: [@BackupScheduler] c:\program files\online backup\OnlineBackup.exe
uRun: [Google Update] "c:\documents and settings\charles r schultz\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [wyiowvipucmvq] c:\documents and settings\charles r schultz\local settings\application data\qajgvv\mrsoqjt.exe
uRun: [V71IQL7HI7] c:\windows\Jrifib.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "e:\adobe\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MBkLogonHook]
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [wyiowvipucmvq] c:\documents and settings\charles r schultz\local settings\application data\qajgvv\mrsoqjt.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\magic-i.lnk - e:\new folder\arcsoft\hp webcam\arcsoft\magic-i 3\Magic-i.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - hxxp://w4s2.work4sure.com/c/ge/w4sgeen9.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242486472437
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242486464187
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://mpsnare.iesnare.com/StmOCX.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-9 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-9 82952]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-9 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-9 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-9 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-9 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-9 88480]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-11-8 93320]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-9 271480]
S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-9 271480]
S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-9 170144]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-9 55456]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-5-9 152320]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-5-9 51688]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-9 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-9 83496]
S3 taterto2.scr;taterto2.scr;\??\c:\windows\system32\drivers\taterto2.scr.sys --> c:\windows\system32\drivers\taterto2.scr.sys [?]

=============== Created Last 30 ================

2010-06-15 11:59:05 118 ----a-w- c:\windows\wininit.ini
2010-06-10 11:05:18 175104 ----a-w- c:\windows\Jrifib.exe
2010-06-09 18:15:48 175104 ----a-w- c:\windows\Jrifia.exe
2010-06-09 18:15:44 70656 ----a-w- c:\windows\system32\ernel32.dll
2010-06-09 12:06:29 0 d-----w- c:\program files\XVIDCodecPack
2010-06-08 19:02:30 0 d-----w- c:\program files\IObit

==================== Find3M ====================

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 21:16:24 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16:24 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 21:16:24 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 21:16:24 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 21:16:24 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 21:16:24 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 21:16:24 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 21:16:24 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 21:16:24 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 21:16:24 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-27 18:45:56 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 18:45:56 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2010-04-02 21:17:52 15426200 ----a-w- c:\windows\system32\xlive.dll
2010-04-02 21:17:52 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-02-22 12:06:49 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-12-18 12:27:09 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-12-18 12:27:09 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-12-18 12:27:09 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 10:08:00.28 ===============
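A triage script, added here as an example and not part of the thread or of the DDS tool, that applies over the DDS lines above the checks a helper makes by eye: an IE proxy pointed at loopback, autorun entries for random-named files in per-user app data, executables dropped straight into c:\windows, a file one character away from a system DLL name, and a driver with a double extension. The sample lines are copied from the log posted above; the rule names and heuristics are this example's own assumptions.

```python
import re

# Well-known system DLL names; a system32 file one character away from one of
# these (the "ernel32.dll" in the log above) is a classic lookalike drop.
KNOWN_SYSTEM_DLLS = ("kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll")

RE_PROXY = re.compile(r"^uInternet Settings,ProxyServer = (.+)$", re.I)
RE_RUN = re.compile(r"^[um]Run: \[([^\]]+)\] (.+)$", re.I)
RE_SERVICE = re.compile(r"^[RS]\d ([^;]+);([^;]*);(.+)$")
RE_CREATED = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \d+ [-a-z]+ (.+)$", re.I)
# An .exe sitting directly in c:\windows rather than in a subfolder.
RE_WINDOWS_ROOT_EXE = re.compile(r'^"?c:\\windows\\[^\\"]+\.exe"?(\s|$)', re.I)
# A kernel driver whose file name carries a second extension, e.g. taterto2.scr.sys.
RE_DOUBLE_EXT_DRIVER = re.compile(r"\.(scr|exe|dll|tmp)\.sys\b", re.I)

# Constructed sample: lines copied from the DDS log posted above.
DDS_SAMPLE = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:1192
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\charles r schultz\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [wyiowvipucmvq] c:\documents and settings\charles r schultz\local settings\application data\qajgvv\mrsoqjt.exe
uRun: [V71IQL7HI7] c:\windows\Jrifib.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-9 385880]
S3 taterto2.scr;taterto2.scr;\??\c:\windows\system32\drivers\taterto2.scr.sys --> c:\windows\system32\drivers\taterto2.scr.sys [?]
2010-06-10 11:05:18 175104 ----a-w- c:\windows\Jrifib.exe
2010-06-09 18:15:44 70656 ----a-w- c:\windows\system32\ernel32.dll
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
"""


def one_deletion_away(name, known):
    """True when deleting exactly one character from `known` yields `name`."""
    return any(known[:i] + known[i + 1:] == name for i in range(len(known)))


def triage(log_text):
    """Return (rule, evidence) pairs, one per log line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = RE_PROXY.match(line)
        if m:
            if re.search(r"127\.0\.0\.1|localhost", m.group(1), re.I):
                findings.append(("proxy-to-loopback", m.group(1)))
            continue

        m = RE_RUN.match(line)
        if m:
            name, image = m.group(1), m.group(2).lower()
            if RE_WINDOWS_ROOT_EXE.match(image):
                findings.append(("autorun-exe-in-windows-root", name))
            elif ("\\local settings\\application data\\" in image
                  and name.split()[0].lower() not in image):
                # Per-user app data is a normal home for updaters (Google Update);
                # flag it only when the entry name has nothing in common with its path.
                findings.append(("autorun-unknown-in-local-appdata", name))
            continue

        m = RE_SERVICE.match(line)
        if m:
            if RE_DOUBLE_EXT_DRIVER.search(m.group(3)):
                findings.append(("driver-double-extension", m.group(1)))
            continue

        m = RE_CREATED.match(line)
        if m:
            path = m.group(1).lower()
            base = path.rsplit("\\", 1)[-1]
            if RE_WINDOWS_ROOT_EXE.match(path):
                findings.append(("new-exe-in-windows-root", base))
            for known in KNOWN_SYSTEM_DLLS:
                if one_deletion_away(base, known):
                    findings.append(("system-dll-lookalike", f"{base} ~ {known}"))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(DDS_SAMPLE):
        print(f"{rule:36} {evidence}")
```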


#2 fireman4it

fireman4it

Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 15 June 2010 - 06:09 PM


Hello atloss,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Download and Run RKill
Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 atloss

atloss
  • Topic Starter

  • Members
  • 49 posts

Posted 16 June 2010 - 10:04 AM

Hi,
Yes, it did get rid of the problem, but it also created another. I can no longer use Google Chrome as a secondary web browser. I had to uninstall it and then download Firefox. I have to use a secondary browser to access my online banking. My primary browser (I.E.) was screwed up by another virus several months ago. I will have to reformat my C drive some day, but not just right now. Thanks for your help.
ComboFix 10-06-15.03 - Charles R Schultz 06/16/2010 7:13.2.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2542 [GMT -4:00]
Running from: c:\documents and settings\Charles R Schultz\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\charles r schultz\local settings\application data\qajgvv\mrsoqjt.exe
c:\windows\Jrifia.exe
c:\windows\Jrifib.exe
c:\windows\system32\ernel32.dll
c:\windows\system32\nvapi(10).dll
c:\windows\system32\nvapi(11).dll
c:\windows\system32\nvapi(12).dll
c:\windows\system32\nvapi(13).dll
c:\windows\system32\nvapi(14).dll
c:\windows\system32\nvapi(15).dll
c:\windows\system32\nvapi(16).dll
c:\windows\system32\nvapi(17).dll
c:\windows\system32\nvapi(18).dll
c:\windows\system32\nvapi(19).dll
c:\windows\system32\nvapi(2).dll
c:\windows\system32\nvapi(20).dll
c:\windows\system32\nvapi(21).dll
c:\windows\system32\nvapi(22).dll
c:\windows\system32\nvapi(23).dll
c:\windows\system32\nvapi(24).dll
c:\windows\system32\nvapi(25).dll
c:\windows\system32\nvapi(26).dll
c:\windows\system32\nvapi(27).dll
c:\windows\system32\nvapi(28).dll
c:\windows\system32\nvapi(29).dll
c:\windows\system32\nvapi(3).dll
c:\windows\system32\nvapi(30).dll
c:\windows\system32\nvapi(31).dll
c:\windows\system32\nvapi(4).dll
c:\windows\system32\nvapi(5).dll
c:\windows\system32\nvapi(6).dll
c:\windows\system32\nvapi(7).dll
c:\windows\system32\nvapi(8).dll
c:\windows\system32\nvapi(9).dll
c:\windows\system32\nvcod(12).dll
c:\windows\system32\nvcod(13).dll
c:\windows\system32\nvcod(14).dll
c:\windows\system32\nvcod(15).dll
c:\windows\system32\nvcod(16).dll
c:\windows\system32\nvcod(17).dll
c:\windows\system32\nvcod(18).dll
c:\windows\system32\nvcod(19).dll
c:\windows\system32\nvcod(20).dll
c:\windows\system32\nvcod(21).dll
c:\windows\system32\nvcod(22).dll
c:\windows\system32\nvcod(23).dll
c:\windows\system32\nvcod(24).dll
c:\windows\system32\nvcod(25).dll
c:\windows\system32\nvcod(26).dll
c:\windows\system32\nvcod(27).dll
c:\windows\system32\nvcod(28).dll
c:\windows\system32\nvcod(29).dll
c:\windows\system32\nvcod(30).dll
c:\windows\system32\nvcod(31).dll
c:\windows\system32\nvcod(32).dll
c:\windows\system32\nvcod(33).dll
c:\windows\system32\nvcod(34).dll
c:\windows\system32\nvcod(35).dll
c:\windows\system32\nvcod(36).dll
c:\windows\system32\spool\prtprocs\w32x86\93mY93179.dll
c:\windows\system32\spool\prtprocs\w32x86\m179c1s9.dll
c:\windows\system32\spool\prtprocs\w32x86\SK7y3c79.dll

Infected copy of c:\windows\system32\drivers\kbdclass.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))
.

2010-06-15 11:03 . 2010-06-16 11:21 -------- d-----w- c:\documents and settings\Charles R Schultz\Local Settings\Application Data\qajgvv
2010-06-09 12:06 . 2010-06-09 12:06 -------- d-----w- c:\program files\XVIDCodecPack
2010-06-08 19:02 . 2010-06-08 19:02 -------- d-----w- c:\program files\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-15 22:02 . 2009-11-02 14:42 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 12:28 . 2009-11-07 20:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-06 15:00 . 2010-01-24 15:03 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\Online Backup
2010-06-05 11:16 . 2009-05-27 17:15 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-24 19:13 . 2009-08-21 10:57 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\HpUpdate
2010-05-24 19:13 . 2009-05-16 18:12 -------- d-----w- c:\program files\HP
2010-05-20 12:58 . 2009-05-16 18:47 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\Canon
2010-05-16 22:52 . 2009-07-02 10:28 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\Skype
2010-05-16 21:00 . 2009-07-02 10:34 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\skypePM
2010-05-10 10:57 . 2009-11-08 13:04 -------- d-----w- c:\program files\McAfee.com
2010-05-09 19:31 . 2009-11-08 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-09 19:24 . 2009-11-08 13:04 -------- d-----w- c:\program files\McAfee
2010-05-09 19:20 . 2009-11-08 13:04 -------- d-----w- c:\program files\Common Files\McAfee
2010-05-01 13:02 . 2009-05-19 15:04 -------- d-----w- c:\program files\Opera
2010-04-29 19:39 . 2009-11-07 20:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-11-07 20:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 21:16 . 2010-05-09 19:17 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 21:16 . 2010-05-09 19:17 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16 . 2010-05-09 19:17 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 21:16 . 2010-05-09 19:17 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 21:16 . 2010-05-09 19:17 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 21:16 . 2010-05-09 19:17 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 21:16 . 2010-05-09 19:17 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 21:16 . 2010-05-09 19:17 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 21:16 . 2010-05-09 19:17 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 21:16 . 2010-05-09 19:17 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-27 18:45 . 2010-04-27 18:45 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 18:45 . 2010-04-27 18:45 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2010-04-06 12:38 . 2010-04-06 12:38 12160056 ----a-w- c:\documents and settings\All Users\Application Data\PictureMover\Bin\Core.dll
2010-04-06 12:38 . 2009-07-22 15:35 12160056 ----a-w- c:\documents and settings\Charles R Schultz\Application Data\PictureMover\Bin\Core.dll
2010-04-06 12:38 . 2008-08-13 13:11 51768 ----a-w- c:\documents and settings\All Users\Application Data\PictureMover\Bin\Proxy4WLPG.exe
2010-04-06 12:38 . 2010-04-06 12:38 1249336 ----a-w- c:\documents and settings\All Users\Application Data\PictureMover\Bin\AgentScr.scr
2010-04-06 12:38 . 2010-04-06 12:38 1699384 ----a-w- c:\documents and settings\All Users\Application Data\PictureMover\EN-US\Presentation.dll
2010-04-06 12:38 . 2009-07-22 15:35 1699384 ----a-w- c:\documents and settings\Charles R Schultz\Application Data\PictureMover\EN-US\Presentation.dll
2010-04-02 21:17 . 2010-04-02 21:17 15426200 ----a-w- c:\windows\system32\xlive.dll
2010-04-02 21:17 . 2010-04-02 21:17 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2009-05-21 19:59 . 2009-05-21 20:00 348160 ----a-w- c:\program files\opera\program\plugins\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1c99b848-84cb-4ce4-8cd8-ed5719484d9f}"= "mscoree.dll" [2008-07-25 282112]

[HKEY_CLASSES_ROOT\clsid\{1c99b848-84cb-4ce4-8cd8-ed5719484d9f}]
[HKEY_CLASSES_ROOT\UnifiedToolbar.UnifiedToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@BackupScheduler"="c:\program files\Online Backup\OnlineBackup.exe" [2010-01-24 611768]
"Google Update"="c:\documents and settings\Charles R Schultz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-29 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"Adobe Reader Speed Launcher"="e:\adobe\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-06-03 5164968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Magic-i.lnk - e:\new folder\ArcSoft\HP Webcam\ArcSoft\Magic-i 3\Magic-i.exe [2009-7-6 530944]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Button Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Button Manager.lnk
backup=c:\windows\pss\HP Button Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Magic-i.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Magic-i.lnk
backup=c:\windows\pss\Magic-i.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Charles R Schultz^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk]
path=c:\documents and settings\Charles R Schultz\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk
backup=c:\windows\pss\Greetings Workshop Reminders.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- e:\adobe\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-07-07 19:55 188728 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 20:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
"TBPanel"=c:\program files\Vtune\TBPanel.exe /A
"AVG9_TRAY"=c:\progra~1\AVG\AVG9\avgtray.exe
"ErrorWiz"=g:\errorwiz\ErrorWiz.exe /scan
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"SoundMAXPnP"=c:\program files\Analog Devices\Core\smax4pnp.exe
"Adobe Reader Speed Launcher"="e:\adobe\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\CAPCOM\\LOSTPLANETCOLONIES\\LostPlanetColoniesDX9.exe"=
"c:\\Program Files\\CAPCOM\\LOSTPLANETCOLONIES\\LostPlanetColoniesDX10.exe"=
"c:\\Program Files\\Tams11\\Games\\Farkle\\farkle.exe"=
"e:\\STEAM\\steamapps\\common\\splinter cell\\system\\splintercell.exe"=
"e:\\STEAM\\steamapps\\common\\farcry\\Bin32\\FarCry.exe"=
"e:\\STEAM\\steamapps\\common\\farcry\\Bin32\\FarCryConfigurator.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\STEAM\\steamapps\\crs1945\\half-life\\hl.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/9/2010 3:17 PM 82952]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2010 3:17 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/9/2010 3:17 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/9/2010 3:17 PM 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/9/2010 3:17 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/9/2010 3:17 PM 88480]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/8/2009 9:07 AM 93320]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2010 3:17 PM 271480]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/9/2010 3:17 PM 55456]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/9/2010 3:17 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/9/2010 3:17 PM 83496]
S3 taterto2.scr;taterto2.scr;\??\c:\windows\system32\drivers\taterto2.scr.sys --> c:\windows\system32\drivers\taterto2.scr.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-630328440-839522115-1004Core.job
- c:\documents and settings\Charles R Schultz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-29 17:36]

2010-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-630328440-839522115-1004UA.job
- c:\documents and settings\Charles R Schultz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-29 17:36]

2010-06-13 c:\windows\Tasks\Install.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-06-13 11:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
uInternet Settings,ProxyServer = http=127.0.0.1:1192
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://mpsnare.iesnare.com/StmOCX.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-Comrade.exe - c:\program files\GameSpy\Comrade\Comrade.exe
HKCU-Run-wyiowvipucmvq - c:\documents and settings\charles r schultz\local settings\application data\qajgvv\mrsoqjt.exe
HKCU-Run-V71IQL7HI7 - c:\windows\Jrifib.exe
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-MBkLogonHook - (no file)
HKLM-Run-wyiowvipucmvq - c:\documents and settings\charles r schultz\local settings\application data\qajgvv\mrsoqjt.exe
MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-16 07:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys >>UNKNOWN [0x89EA3AEA]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74c6852
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf787fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf788ca21
SendHandler -> NDIS.sys @ 0xf786a87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-630328440-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:85,32,43,65,69,c4,ad,51,71,b0,8b,a7,ab,97,12,00,15,7c,d2,ca,3d,
20,29,4f,92,f1,88,45,31,ef,c6,99,1e,50,86,d2,48,25,b4,29,b5,45,12,79,eb,aa,\
"rkeysecu"=hex:80,3a,0f,3a,aa,b6,ee,e3,1c,55,6c,93,cc,4a,c3,2f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-16 07:27:05
ComboFix-quarantined-files.txt 2010-06-16 11:27

Pre-Run: 192,964,268,032 bytes free
Post-Run: 193,417,740,288 bytes free

- - End Of File - - BB0178740C28C863D7E836BD8A6A43B1

Thanks again!

Chuck

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 16 June 2010 - 05:05 PM

Hello,

If you're having problems with Google Chrome and you like it, I would just uninstall it and reinstall it.
Let's do some cleanup and final checking.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
File::
c:\windows\system32\drivers\taterto2.scr.sys
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\SUPERAntiSpyware\SASKUTIL.sys

Folder::
c:\documents and settings\Charles R Schultz\Local Settings\Application Data\qajgvv

Driver::
taterto2.scr
Lavasoft Ad-Aware Service
SASKUTIL

DDS::
uSearchMigratedDefaultURL = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://mpsnare.iesnare.com/StmOCX.cab


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

3.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Things to include in your next reply:
Combofix.txt
MBAM log
Eset log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 atloss

atloss
  • Topic Starter

  • Members
  • 49 posts

Posted 17 June 2010 - 08:24 AM

Hello,
Enclosed are the logs you asked for. Yes I uninstalled GComboFix 10-06-15.03 - Charles R Schultz 06/16/2010 7:13.2.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2542 [GMT -4:00]
Running from: c:\documents and settings\Charles R Schultz\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\charles r schultz\local settings\application data\qajgvv\mrsoqjt.exe
c:\windows\Jrifia.exe
c:\windows\Jrifib.exe
c:\windows\system32\ernel32.dll
c:\windows\system32\nvapi(10).dll
c:\windows\system32\nvapi(11).dll
c:\windows\system32\nvapi(12).dll
c:\windows\system32\nvapi(13).dll
c:\windows\system32\nvapi(14).dll
c:\windows\system32\nvapi(15).dll
c:\windows\system32\nvapi(16).dll
c:\windows\system32\nvapi(17).dll
c:\windows\system32\nvapi(18).dll
c:\windows\system32\nvapi(19).dll
c:\windows\system32\nvapi(2).dll
c:\windows\system32\nvapi(20).dll
c:\windows\system32\nvapi(21).dll
c:\windows\system32\nvapi(22).dll
c:\windows\system32\nvapi(23).dll
c:\windows\system32\nvapi(24).dll
c:\windows\system32\nvapi(25).dll
c:\windows\system32\nvapi(26).dll
c:\windows\system32\nvapi(27).dll
c:\windows\system32\nvapi(28).dll
c:\windows\system32\nvapi(29).dll
c:\windows\system32\nvapi(3).dll
c:\windows\system32\nvapi(30).dll
c:\windows\system32\nvapi(31).dll
c:\windows\system32\nvapi(4).dll
c:\windows\system32\nvapi(5).dll
c:\windows\system32\nvapi(6).dll
c:\windows\system32\nvapi(7).dll
c:\windows\system32\nvapi(8).dll
c:\windows\system32\nvapi(9).dll
c:\windows\system32\nvcod(12).dll
c:\windows\system32\nvcod(13).dll
c:\windows\system32\nvcod(14).dll
c:\windows\system32\nvcod(15).dll
c:\windows\system32\nvcod(16).dll
c:\windows\system32\nvcod(17).dll
c:\windows\system32\nvcod(18).dll
c:\windows\system32\nvcod(19).dll
c:\windows\system32\nvcod(20).dll
c:\windows\system32\nvcod(21).dll
c:\windows\system32\nvcod(22).dll
c:\windows\system32\nvcod(23).dll
c:\windows\system32\nvcod(24).dll
c:\windows\system32\nvcod(25).dll
c:\windows\system32\nvcod(26).dll
c:\windows\system32\nvcod(27).dll
c:\windows\system32\nvcod(28).dll
c:\windows\system32\nvcod(29).dll
c:\windows\system32\nvcod(30).dll
c:\windows\system32\nvcod(31).dll
c:\windows\system32\nvcod(32).dll
c:\windows\system32\nvcod(33).dll
c:\windows\system32\nvcod(34).dll
c:\windows\system32\nvcod(35).dll
c:\windows\system32\nvcod(36).dll
c:\windows\system32\spool\prtprocs\w32x86\93mY93179.dll
c:\windows\system32\spool\prtprocs\w32x86\m179c1s9.dll
c:\windows\system32\spool\prtprocs\w32x86\SK7y3c79.dll

Infected copy of c:\windows\system32\drivers\kbdclass.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))
.

2010-06-15 11:03 . 2010-06-16 11:21 -------- d-----w- c:\documents and settings\Charles R Schultz\Local Settings\Application Data\qajgvv
2010-06-09 12:06 . 2010-06-09 12:06 -------- d-----w- c:\program files\XVIDCodecPack
2010-06-08 19:02 . 2010-06-08 19:02 -------- d-----w- c:\program files\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-15 22:02 . 2009-11-02 14:42 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 12:28 . 2009-11-07 20:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-06 15:00 . 2010-01-24 15:03 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\Online Backup
2010-06-05 11:16 . 2009-05-27 17:15 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-24 19:13 . 2009-08-21 10:57 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\HpUpdate
2010-05-24 19:13 . 2009-05-16 18:12 -------- d-----w- c:\program files\HP
2010-05-20 12:58 . 2009-05-16 18:47 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\Canon
2010-05-16 22:52 . 2009-07-02 10:28 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\Skype
2010-05-16 21:00 . 2009-07-02 10:34 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\skypePM
2010-05-10 10:57 . 2009-11-08 13:04 -------- d-----w- c:\program files\McAfee.com
2010-05-09 19:31 . 2009-11-08 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-09 19:24 . 2009-11-08 13:04 -------- d-----w- c:\program files\McAfee
2010-05-09 19:20 . 2009-11-08 13:04 -------- d-----w- c:\program files\Common Files\McAfee
2010-05-01 13:02 . 2009-05-19 15:04 -------- d-----w- c:\program files\Opera
2010-04-29 19:39 . 2009-11-07 20:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-11-07 20:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 21:16 . 2010-05-09 19:17 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 21:16 . 2010-05-09 19:17 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16 . 2010-05-09 19:17 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 21:16 . 2010-05-09 19:17 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 21:16 . 2010-05-09 19:17 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 21:16 . 2010-05-09 19:17 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 21:16 . 2010-05-09 19:17 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 21:16 . 2010-05-09 19:17 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 21:16 . 2010-05-09 19:17 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 21:16 . 2010-05-09 19:17 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-27 18:45 . 2010-04-27 18:45 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 18:45 . 2010-04-27 18:45 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2010-04-06 12:38 . 2010-04-06 12:38 12160056 ----a-w- c:\documents and settings\All Users\Application Data\PictureMover\Bin\Core.dll
2010-04-06 12:38 . 2009-07-22 15:35 12160056 ----a-w- c:\documents and settings\Charles R Schultz\Application Data\PictureMover\Bin\Core.dll
2010-04-06 12:38 . 2008-08-13 13:11 51768 ----a-w- c:\documents and settings\All Users\Application Data\PictureMover\Bin\Proxy4WLPG.exe
2010-04-06 12:38 . 2010-04-06 12:38 1249336 ----a-w- c:\documents and settings\All Users\Application Data\PictureMover\Bin\AgentScr.scr
2010-04-06 12:38 . 2010-04-06 12:38 1699384 ----a-w- c:\documents and settings\All Users\Application Data\PictureMover\EN-US\Presentation.dll
2010-04-06 12:38 . 2009-07-22 15:35 1699384 ----a-w- c:\documents and settings\Charles R Schultz\Application Data\PictureMover\EN-US\Presentation.dll
2010-04-02 21:17 . 2010-04-02 21:17 15426200 ----a-w- c:\windows\system32\xlive.dll
2010-04-02 21:17 . 2010-04-02 21:17 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2009-05-21 19:59 . 2009-05-21 20:00 348160 ----a-w- c:\program files\opera\program\plugins\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1c99b848-84cb-4ce4-8cd8-ed5719484d9f}"= "mscoree.dll" [2008-07-25 282112]

[HKEY_CLASSES_ROOT\clsid\{1c99b848-84cb-4ce4-8cd8-ed5719484d9f}]
[HKEY_CLASSES_ROOT\UnifiedToolbar.UnifiedToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@BackupScheduler"="c:\program files\Online Backup\OnlineBackup.exe" [2010-01-24 611768]
"Google Update"="c:\documents and settings\Charles R Schultz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-29 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"Adobe Reader Speed Launcher"="e:\adobe\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-06-03 5164968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Magic-i.lnk - e:\new folder\ArcSoft\HP Webcam\ArcSoft\Magic-i 3\Magic-i.exe [2009-7-6 530944]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Button Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Button Manager.lnk
backup=c:\windows\pss\HP Button Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Magic-i.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Magic-i.lnk
backup=c:\windows\pss\Magic-i.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Charles R Schultz^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk]
path=c:\documents and settings\Charles R Schultz\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk
backup=c:\windows\pss\Greetings Workshop Reminders.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- e:\adobe\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-07-07 19:55 188728 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 20:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
"TBPanel"=c:\program files\Vtune\TBPanel.exe /A
"AVG9_TRAY"=c:\progra~1\AVG\AVG9\avgtray.exe
"ErrorWiz"=g:\errorwiz\ErrorWiz.exe /scan
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"SoundMAXPnP"=c:\program files\Analog Devices\Core\smax4pnp.exe
"Adobe Reader Speed Launcher"="e:\adobe\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\CAPCOM\\LOSTPLANETCOLONIES\\LostPlanetColoniesDX9.exe"=
"c:\\Program Files\\CAPCOM\\LOSTPLANETCOLONIES\\LostPlanetColoniesDX10.exe"=
"c:\\Program Files\\Tams11\\Games\\Farkle\\farkle.exe"=
"e:\\STEAM\\steamapps\\common\\splinter cell\\system\\splintercell.exe"=
"e:\\STEAM\\steamapps\\common\\farcry\\Bin32\\FarCry.exe"=
"e:\\STEAM\\steamapps\\common\\farcry\\Bin32\\FarCryConfigurator.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\STEAM\\steamapps\\crs1945\\half-life\\hl.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/9/2010 3:17 PM 82952]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2010 3:17 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/9/2010 3:17 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/9/2010 3:17 PM 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/9/2010 3:17 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/9/2010 3:17 PM 88480]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/8/2009 9:07 AM 93320]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2010 3:17 PM 271480]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/9/2010 3:17 PM 55456]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/9/2010 3:17 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/9/2010 3:17 PM 83496]
S3 taterto2.scr;taterto2.scr;\??\c:\windows\system32\drivers\taterto2.scr.sys --> c:\windows\system32\drivers\taterto2.scr.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-630328440-839522115-1004Core.job
- c:\documents and settings\Charles R Schultz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-29 17:36]

2010-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-630328440-839522115-1004UA.job
- c:\documents and settings\Charles R Schultz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-29 17:36]

2010-06-13 c:\windows\Tasks\Install.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-06-13 11:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
uInternet Settings,ProxyServer = http=127.0.0.1:1192
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} - hxxps://mpsnare.iesnare.com/StmOCX.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-Comrade.exe - c:\program files\GameSpy\Comrade\Comrade.exe
HKCU-Run-wyiowvipucmvq - c:\documents and settings\charles r schultz\local settings\application data\qajgvv\mrsoqjt.exe
HKCU-Run-V71IQL7HI7 - c:\windows\Jrifib.exe
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-MBkLogonHook - (no file)
HKLM-Run-wyiowvipucmvq - c:\documents and settings\charles r schultz\local settings\application data\qajgvv\mrsoqjt.exe
MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-16 07:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys >>UNKNOWN [0x89EA3AEA]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74c6852
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf787fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf788ca21
SendHandler -> NDIS.sys @ 0xf786a87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-630328440-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:85,32,43,65,69,c4,ad,51,71,b0,8b,a7,ab,97,12,00,15,7c,d2,ca,3d,
20,29,4f,92,f1,88,45,31,ef,c6,99,1e,50,86,d2,48,25,b4,29,b5,45,12,79,eb,aa,\
"rkeysecu"=hex:80,3a,0f,3a,aa,b6,ee,e3,1c,55,6c,93,cc,4a,c3,2f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-16 07:27:05
ComboFix-quarantined-files.txt 2010-06-16 11:27

Pre-Run: 192,964,268,032 bytes free
Post-Run: 193,417,740,288 bytes free

- - End Of File - - BB0178740C28C863D7E836BD8A6A43B1
oogle chrome and reinstalled x 2 but it still would not work. My I.E. 7 also has stopped working (it worked fine for several hrs. then stopped). All I get is "cannot connect to that web page". Luckily I had downloaded Firefox to replace Google BEFORE I.E. went on the fritz! Thanks. I'll be gone next week, so if we don't clear this up this week you will not hear from me from this Sun. till next Sun.

Attached Files



#6 atloss (Topic Starter, Members, 49 posts)

Posted 17 June 2010 - 08:35 AM

Ok, after running the latest corrections, I.E. is working again??????

#7 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 17 June 2010 - 05:29 PM

Hello,

You have given me the first combofix.log. Please go to C:\Combofix.txt2; this will be the current Combofix log.

Are you still having any redirects?

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


Things to include in your next reply::
Combofix.txt2
Are you experiencing any redirects?
Gmer log

Edited by fireman4it, 17 June 2010 - 05:29 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 atloss (Topic Starter, Members, 49 posts)

Posted 18 June 2010 - 06:27 AM

Let me get this straight, you want me to copy, then paste CFScript.txt onto Combofix.exe and THEN run Combofix again, or is it some other combination of the two?? If I have to run it again I will do it tonight (it took 5 hrs. to complete last time). Thanks. By the way, although I got I.E. back, my Windows XP update function no longer works.

Chck

#9 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 18 June 2010 - 09:19 AM

Hello,

QUOTE
Let me get this straight, you want me to copy, then paste CFScript.txt onto Combofix.exe and THEN run Combofix again, or is it some other combination of the two?? If I have to run it again I will do it tonight (it took 5 hrs. to complete last time). Thanks. By the way, although I got I.E. back, my Windows XP update function no longer works.

The first run of Combofix most of the time takes longer because you are infected more. Please follow my instructions for the CFScript.txt in my previous post here.

You copy and paste the script into Notepad, then save it to your desktop and name it CFScript.txt, then you drag it from your desktop into Combofix.

After you have done this, please do the following.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected computer.
  • Double-click the file TDSSKiller.exe.
  • Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.
  • If nothing has been detected, the utility will conduct a search for hidden services. If such a service is detected, the utility will report its name with a prompt to remove it. Type delete to remove a service.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Things to include in your next reply:
Combofix.txt
Tdsskiller log
Gmer log
How is your machine running now?



#10 atloss (Topic Starter, Members, 49 posts)

Posted 18 June 2010 - 05:42 PM

Enclosed are two of the 3 logs you asked for. I ran GMER 3 times and each time my computer froze up before the scan could finish! Don't know what to do; the very first time I ran it I had no problem other than the long time it took! Yes, I'm still getting redirects, not as many but still annoying.

Attached Files


Edited by atloss, 18 June 2010 - 05:43 PM.


#11 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 18 June 2010 - 06:05 PM

Hello,


Please try and run GMER in Safe Mode. Uncheck Services and Devices.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.

1.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

2.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    *kbdclass.sys*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Things to include in your next reply:
Gmer log
MBAM log
Systemlook.txt
How is your machine running now?



#12 atloss (Topic Starter, Members, 49 posts)

Posted 19 June 2010 - 02:18 PM

Here are the logs you requested; however, the GMER log is blank. The scan ran for 7 hrs. but no text was produced, although at the end of it the message read "No problems found". I will be leaving on Sun. afternoon for several days. I'll check back in when I get home.

Attached Files



#13 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 19 June 2010 - 06:45 PM

Hello,

Please run SystemLook and post its log from my previous post. Are you still receiving popups?



#14 atloss (Topic Starter, Members, 49 posts)

Posted 20 June 2010 - 06:15 AM

Sorry. I forgot to post it last time. Not too often (popups).

Attached Files



#15 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 20 June 2010 - 10:34 AM

Hello,

Print out these instructions to use while in the Recovery Console: (This is for XP only)

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following bolded entries, and press 'Enter' (note the spaces):

cd c:\windows\system32\drivers
ren kbdclass.sys kbdclas.old
copy C:\windows\ServicePackFiles\i386\kbdclass.sys c:\windows\system32\drivers
exit


You should see a message '1 file copied'. If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths.
(If you do not see '1 file copied' on the screen, even after ensuring the commands are correct, rename the file back to its original name by typing the following command and then pressing Enter.
ren kbdclas.old kbdclass.sys
You should NOT be prompted to overwrite an existing file, but if you are, select No, then type exit to restart and notify me of your results.)

6. Type exit and press 'Enter'. Your computer should reboot.

7. Now please run Combofix and post its log (only if you got "1 file copied" from above).


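As an added example that is not part of the thread, a small Python check of the idea behind the SystemLook and Recovery Console steps above: find every copy of kbdclass.sys and hash each one against the Service Pack copy before replacing anything. The directory layout and file contents are constructed for the demo, and the function names are my own.

```python
"""Compare every copy of a driver with its known-good copy.

Added example, not from the thread: it does in code what the SystemLook
':filefind *kbdclass.sys*' step and the Recovery Console copy do by hand.
The directory tree and file bytes below are constructed.
"""

import hashlib
import tempfile
from pathlib import Path

DRIVER = "kbdclass.sys"

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_copies(root: Path, name: str) -> list:
    """Every file under root whose name matches, case-insensitively."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.name.lower() == name.lower())

def compare_to_reference(reference: Path, copies) -> dict:
    """Map each copy to (size, sha256, verdict), verdict 'ok' or 'MISMATCH'.
    Size alone is not enough: a patched driver often keeps its size."""
    ref_hash, ref_size = sha256_of(reference), reference.stat().st_size
    report = {}
    for p in copies:
        digest, size = sha256_of(p), p.stat().st_size
        ok = digest == ref_hash and size == ref_size
        report[str(p)] = (size, digest, "ok" if ok else "MISMATCH")
    return report

def check_tree(root: Path) -> dict:
    """Check all copies under root/WINDOWS against the ServicePackFiles copy."""
    reference = root / "WINDOWS" / "ServicePackFiles" / "i386" / DRIVER
    copies = [p for p in find_copies(root / "WINDOWS", DRIVER) if p != reference]
    return compare_to_reference(reference, copies)

def build_sample_tree() -> Path:
    """Constructed XP-like tree: clean SP and dllcache copies, patched live copy."""
    root = Path(tempfile.mkdtemp(prefix="xpdrv_"))
    clean = b"MZ" + b"\x00" * 62 + b"constructed clean kbdclass body"
    sp = root / "WINDOWS" / "ServicePackFiles" / "i386" / DRIVER
    live = root / "WINDOWS" / "system32" / "drivers" / DRIVER
    cache = root / "WINDOWS" / "system32" / "dllcache" / DRIVER
    for p in (sp, live, cache):
        p.parent.mkdir(parents=True, exist_ok=True)
    sp.write_bytes(clean)
    cache.write_bytes(clean)
    live.write_bytes(clean[:-4] + b"XXXX")  # same size, different bytes
    return root

if __name__ == "__main__":
    for path, (size, digest, verdict) in check_tree(build_sample_tree()).items():
        print(f"{verdict:8} {size:6d} {digest[:16]}  {path}")
```

A rootkit that hooks disk I/O (the kind the GMER and MBR scans in this thread look for) can hand back a clean image of a file it has patched, so run a check like this from a clean boot environment rather than inside the infected session.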




