Defense Center Infection


7 replies to this topic

#1 qataxman (Members, 32 posts)

Posted 17 July 2010 - 08:07 PM

This is the Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 12/25/2009 10:36:41 AM
System Uptime: 7/17/2010 7:56:08 PM (1 hours ago)

Motherboard: Dell Inc. | | CN0Y53
Processor: Intel® Atom™ CPU N270 @ 1.60GHz | U1 | 1596/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 139 GiB total, 128.643 GiB free.
D: is CDROM (CDFS)
E: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: COMPAL Embedded System Control
Device ID: ACPI\CPL0002\2&DABA3FF&0
Manufacturer: COMPAL
Name: COMPAL Embedded System Control
PNP Device ID: ACPI\CPL0002\2&DABA3FF&0
Service: EMSC

==== System Restore Points ===================

RP120: 4/19/2010 6:23:47 AM - System Checkpoint
RP121: 4/20/2010 6:23:54 AM - System Checkpoint
RP122: 4/21/2010 7:23:54 AM - System Checkpoint
RP123: 4/22/2010 8:23:54 AM - System Checkpoint
RP124: 4/23/2010 9:23:53 AM - System Checkpoint
RP125: 4/24/2010 10:23:54 AM - System Checkpoint
RP126: 4/25/2010 11:22:22 AM - System Checkpoint
RP127: 4/26/2010 11:46:09 AM - System Checkpoint
RP128: 4/27/2010 12:51:57 PM - System Checkpoint
RP129: 4/28/2010 1:14:38 PM - System Checkpoint
RP130: 4/29/2010 3:52:05 PM - System Checkpoint
RP131: 4/30/2010 4:14:38 PM - System Checkpoint
RP132: 5/1/2010 4:14:51 PM - System Checkpoint
RP133: 5/2/2010 6:45:22 PM - System Checkpoint
RP134: 5/3/2010 7:14:51 PM - System Checkpoint
RP135: 5/4/2010 8:14:51 PM - System Checkpoint
RP136: 5/5/2010 8:36:35 PM - System Checkpoint
RP137: 5/6/2010 9:40:51 PM - System Checkpoint
RP138: 5/8/2010 1:55:13 PM - System Checkpoint
RP139: 5/9/2010 4:15:46 PM - System Checkpoint
RP140: 5/10/2010 4:58:04 PM - System Checkpoint
RP141: 5/11/2010 5:58:04 PM - System Checkpoint
RP142: 5/12/2010 3:00:15 AM - Software Distribution Service 3.0
RP143: 5/13/2010 3:23:12 AM - System Checkpoint
RP144: 5/14/2010 4:23:12 AM - System Checkpoint
RP145: 5/15/2010 5:23:12 AM - System Checkpoint
RP146: 5/16/2010 5:23:18 AM - System Checkpoint
RP147: 5/17/2010 6:23:18 AM - System Checkpoint
RP148: 5/18/2010 7:23:18 AM - System Checkpoint
RP149: 5/19/2010 8:23:18 AM - System Checkpoint
RP150: 5/20/2010 9:23:18 AM - System Checkpoint
RP151: 5/21/2010 10:34:30 AM - System Checkpoint
RP152: 5/22/2010 11:23:18 AM - System Checkpoint
RP153: 5/23/2010 11:23:31 AM - System Checkpoint
RP154: 5/24/2010 12:23:31 PM - System Checkpoint
RP155: 5/25/2010 1:40:37 PM - System Checkpoint
RP156: 5/26/2010 3:00:16 AM - Software Distribution Service 3.0
RP157: 5/27/2010 3:23:32 AM - System Checkpoint
RP158: 5/28/2010 4:23:32 AM - System Checkpoint
RP159: 5/29/2010 6:47:26 PM - System Checkpoint
RP160: 5/30/2010 7:02:15 PM - System Checkpoint
RP161: 5/31/2010 8:02:15 PM - System Checkpoint
RP162: 6/1/2010 10:08:32 PM - System Checkpoint
RP163: 6/2/2010 11:02:15 PM - System Checkpoint
RP164: 6/4/2010 12:02:15 AM - System Checkpoint
RP165: 6/5/2010 1:02:15 AM - System Checkpoint
RP166: 6/6/2010 7:25:26 PM - System Checkpoint
RP167: 6/8/2010 7:51:53 AM - System Checkpoint
RP168: 6/9/2010 8:27:54 AM - System Checkpoint
RP169: 6/10/2010 3:00:16 AM - Software Distribution Service 3.0
RP170: 6/11/2010 4:54:19 AM - System Checkpoint
RP171: 6/12/2010 5:03:50 AM - System Checkpoint
RP172: 6/13/2010 9:52:47 AM - System Checkpoint
RP173: 6/14/2010 10:40:21 AM - System Checkpoint
RP174: 6/15/2010 11:25:51 AM - System Checkpoint
RP175: 6/16/2010 12:40:22 PM - System Checkpoint
RP176: 6/17/2010 1:25:52 PM - System Checkpoint
RP177: 6/18/2010 2:40:21 PM - System Checkpoint
RP178: 6/19/2010 3:25:51 PM - System Checkpoint
RP179: 6/20/2010 6:17:05 PM - System Checkpoint
RP180: 6/21/2010 6:40:00 PM - System Checkpoint
RP181: 6/22/2010 6:40:31 PM - System Checkpoint
RP182: 6/23/2010 3:00:15 AM - Software Distribution Service 3.0
RP183: 6/24/2010 3:26:09 AM - System Checkpoint
RP184: 6/25/2010 3:30:39 AM - System Checkpoint
RP185: 6/26/2010 4:30:39 AM - System Checkpoint
RP186: 6/27/2010 5:30:39 AM - System Checkpoint
RP187: 6/28/2010 5:30:48 AM - System Checkpoint
RP188: 6/29/2010 6:30:47 AM - System Checkpoint
RP189: 6/30/2010 7:43:18 AM - System Checkpoint
RP190: 7/1/2010 7:43:48 AM - System Checkpoint
RP191: 7/2/2010 8:02:35 AM - System Checkpoint
RP192: 7/3/2010 8:46:58 AM - System Checkpoint
RP193: 7/4/2010 9:53:41 AM - System Checkpoint
RP194: 7/5/2010 6:18:07 PM - System Checkpoint
RP195: 7/6/2010 6:36:26 PM - System Checkpoint
RP196: 7/7/2010 8:06:45 PM - System Checkpoint
RP197: 7/8/2010 8:36:26 PM - System Checkpoint
RP198: 7/9/2010 9:47:48 PM - System Checkpoint
RP199: 7/10/2010 9:48:57 PM - System Checkpoint
RP200: 7/11/2010 11:42:50 PM - System Checkpoint
RP201: 7/13/2010 12:15:45 AM - System Checkpoint
RP202: 7/14/2010 1:15:46 AM - System Checkpoint
RP203: 7/15/2010 2:15:50 AM - System Checkpoint
RP204: 7/15/2010 3:00:20 AM - Software Distribution Service 3.0
RP205: 7/16/2010 9:40:33 PM - System Checkpoint
RP206: 7/17/2010 12:55:53 PM - Restore Operation

==== Installed Programs ======================

Sansa Media Converter
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Advanced Audio FX Engine
Battery Meter
CapsLKNotify
Compatibility Pack for the 2007 Office system
Dell Support Center (Support Software)
Dell System Restore
Dell Touchpad
Dell Video Chat
Dell Webcam Central
Dell Wireless WLAN Card Utility
EMSC
Function Keys
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB968764)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Integrated Webcam Driver (1.02.02.0403)
Intel® Graphics Media Accelerator Driver
Java™ 6 Update 17
Junk Mail filter update
Live! Cam Avatar Creator
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB927977)
QuickTime
Realtek High Definition Audio Driver
Rummy.com
Sansa Media Converter
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Segoe UI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format Runtime
Windows Presentation Foundation
Windows Search 4.0
WSED
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

7/17/2010 9:12:45 AM, error: PSched [14103] - QoS [Adapter {1FFDE81B-4468-4B8A-B673-3477C41C6D0D}]: The netcard driver failed the query for OID_GEN_LINK_SPEED.
7/16/2010 7:21:08 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
7/16/2010 7:21:08 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
7/15/2010 11:01:17 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: EMSC
7/15/2010 10:57:27 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
7/15/2010 10:56:27 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/15/2010 10:16:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
7/15/2010 10:14:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
7/15/2010 10:09:30 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
7/15/2010 10:08:59 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: EMSC Fips intelppm mfehidk
7/15/2010 10:02:51 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
7/15/2010 10:01:23 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The class is configured to run as a security id different from the caller

==== End Of File ===========================


DDS.txt file


DDS (Ver_10-03-17.01) - NTFSx86
Run by Marcia Wolfe at 20:09:57.04 on Sat 07/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.464 [GMT -4:00]

AV: Defense Center *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OA012Mon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\WSED\WSED.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\CapsLKNotify\CapsLKNotify.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Defense Center\defcnt.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Marcia Wolfe\Application Data\U3\00001868FA6039F4\LaunchPad.exe
C:\Documents and Settings\Marcia Wolfe\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\RoboTaskBarIcon.exe
C:\Documents and Settings\Marcia Wolfe\Desktop\Defogger.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Marcia Wolfe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.live.com
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Vgoyusocacezaf] rundll32.exe "c:\windows\rshstc.dll",Startup
uRun: [Defense Center] "c:\program files\defense center\defcnt.exe" -noscan
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OA012Mon] c:\windows\OA012Mon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [WSED] c:\program files\wsed\WSED.exe
mRun: [<NO NAME>]
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [CapsLKNotify] c:\program files\capslknotify\CapsLKNotify.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Lvudoqev] rundll32.exe "c:\windows\ihoxecug.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wincin~1.lnk - c:\program files\sandisk\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-10-27 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\McProxy.exe [2009-10-27 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-10-27 144704]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-10-27 143840]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-10-27 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-10-27 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-10-27 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-10-27 40552]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [2009-10-27 135168]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [2009-10-27 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [2009-10-27 272032]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-10-27 162816]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-10-27 14248]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-10-27 1684736]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-10-27 34248]

=============== Created Last 30 ================

2010-07-18 00:08:16 0 ----a-w- c:\documents and settings\marcia wolfe\defogger_reenable
2010-07-16 03:00:37 0 d-----w- c:\docume~1\marcia~1\applic~1\Malwarebytes
2010-07-16 02:26:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-16 02:26:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-16 02:26:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-16 02:26:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-16 02:01:22 2811 ----a-w- c:\windows\ufuxaquvetidacir.dll
2010-07-15 14:04:41 2811 ----a-w- c:\windows\evobezax.dll
2010-07-15 13:48:55 0 d-----w- c:\program files\Defense Center
2010-07-15 13:47:33 120 ----a-w- c:\windows\Qfebaneyulexaheq.dat
2010-07-15 13:47:33 0 ----a-w- c:\windows\Pnuhiruh.bin
2010-07-14 19:30:26 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-06 01:07:07 4096 ----a-w- c:\windows\d3dx.dat
2010-07-06 01:02:00 0 d-----w- c:\program files\Rummy.com

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 06:34:15 1860352 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2009-10-27 20:54:32 75 --sh--r- c:\windows\CT4CET.bin

============= FINISH: 20:12:21.60 ===============


While running the GMER, a blue screen popped up and says:

"A problem has been detected and windows has been shut down to prevent damage to your computer.

The problem seems to be caused by the following file: pwtdypog.sys

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical information:

***STOP: 0x00000050 (0xE4A98000, 0x00000000, 0x9D2S0C3E, 0x00000001)

*** pwtdypog.sys - Address 9D2D0C3E base at 9D2D0000, DateStamp 4b274f8d

Please help. No rest until mama's happy.
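The AV, proxy, BHO and Run-key lines in the DDS log above are what a helper reads first. The script below is an added triage example (not part of this thread, and not DDS or any BleepingComputer tool): it applies the checks a responder makes against those lines, flagging a rundll32 entry that loads a DLL straight out of c:\windows, an IE proxy pointed at the loopback address, a BHO with no file behind it, an empty Run value, and a registered AV product that the owner did not install. The `known_av` allowlist is an assumption about which products belong on this machine.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the DDS.txt posted above. Benign entries are
# kept alongside the suspicious ones so the rules can be seen not to fire on them.
SAMPLE_LINES = [
    r"AV: Defense Center *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}",
    r"AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}",
    r"uInternet Settings,ProxyServer = http=127.0.0.1:5643",
    r"uInternet Settings,ProxyOverride = <local>",
    r"BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File",
    r"BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
    r'uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background',
    r'uRun: [Vgoyusocacezaf] rundll32.exe "c:\windows\rshstc.dll",Startup',
    r'uRun: [Defense Center] "c:\program files\defense center\defcnt.exe" -noscan',
    r"mRun: [IgfxTray] c:\windows\system32\igfxtray.exe",
    r"mRun: [<NO NAME>]",
    r'mRun: [Lvudoqev] rundll32.exe "c:\windows\ihoxecug.dll",Startup',
]

# Assumption: the AV products the owner actually installed on this machine.
DEFAULT_KNOWN_AV = frozenset({"McAfee VirusScan"})


@dataclass(frozen=True)
class Finding:
    rule: str     # short rule identifier
    detail: str   # what the rule saw
    line: str     # the DDS line that triggered it


# DDS "Pseudo HJT Report" line shapes this script understands.
AV_RE = re.compile(r"^AV: (?P<product>.+?) \*(?P<state>[^*]+)\* \((?P<fresh>\w+)\)")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>127\.0\.0\.1|localhost):(?P<port>\d+)", re.I)
BHO_NOFILE_RE = re.compile(r"^BHO: .*- No File$")
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>\S+)', re.I)


def in_windows_root(path: str) -> bool:
    """True when the file sits directly in c:\\windows rather than in a system subfolder.

    Legitimate rundll32 autoruns reference DLLs under system32; a DLL dropped into the
    Windows root itself (as rshstc.dll and ihoxecug.dll are above) is worth a look.
    """
    p = path.lower().strip('"')
    prefix = "c:\\windows\\"
    return p.startswith(prefix) and "\\" not in p[len(prefix):]


def triage(lines, known_av=DEFAULT_KNOWN_AV):
    """Run the triage rules over DDS lines and return the findings in log order."""
    findings = []
    suspect_products = set()  # AV products not in the allowlist, matched later to Run keys
    for raw in lines:
        line = raw.strip()

        m = AV_RE.match(line)
        if m:
            if m.group("product") not in known_av:
                suspect_products.add(m.group("product").lower())
                findings.append(Finding("av-unexpected-product",
                                        f"{m.group('product')} registered as AV ({m.group('fresh')})", line))
            continue

        m = PROXY_RE.search(line)
        if m:
            findings.append(Finding("loopback-proxy",
                                    f"IE traffic routed through {m.group('host')}:{m.group('port')}", line))
            continue

        if BHO_NOFILE_RE.match(line):
            findings.append(Finding("bho-no-file", "BHO CLSID registered but its DLL is missing", line))
            continue

        m = RUN_RE.match(line)
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        if name == "<NO NAME>" or not cmd:
            findings.append(Finding("run-empty-value", "Run value with no name or no command", line))
            continue
        if name.lower() in suspect_products:
            findings.append(Finding("run-unexpected-av", f"autorun for unexpected AV product {name}", line))
            continue
        d = RUNDLL_RE.search(cmd)
        if d and in_windows_root(d.group("dll")):
            findings.append(Finding("rundll32-windows-root-dll",
                                    f"rundll32 loads {d.group('dll')} entry point {d.group('entry')}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

The loopback proxy finding is the one to chase first: with IE sending everything to 127.0.0.1:5643, some process on the machine is listening there, and the running-process list above is where to look for it.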







#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 17 July 2010 - 11:54 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 qataxman (Topic Starter, Members, 32 posts)

Posted 18 July 2010 - 12:17 AM

Thanks Fireman4it. Please read my problem. I have already completed all of those tasks. I also included the logs and other information.

#4 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 18 July 2010 - 08:02 PM


Hello qataxman,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.



1.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it is running, because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 qataxman

qataxman
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:07:04 AM

Posted 18 July 2010 - 11:35 PM

Hallelujah!!!!!!!!!!!!!!!!!!!!!!!! All hail to the power of fireman4it. You are the (Man/Woman). So far I have been able to update the McAfee files, etc. I can get on the net. Thank you!!!!

Here are the txt files you requested.


ComboFix 10-07-16.02 - Marcia Wolfe 07/18/2010 23:31:12.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.604 [GMT -4:00]
Running from: E:\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Marcia Wolfe\Desktop\spam001.exe
c:\documents and settings\Marcia Wolfe\Desktop\spam003.exe
c:\documents and settings\Marcia Wolfe\Desktop\troj000.exe
c:\documents and settings\Marcia Wolfe\Local Settings\Application Data\{7BD4EA06-A940-49BD-9266-8412FEA36D2A}
c:\documents and settings\Marcia Wolfe\Local Settings\Application Data\{7BD4EA06-A940-49BD-9266-8412FEA36D2A}\chrome.manifest
c:\documents and settings\Marcia Wolfe\Local Settings\Application Data\{7BD4EA06-A940-49BD-9266-8412FEA36D2A}\chrome\content\_cfg.js
c:\documents and settings\Marcia Wolfe\Local Settings\Application Data\{7BD4EA06-A940-49BD-9266-8412FEA36D2A}\chrome\content\overlay.xul
c:\documents and settings\Marcia Wolfe\Local Settings\Application Data\{7BD4EA06-A940-49BD-9266-8412FEA36D2A}\install.rdf
c:\documents and settings\Marcia Wolfe\Start Menu\Programs\Defense Center
c:\documents and settings\Marcia Wolfe\Start Menu\Programs\Defense Center\About.lnk
c:\documents and settings\Marcia Wolfe\Start Menu\Programs\Defense Center\Activate.lnk
c:\documents and settings\Marcia Wolfe\Start Menu\Programs\Defense Center\Buy.lnk
c:\documents and settings\Marcia Wolfe\Start Menu\Programs\Defense Center\Defense Center Support.lnk
c:\documents and settings\Marcia Wolfe\Start Menu\Programs\Defense Center\Defense Center.lnk
c:\documents and settings\Marcia Wolfe\Start Menu\Programs\Defense Center\Scan.lnk
c:\documents and settings\Marcia Wolfe\Start Menu\Programs\Defense Center\Settings.lnk
c:\documents and settings\Marcia Wolfe\Start Menu\Programs\Defense Center\Update.lnk
c:\program files\Defense Center
c:\program files\Defense Center\defcnt.exe
c:\program files\Defense Center\defext.dll
c:\program files\Defense Center\defhook.dll
c:\program files\Defense Center\help.ico
c:\program files\Defense Center\scan.ico
c:\program files\Defense Center\settings.ico
c:\program files\Defense Center\splash.mp3
c:\program files\Defense Center\update.ico
c:\program files\Defense Center\virus.mp3
c:\windows\evobezax.dll
c:\windows\ihoxecug.dll
c:\windows\rshstc.dll
c:\windows\ufuxaquvetidacir.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-18 00:20 . 2007-05-25 05:53 164920 ----a-w- c:\documents and settings\Marcia Wolfe\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\Safenotes.exe
2010-07-18 00:20 . 2007-05-25 05:53 160832 ----a-w- c:\documents and settings\Marcia Wolfe\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\RoboTaskBarIcon.exe
2010-07-18 00:20 . 2007-05-25 05:53 5600312 ----a-w- c:\documents and settings\Marcia Wolfe\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\RoboForm.dll
2010-07-18 00:20 . 2007-05-25 05:53 496632 ----a-w- c:\documents and settings\Marcia Wolfe\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\rfproxy_19.dll
2010-07-18 00:20 . 2007-05-25 05:48 20535 ----a-w- c:\documents and settings\Marcia Wolfe\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\rfmozhlp.dll
2010-07-18 00:20 . 2007-05-25 05:53 640064 ----a-w- c:\documents and settings\Marcia Wolfe\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\PortableRoboForm.exe
2010-07-18 00:20 . 2007-05-25 05:53 230456 ----a-w- c:\documents and settings\Marcia Wolfe\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\Passcards.exe
2010-07-18 00:20 . 2007-05-25 05:51 139328 ----a-w- c:\documents and settings\Marcia Wolfe\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\PasswordGenerator.exe
2010-07-18 00:20 . 2007-05-25 05:53 197696 ----a-w- c:\documents and settings\Marcia Wolfe\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\Identities.exe
2010-07-18 00:15 . 2006-01-20 19:56 110592 ----a-w- c:\documents and settings\Marcia Wolfe\Application Data\U3\temp\cleanup.exe
2010-07-17 17:28 . 2007-05-25 05:53 160832 ----a-w- c:\documents and settings\Administrator\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\RoboTaskBarIcon.exe
2010-07-17 17:28 . 2007-05-25 05:53 640064 ----a-w- c:\documents and settings\Administrator\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\PortableRoboForm.exe
2010-07-17 17:28 . 2007-05-25 05:53 164920 ----a-w- c:\documents and settings\Administrator\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\Safenotes.exe
2010-07-17 17:28 . 2007-05-25 05:53 230456 ----a-w- c:\documents and settings\Administrator\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\Passcards.exe
2010-07-17 17:28 . 2007-05-25 05:53 197696 ----a-w- c:\documents and settings\Administrator\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\Identities.exe
2010-07-17 17:28 . 2007-05-25 05:53 5600312 ----a-w- c:\documents and settings\Administrator\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\RoboForm.dll
2010-07-17 17:28 . 2007-05-25 05:53 496632 ----a-w- c:\documents and settings\Administrator\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\rfproxy_19.dll
2010-07-17 17:28 . 2007-05-25 05:51 139328 ----a-w- c:\documents and settings\Administrator\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\PasswordGenerator.exe
2010-07-17 17:28 . 2007-05-25 05:48 20535 ----a-w- c:\documents and settings\Administrator\Application Data\U3\00001868FA6039F4\786EC753-D82C-493A-BF26-67D74AE2D931\Exec\rfmozhlp.dll
2010-07-17 00:22 . 2010-07-17 00:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-16 03:00 . 2010-07-16 03:00 -------- d-----w- c:\documents and settings\Marcia Wolfe\Application Data\Malwarebytes
2010-07-16 02:26 . 2010-07-16 02:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-16 02:26 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-16 02:01 . 2010-07-18 00:19 -------- d-----w- c:\documents and settings\Marcia Wolfe\Application Data\U3
2010-07-15 13:47 . 2010-07-19 03:04 0 ----a-w- c:\windows\Pnuhiruh.bin
2010-07-15 13:47 . 2010-07-15 13:47 120 ----a-w- c:\windows\Qfebaneyulexaheq.dat
2010-07-15 13:44 . 2010-07-16 02:55 -------- d-----w- c:\documents and settings\Marcia Wolfe\Local Settings\Application Data\ycjpomqxv
2010-07-14 19:30 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-06 01:07 . 2010-07-06 01:07 4096 ----a-w- c:\windows\d3dx.dat
2010-07-06 01:02 . 2010-07-06 01:07 -------- d-----w- c:\program files\Rummy.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-16 03:11 . 2009-10-27 21:02 -------- d-----w- c:\program files\McAfee
2010-07-16 02:26 . 2010-07-16 02:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-16 02:26 . 2010-07-16 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-16 02:25 . 2010-07-16 02:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-06-14 14:31 . 2008-04-26 01:44 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-27 10:08 . 2010-05-27 10:08 503808 ----a-w- c:\documents and settings\Marcia Wolfe\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5598fb13-n\msvcp71.dll
2010-05-27 10:08 . 2010-05-27 10:08 348160 ----a-w- c:\documents and settings\Marcia Wolfe\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5598fb13-n\msvcr71.dll
2010-05-27 10:08 . 2010-05-27 10:08 499712 ----a-w- c:\documents and settings\Marcia Wolfe\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5598fb13-n\jmc.dll
2010-05-06 10:41 . 2008-04-25 20:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 06:34 . 2008-04-25 20:33 1860352 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-07-16 02:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2008-04-25 20:33 285696 ----a-w- c:\windows\system32\atmfd.dll
2009-10-27 20:54 . 2009-10-27 20:54 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
"OA012Mon"="c:\windows\OA012Mon.exe" [2009-05-11 24576]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-12-26 98304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2009-12-25 303104]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [10/27/2009 4:53 PM 143840]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [10/27/2009 6:16 PM 135168]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [10/27/2009 6:16 PM 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [10/27/2009 6:16 PM 272032]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [10/27/2009 6:16 PM 162816]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [10/27/2009 4:48 PM 14248]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/27/2009 6:16 PM 1684736]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Vgoyusocacezaf - c:\windows\rshstc.dll
HKCU-Run-Defense Center - c:\program files\Defense Center\defcnt.exe
HKLM-Run-Lvudoqev - c:\windows\ihoxecug.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-18 23:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x864CBEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7601f28
\Driver\ACPI -> ACPI.sys @ 0xf7494cb8
\Driver\atapi -> atapi.sys @ 0xf744c852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Realtek RTL8102E/RTL8103E Family PCI-E Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7358bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7347a0d
SendHandler -> NDIS.sys @ 0xf735bb40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\WININET.dll
.
Completion time: 2010-07-19 00:04:27
ComboFix-quarantined-files.txt 2010-07-19 04:04

Pre-Run: 138,069,041,152 bytes free
Post-Run: 138,446,323,712 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - FB99C4387A6736BD7653AC739B41F756


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Marcia Wolfe on 07/18/2010 at 23:08:57.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Marcia Wolfe\Desktop\rkill(2).com
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE


Rkill completed on 07/18/2010 at 23:09:20.


#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:04 AM

Posted 19 July 2010 - 04:50 PM

Hello,

Let's do some more checking and cleaning.

1.
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

2.
  • Download the file TDSSKiller.zip and extract it into a folder on the infected computer.
  • Double-click the file TDSSKiller.exe.
  • Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.
  • If nothing has been detected, the utility will conduct a search for hidden services. If such a service is detected, the utility will report its name with a prompt to remove it. Type delete to remove a service.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.

3.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Killall::

File::
c:\windows\Qfebaneyulexaheq.dat
c:\windows\Pnuhiruh.bin

Folder::
c:\documents and settings\Marcia Wolfe\Local Settings\Application Data\ycjpomqxv

Domains::

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5643

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Things to include in your next reply:
TdssKiller Log
Combofix.txt
How is your machine running now?

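The ComboFix log in post #5 and the CFScript in post #6 together show the pattern a "Defense Center"-style rogue leaves behind: a proxy pointed at 127.0.0.1 so the fake scanner can intercept the browser, the XP firewall switched off through the firewallpolicy key, and Run entries whose target is a random-named DLL dropped straight into c:\windows. The script below is an added example for this thread, not code from BleepingComputer, ComboFix or the helper. It parses a log excerpt constructed from the lines posted above, flags those indicators, and generalizes the hand-written CFScript by deriving File::, DDS:: and Registry:: entries from the log instead of typing them. The detection rules, their severities and the "DLL directly under c:\windows" heuristic are the example's own assumptions, not ComboFix's logic; the DisableMonitoring flags are reported as informational only, because an installed suite such as McAfee sets them itself.

```python
"""Triage a ComboFix log for rogue-AV hijack indicators and emit a CFScript.

Added example for this thread; not a BleepingComputer or ComboFix tool.
SAMPLE_LOG is constructed from the lines posted above. The rules below are
the example's assumptions about what a "Defense Center"-style rogue leaves
behind, not ComboFix's own detection logic.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>

HKCU-Run-Vgoyusocacezaf - c:\windows\rshstc.dll
HKCU-Run-Defense Center - c:\program files\Defense Center\defcnt.exe
HKLM-Run-Lvudoqev - c:\windows\ihoxecug.dll
"""


@dataclass
class Indicator:
    kind: str      # short tag such as "localhost-proxy"
    detail: str    # the offending value, path or registry key
    severity: str  # "high" (act on it) or "info" (confirm before acting)


# Line shapes as they appear in a ComboFix log (REGEDIT4 sections, DDS-style
# "uInternet Settings" lines, and "HKxx-Run-Name - path" orphan lines).
_SECTION_RE = re.compile(r"^\[(.+)\]$")
_PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
_FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
_DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"\s*=\s*dword:0*1$')
_RUN_ORPHAN_RE = re.compile(r"^(HK(?:LM|CU))-Run-(.+?)\s+-\s+(.+)$")
_RUN_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]+)"')
# Assumption: legitimate Run entries launch an .exe from Program Files or
# system32; a .dll sitting directly in the Windows root is a dropper artefact.
_WINROOT_DLL_RE = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.IGNORECASE)


def find_indicators(log_text: str) -> List[Indicator]:
    """Walk the log once and return every indicator matched by the rules."""
    found: List[Indicator] = []
    section_raw, section = "", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            section_raw = m.group(1)
            section = section_raw.lower()
            continue
        m = _PROXY_RE.match(line)
        if m:
            # Assumption: no legitimate local proxy is expected on this box;
            # a filtering product that uses one would be a false positive here.
            if re.search(r"127\.0\.0\.1|localhost", m.group(1), re.IGNORECASE):
                found.append(Indicator("localhost-proxy", m.group(1), "high"))
            continue
        if "firewallpolicy" in section and _FIREWALL_OFF_RE.match(line):
            found.append(Indicator("firewall-disabled", section_raw, "high"))
            continue
        if "security center\\monitoring" in section and _DISABLE_MON_RE.match(line):
            # Installed suites set this themselves; only worth a look if the
            # named product is not actually present on the machine.
            found.append(Indicator("sc-monitoring-off", section_raw, "info"))
            continue
        m = _RUN_ORPHAN_RE.match(line)
        if m and _WINROOT_DLL_RE.match(m.group(3)):
            found.append(Indicator("run-dll-in-winroot", m.group(3), "high"))
            continue
        if section.endswith("\\run"):
            m = _RUN_VALUE_RE.match(line)
            if m and _WINROOT_DLL_RE.match(m.group(2)):
                found.append(Indicator("run-dll-in-winroot", m.group(2), "high"))
    return found


def build_cfscript(indicators: List[Indicator]) -> str:
    """Turn the high-severity findings into the CFScript sections used above."""
    files, dds, registry = [], [], []
    for ind in indicators:
        if ind.kind == "run-dll-in-winroot":
            files.append(ind.detail)
        elif ind.kind == "localhost-proxy":
            dds.append(f"uInternet Settings,ProxyServer = {ind.detail}")
        elif ind.kind == "firewall-disabled":
            # "=-" deletes the value so the XP firewall returns to its default.
            registry += [f"[{ind.detail}]", '"EnableFirewall"=-']
    parts = ["Killall::", ""]
    if files:
        parts += ["File::", *files, ""]
    if dds:
        parts += ["DDS::", *dds, ""]
    if registry:
        parts += ["Registry::", *registry, ""]
    return "\n".join(parts)


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.severity:4}] {h.kind:20} {h.detail}")
    print()
    print(build_cfscript(hits))
```

Run it as-is to see the two DLL paths, the proxy line and the firewall key turn into a CFScript; the Defense Center Run entry is deliberately not flagged, because ComboFix had already removed its files and the rule only targets DLLs in the Windows root. Treat the generated script the way the helper treats a hand-written one: review every line before dragging it onto ComboFix.exe.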


#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:04 AM

Posted 22 July 2010 - 07:33 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
fireman4it



#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:04 AM

Posted 24 July 2010 - 02:46 PM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.





