Defense center and Google redirect infection


This topic is locked
34 replies to this topic

#1 Harford

Posted 24 July 2010 - 08:10 PM

Hi,

My computer (IBM ThinkPad R50e, Windows XP, not networked) became infected with the Defense Center virus several weeks ago, and also has a Google redirect virus. I was not aware that my McAfee security program had expired over a year ago. I seem to have gotten rid of Defense Center by using MalwareBytes and the tutorial on the Bleeping Computer website, but I think the virus is still acting as the system administrator. When I log on, the screen simply says "welcome", instead of the usual log on as the system administrator.

However, the Google redirect virus has been persistent, and I don't know how to remove it. It is not currently redirecting every time. One of the sites it redirects to is iseeksite.com. My computer is acting unstable and has had several stop (blue screen) errors, caused by a device or driver, according to microsoft.com.

I am concerned about getting my system clean again to ensure the privacy of my passwords etc.

Pasted below is the DDS log, and I've attached the ark.txt and attach files.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Eric at 23:05:11.11 on Fri 07/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.875 [GMT -7:00]

AV: Defense Center *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Eric\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100723143855.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\tbmon.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
StartupFolder: c:\docume~1\eric\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\0052.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\eric\applic~1\mozilla\firefox\profiles\qznw0ls8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - plugin: c:\documents and settings\eric\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\eric\application data\mozilla\firefox\profiles\qznw0ls8.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-14 385880]
R1 fdaa;fdaa;c:\windows\system32\fdaa.sys [2010-6-12 80896]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-6-27 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-6-27 54776]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-1-17 58464]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2007-1-21 16384]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-27 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-27 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-27 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-6-27 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-6-27 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-6-27 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-6-27 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-27 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-27 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-6-27 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-6-27 88480]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-1-17 102463]
S2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2005-8-22 29184]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2007-1-16 32384]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-17 38224]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-6-27 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-6-27 83496]

=============== Created Last 30 ================

2010-07-24 05:52:02 0 ----a-w- c:\documents and settings\eric\defogger_reenable
2010-07-19 18:15:13 0 d-----w- c:\program files\Cobian Backup 8
2010-07-17 22:31:02 0 ---ha-w- c:\windows\system32\wupd.dat
2010-07-17 19:07:11 0 d-----w- c:\docume~1\eric\applic~1\Malwarebytes
2010-07-17 19:06:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-17 19:06:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-17 19:06:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-17 19:06:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-17 16:25:13 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-17 16:18:17 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 05:54:05 1152 ----a-w- c:\windows\system32\windrv.sys
2010-06-27 21:26:04 0 d-----w- c:\program files\McAfeeMOBK
2010-06-27 21:25:44 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-06-27 21:25:27 0 d-----w- c:\program files\McAfee Online Backup
2010-06-27 21:23:01 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-06-27 21:22:53 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-06-27 21:22:53 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-06-27 21:22:53 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-06-27 21:22:53 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-06-27 21:22:53 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-06-27 21:22:53 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-06-27 21:22:53 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-06-27 21:22:43 0 d-----w- c:\program files\common files\Mcafee
2010-06-27 21:22:38 0 d-----w- c:\program files\McAfee.com
2010-06-27 19:23:11 0 d-----w- c:\program files\Citrix
2010-06-27 19:22:55 103784 ----a-w- c:\documents and settings\eric\GoToAssistDownloadHelper.exe
2010-06-27 19:05:53 0 d-----w- c:\docume~1\eric\applic~1\McAfee
2010-06-27 19:05:01 0 d-----w- c:\program files\McAfee
2010-06-25 07:07:17 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cb14350bc6bc70.mof

==================== Find3M ====================

2010-06-13 06:09:42 80896 ----a-w- c:\windows\system32\fdaa.sys
2010-06-01 03:32:58 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-06-01 03:32:58 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2008-09-16 00:04:22 6936 ----a-w- c:\program files\uninstal.log

============= FINISH: 23:06:48.55 ===============

Edited by Harford, 24 July 2010 - 08:55 PM.



#2 m0le

Posted 02 August 2010 - 06:46 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Harford

Posted 02 August 2010 - 11:45 PM

Hello,

Thanks for responding! I really appreciate you and all the good Samaritans at Bleeping Computer! I haven't attempted any unsupervised fixes or scans, yet. I've been reading the posts, though, and I'm afraid that it's likely I'm infected with a rootkit, and may have to reformat my computer.

#4 m0le

Posted 03 August 2010 - 01:47 PM

Yes, it looks like the MBR rootkit.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#5 Harford

Posted 03 August 2010 - 10:59 PM

Hi,

OK, here is the MBRCheck log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 140):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF789B000 compbatt.sys
0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 PCIIde.sys
0xF7707000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF74D9000 pcmcia.sys
0xF7607000 MountMgr.sys
0xF74BA000 ftdisk.sys
0xF798D000 dmload.sys
0xF7494000 dmio.sys
0xF78A3000 ACPIEC.sys
0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF747C000 atapi.sys
0xF7627000 disk.sys
0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF745C000 fltmgr.sys
0xF744A000 sr.sys
0xF783A000 mfehidk.sys
0xF7433000 KSecDD.sys
0xF7B52000 Ntfs.sys
0xF7406000 NDIS.sys
0xF796D000 Mup.sys
0xBA104000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9E3A000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB9E26000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF77C7000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9E02000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77CF000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB9BE6000 \SystemRoot\system32\DRIVERS\w29n51.sys
0xB9BC0000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xBA0F4000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF77D7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF77DF000 \SystemRoot\system32\DRIVERS\point32.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB9BAC000 \SystemRoot\system32\DRIVERS\parport.sys
0xF793B000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF793F000 \SystemRoot\system32\DRIVERS\ibmpmdrv.sys
0xBA0E4000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA0D4000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA0C4000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9B89000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7943000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xB9B53000 \SystemRoot\system32\drivers\smwdm.sys
0xB9B2F000 \SystemRoot\system32\drivers\portcls.sys
0xBA0B4000 \SystemRoot\system32\drivers\drmk.sys
0xB9B0F000 \SystemRoot\system32\drivers\aeaudio.sys
0xB9AD2000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
0xB99E0000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xB992E000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF77EF000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7A58000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB991A000 \SystemRoot\system32\DRIVERS\mfendisk.sys
0xBA0A4000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA7FC000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9903000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA094000 \SystemRoot\system32\DRIVERS\raspppoe.sys

#6 m0le

Posted 04 August 2010 - 04:45 PM

Can you run MBRCheck again? That isn't the whole log.

#7 Harford

Posted 04 August 2010 - 11:33 PM

Ahh. Sorry. This should do the trick.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 139):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF789B000 compbatt.sys
0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 PCIIde.sys
0xF7707000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF74D9000 pcmcia.sys
0xF7607000 MountMgr.sys
0xF74BA000 ftdisk.sys
0xF798D000 dmload.sys
0xF7494000 dmio.sys
0xF78A3000 ACPIEC.sys
0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF747C000 atapi.sys
0xF7627000 disk.sys
0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF745C000 fltmgr.sys
0xF744A000 sr.sys
0xF783A000 mfehidk.sys
0xF7433000 KSecDD.sys
0xF7B52000 Ntfs.sys
0xF7406000 NDIS.sys
0xF796D000 Mup.sys
0xBA0EC000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9E42000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB9E2E000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF77B7000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9E0A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77BF000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB9BEE000 \SystemRoot\system32\DRIVERS\w29n51.sys
0xB9BC8000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xBA0DC000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF77C7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF77CF000 \SystemRoot\system32\DRIVERS\point32.sys
0xF77D7000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB9BB4000 \SystemRoot\system32\DRIVERS\parport.sys
0xF793B000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF793F000 \SystemRoot\system32\DRIVERS\ibmpmdrv.sys
0xBA0CC000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA0BC000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA0AC000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9B91000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7943000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xB9B5B000 \SystemRoot\system32\drivers\smwdm.sys
0xB9B37000 \SystemRoot\system32\drivers\portcls.sys
0xBA09C000 \SystemRoot\system32\drivers\drmk.sys
0xB9B17000 \SystemRoot\system32\drivers\aeaudio.sys
0xB9ADA000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
0xB99E8000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xB9936000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF77DF000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7A59000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB9922000 \SystemRoot\system32\DRIVERS\mfendisk.sys
0xBA08C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA7FC000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB990B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7657000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7667000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB98FA000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7677000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB98D6000 \SystemRoot\system32\drivers\mfeavfk.sys
0xB9863000 \SystemRoot\system32\drivers\mfefirek.sys
0xF77EF000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77F7000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB9833000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7697000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79B5000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB97AD000 \SystemRoot\system32\DRIVERS\update.sys
0xBA7B0000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF76A7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF76C7000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79B7000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB1652000 \SystemRoot\system32\DRIVERS\MOBK.sys
0xF79CB000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7A75000 \SystemRoot\System32\Drivers\Null.SYS
0xF79CD000 \SystemRoot\System32\Drivers\Beep.SYS
0xF781F000 \SystemRoot\System32\drivers\vga.sys
0xF79CF000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79D1000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF772F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7737000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB98C2000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB15CF000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB1576000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB1563000 \SystemRoot\system32\drivers\mfetdi2k.sys
0xB153D000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7577000 \SystemRoot\system32\drivers\mvstdi5x.sys
0xB1515000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB14FE000 \??\C:\WINDOWS\system32\fdaa.sys
0xB14DC000 \SystemRoot\System32\drivers\afd.sys
0xF7567000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF773F000 \SystemRoot\System32\drivers\Tppwr.sys
0xF7747000 \SystemRoot\System32\drivers\TDSMAPI.SYS
0xF774F000 \SystemRoot\System32\drivers\Smapint.sys
0xB14B1000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB1419000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF79D3000 \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys
0xF7557000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7547000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB981F000 \SystemRoot\System32\drivers\ANC.SYS
0xBA0FC000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB1401000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79FF000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB9709000 \SystemRoot\System32\drivers\Dxapi.sys
0xF77FF000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7A66000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF03F000 \SystemRoot\System32\ialmdev5.DLL
0xBF068000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF7797000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xB12D1000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xB1281000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB0EAC000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF79BD000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF79F5000 \??\C:\WINDOWS\system32\EGATHDRV.SYS
0xB0C4D000 \SystemRoot\system32\DRIVERS\srv.sys
0xB0EED000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xF7A05000 \??\C:\WINDOWS\System32\drivers\pmemnt.sys
0xB1019000 \SystemRoot\system32\drivers\cfwids.sys
0xB056C000 \SystemRoot\System32\Drivers\HTTP.sys
0xB039E000 \SystemRoot\system32\drivers\mfeapfk.sys
0xB053C000 \SystemRoot\system32\drivers\mfebopk.sys
0xB025C000 \SystemRoot\system32\drivers\wdmaud.sys
0xB0320000 \SystemRoot\system32\drivers\sysaudio.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 64):
0 System Idle Process
4 System
1200 C:\WINDOWS\system32\smss.exe
1332 csrss.exe
1356 C:\WINDOWS\system32\winlogon.exe
1400 C:\WINDOWS\system32\services.exe
1412 C:\WINDOWS\system32\lsass.exe
1588 C:\WINDOWS\system32\ibmpmsvc.exe
1616 C:\WINDOWS\system32\svchost.exe
1688 svchost.exe
1884 C:\WINDOWS\system32\svchost.exe
1948 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
240 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
316 svchost.exe
544 svchost.exe
864 C:\WINDOWS\system32\LEXBCES.EXE
900 C:\WINDOWS\system32\LEXPPS.EXE
956 C:\WINDOWS\system32\spoolsv.exe
1024 svchost.exe
1072 C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
1104 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1128 C:\Program Files\Bonjour\mDNSResponder.exe
1268 C:\WINDOWS\system32\cisvc.exe
1300 C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
1640 C:\Program Files\Java\jre6\bin\jqs.exe
1756 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
1844 C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe
1956 C:\Program Files\McAfee Online Backup\MOBKbackup.exe
512 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
696 C:\WINDOWS\system32\svchost.exe
1188 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
632 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
380 C:\WINDOWS\system32\wuauclt.exe
648 C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
3584 C:\WINDOWS\system32\vssvc.exe
3836 unsecapp.exe
3992 wmiprvse.exe
1904 alg.exe
3608 C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
600 C:\WINDOWS\explorer.exe
2856 C:\WINDOWS\system32\igfxtray.exe
2864 C:\WINDOWS\system32\hkcmd.exe
1808 C:\WINDOWS\system32\wuauclt.exe
2976 C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
3008 C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
2936 C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
3100 C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
3148 C:\WINDOWS\system32\rundll32.exe
3168 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
3184 C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
3264 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
3308 C:\Program Files\iTunes\iTunesHelper.exe
3328 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3336 C:\WINDOWS\system32\rundll32.exe
3556 C:\Program Files\McAfee.com\Agent\mcagent.exe
2280 C:\Program Files\Messenger\msmsgs.exe
2208 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
2708 C:\WINDOWS\system32\ctfmon.exe
1636 C:\Program Files\WinZip\WZQKPICK.EXE
2296 C:\PROGRA~1\MICROS~4\rapimgr.exe
3492 C:\Program Files\iPod\bin\iPodService.exe
2376 C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
1840 C:\WINDOWS\system32\cidaemon.exe
312 C:\Documents and Settings\Eric\Desktop\Clean\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK8032GAX, Rev: AD001A

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 August 2010 - 08:25 AM

Can you run Gmer for me?

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#9 Harford

Harford
  • Topic Starter

  • Members
  • 18 posts

Posted 06 August 2010 - 12:23 PM

Hi m0le,

I tried to run GMER and got a blue screen, so I restarted in safe mode & ran GMER again. It ran for many hours, then I got a message that said something like GMER did not find any malicious software (I can't remember exactly what it said - I forgot to write it down before I clicked OK). Anyway, the log is empty. I saved it, but it's not worth posting because it's empty.

I had previously saved GMER from a zipped file from the bleeping computer website. Perhaps I should try again with the version downloaded from the Main Mirror?

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 August 2010 - 02:25 PM

Yes, it may be a more up-to-date copy from the mirror. Please run Gmer and post the log.

Thanks
m0le is a proud member of UNITE

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 August 2010 - 06:50 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#12 Harford

Harford
  • Topic Starter

  • Members
  • 18 posts

Posted 08 August 2010 - 09:58 PM


Hi m0le,

Sorry I didn't get back sooner. I was on vacation for a couple days. I'm running GMER again from the Main Mirror & will post the results as soon as I have them.

Thanks!

Harford

#13 Harford

Harford
  • Topic Starter

  • Members
  • 18 posts

Posted 09 August 2010 - 12:55 AM

Hi,

I ran GMER again, and it produced a log this time. I have attached it.

I realized after I ran it that I forgot to turn off the McAfee real-time scanning before I ran GMER; I hope that didn't affect the results.

-Harford

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 August 2010 - 05:10 PM

Do you still have redirects at this time?
m0le is a proud member of UNITE

#15 Harford

Harford
  • Topic Starter

  • Members
  • 18 posts

Posted 09 August 2010 - 05:43 PM


I'll check when I get home.

If I don't have redirects, then the next question I will have is, how will I know if my computer is safe to use?

