Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware redirecting browser


  • This topic is locked This topic is locked
20 replies to this topic

#1 Rookie7

Rookie7

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 12 September 2010 - 04:18 PM

New to the site...so thanks in advance. I have malware that is redirecting the browser. As an example when I do a search and click on one of the results the request is getting redirected to various websites. I ran both Malwarebytes and Superantispyware on multiple occassions. Did not help.

I also followed the directions in the Preperation Guide. Was able to complete all with the exception of GMER. When GMER is running eventually i get to the blue screen of death with the error message Stop: d000144 Unkown Hard Error. Tried GMER multiple times with same result.

DDS Text file as follows:



DDS (Ver_10-03-17.01) - NTFSx86
Run by Larry_2 at 10:49:48.40 on Sun 09/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1855 [GMT -4:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Larry_2\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100812020705.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [KWTray] c:\program files\webroot\webroot parental controls\WPCTray.exe
mRun: [drkly16j] rundll32.exe drkly16j.dll,ServiceCheck
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\larry.exe" /runcleanupscript
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: KWNTA - ICKGW32I.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ickgw32i

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-25 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-12 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-26 210216]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-12 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-12 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-12 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-12 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-12 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-12 141792]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-12 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-25 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-25 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-12 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-12 88480]
R3 TCFilter;TCFilter;c:\windows\system32\drivers\tcfilter.sys --> c:\windows\system32\drivers\tcfilter.sys [?]
S2 gupdate1c9f76b46f7efa8;Google Update Service (gupdate1c9f76b46f7efa8);c:\program files\google\update\GoogleUpdate.exe [2009-6-27 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-12 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-12 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-25 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-25 40552]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-2-10 44928]
S4 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

=============== Created Last 30 ================

2010-09-12 14:47:18 0 ----a-w- c:\documents and settings\larry_2\defogger_reenable
2010-09-11 13:52:21 0 d-----w- c:\docume~1\larry_2\applic~1\SUPERAntiSpyware.com
2010-08-26 22:10:08 398744 ----a-r- c:\windows\system32\cpnprt2.cid
2010-08-26 22:10:02 0 d-----w- c:\program files\Coupons
2010-08-18 19:17:04 0 d-----w- c:\program files\Amazon

==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-21 22:03:57 72864 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 21:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ------w- c:\windows\system32\iccvid.dll
2008-12-28 04:38:41 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122720081228\index.dat

============= FINISH: 10:52:56.48 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:47 PM

Posted 18 September 2010 - 04:25 AM

Hello Rookie7 ,



Sorry for the delay. sad.gif If you still need help, please post a new DDS/HijackThis log and I'll be happy to look at it. smile.gif

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 Rookie7

Rookie7
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 18 September 2010 - 07:16 AM

Many thanks Tea...here is new DDS

DS (Ver_10-03-17.01) - NTFSx86
Run by Larry_2 at 8:06:50.86 on Sat 09/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1613 [GMT -4:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Larry_2\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100916194513.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [KWTray] c:\program files\webroot\webroot parental controls\WPCTray.exe
mRun: [drkly16j] rundll32.exe drkly16j.dll,ServiceCheck
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\larry.exe" /runcleanupscript
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: KWNTA - ICKGW32I.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ickgw32i

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-25 386712]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-12 84072]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-26 210216]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-12 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-12 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-12 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-12 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-12 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-12 141792]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-12 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-25 152992]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-25 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-12 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-12 88544]
R3 TCFilter;TCFilter;c:\windows\system32\drivers\tcfilter.sys --> c:\windows\system32\drivers\tcfilter.sys [?]
S2 gupdate1c9f76b46f7efa8;Google Update Service (gupdate1c9f76b46f7efa8);c:\program files\google\update\GoogleUpdate.exe [2009-6-27 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-12 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-12 84264]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-25 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-25 40552]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-2-10 44928]
S4 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

=============== Created Last 30 ================

2010-09-16 11:58:41 3248 ----a-w- c:\windows\system32\wbem\Outlook_01cb55968169d766.mof
2010-09-14 08:06:03 24576 ----a-w- c:\windows\system32\drivers\Kbdclass.sy@
2010-09-11 13:52:21 0 d-----w- c:\docume~1\larry_2\applic~1\SUPERAntiSpyware.com
2010-08-26 22:10:08 398744 ----a-r- c:\windows\system32\cpnprt2.cid
2010-08-26 22:10:02 0 d-----w- c:\program files\Coupons

==================== Find3M ====================

2010-08-24 18:57:38 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-24 18:57:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-08-24 18:57:38 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-08-24 18:57:38 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-08-24 18:57:38 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-08-24 18:57:38 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-08-24 18:57:38 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-08-24 18:57:38 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-08-24 18:57:38 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-08-24 18:57:38 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 13:17:06 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 15:49:15 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-21 22:03:57 72864 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 21:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2008-12-28 04:38:41 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122720081228\index.dat

============= FINISH: 8:08:07.31 ===============
Attached File  Attach2.txt   19.68KB   1 downloads

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:47 PM

Posted 18 September 2010 - 07:26 AM

Hello,

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If McAfee gives you any problems, you may have to temporarily uninstall it. For some reason, this is common with McAfee. dry.gif

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to Rookie.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 Rookie7

Rookie7
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 18 September 2010 - 08:25 AM

OK...ComboFix ran successfully. Log as follows:

ComboFix 10-09-17.04 - Larry_2 09/18/2010 8:57.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1827 [GMT -4:00]
Running from: c:\documents and settings\Larry_2\Desktop\Rookie.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Anthony.DB9RBW71.000\Local Settings\Application Data\{B883E129-0F57-41CE-8B0A-0CC3B66392B1}
c:\documents and settings\Anthony.DB9RBW71.000\Local Settings\Application Data\{B883E129-0F57-41CE-8B0A-0CC3B66392B1}\chrome.manifest
c:\documents and settings\Anthony.DB9RBW71.000\Local Settings\Application Data\{B883E129-0F57-41CE-8B0A-0CC3B66392B1}\chrome\content\_cfg.js
c:\documents and settings\Anthony.DB9RBW71.000\Local Settings\Application Data\{B883E129-0F57-41CE-8B0A-0CC3B66392B1}\chrome\content\c.js
c:\documents and settings\Anthony.DB9RBW71.000\Local Settings\Application Data\{B883E129-0F57-41CE-8B0A-0CC3B66392B1}\chrome\content\overlay.xul
c:\documents and settings\Anthony.DB9RBW71.000\Local Settings\Application Data\{B883E129-0F57-41CE-8B0A-0CC3B66392B1}\install.rdf
C:\kmd.exe
c:\program files\Shared
c:\windows\patch.exe
c:\windows\settings.reg
c:\windows\system32\Data
c:\windows\system32\kmd.exe

.
((((((((((((((((((((((((( Files Created from 2010-08-18 to 2010-09-18 )))))))))))))))))))))))))))))))
.

2010-09-17 21:50 . 2010-09-17 21:50 862872 ----a-w- c:\documents and settings\Larry_2\Application Data\yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe
2010-09-16 09:39 . 2010-09-16 09:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-09-11 13:52 . 2010-09-11 13:52 63488 ----a-w- c:\documents and settings\Larry_2\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-11 13:52 . 2010-09-11 13:52 52224 ----a-w- c:\documents and settings\Larry_2\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-11 13:52 . 2010-09-11 13:52 117760 ----a-w- c:\documents and settings\Larry_2\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-11 13:52 . 2010-09-11 13:52 -------- d-----w- c:\documents and settings\Larry_2\Application Data\SUPERAntiSpyware.com
2010-08-26 22:10 . 2010-08-26 22:10 -------- d-----w- c:\program files\Coupons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-17 14:57 . 2008-06-13 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-11 00:59 . 2008-01-21 20:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-11 00:36 . 2009-01-04 04:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-04 12:27 . 2009-03-09 00:50 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-01 15:09 . 2009-12-27 16:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-24 18:57 . 2010-08-12 06:07 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-08-24 18:57 . 2010-08-12 06:06 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-24 18:57 . 2010-08-12 06:06 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-08-24 18:57 . 2010-08-12 06:06 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-08-24 18:57 . 2010-08-12 06:06 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-08-24 18:57 . 2010-08-12 06:06 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-08-24 18:57 . 2010-08-12 06:06 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-08-24 18:57 . 2007-02-25 14:46 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-08-24 18:57 . 2007-02-25 14:46 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-08-24 18:57 . 2007-02-25 14:46 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-08-18 19:17 . 2010-08-18 19:17 -------- d-----w- c:\program files\Amazon
2010-08-17 13:17 . 2004-08-19 20:49 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-12 13:59 . 2005-07-14 15:22 -------- d-----w- c:\program files\McAfee.com
2010-08-12 13:33 . 2005-10-04 23:52 -------- d-----w- c:\program files\McAfee
2010-08-12 13:32 . 2007-02-25 14:45 -------- d-----w- c:\program files\Common Files\McAfee
2010-08-05 13:03 . 2010-08-05 13:03 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-07-25 13:26 . 2007-12-22 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-22 15:49 . 2004-08-19 20:49 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-17 00:40 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-21 22:03 . 2010-03-13 03:21 72864 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-11 12:39 . 2008-12-18 15:22 108304 ----a-w- c:\documents and settings\Anthony.DB9RBW71.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-10 21:11 . 2010-06-12 14:43 108304 ----a-w- c:\documents and settings\Larry_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-10 17:41 . 2010-07-10 17:41 14756400 ----a-w- c:\documents and settings\All Users\Application Data\Pure Networks\Setup\nmsetup.exe
2010-06-30 12:31 . 2004-08-19 20:49 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-19 20:49 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-19 20:49 1851904 ------w- c:\windows\system32\win32k.sys
2010-06-23 01:52 . 2010-06-23 01:52 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb3.tmp.exe
2010-06-21 15:27 . 2005-07-14 14:49 354304 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-13 68856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"P17Helper"="P17.dll" [2004-06-10 60928]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-30 339968]
"KWTray"="c:\program files\Webroot\Webroot Parental Controls\WPCTray.exe" [2007-11-21 185688]
"drkly16j"="drkly16j.dll" [2007-04-16 677304]
"snp2std"="c:\windows\vsnp2std.exe" [2008-03-10 348160]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-09-14 648488]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-11-25 705832]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-07-01 1193848]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-13 68856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\KWNTA]
2007-04-16 15:52 677304 ------w- c:\windows\system32\ickgw32i.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ickgw32i

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SLC\\jre_1_6_0_1\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/12/2010 2:06 AM 84072]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/26/2008 6:38 AM 210216]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/12/2010 2:06 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [8/12/2010 2:06 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/12/2010 2:07 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [8/12/2010 2:06 AM 141792]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/12/2010 2:06 AM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/12/2010 2:06 AM 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [8/12/2010 2:06 AM 88544]
R3 TCFilter;TCFilter;c:\windows\system32\drivers\tcfilter.sys --> c:\windows\system32\drivers\tcfilter.sys [?]
S2 gupdate1c9f76b46f7efa8;Google Update Service (gupdate1c9f76b46f7efa8);c:\program files\Google\Update\GoogleUpdate.exe [6/27/2009 5:07 PM 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [8/12/2010 2:06 AM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/12/2010 2:06 AM 84264]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2/10/2008 8:53 PM 44928]
S4 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-09-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-04 23:39]

2010-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-27 21:07]

2010-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-27 21:07]

2010-09-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-09-18 c:\windows\Tasks\User_Feed_Synchronization-{CB45EE17-589F-412F-855F-0C5CB0679E85}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\larry.exe
AddRemove-Registrar Registry Manager 5.66 (Lite Edition) - c:\program files\Registrar Registry Manager\unwise.exe
AddRemove-SBC Self Support Tool - c:\docume~1\Larry\LOCALS~1\Temp\SST\CustomUninstall.exe
AddRemove-SBC Yahoo! Dial Connection Manager - c:\windows\..\Program Files\SBC Yahoo!\Connection Manager\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-18 09:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sy@"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1124)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'winlogon.exe'(5332)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'winlogon.exe'(3816)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-09-18 09:23:16
ComboFix-quarantined-files.txt 2010-09-18 13:23
ComboFix2.txt 2008-02-13 02:21

Pre-Run: 113,380,290,560 bytes free
Post-Run: 113,579,397,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 6EEB2477D40031AB46C869F6C7DD5ACC


#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:47 PM

Posted 18 September 2010 - 03:32 PM

Hello,

How is it running now please? smile.gif Have a run with Malwarebytes, and try gmer again. If gmer still won't go, don't worry. this is pretty common. Try unchecking everything but the user code section and try it again. I just want to be sure there are no modified files there, so if you can get it to run, it'll tell me. thumbup2.gif

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 Rookie7

Rookie7
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 19 September 2010 - 01:45 PM

Running better now...no more redirects. Ran malwarebytes with no detections. Still having trouble getting GMER to complete successfully. What did you mean by "uncheck everyting but user code section" ?

Thanks again tea...you are a lifesaver

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:47 PM

Posted 23 September 2010 - 01:19 PM

Hi there,

SO sorry for the delay. sad.gif

You're welcome. Glad it's better. smile.gif Eh, don't worry about it if it won't run. It's pretty common, and things look all right in the ComboFix log, so I don't think we need gmer. smile.gif

Please delete ComboFix and it's folder, C:\Qoobox. Empty your recycle bin and reboot your computer.

If you have any questions, feel free to ask. Otherwise.........

Take care,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 Rookie7

Rookie7
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 23 September 2010 - 06:43 PM

OK...thanks Tea. One last thing. I've tried to re-enable by CD drives with Defogger and I am unsuccessful (not sure why). So I tried to disable and reenable them again...also with no success. Any thoughts on how I can get my CD drives back?

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:47 PM

Posted 24 September 2010 - 11:18 AM

Hello,

You said you disabled and re enabled them....try uninstalling, reboot and they should automatically reinstall and pick up. If not, let me know. smile.gif

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 Rookie7

Rookie7
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 24 September 2010 - 04:49 PM

no luck. I deleted defogger off the desk top (as it wasn't showing up on my program list and therefore was not able to find it in the add/remove programs list). Rebooted after I deleted it and still can't see my CD or DVD drive.

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:47 PM

Posted 25 September 2010 - 02:27 AM

Okay....try this one thing and then you may have to post in the hardware section for this. Beyond a certain point I'm not certain in that area. Are you familiar with the upper and lower filters?

NOTE: After removing these registry keys and rebooting, it may be necessary to reinstall any CD or DVD recording applications.


1) Close all open programs

2) Click on Start, Run, and type REGEDIT and press Enter

3) Click on the plus signs (+) next to the following folders

* HKEY_LOCAL_MACHINE
* SYSTEM
* CurrentControlSet
* Control
* Class
* {4D36E965-E325-11CE-BFC1-08002BE10318}

4) This folder is the DVD/CD-ROM Drive Class Description in the registry. Look for any of the following names in the right hand column.

* UpperFilters
* LowerFilters
* UpperFilters.bak
* LowerFilters.bak

5) If any of the above keys shown in step 4 are listed, right-click on them and choose Delete

6) After deleting the keys, close the Registry Editor

7) Reboot
your computer

8) Open My Computer and check to see if your CD or DVD drives have returned. You may also want to open Device Manager and verify that the yellow exclamation and error code on the CD or DVD drive is gone.

I have done this on my own computer with success, so I'm hopeful it's that easy. thumbup2.gif If not, let me know and we'll do something else. smile.gif

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 Rookie7

Rookie7
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 25 September 2010 - 06:07 AM

Wow...you're a genius! that worked. I think we are done here. If I could trouble you for one final clean-up question. When I went to delete C:\Qoobox, I noticed another directory directly beneath it called "Rookie" that had a computer symbol next to it and. When you click on the plus sign to expand there is, what appers to be, another mirror image of my c: drive. Was this an artifact of the clean-up process? Can the whole thing be deleted off the drive?
thumbup2.gif

Edited by Rookie7, 25 September 2010 - 06:08 AM.


#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:47 PM

Posted 25 September 2010 - 08:49 AM

I'm glad that worked. thumbup.gif

About the other, we didn't do that, but I can't tell you what did. I wouldn't delete it though. Do you have some sort of imaging software? If so this *may* be a backup for that. Is it a folder? If so, how big is it?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#15 Rookie7

Rookie7
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:47 PM

Posted 25 September 2010 - 07:30 PM

so this is strange....its a computer icon just like the typical "my computer" part of of the tree except its called Rookie (a term I've never used except during this process) When you click on it, it opens to reveal a complete copy of "my computer" (documents and settings, program files D: and E: drives etc. etc.) along with another computer icon that says "Rookie". If you click on that one it opens to reveal another full tree of "my computer". I did this 5 or 6 times and it appears it would continue to tree like this indefinitely. Also...I don't have any imaging software that I am aware of.
I'l hold back on the temptation to delete it all until i hear back from you.

Any thoughts?? blink.gif

Edited by Rookie7, 25 September 2010 - 07:32 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users