Infected PC very slow (QC44k87A) ?


This topic is locked. 24 replies to this topic.

#1 egarrim

Posted 03 September 2010 - 01:50 AM

I believe the PC first became infected after my teenage daughter had been left on Facebook. There were many instances of an AOL.exe running after restart; these were visible in Processes in Task Manager (up to 586 if left long enough, and still climbing), and nothing else was possible after that. I restarted in Safe Mode and disabled all instances of AOL software in Startup or Services using MSCONFIG. Then I managed to go and uninstall a program called AOL Picture Viewer in Add/Remove Programs. I think it may be legit, but it was definitely causing problems. I then ran Malwarebytes and it found and deleted the following nasties:
Trojan vundo
backdoor bot
worm autorun b
stolen data
spyware zbot
trojan agent
malware trace
hijack shell
hijack userinit

After all that I get a Microsoft dialogue box stating that QC44k87A is a non-responsive program.

DDS (Ver_10-03-17.01) - NTFSx86
Run by chris stubbs at 10:20:36.03 on Thu 09/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.427 [GMT 1:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\timeform\ComputerTimeformManager\ComputerTimeformManager\bin\ComputerTimeformManager.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\ehome\ehtray .exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\McAfee.com\Agent\mcagent .exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst .exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag .exe
C:\Program Files\Dell AIO 810\dlcgmon .exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect .exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent .exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\McInfo.exe
C:\Documents and Settings\All Users\Application Data\QC44k87A.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\QC44k87A.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\QC44k87A.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\QC44k87A.exe
C:\Documents and Settings\All Users\Application Data\QC44k87A.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Bleeping Computer Malware Removal\NO.2\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://start.facemoods.com/?s={searchTerms}
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mURLSearchHooks: H - No File
mURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: CescrtHlpr Object: {64182481-4f71-486b-a045-b233bd0da8fc} - c:\program files\facemoods.com\facemoods\1.3.43.0\escort.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100725082651.dll
BHO: BrowserHelper Class: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - c:\program files\sgpsa\SearchAssistant.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Internet Explorer Plugin: {9fe088dc-c3b2-479c-a314-08f90ce5166f} - vecrits93.dll
BHO: Virgin Media Toolbar: {a057a204-bacc-4d26-cfc3-3cecc9ab2eda} - c:\progra~1\virgin~2\VIRGIN~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Fast Browser Search Toolbar Helper: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Fast Browser Search Toolbar: {1bb22d38-a411-4b13-a746-c2a4f4ec7344} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: facemoods Toolbar: {db4e9724-f518-4dfd-9c7c-78b52103cab9} - c:\program files\facemoods.com\facemoods\1.3.43.0\escorTlbr.dll
TB: Virgin Media Toolbar: {a057a204-bacc-4d26-cfc3-3cecc9ab2eda} - c:\progra~1\virgin~2\VIRGIN~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [STManager] "c:\program files\speedtouch\dr speedtouch\drst.exe" -b
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
uRun: [MSConfig] c:\documents and settings\chris stubbs\xkvg.exe \u
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm .exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [DLCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCGtime.dll,_RunDLLEntry@16
mRun: [dlcgmon.exe] "c:\program files\dell aio 810\dlcgmon.exe"
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [NPSStartup]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Cobian Backup 9] "c:\program files\cobian backup 9\Cobian.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\0plgg6s.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\6rs70e7.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\a9w1soojaa.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\bww6ii6uu6g.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\c0yytkkf.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\cc6ejfk9w.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\eezqqg3iid.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\faa6mm6yy.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\hdyy6kk6.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\hs6j65glh.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\iy0uppgg.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\jfvvrhhdtt.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\ny0kqg6h0n.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\pvq1msnjzz.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\qrw5n0tp.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\riidufk9w.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\s1o9qqlc.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\tpffbrrn.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\tpffbrrndd.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\u1qmmhyy.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\uqvg3iiduu.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\vq1miiduup.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\w5sy9e1aww.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\zpplbbxn.exe
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\zqqg3iid.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ctfman~1.lnk - c:\timeform\computertimeformmanager\computertimeformmanager\bin\ComputerTimeformManager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\chris stubbs\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab?1270825735046
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: schmap-help - {2CF664A0-5EA6-47B5-884C-433A60145F78} - c:\program files\schmap\schmap player\schmapdoclib.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli jotcon.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-7-25 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-25 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-14 93320]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-25 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-25 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-25 271480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-25 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-25 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-25 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-25 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-25 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-25 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-25 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-7-25 88480]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-9-13 233472]
S2 gupdate1c9b94afc14758c;Google Update Service (gupdate1c9b94afc14758c);c:\program files\google\update\GoogleUpdate.exe [2009-4-9 133104]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-9-13 36608]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-25 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-25 83496]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2009-9-13 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2009-9-13 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2009-9-13 121856]

=============== Created Last 30 ================

2010-09-02 07:04:55 0 d-----w- c:\windows\pss
2010-09-01 18:58:21 0 ------w- c:\documents and settings\chris stubbs\defogger_reenable
2010-09-01 18:20:03 0 d-----w- c:\program files\Cobian Backup 9
2010-09-01 15:49:10 0 d-----w- c:\program files\CCleaner
2010-09-01 15:37:33 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-09-01 10:43:03 0 ----a-w- c:\windows\vmm32dll.ex_
2010-09-01 09:35:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-01 09:23:47 0 d-----w- c:\docume~1\chriss~1\applic~1\Malwarebytes
2010-09-01 09:23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-01 09:23:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-01 09:23:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-01 09:23:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-01 07:26:00 16752 ----a-w- c:\windows\vmm32dll .exe
2010-08-30 09:04:59 2 ----a-w- c:\windows\msoffice.ini
2010-08-29 16:38:37 72706 ------w- c:\docume~1\alluse~1\applic~1\QC44k87A.exe
2010-08-29 16:38:35 112 ------w- c:\docume~1\alluse~1\applic~1\hgTGm6Gd.dat
2010-08-03 20:33:30 0 d-----w- c:\docume~1\chriss~1\applic~1\McAfee

==================== Find3M ====================

2010-06-25 08:27:48 6060 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2008-03-31 15:09:15 56 --sh--r- c:\windows\system32\45BB5F3C9D.sys
2009-10-14 17:01:25 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 10:23:21.34 ===============


#2 gringo_pr (Malware Response Team)

Posted 11 September 2010 - 10:18 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
  1. Do not run any other tool until instructed to do so!
  2. Please do not attach logs or put them in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having, as these can help also.
  5. Do not run anything while running a fix.

In the upper right-hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this, then choosing Immediate E-Mail notification and clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine; if it does, click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post them in your next reply

Scan with RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Information and logs:
    In your next post I need the following:
      1. logs from DDS
      2. log from RKUnHooker
      3. let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 egarrim (Topic Starter)

Posted 12 September 2010 - 11:35 AM

Hi there, thanks for your reply. The computer in question is at my parents' house some miles away, and as it seemed to be OK after running the Malwarebytes scan I left it there after sending the logs off to Bleeping Computer for review. The only thing I can say is that there were quite a few instances of qttask running immediately after start-up, but after that they one by one ceased to run and then there were only a couple of instances running; I looked this up and found it to be a QuickTime process. The non-responsive program QC44k87A has not been seen since, and although the computer is a little slower than it was, my parents have not reported any other problems. I sent the logs to you to see if you could spot anything suspicious; I will of course get the PC if you believe it requires further investigation.

PS: would it be possible for you to recommend a remote access program, if of course this would be appropriate, as it would make it easier and cut out the possibility of a lengthy round trip?

Many thanks

#4 gringo_pr (Malware Response Team)

Posted 12 September 2010 - 01:59 PM

Hello

I don't know if these logs are from before or after the MBAM scan, but this is in the DDS log:

C:\Documents and Settings\All Users\Application Data\QC44k87A.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\QC44k87A.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\QC44k87A.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\QC44k87A.exe
C:\Documents and Settings\All Users\Application Data\QC44k87A.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

I don't like doing these scans remotely for different reasons; just let me know when you can get hold of the computer and we will take it from there.

Gringo
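Gringo's point above is that one executable dropped under All Users\Application Data shows up again and again in the process list. The script below is an added example, not code from BleepingComputer or from the DDS tool: it runs a few simple triage rules over lines copied from the DDS log in the opening post and flags the indicators visible there (a space before the file extension, bare executables in the user Startup folder, an executable living in a profile or Application Data folder, a non-default LSA notification package, and one image repeated many times in the process list). The rule names, the thresholds and the scecli-only allowlist are assumptions made for this example.

```python
"""Triage rules for DDS / HijackThis-style log lines (added example, not a BleepingComputer tool)."""
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the DDS log in the opening post.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\WINDOWS\ehome\ehtray .exe
C:\Documents and Settings\All Users\Application Data\QC44k87A.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\QC44k87A.exe
C:\Documents and Settings\All Users\Application Data\QC44k87A.exe
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSConfig] c:\documents and settings\chris stubbs\xkvg.exe \u
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
StartupFolder: c:\documents and settings\chris stubbs\start menu\programs\startup\0plgg6s.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
LSA: Notification Packages = scecli jotcon.dll
"""

# A space before the extension ("msnmsgr .exe", "qttask .exe"): the original binary was
# renamed and a look-alike dropped in its place, so the renamed original shows up like this.
SPACE_BEFORE_EXT = re.compile(r"\S \.(?:exe|scr|dll)\b", re.IGNORECASE)

# Executables directly under a user profile or its Application Data folder (long or 8.3
# names), e.g. \All Users\Application Data\QC44k87A.exe or \chris stubbs\xkvg.exe.
EXE_IN_PROFILE = re.compile(
    r"\\(?:documents and settings|docume~1)\\[^\\]+\\"
    r"(?:(?:application data|applic~1)\\)?[^\\\s]+\.exe\b",
    re.IGNORECASE,
)

LSA_ALLOWED = {"scecli"}  # default XP notification package (assumption: stock XP box)
MULTI_INSTANCE_OK = {"svchost.exe", "iexplore.exe"}  # normally run several copies
REPEAT_THRESHOLD = 3  # assumed threshold for "suspiciously many instances"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_line(line: str) -> list[tuple[str, str]]:
    """Apply the per-line rules; returns (rule name, offending line) pairs."""
    findings = []
    if SPACE_BEFORE_EXT.search(line):
        findings.append(("space_before_extension", line))
    if EXE_IN_PROFILE.search(line):
        findings.append(("exe_in_profile_dir", line))
    if (line.startswith("StartupFolder:") and line.lower().endswith(".exe")
            and ".lnk" not in line.lower()):
        # Normal Startup-folder entries are .lnk shortcuts; a bare .exe dropped there is not.
        findings.append(("bare_exe_in_startup_folder", line))
    if line.startswith("LSA: Notification Packages"):
        packages = line.split("=", 1)[1].split()
        if any(p.lower().removesuffix(".dll") not in LSA_ALLOWED for p in packages):
            # Notification packages are handed every password change; only known ones belong.
            findings.append(("unexpected_lsa_package", line))
    return findings


def repeated_processes(text: str) -> dict[str, int]:
    """Count images in the 'Running Processes' section; return the ones repeated
    at least REPEAT_THRESHOLD times that are not known multi-instance hosts."""
    counts: Counter[str] = Counter()
    in_section = False
    for line in text.splitlines():
        if line.startswith("====="):
            in_section = "Running Processes" in line
            continue
        if in_section and line.strip():
            counts[_basename(line.split(" -", 1)[0].strip())] += 1  # drop " -k ..." args
    return {name: n for name, n in counts.items()
            if n >= REPEAT_THRESHOLD and name not in MULTI_INSTANCE_OK}


def triage(text: str) -> list[tuple[str, str]]:
    """Run every rule over a DDS log and return all findings for human review."""
    findings = [f for line in text.splitlines() for f in check_line(line)]
    for name, n in repeated_processes(text).items():
        findings.append(("repeated_process", f"{name} x{n}"))
    return findings


def summarize(findings: list[tuple[str, str]]) -> Counter:
    return Counter(rule for rule, _ in findings)


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:28} {detail}")
```

The rules only point a reviewer at lines worth a second look; a hit such as GoogleToolbarNotifier.exe appearing several times is a prompt to check, not a verdict.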

#5 egarrim (Topic Starter)

Posted 12 September 2010 - 02:45 PM

Hi again, I have spoken to my parents and it appears the PC has started to act strangely since it was connected to the internet again. I will collect the PC tomorrow and I will be able to post my log results at about 20.00 hrs GMT on 13/09/2010. Thanks again.

#6 gringo_pr (Malware Response Team)

Posted 12 September 2010 - 03:11 PM

Ok thanks for letting me know


Gringo

#7 egarrim (Topic Starter)

Posted 13 September 2010 - 01:29 PM

Hi, I have just run the first two programs you told me to run. However, Rootkit Unhooker does in fact come up with the error message you mentioned, but when I ignore it I get another message: "program integrity has been damaged". No other dialogue boxes appear; however, the program can be seen to be running in Task Manager, using 50% processor and about 7,148 KB memory. Please advise. Nothing seems to happen.

I have seen much comment on the Rootkit Unhooker program; what should it do, and do you believe it to be safe? As I have said, I have tried to run it, but with no luck; it was only then that I searched for a file that might not be corrupted, but instead found lots of bad press about the program, some of it on this site.

Edited by egarrim, 13 September 2010 - 02:29 PM.


#8 gringo_pr (Malware Response Team)

Posted 13 September 2010 - 04:52 PM

Hello

"program integrity has been damaged. No other dialogue boxes appear; however, the program can be seen to be running in Task Manager, using 50% processor and about 7,148 KB memory. Please advise. Nothing seems to happen."

This may be from the antivirus. Can you make sure that the antivirus is off, and if you keep having problems then send me a new GMER report.

"I have seen much comment on the Rootkit Unhooker program; what should it do, and do you believe it to be safe? As I have said, I have tried to run it, but with no luck; it was only then that I searched for a file that might not be corrupted, but instead found lots of bad press about the program, some of it on this site."

Can you give me some links for these, as I have used it on at least 1,000 computers so far and had less than 1% that could not run it.

Gringo


#9 egarrim (Topic Starter)

Posted 14 September 2010 - 03:17 AM

I must apologise for the misunderstanding about Rootkit Unhooker; I misspelt it in my web search and there must be a suspicious program with a similar name. I have, to the best of my ability, disabled all anti-virus / spyware / malware programs, but when I try to run Unhooker I get the usual message you told me about. I then can either press OK/CANCEL or press the X in the corner to remove the message; whatever I do, I then get a message that the program is initialising, then nothing, it just runs in Task Manager!
I will attach another GMER log if possible. I have tried several times but unfortunately I get the BSOD stating
Bad pool error Technical info: STOP:0x00000019 (0x00000020, 0x85f04000,0x85f04828, 0xBo50000)
I have done this several times; I will try to run it in safe mode now.

#10 gringo_pr (Malware Response Team)

Posted 14 September 2010 - 03:52 AM

Hello

Ok no problem,

RKUnhooker will not run in safe mode. Since we can't run Unhooker, please rerun GMER so I can make sure nothing has changed from the last one and that it is safe for me to move on.

Thanks Gringo

#11 egarrim
  • Topic Starter
  • Members
  • 44 posts

Posted 15 September 2010 - 01:34 AM

Hi, the GMER scan took well over 12 hrs to run, but here are the results along with the other scans you asked me for. The GMER scan was run in safe mode as I blue screened every time in normal mode.


DDS (Ver_10-03-17.01) - NTFSx86
Run by jeremy stubbs at 8:14:23.71 on 14/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.385 [GMT 1:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\timeform\ComputerTimeformManager\ComputerTimeformManager\bin\ComputerTimeformManager.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\ehome\ehtray .exe
C:\WINDOWS\eHome\ehmsas.exe
E:\Chris Stubbs Malware Progs\DDS Prog 2\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
mSearchAssistant = hxxp://start.facemoods.com/?s={searchTerms}
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: CescrtHlpr Object: {64182481-4f71-486b-a045-b233bd0da8fc} - c:\program files\facemoods.com\facemoods\1.3.43.0\escort.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100725082651.dll
BHO: BrowserHelper Class: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - c:\program files\sgpsa\SearchAssistant.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Internet Explorer Plugin: {9fe088dc-c3b2-479c-a314-08f90ce5166f} - vecrits93.dll
BHO: Virgin Media Toolbar: {a057a204-bacc-4d26-cfc3-3cecc9ab2eda} - c:\progra~1\virgin~2\VIRGIN~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Fast Browser Search Toolbar Helper: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Fast Browser Search Toolbar: {1bb22d38-a411-4b13-a746-c2a4f4ec7344} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: facemoods Toolbar: {db4e9724-f518-4dfd-9c7c-78b52103cab9} - c:\program files\facemoods.com\facemoods\1.3.43.0\escorTlbr.dll
TB: Virgin Media Toolbar: {a057a204-bacc-4d26-cfc3-3cecc9ab2eda} - c:\progra~1\virgin~2\VIRGIN~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [<NO NAME>]
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [DLCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCGtime.dll,_RunDLLEntry@16
mRun: [dlcgmon.exe] "c:\program files\dell aio 810\dlcgmon.exe"
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [NPSStartup]
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Cobian Backup 9] "c:\program files\cobian backup 9\Cobian.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ctfman~1.lnk - c:\timeform\computertimeformmanager\computertimeformmanager\bin\ComputerTimeformManager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=GRxdm036YYGB
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\chris stubbs\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab?1270825735046
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: schmap-help - {2CF664A0-5EA6-47B5-884C-433A60145F78} - c:\program files\schmap\schmap player\schmapdoclib.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli jotcon.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-7-25 385880]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-9-10 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-9-10 59664]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-25 82952]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-9-13 233472]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-14 93320]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-25 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-25 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-25 271480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-25 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-25 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-25 141792]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-25 55456]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-9-13 36608]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-25 152320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-25 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-7-25 88480]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-9-10 33552]
S2 gupdate1c9b94afc14758c;Google Update Service (gupdate1c9b94afc14758c);c:\program files\google\update\GoogleUpdate.exe [2009-4-9 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-25 51688]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-25 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-25 83496]
S3 Normandy;Normandy SR2; [x]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2009-9-13 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2009-9-13 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2009-9-13 121856]

=============== Created Last 30 ================

2010-09-14 07:13:52 0 ----a-w- c:\documents and settings\jeremy stubbs\defogger_reenable
2010-09-11 19:41:01 0 d--h--w- c:\windows\system32\GroupPolicy
2010-09-11 19:21:49 0 d-----w- c:\program files\iPod
2010-09-11 18:42:06 0 d-----w- c:\program files\CCleaner
2010-09-11 13:03:37 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-11 12:49:23 0 d-----w- c:\program files\Bonjour
2010-09-11 12:30:55 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-09-11 12:30:53 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-09-10 17:19:05 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2010-09-10 17:19:05 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2010-09-10 17:19:05 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2010-09-10 17:19:03 0 d-----w- c:\program files\ThreatFire
2010-09-10 17:19:03 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-09-10 06:52:34 0 d-----w- c:\docume~1\jeremy~1\applic~1\Malwarebytes
2010-09-02 07:04:55 0 d-----w- c:\windows\pss
2010-09-01 18:20:03 0 d-----w- c:\program files\Cobian Backup 9
2010-09-01 15:37:33 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-09-01 10:43:03 0 ----a-w- c:\windows\vmm32dll.ex_
2010-09-01 09:35:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-01 09:23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-01 09:23:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-01 09:23:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-01 09:23:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-01 07:26:00 16752 ----a-w- c:\windows\vmm32dll .exe
2010-08-30 09:04:59 2 ----a-w- c:\windows\msoffice.ini
2010-08-29 16:38:35 112 ----a-w- c:\docume~1\alluse~1\applic~1\hgTGm6Gd.dat

==================== Find3M ====================

2010-09-10 17:19:19 6060 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-07-27 17:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 17:44:10 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 17:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-03-31 15:09:15 56 --sh--r- c:\windows\system32\45BB5F3C9D.sys
2009-10-14 17:01:25 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 8:21:07.54 ===============


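The DDS log above carries three things a responder would want to pull out mechanically rather than by eye: a program listed both as "ehtray.exe" and "ehtray .exe" (and "vmm32dll .exe" beside "vmm32dll.ex_"), a BHO ("vecrits93.dll") logged with no directory at all, and a second entry after scecli in LSA Notification Packages ("jotcon.dll"). The filename-with-spaces pattern is a renamed-aside copy of a real program, so that a different file can sit at the original path and still get launched; the ComboFix "---^>" lines later in this thread show that mapping directly. An LSA notification package is a DLL that lsass.exe loads and calls on every password change, with the new password in clear text, so anything beyond scecli on an XP box needs an explanation. The script below is an added example and is not part of the thread or of the DDS/ComboFix tools. It parses those three line shapes from a constructed sample modelled on the posted log; BASELINE_LSA (what a stock XP install registers) and the regexes are assumptions made here, not something DDS publishes.

```python
"""Triage of DDS / ComboFix style log lines.

Added example for this thread; not part of the original post nor code from
the DDS or ComboFix tools. SAMPLE_LOG is constructed from the line shapes in
the posted log, and BASELINE_LSA is an assumption about a stock XP install.
"""
import re

# "stem<spaces>.ext": the real program renamed aside so something else can
# take the original path. ComboFix reports it as "x .exe ---^> x.exe".
SPACED_EXT = re.compile(r"^(?P<stem>.*?\S)\s+\.(?P<ext>[A-Za-z0-9_]{1,4})$")
# From a drive letter to end of line; DDS prints the path last on most lines.
WIN_PATH = re.compile(r"([A-Za-z]:\\.*)$")
BHO_LINE = re.compile(r"^BHO: (?:(?P<name>.+?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.+)$")
LSA_LINE = re.compile(r"^LSA: (?P<key>[^=]+?)\s*=\s*(?P<values>.*)$")

# Assumed defaults for a stock XP machine (assumption). Keys not listed here
# get every entry reported, which is the safe side for a triage tool.
BASELINE_LSA = {
    "Notification Packages": {"scecli"},
    "Authentication Packages": {"msv1_0"},
}

# Constructed sample, modelled on the DDS output posted in this thread.
SAMPLE_LOG = r"""============== Running Processes ===============
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\ehtray .exe
============== Pseudo HJT Report ===============
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Internet Explorer Plugin: {9fe088dc-c3b2-479c-a314-08f90ce5166f} - vecrits93.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
LSA: Notification Packages = scecli jotcon.dll
=============== Created Last 30 ================
2010-09-01 10:43:03 0 ----a-w- c:\windows\vmm32dll.ex_
2010-09-01 07:26:00 16752 ----a-w- c:\windows\vmm32dll .exe
"""


def basename(path):
    return path.rsplit("\\", 1)[-1]


def find_spaced_binaries(lines):
    """(as-logged path, path that was taken over) for every 'stem<spaces>.ext'
    name. The spaced copy is normally the legitimate program; the unspaced
    path beside it is the file to pull and examine."""
    hits = []
    for line in lines:
        m = WIN_PATH.search(line)
        if not m:
            continue
        path = m.group(1).rstrip()
        name = basename(path)
        sm = SPACED_EXT.match(name)
        if sm:
            parent = path[: len(path) - len(name)]
            hits.append((path, f"{parent}{sm['stem']}.{sm['ext']}"))
    return hits


def find_unexpected_lsa_packages(lines):
    """Entries under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa that are
    not in BASELINE_LSA. A Notification Package runs inside lsass.exe and is
    handed every password change in clear text, so a stray DLL there is a
    credential-theft and persistence point, not just a startup entry."""
    unexpected = []
    for line in lines:
        m = LSA_LINE.match(line.strip())
        if not m:
            continue
        key = m["key"].strip()
        for pkg in m["values"].split():
            if pkg.lower() not in BASELINE_LSA.get(key, set()):
                unexpected.append((key, pkg))
    return unexpected


def find_pathless_bhos(lines):
    """BHOs whose DLL is logged with no directory. 'No File' is an orphan and
    is skipped; a bare name is resolved through the loader search path and
    should be located on disk and checked."""
    hits = []
    for line in lines:
        m = BHO_LINE.match(line.strip())
        if not m:
            continue
        target = m["target"].strip()
        if target.lower() == "no file" or "\\" in target:
            continue
        hits.append((m["clsid"].lower(), target))
    return hits


def triage(text):
    lines = text.splitlines()
    return {
        "spaced_binaries": find_spaced_binaries(lines),
        "lsa_packages": find_unexpected_lsa_packages(lines),
        "pathless_bhos": find_pathless_bhos(lines),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", " -> ".join(item))
```

Run it against a saved DDS or ComboFix log by reading the file and passing its text to triage(); the spaced-name check also catches the heavily padded "qttask .exe" and "msnmsgr .exe" names that ComboFix lists, because the regex only requires one or more whitespace characters before the extension. The output is a list of files to hash and submit, not a verdict; a legitimate BHO can be registered with a bare name, but it is rare enough that every hit should be located and checked.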
#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 September 2010 - 07:58 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo




#13 egarrim
  • Topic Starter
  • Members
  • 44 posts

Posted 15 September 2010 - 01:19 PM

Hi there, things are not going well at all. The machine starts to run ComboFix after installing it; it then installed the Recovery Console and backed up the registry. It starts by telling me it should only take 10 mins but could take longer on a badly infected machine. Then it sits for about 5 mins and then the machine blue screens with the text

BAD_POOL_CALLER
STOP: 0x00000000c2, (0x00000007,0x00000cd4,0x00000000, 0xf762ca68)
mfehidk.sys-address f762CA68base at f75d9000,DATESTAMP4bdld9e2


Thanks for your help.

PS: will ComboFix run in safe mode?

Edited by egarrim, 15 September 2010 - 01:22 PM.


#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 September 2010 - 01:40 PM

Hello

OK, let's try this: I want you to run ComboFix in safe mode, but it is very important that when ComboFix reboots the computer you direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

after combofix has finished its scan please post the report back here.

Gringo


#15 egarrim
  • Topic Starter
  • Members
  • 44 posts

Posted 15 September 2010 - 02:58 PM

Hi, ComboFix ran in safe mode, with a couple of restarts; I did watch it and restarted in safe mode every time. Here is the log file.


ComboFix 10-09-14.05 - chris stubbs 09/15/2010 20:20:04.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.817 [GMT 1:00]
Running from: c:\documents and settings\chris stubbs\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.\documents\settings
c:\documents and settings\chris stubbs\Application Data\facemoods.com
c:\documents and settings\chris stubbs\Local Settings\Application Data\{1BC61C04-8595-482C-8980-1CD4566A3C22}
c:\documents and settings\chris stubbs\Local Settings\Application Data\{1BC61C04-8595-482C-8980-1CD4566A3C22}\chrome.manifest
c:\documents and settings\chris stubbs\Local Settings\Application Data\{1BC61C04-8595-482C-8980-1CD4566A3C22}\chrome\content\overlay.xul
c:\documents and settings\chris stubbs\Local Settings\Application Data\{1BC61C04-8595-482C-8980-1CD4566A3C22}\install.rdf
c:\documents and settings\LocalService\Application Data\facemoods.com
c:\program files\Common Files\AOL\1209215906\ee\AOLSoftware.exe
c:\program files\Common Files\AOL\ACS\AOLDial.exe
c:\program files\facemoods.com
c:\program files\facemoods.com\facemoods\1.3.43.0\chrome.manifest
c:\program files\facemoods.com\facemoods\1.3.43.0\chrome\content\facemoods.png
c:\program files\facemoods.com\facemoods\1.3.43.0\chrome\content\ffxtlbr.xul
c:\program files\facemoods.com\facemoods\1.3.43.0\components\FFHst.dll
c:\program files\facemoods.com\facemoods\1.3.43.0\components\FFHst.xpt
c:\program files\facemoods.com\facemoods\1.3.43.0\escort.dll
c:\program files\facemoods.com\facemoods\1.3.43.0\escortEng.dll
c:\program files\facemoods.com\facemoods\1.3.43.0\escorTlbr.dll
c:\program files\facemoods.com\facemoods\1.3.43.0\install.rdf
c:\program files\facemoods.com\facemoods\1.3.43.0\uninstall.exe
c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\IE\1.bat
c:\program files\Fast Browser Search\IE\about.html
c:\program files\Fast Browser Search\IE\affid.dat
c:\program files\Fast Browser Search\IE\basis.xml
c:\program files\Fast Browser Search\IE\basis_br.xml
c:\program files\Fast Browser Search\IE\basis_de.xml
c:\program files\Fast Browser Search\IE\basis_en.xml
c:\program files\Fast Browser Search\IE\basis_es.xml
c:\program files\Fast Browser Search\IE\basis_fr.xml
c:\program files\Fast Browser Search\IE\basis_it.xml
c:\program files\Fast Browser Search\IE\basis_nr.xml
c:\program files\Fast Browser Search\IE\basis_pt.xml
c:\program files\Fast Browser Search\IE\basis_ru.xml
c:\program files\Fast Browser Search\IE\basis_tr.xml
c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
c:\program files\Fast Browser Search\IE\error.html
c:\program files\Fast Browser Search\IE\FBSPlugin.dll
c:\program files\Fast Browser Search\IE\fbsProtection.xml
c:\program files\Fast Browser Search\IE\FbsSearchProvider.xml
c:\program files\Fast Browser Search\IE\FbsSearchProviderIE8.exe
c:\program files\Fast Browser Search\IE\FBStoolbar.dll
c:\program files\Fast Browser Search\IE\fbstoolbar.jar
c:\program files\Fast Browser Search\IE\fbstoolbar.manifest
c:\program files\Fast Browser Search\IE\icons.bmp
c:\program files\Fast Browser Search\IE\info.txt
c:\program files\Fast Browser Search\IE\local.xml
c:\program files\Fast Browser Search\IE\logobg.bmp
c:\program files\Fast Browser Search\IE\MTWBtoolbar.html
c:\program files\Fast Browser Search\IE\search.bmp
c:\program files\Fast Browser Search\IE\search_br.bmp
c:\program files\Fast Browser Search\IE\search_de.bmp
c:\program files\Fast Browser Search\IE\search_es.bmp
c:\program files\Fast Browser Search\IE\search_fr.bmp
c:\program files\Fast Browser Search\IE\search_it.bmp
c:\program files\Fast Browser Search\IE\search_pt.bmp
c:\program files\Fast Browser Search\IE\search_ru.bmp
c:\program files\Fast Browser Search\IE\SearchAssistant.dll
c:\program files\Fast Browser Search\IE\SearchGuardPlus.exe
c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico
c:\program files\Fast Browser Search\IE\SGPU.ico
c:\program files\Fast Browser Search\IE\sgpUpdater.exe
c:\program files\Fast Browser Search\IE\sgpUpdater.xml
c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe
c:\program files\Fast Browser Search\IE\tbhelper.dll
c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
c:\program files\Fast Browser Search\IE\Toolbar Help.htm
c:\program files\Fast Browser Search\IE\uninstall.exe
c:\program files\Fast Browser Search\IE\uninstalSGP.exe
c:\program files\Fast Browser Search\IE\uninstalSGPU.exe
c:\program files\Fast Browser Search\IE\update.exe
c:\program files\Fast Browser Search\IE\version.txt
c:\program files\Mozilla Firefox\extensions\ffxtlbr@Facemoods.com
c:\program files\Mozilla Firefox\extensions\ffxtlbr@Facemoods.com\chrome.manifest
c:\program files\Mozilla Firefox\extensions\ffxtlbr@Facemoods.com\content\blgc.js
c:\program files\Mozilla Firefox\extensions\ffxtlbr@Facemoods.com\content\facemoods.png
c:\program files\Mozilla Firefox\extensions\ffxtlbr@Facemoods.com\content\facemoods.xul
c:\program files\Mozilla Firefox\extensions\ffxtlbr@Facemoods.com\content\Loader.js
c:\program files\Mozilla Firefox\extensions\ffxtlbr@Facemoods.com\content\pref.jpg
c:\program files\Mozilla Firefox\extensions\ffxtlbr@Facemoods.com\content\preferences.js
c:\program files\Mozilla Firefox\extensions\ffxtlbr@Facemoods.com\content\preferences.xul
c:\program files\Mozilla Firefox\extensions\ffxtlbr@Facemoods.com\content\prefman.js
c:\program files\Mozilla Firefox\extensions\ffxtlbr@Facemoods.com\content\script-compiler.js
c:\program files\Mozilla Firefox\extensions\ffxtlbr@Facemoods.com\content\Thumbs.db
c:\program files\Mozilla Firefox\extensions\ffxtlbr@Facemoods.com\content\xmlhttprequester.js
c:\program files\Mozilla Firefox\extensions\ffxtlbr@Facemoods.com\defaults\preferences\facemoods.js
c:\program files\Mozilla Firefox\extensions\ffxtlbr@Facemoods.com\install.rdf
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\SGPSA
c:\program files\SGPSA\SearchAssistant.dll
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.3.inf
c:\windows\system32\klgd.bmp

CODE
<pre>
c:\program files\Common Files\AOL\1209215906\ee\AOLSoftware .exe ---^> c:\program files\Common Files\AOL\1209215906\ee\AOLSoftware.exe
c:\program files\Common Files\AOL\ACS\AOLDial .exe ---^> c:\program files\Common Files\AOL\ACS\AOLDial.exe
c:\program files\QuickTime\qttask                                                                                              .exe ---^> c:\program files\QuickTime\qttask.exe
c:\program files\Windows Live\Messenger\msnmsgr                          .exe ---^> c:\program files\Windows Live\Messenger\msnmsgr.exe
c:\windows\ehome\ehtray .exe ---^> c:\windows\ehome\ehtray.exe
</pre>

.
Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2010-08-15 to 2010-09-15 )))))))))))))))))))))))))))))))
.

2010-09-11 19:41 . 2010-09-11 19:41 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-09-11 19:21 . 2010-09-11 19:21 -------- d-----w- c:\program files\iPod
2010-09-11 18:42 . 2010-09-11 18:42 -------- d-----w- c:\program files\CCleaner
2010-09-11 13:03 . 2010-09-11 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-11 12:54 . 2010-09-11 18:42 -------- d-----w- c:\program files\Apple Software Update
2010-09-11 12:49 . 2010-09-11 18:42 -------- d-----w- c:\program files\Bonjour
2010-09-11 12:30 . 2001-08-17 21:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-09-11 12:30 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-09-10 17:19 . 2010-01-14 15:08 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2010-09-10 17:19 . 2010-01-14 15:08 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2010-09-10 17:19 . 2010-01-14 15:08 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2010-09-10 17:19 . 2010-09-11 18:43 -------- d-----w- c:\program files\ThreatFire
2010-09-10 17:19 . 2010-09-10 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-09-02 06:40 . 2010-09-02 06:40 31712 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-02 06:38 . 2010-09-02 06:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-09-02 06:29 . 2010-09-02 06:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-01 18:20 . 2010-09-11 18:42 -------- d-----w- c:\program files\Cobian Backup 9
2010-09-01 15:37 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-09-01 09:35 . 2010-09-15 19:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-01 09:23 . 2010-09-01 09:23 -------- d-----w- c:\documents and settings\chris stubbs\Application Data\Malwarebytes
2010-09-01 09:23 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-01 09:23 . 2010-09-01 09:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-01 09:23 . 2010-09-11 18:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-01 09:23 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-01 07:26 . 2010-09-01 07:26 16752 ----a-w- c:\windows\vmm32dll .exe
2010-08-29 16:41 . 2010-08-29 16:41 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VIRGINMEDIATOOLBAR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 19:39 . 2009-07-28 10:37 -------- d-----w- c:\program files\QuickTime
2010-09-15 17:17 . 2010-08-29 16:38 112 ----a-w- c:\documents and settings\All Users\Application Data\hgTGm6Gd.dat
2010-09-11 19:23 . 2009-07-28 10:40 -------- d-----w- c:\program files\iTunes
2010-09-11 19:21 . 2009-05-11 18:47 -------- d-----w- c:\program files\Common Files\Apple
2010-09-11 18:42 . 2006-05-15 21:40 -------- d-----w- c:\program files\McAfee
2010-09-11 18:42 . 2007-09-07 16:31 -------- d-----w- c:\program files\Google
2010-09-11 18:42 . 2006-05-15 21:35 -------- d-----w- c:\program files\Dell Support
2010-09-11 18:42 . 2006-05-15 21:32 -------- d-----w- c:\program files\Dell
2010-09-11 18:39 . 2006-05-15 21:37 -------- d-----w- c:\program files\Common Files\AOL
2010-09-11 18:39 . 2006-05-21 15:42 -------- d-----w- c:\program files\Dell AIO 810
2010-09-11 13:29 . 2006-06-19 10:06 -------- d-----w- c:\documents and settings\chris stubbs\Application Data\Apple Computer
2010-09-11 13:28 . 2009-05-11 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-09-10 17:19 . 2006-06-19 10:51 6060 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-09-10 17:19 . 2006-06-19 10:51 88 --sh--r- c:\windows\system32\9D3C5FBB45.sys
2010-09-10 17:13 . 2010-07-18 19:14 452104 ----a-w- c:\documents and settings\chris stubbs\Application Data\Real\Update\setup3.12\setup.exe
2010-09-01 08:12 . 2010-09-01 08:12 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-08-30 09:15 . 2006-05-15 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-08-29 16:07 . 2006-05-21 16:06 -------- d-----w- c:\program files\Dl_cats
2010-08-03 20:33 . 2010-08-03 20:33 -------- d-----w- c:\documents and settings\chris stubbs\Application Data\McAfee
2010-08-01 17:00 . 2006-05-21 16:36 31712 ----a-w- c:\documents and settings\chris stubbs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-01 13:32 . 2005-08-16 03:41 88467 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-07-27 17:44 . 2010-07-27 17:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 17:44 . 2010-07-27 17:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 17:44 . 2010-07-27 17:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-25 10:01 . 2006-05-15 21:38 -------- d-----w- c:\program files\McAfee.com
2010-07-25 09:47 . 2007-03-09 07:48 -------- d-----w- c:\program files\Common Files\McAfee
2010-06-30 18:23 . 2010-03-23 06:58 439816 ------w- c:\documents and settings\chris stubbs\Application Data\Real\Update\setup3.10\setup.exe
2010-06-23 15:24 . 2010-06-23 15:24 501936 ------w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb7E.tmp.exe
2008-03-31 15:09 . 2006-08-18 13:24 56 --sh--r- c:\windows\system32\45BB5F3C9D.sys
.
CODE
<pre>
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Cobian Backup 9\Cobian .exe
c:\program files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                                     .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                                   .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                                  .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                                 .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                                .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                               .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                              .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                             .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                            .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                           .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                          .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                         .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                        .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                       .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                      .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                     .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                    .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                   .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                  .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                 .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                                .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                               .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                              .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                             .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                            .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                           .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                          .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                         .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                        .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                       .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                      .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                     .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                    .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                   .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                  .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                 .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                                .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                               .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                              .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                             .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                            .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                           .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                          .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                         .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                        .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                       .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                      .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                     .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                    .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                   .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                  .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                 .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                                .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                               .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                              .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                             .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                            .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                           .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                          .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                         .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                        .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                       .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                      .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                     .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                    .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                   .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                  .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                 .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm               .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm              .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm             .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm            .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm           .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm          .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm         .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm        .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm       .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm      .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm     .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm    .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm   .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm  .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Corel\Corel Photo Album 6\MediaDetect .exe
c:\program files\Dell AIO 810\dlcgmon .exe
c:\program files\Dell Support\DSAgnt .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\McAfee.com\Agent\mcagent .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Samsung\Samsung New PC Studio\NPSAgent .exe
c:\program files\SpeedTouch\Dr SpeedTouch\drst .exe
c:\program files\Thomson\SpeedTouch USB\Dragdiag .exe
c:\program files\ThreatFire\TFTray .exe
c:\windows\vmm32dll .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-CFC3-3CECC9AB2EDA}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STManager"="c:\program files\SpeedTouch\Dr SpeedTouch\drst.exe" [N/A]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-10 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"DLCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2005-09-08 73728]
"dlcgmon.exe"="c:\program files\Dell AIO 810\dlcgmon.exe" [N/A]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [N/A]
"NapsterShell"="c:\program files\Napster\napster.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [N/A]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [N/A]
"NPSStartup"="" [N/A]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-30 1193848]
"Cobian Backup 9"="c:\program files\Cobian Backup 9\Cobian.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-08-29 35844]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-4-2 657168]
CTF Manager.lnk - c:\timeform\ComputerTimeformManager\ComputerTimeformManager\bin\ComputerTimeformManager.exe [2005-10-7 94208]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2007-12-07 15:30 71008 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\AOL\1209215906\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [9/10/2010 6:19 PM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [9/10/2010 6:19 PM 59664]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [7/25/2010 8:26 AM 82952]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [9/13/2009 10:22 AM 233472]
S2 gupdate1c9b94afc14758c;Google Update Service (gupdate1c9b94afc14758c);c:\program files\Google\Update\GoogleUpdate.exe [4/9/2009 8:39 PM 133104]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/14/2008 2:50 PM 93320]
S2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/25/2010 8:26 AM 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [7/25/2010 8:26 AM 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [7/25/2010 8:27 AM 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [7/25/2010 8:26 AM 141792]
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [7/25/2010 8:26 AM 55456]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [9/13/2009 10:22 AM 36608]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 1:49 PM 227232]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [7/25/2010 8:26 AM 312616]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [7/25/2010 8:26 AM 88480]
S3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [7/25/2010 8:26 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [7/25/2010 8:26 AM 83496]
S3 Normandy;Normandy SR2; [x]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [9/13/2009 10:22 AM 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [9/13/2009 10:22 AM 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [9/13/2009 10:22 AM 121856]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [9/10/2010 6:19 PM 33552]
.
Contents of the 'Scheduled Tasks' folder

2010-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-09 19:39]

2010-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-09 19:39]

2010-09-15 c:\windows\Tasks\User_Feed_Synchronization-{8969C3E2-B12C-4DA3-B554-8E4DE39B7486}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\chris stubbs\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab?1270825735046
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{64182481-4F71-486b-A045-B233BD0DA8FC} - c:\program files\facemoods.com\facemoods\1.3.43.0\escort.dll
Toolbar-{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - c:\program files\facemoods.com\facemoods\1.3.43.0\escorTlbr.dll
AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.3.43.0\uninstall.exe
AddRemove-McAfee Uninstall Utility - c:\progra~1\McAfee.com\Shared\mcappins.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-15 20:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,d9,44,55,87,82,79,48,a2,cf,69,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,d9,44,55,87,82,79,48,a2,cf,69,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1532)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2010-09-15 20:47:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-15 19:47

Pre-Run: 209,867,292,672 bytes free
Post-Run: 211,478,261,760 bytes free

- - End Of File - - BEC3F3239E0006497ED0A77847A01E5C