Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Mucho Malware and Spyware


  • This topic is locked This topic is locked
2 replies to this topic

#1 azcards

azcards

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:49 AM

Posted 03 August 2010 - 07:12 PM

Please help. My computer has been hijacked. It is full of Malware and Spy and Adaware that keep coming back no matter what I do. The internet is unstable and works for a little bit then goes to limited or no connectivity and needs to be restarted. Waiting for your assistance Thank You.




DDS (Ver_10-03-17.01) - NTFSx86
Run by Michelle at 20:23:03.23 on Sat 07/31/2010
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1388 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Michelle\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michelle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/?src=aim
uSearch Bar = hxxp://www.toshiba.com/search
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: MySpace Toolbar: {28aed1af-b164-44cd-b435-cf04aa955015} - c:\program files\myspace\toolbar\1.0.72.0\MySpaceToolbar.dll
BHO: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - ALOT Toolbar
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {da7c2cb8-0786-43af-8932-131ab6d237ba}: {ab732d6b-a131-2398-fa34-68708bc2c7ad}
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: CescrtHlpr Object: {f9b72325-a029-4a39-943a-02433c978829} - c:\program files\esnips.com\esnipstoolbar\1.3.0.3\escort.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\michelle\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [gljbqtbs] c:\documents and settings\networkservice\local settings\application data\thmbnatge\amqhiuktssd.exe
dRun: [tjfrxvbw] c:\documents and settings\networkservice\local settings\application data\xyqfuubdc\egvwddbtssd.exe
dRun: [dvqoxwte] c:\documents and settings\networkservice\local settings\application data\jctpekqsv\baifddwtssd.exe
mExplorerRun: [<NO NAME>] 1 (0x1)
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280548309046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli c:\windows\system32\bululepu.dll
IFEO: image file execution options - svchost.exe
Hosts: 91.206.201.8 osawarepro.microsoft.com
Hosts: 91.206.201.8 osawarepro.com
Hosts: 91.206.201.8 www.osawarepro.com
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michelle\applic~1\mozilla\firefox\profiles\5spapcu5.default\
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\myspace\toolbar\1.0.72.0\components\MySpaceFFoxTB.dll
FF - plugin: c:\documents and settings\michelle\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {F9DCDC46-06F8-4B79-9D59-41D14EB5FA92} - c:\windows\system32\config\systemprofile\local settings\application data\{f9dcdc46-06f8-4b79-9d59-41d14eb5fa92}\
FF - HiddenExtension: XULRunner: {C89F5F1A-DD35-4B5F-801A-A78DA4832937} - c:\documents and settings\shane\local settings\application data\{c89f5f1a-dd35-4b5f-801a-a78da4832937}\
FF - HiddenExtension: XULRunner: {5D7332CC-D14C-4A11-993E-E6987FDC6A7A} - c:\documents and settings\michelle\local settings\application data\{5D7332CC-D14C-4A11-993E-E6987FDC6A7A}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 214664]
R1 SASDIFSV;SASDIFSV;c:\docume~1\michelle\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\docume~1\michelle\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-3-12 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-3-12 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-3-12 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-25 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-3-12 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-12 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-12 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-3-12 40552]
S0 pgmilega;pgmilega;c:\windows\system32\drivers\pgmilega.sys [2010-7-21 767488]
S2 FdRedir;FdRedir;\??\c:\program files\common files\protector suite ql\drivers\fdredir.sys --> c:\program files\common files\protector suite ql\drivers\FdRedir.sys [?]
S2 FileDisk2;FileDisk Protector Kernel Driver;\??\c:\program files\common files\protector suite ql\drivers\filedisk.sys --> c:\program files\common files\protector suite ql\drivers\filedisk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-3 133104]
S2 smihlp;SMI helper driver;\??\c:\program files\protector suite ql\smihlp.sys --> c:\program files\protector suite ql\smihlp.sys [?]
S2 svchost32;Windows Service Manager;c:\windows\system32\directx\svchost.exe /service --> c:\windows\system32\directx\svchost.exe [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-3-12 34248]

=============== Created Last 30 ================

2010-08-01 00:30:49 0 d-----w- c:\program files\Cobian Backup 10
2010-07-30 04:29:13 0 d-----w- c:\program files\AnVi
2010-07-30 03:47:22 23992 ----a-w- c:\windows\system32\drivers\pnarp.sys
2010-07-30 03:47:17 25272 ----a-w- c:\windows\system32\drivers\purendis.sys
2010-07-30 03:47:06 0 d-----w- c:\program files\common files\Pure Networks Shared
2010-07-30 03:46:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Pure Networks
2010-07-27 09:09:43 0 d-----w- c:\docume~1\michelle\applic~1\ElevatedDiagnostics
2010-07-27 03:21:33 142 ----a-w- c:\docume~1\michelle\applic~1\wklnhst.dat
2010-07-26 20:20:06 0 d-----w- c:\documents and settings\michelle\DoctorWeb
2010-07-26 01:49:38 0 d-s---w- C:\ComboFix
2010-07-26 01:44:12 98816 ----a-w- c:\windows\sed.exe
2010-07-26 01:44:12 77312 ----a-w- c:\windows\MBR.exe
2010-07-26 01:44:12 256512 ----a-w- c:\windows\PEV.exe
2010-07-26 01:44:12 161792 ----a-w- c:\windows\SWREG.exe
2010-07-25 18:43:32 0 d-----w- c:\docume~1\michelle\applic~1\Malwarebytes
2010-07-25 18:43:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-25 18:43:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-25 18:43:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-25 18:43:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-25 17:35:32 0 d-----w- C:\xp_txt_fix
2010-07-25 17:35:22 0 d-----w- C:\xp_regfile
2010-07-25 17:35:11 0 d-----w- C:\xp_mpg_fix_reg
2010-07-25 17:34:56 0 d-----w- C:\xp_ico_file_assoc_fix
2010-07-25 17:34:45 0 d-----w- C:\xp_giffile_fix
2010-07-25 17:34:34 0 d-----w- C:\xp_drive_association_fix
2010-07-25 17:34:22 0 d-----w- C:\xp_com_fix
2010-07-25 17:34:08 0 d-----w- C:\scf_assoc_fix
2010-07-25 17:33:57 0 d-----w- C:\ie_desktop_icon
2010-07-25 17:33:38 0 d-----w- C:\xp_vbs_file_association
2010-07-25 17:33:27 0 d-----w- C:\xp_tiff_fix
2010-07-25 17:33:09 0 d-----w- C:\xp_mspfix
2010-07-25 17:32:44 0 d-----w- C:\xp_jpg_jpe_jpeg_file_assoc_fix
2010-07-25 17:32:28 0 d-----w- C:\xp_hta_fix
2010-07-25 17:32:13 0 d-----w- C:\xp_exe_fix
2010-07-25 17:31:59 0 d-----w- C:\xp_directory_reg
2010-07-25 17:31:45 0 d-----w- C:\xp_chm_fix
2010-07-25 17:31:25 0 d-----w- C:\msi_assoc
2010-07-25 17:31:09 0 d-----w- C:\html_association_fix
2010-07-25 17:30:40 0 d-----w- C:\batch_file_assoc
2010-07-25 17:28:25 0 d-----w- C:\xp_url_shortcut_fix
2010-07-25 17:28:09 0 d-----w- C:\xp_scr_fix
2010-07-25 17:27:42 0 d-----w- C:\xp_mscfix
2010-07-25 17:26:58 0 d-----w- C:\xp_inf_assoc
2010-07-25 17:25:52 0 d-----w- C:\xp_hlp_file_fix
2010-07-25 17:25:15 0 d-----w- C:\xp_eml_file_assoc
2010-07-25 17:23:19 0 d-----w- C:\xp_cpl_file_assoc
2010-07-25 17:23:01 0 d-----w- C:\xp_cabfile
2010-07-25 17:22:43 0 d-----w- C:\linkfile_fix
2010-07-25 17:22:12 0 d-----w- C:\folder_reg
2010-07-24 21:39:58 0 d-----w- c:\docume~1\michelle\applic~1\SUPERAntiSpyware.com
2010-07-24 21:39:58 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-24 06:32:49 120 ----a-w- c:\windows\Bpuxowetohekafo.dat
2010-07-24 06:32:49 0 ----a-w- c:\windows\Btucoxagijoba.bin
2010-07-21 21:48:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-07-21 21:48:41 767488 ----a-w- c:\windows\system32\drivers\pgmilega.sys
2010-07-21 21:20:02 78 ----a-w- C:\cb.dll
2010-07-21 21:19:14 1669 ----a-w- C:\Security Master AV.lnk
2010-07-21 21:19:02 0 d-----w- c:\docume~1\alluse~1\applic~1\cb302
2010-07-21 21:08:31 0 d-sh--w- c:\docume~1\alluse~1\applic~1\SMKKXNAV
2010-07-21 21:07:31 0 d-sh--w- c:\documents and settings\all users\50003ec
2010-07-17 15:56:13 0 d-----w- c:\program files\FOnline
2010-07-17 15:35:51 0 d-----w- c:\program files\GOG.com
2010-07-16 05:56:42 0 d-----w- C:\spoolerlogs
2010-07-15 22:16:45 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-07-15 22:16:45 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-07-15 22:16:45 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-07-15 22:16:45 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-07-15 22:16:44 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-07-15 22:16:44 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-07-15 22:15:54 150 ----a-w- C:\zrpt.xml

==================== Find3M ====================

2010-07-15 22:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-01-06 21:51:28 673109 --sha-w- c:\windows\system32\bdMWayay.ini2
2009-01-03 05:12:59 675512 --sha-w- c:\windows\system32\edgiPXbc.ini2
2009-01-05 23:06:03 672323 --sha-w- c:\windows\system32\JQqpXGgh.ini2
2008-11-13 23:52:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102720081103\index.dat
2008-11-13 23:52:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111320081114\index.dat
2009-12-31 00:51:14 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-12-31 00:51:14 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-12-31 00:51:14 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 20:25:14.82 ===============

GMER will run for a minute and then will shut down the computer with a Blue Screen HARD DISK Error 00001244 unable to get a log.

Attached Files



BC AdBot (Login to Remove)

 


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:11:49 AM

Posted 12 August 2010 - 03:18 AM

Hello, azcards.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for smile.gif
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.
We need to run Defogger
  1. Please download DeFogger to your desktop.
  2. Double click DeFogger to run the tool.
  3. The application window will appear
  4. Click the Disable button to disable your CD Emulation drivers
  5. Click Yes to continue
  6. A 'Finished!' message will appear
  7. Click OK
  8. DeFogger will now ask to reboot the machine - click OK
Note: If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until the end of the fix.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
We need to run an Anti-Rootkit (ARK) scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

If GMER crashes, hangs or blue-screens, do the following
  1. Please Download Rootkit Unhooker Save it to your desktop.
  2. Now double-click on RKUnhookerLE.exe to run it.
  3. Click the Report tab, then click Scan.
  4. Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  5. Wait till the scanner has finished and then click File, Save Report.
  6. Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
Note:You may get this warning. If so, please ignore it.
"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log/RKUnhooker log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:11:49 AM

Posted 12 August 2010 - 11:10 AM

It appears that you are getting help here. Please carry on with that thread instead.

This topic will now be closed.

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users