
AntiVirus2010 removal process


  • This topic is locked
16 replies to this topic

#1 TheVoge

  • Members
  • 8 posts

Posted 29 October 2010 - 06:27 PM

Following the online removal instructions for AntiVirus2010, I have reached the step #9 for performing the GMER file scan. I am not sure the scan completed because of this pop-up message: WARNING!!! GMER has found system modifications caused by ROOTKIT activity. There is a second pop-up that says "Windows was unable to save all the data for the file \$Mft. The data has been lost. This error may be caused by a failure of your computer hardware or network connections. Please try to save this file elsewhere."

Info: XP IE8, having to use Safe Mode as nothing else works including IE because of this Bleeping Malware. As such, I am submitting the results text via another computer. Also, I am a complete amateur at this kind of thing so please dumb down your responses to layman's terms - Thanks!

The results of the scan are as follows:

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-29 14:36:17
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\VOGELM~1\LOCALS~1\Temp\pgrcypow.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7477E22]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF7458CDC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF7458ECE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7478610]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF74788C4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7476B14]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF7478D30]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF74780E2]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7458982]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7424D74]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7424D88]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!NtOpenProcess 8057F592 5 Bytes JMP F7424D78 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 80584849 5 Bytes JMP F7424D8C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text netbt.sys F6ED6000 145 Bytes [89, 01, 81, 7D, 10, 16, 00, ...]
.text netbt.sys F6ED6092 26 Bytes [4F, 0C, 42, F0, 0F, C1, 11, ...]
.text netbt.sys F6ED60AD 135 Bytes [00, 8B, 75, 0C, 8B, 46, 04, ...]
.text netbt.sys F6ED6135 54 Bytes [0F, 84, 30, D2, 00, 00, 8B, ...]
.text netbt.sys F6ED616C 8 Bytes [EC, 0C, 53, 8B, 5D, 1C, 83, ...]
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \Driver\Disk \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 F76D211B
Device \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST380819AS______________________________8.04____#5&f85c66f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F7955000-F795D000 (32768 bytes)
Module (noname) (*** hidden *** ) F795D000-F7964000 (28672 bytes)
Module (noname) (*** hidden *** ) F76DD000-F76E6000 (36864 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:780] F7958730
Thread System [4:784] F76E1078
Thread System [4:788] F76D2E8A

---- EOF - GMER 1.0.15 ----
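The GMER output above contains three different kinds of finding: SSDT and inline hooks that GMER attributes to a named driver (PCTCore.sys, mfehidk.sys, szkgfs.sys), hidden kernel modules with no name, and system threads and a disk-device dispatch address that GMER prints without an owner. The script below is an added example, not code from the original post and not part of GMER: it parses those log lines, separates the attributed hooks from the unattributed ones, and checks whether each thread start address and unattributed hook address falls inside one of the hidden-module ranges GMER reported. The sample log is a constructed excerpt of the post's own lines, and the line patterns are assumptions derived from those lines rather than a published GMER format.

```python
"""Triage a GMER rootkit-scan log (added example, not GMER's own code).

Splits findings into hooks GMER attributes to a named driver and findings it
cannot attribute, then maps thread start addresses and unattributed hook
addresses onto the hidden-module ranges GMER reported.  The regular
expressions are assumptions derived from the lines in the post above.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the log in the post above (addresses copied from it).
SAMPLE_LOG = r"""
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7477E22]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7424D74]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
PAGE ntoskrnl.exe!NtOpenProcess 8057F592 5 Bytes JMP F7424D78 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text netbt.sys F6ED6000 145 Bytes [89, 01, 81, 7D, 10, 16, 00, ...]
.text ...
AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
Device \Driver\Disk \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 F76D211B
Module (noname) (*** hidden *** ) F7955000-F795D000 (32768 bytes)
Module (noname) (*** hidden *** ) F795D000-F7964000 (28672 bytes)
Module (noname) (*** hidden *** ) F76DD000-F76E6000 (36864 bytes)
Thread System [4:780] F7958730
Thread System [4:784] F76E1078
Thread System [4:788] F76D2E8A
"""


@dataclass(frozen=True)
class HiddenModule:
    start: int
    end: int

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


@dataclass(frozen=True)
class Finding:
    kind: str               # SSDT, Code, PAGE, .text, AttachedDevice, Device
    target: str             # hooked function, patched image or device object
    owner: Optional[str]    # driver GMER names as the hook's owner, else None
    address: Optional[int]  # hook or patch address when the line carries one


HEX = r"([0-9A-F]+)"
PATTERNS = {
    "SSDT": re.compile(r"^SSDT (\S+) \(.*?\) (\w+) \[0x" + HEX + r"\]"),
    "Code": re.compile(r"^Code (\S+) \(.*?\) (\w+)(?: \[0x" + HEX + r"\])?"),
    "PAGE": re.compile(r"^PAGE (\S+) [0-9A-F]+ \d+ Bytes JMP " + HEX + r" (\S+)"),
    ".text": re.compile(r"^\.text (\S+) " + HEX + r" \d+ Bytes"),
    "AttachedDevice": re.compile(r"^AttachedDevice (\S+) (\S+) (\S+) \("),
    "Device": re.compile(r"^Device (\S+) (\S+) " + HEX + r"$"),
}
HIDDEN_RX = re.compile(r"^Module \(noname\) \(\*\*\* hidden \*\*\* \) " + HEX + "-" + HEX)
THREAD_RX = re.compile(r"^Thread (\S+) \[(\d+):(\d+)\] " + HEX)


def parse_gmer(text: str):
    """Return (findings, hidden modules, threads) parsed from GMER log text."""
    findings, hidden, threads = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_RX.match(line):
            hidden.append(HiddenModule(int(m[1], 16), int(m[2], 16)))
        elif m := THREAD_RX.match(line):
            threads.append((int(m[3]), int(m[4], 16)))  # (thread id, start address)
        elif m := PATTERNS["SSDT"].match(line):
            findings.append(Finding("SSDT", m[2], m[1], int(m[3], 16)))
        elif m := PATTERNS["Code"].match(line):
            findings.append(Finding("Code", m[2], m[1], int(m[3], 16) if m[3] else None))
        elif m := PATTERNS["PAGE"].match(line):
            findings.append(Finding("PAGE", m[1], m[3], int(m[2], 16)))
        elif m := PATTERNS[".text"].match(line):
            findings.append(Finding(".text", m[1], None, int(m[2], 16)))
        elif m := PATTERNS["AttachedDevice"].match(line):
            findings.append(Finding("AttachedDevice", m[2], m[3], None))
        elif m := PATTERNS["Device"].match(line):
            findings.append(Finding("Device", f"{m[1]} {m[2]}", None, int(m[3], 16)))
    return findings, hidden, threads


def resolve(addr: int, hidden: list) -> Optional[HiddenModule]:
    """Hidden module whose address range covers addr, or None."""
    return next((h for h in hidden if h.contains(addr)), None)


def triage(text: str) -> dict:
    """Group hooks by owning driver; tie ownerless addresses to hidden modules."""
    findings, hidden, threads = parse_gmer(text)
    attributed: dict = {}
    unattributed = []
    for f in findings:
        if f.owner:
            attributed.setdefault(f.owner, []).append(f"{f.kind} {f.target}")
        else:
            where = resolve(f.address, hidden) if f.address is not None else None
            unattributed.append((f.kind, f.target, f.address, where))
    return {
        "attributed": attributed,
        "hidden_modules": [(h.start, h.end) for h in hidden],
        "threads": [(tid, start, resolve(start, hidden)) for tid, start in threads],
        "unattributed": unattributed,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for drv, hooks in report["attributed"].items():
        print(f"attributed to {drv}: {', '.join(hooks)}")
    for tid, start, mod in report["threads"]:
        loc = f"hidden module {mod.start:08X}-{mod.end:08X}" if mod else "no reported module"
        print(f"thread {tid} starts at {start:08X}: {loc}")
    for kind, target, addr, mod in report["unattributed"]:
        loc = f"hidden module {mod.start:08X}" if mod else "no reported module"
        print(f"UNATTRIBUTED {kind} {target} @ {addr:08X}: {loc}")
```

Run against the excerpt, the script puts every SSDT, Code, PAGE and AttachedDevice entry under a named security driver that the rest of the log shows installed on the machine (PC Tools, McAfee, STOPzilla), which is the expected footprint of those products. What remains is the interesting part: two of the three System threads start inside the hidden modules GMER listed, while the third thread, the patched netbt.sys code section and the \Driver\Disk dispatch address point at memory that GMER could not map to any module at all. Those unattributed items, not the vendor hooks, are what the "ROOTKIT activity" warning is about.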


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 30 October 2010 - 01:02 AM

Hello TheVoge ,


Were you able to complete any of the other scans in the guide for posting logs? I'm interested in a DDS log, if you were able to get one. In the meantime, let's see if this gets the rootkit you said GMER mentioned:

Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 TheVoge
  • Topic Starter

  • Members
  • 8 posts

Posted 30 October 2010 - 10:39 AM

Bleepin Texan! Yeah, I live in Austin.

So TDSSKiller didn't find anything. Here are the log results.

2010/10/30 10:27:10.0015 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49
2010/10/30 10:27:10.0015 ================================================================================
2010/10/30 10:27:10.0015 SystemInfo:
2010/10/30 10:27:10.0015
2010/10/30 10:27:10.0015 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/30 10:27:10.0015 Product type: Workstation
2010/10/30 10:27:10.0015 ComputerName: VOGELMAN
2010/10/30 10:27:10.0031 UserName: Vogelman Family
2010/10/30 10:27:10.0031 Windows directory: C:\WINDOWS
2010/10/30 10:27:10.0031 System windows directory: C:\WINDOWS
2010/10/30 10:27:10.0031 Processor architecture: Intel x86
2010/10/30 10:27:10.0031 Number of processors: 1
2010/10/30 10:27:10.0031 Page size: 0x1000
2010/10/30 10:27:10.0031 Boot type: Safe boot with network
2010/10/30 10:27:10.0031 ================================================================================
2010/10/30 10:27:10.0531 Initialize success
2010/10/30 10:27:12.0406 ================================================================================
2010/10/30 10:27:12.0406 Scan started
2010/10/30 10:27:12.0406 Mode: Manual;
2010/10/30 10:27:12.0406 ================================================================================
2010/10/30 10:27:13.0906 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/10/30 10:27:14.0015 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/30 10:27:14.0078 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/30 10:27:14.0140 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/10/30 10:27:14.0265 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/30 10:27:14.0343 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/30 10:27:14.0406 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/10/30 10:27:14.0453 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/10/30 10:27:14.0515 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/10/30 10:27:14.0593 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/10/30 10:27:14.0640 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/10/30 10:27:14.0703 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/10/30 10:27:14.0765 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/10/30 10:27:14.0828 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/10/30 10:27:14.0843 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/10/30 10:27:14.0921 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/10/30 10:27:14.0968 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/10/30 10:27:15.0000 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/10/30 10:27:15.0078 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2010/10/30 10:27:15.0203 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/30 10:27:15.0281 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/30 10:27:15.0375 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/30 10:27:15.0468 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/30 10:27:15.0562 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/30 10:27:15.0718 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/10/30 10:27:15.0765 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/30 10:27:15.0828 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/10/30 10:27:15.0921 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/30 10:27:16.0000 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/30 10:27:16.0078 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/30 10:27:16.0203 cfwids (44e4a7dded054dd55ae995c3aed719ae) C:\WINDOWS\system32\drivers\cfwids.sys
2010/10/30 10:27:16.0437 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/10/30 10:27:16.0515 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/10/30 10:27:16.0593 ctsfm2k (fcbb8ea6fe935d2c531d3a4dee9f985b) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
2010/10/30 10:27:16.0671 CTUSFSYN (4ee8822adb764edd28ce44e808097995) C:\WINDOWS\system32\drivers\ctusfsyn.sys
2010/10/30 10:27:16.0718 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/10/30 10:27:16.0781 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/10/30 10:27:16.0921 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/30 10:27:17.0000 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2010/10/30 10:27:17.0062 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2010/10/30 10:27:17.0140 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS
2010/10/30 10:27:17.0218 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2010/10/30 10:27:17.0265 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2010/10/30 10:27:17.0312 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2010/10/30 10:27:17.0390 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
2010/10/30 10:27:17.0453 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2010/10/30 10:27:17.0468 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2010/10/30 10:27:17.0531 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/30 10:27:18.0234 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/30 10:27:18.0265 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/30 10:27:18.0312 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/30 10:27:18.0390 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/10/30 10:27:18.0437 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/30 10:27:18.0500 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2010/10/30 10:27:18.0531 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2010/10/30 10:27:18.0656 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
2010/10/30 10:27:18.0718 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
2010/10/30 10:27:18.0781 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/10/30 10:27:18.0906 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/30 10:27:18.0968 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/30 10:27:19.0015 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/30 10:27:19.0062 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/30 10:27:19.0125 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/30 10:27:19.0187 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/30 10:27:19.0234 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/30 10:27:19.0296 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/10/30 10:27:19.0375 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/30 10:27:19.0421 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/10/30 10:27:19.0468 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/30 10:27:19.0515 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/10/30 10:27:19.0531 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2010/10/30 10:27:19.0734 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2010/10/30 10:27:20.0437 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/30 10:27:20.0546 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/10/30 10:27:20.0609 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/10/30 10:27:20.0671 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/30 10:27:20.0781 ialm (5a8e05f1d5c36abd58cffa111eb325ea) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/10/30 10:27:20.0906 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/30 10:27:20.0984 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/10/30 10:27:21.0062 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/10/30 10:27:21.0109 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/30 10:27:21.0203 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/30 10:27:21.0265 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/30 10:27:21.0328 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/30 10:27:21.0406 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/30 10:27:21.0468 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/30 10:27:21.0515 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/30 10:27:21.0625 is3srv (8fe4ecc7877fcfe4e59414708898073d) C:\WINDOWS\system32\drivers\is3srv.sys
2010/10/30 10:27:21.0703 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/30 10:27:21.0765 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/30 10:27:21.0812 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/30 10:27:21.0875 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/30 10:27:21.0968 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/30 10:27:22.0375 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/10/30 10:27:22.0453 mfeapfk (b77e959e1c50d3e3a9d9ef423be62e09) C:\WINDOWS\system32\drivers\mfeapfk.sys
2010/10/30 10:27:22.0500 mfeavfk (e84596fcb591117f5597498a5f82ad97) C:\WINDOWS\system32\drivers\mfeavfk.sys
2010/10/30 10:27:22.0546 mfebopk (d40ce01e2d3fe0c079cd2d6b3e4b823b) C:\WINDOWS\system32\drivers\mfebopk.sys
2010/10/30 10:27:22.0625 mfefirek (3962c6a9e35c4319dcdab0497614fd69) C:\WINDOWS\system32\drivers\mfefirek.sys
2010/10/30 10:27:22.0687 mfehidk (e7ecf7872bf8f2897ae5a696d908c2f7) C:\WINDOWS\system32\drivers\mfehidk.sys
2010/10/30 10:27:22.0765 mfendisk (554dbbdc8c3b4f380b21269239bd29bb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2010/10/30 10:27:22.0796 mfendiskmp (554dbbdc8c3b4f380b21269239bd29bb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2010/10/30 10:27:22.0859 mferkdet (e411594ac94baef7f8ea991cc8f47fd1) C:\WINDOWS\system32\drivers\mferkdet.sys
2010/10/30 10:27:22.0921 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
2010/10/30 10:27:22.0968 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
2010/10/30 10:27:23.0031 mfetdi2k (1bfe4c4ccf8cd2d7deaffb424e691196) C:\WINDOWS\system32\drivers\mfetdi2k.sys
2010/10/30 10:27:23.0109 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2010/10/30 10:27:23.0171 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/30 10:27:23.0250 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/30 10:27:23.0328 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/10/30 10:27:23.0375 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/30 10:27:23.0437 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/30 10:27:23.0468 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/30 10:27:23.0531 mozyFilter (3ef80a284c61fdbc38c2ad16053619ac) C:\WINDOWS\system32\DRIVERS\mozy.sys
2010/10/30 10:27:23.0578 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/10/30 10:27:23.0640 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/30 10:27:23.0718 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/30 10:27:23.0796 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/30 10:27:23.0843 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/30 10:27:24.0031 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/30 10:27:24.0109 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/30 10:27:24.0140 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/30 10:27:24.0171 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/30 10:27:24.0234 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/30 10:27:24.0312 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/30 10:27:24.0328 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/30 10:27:24.0375 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/30 10:27:24.0390 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/30 10:27:24.0421 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/30 10:27:24.0453 NetBT (6944d2c7d400aad8907bd0eca911a9ce) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/30 10:27:24.0515 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/30 10:27:24.0578 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/30 10:27:24.0656 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/30 10:27:24.0765 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/10/30 10:27:24.0859 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/30 10:27:24.0890 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/30 10:27:24.0937 ossrv (3649eefa90990249267dd6c7808cbc86) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
2010/10/30 10:27:25.0015 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/30 10:27:25.0093 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/30 10:27:25.0140 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/30 10:27:25.0171 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/30 10:27:25.0250 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/30 10:27:25.0296 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/30 10:27:25.0343 PCTCore (167b2fea66dde6925766d1a81a1affc0) C:\WINDOWS\system32\drivers\PCTCore.sys
2010/10/30 10:27:25.0468 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/10/30 10:27:25.0500 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/10/30 10:27:25.0578 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/30 10:27:25.0609 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/30 10:27:25.0671 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/30 10:27:25.0718 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/10/30 10:27:25.0750 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/10/30 10:27:25.0781 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/10/30 10:27:25.0812 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/10/30 10:27:25.0843 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/10/30 10:27:25.0859 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/10/30 10:27:25.0921 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/30 10:27:25.0984 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/30 10:27:26.0031 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/30 10:27:26.0046 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/30 10:27:26.0093 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/30 10:27:26.0125 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/30 10:27:26.0156 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/30 10:27:26.0234 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/30 10:27:26.0265 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/30 10:27:26.0406 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/30 10:27:26.0468 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/30 10:27:26.0500 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/30 10:27:26.0562 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/30 10:27:26.0671 sigfilt (6bd3976b881888ac9a0ed3eb94e7fd38) C:\WINDOWS\system32\drivers\sigfilt.sys
2010/10/30 10:27:26.0796 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/10/30 10:27:26.0843 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/10/30 10:27:26.0890 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/30 10:27:26.0921 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/30 10:27:27.0000 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/30 10:27:27.0093 STHDA (b95480c92c4c9c311be47b8a1ad73770) C:\WINDOWS\system32\drivers\sthda.sys
2010/10/30 10:27:27.0156 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/30 10:27:27.0203 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/30 10:27:27.0312 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/10/30 10:27:27.0328 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/10/30 10:27:27.0359 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/10/30 10:27:27.0375 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/10/30 10:27:27.0406 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/30 10:27:27.0468 szkg5 (8fe4ecc7877fcfe4e59414708898073d) C:\WINDOWS\system32\drivers\szkg.sys
2010/10/30 10:27:27.0531 szkgfs (410a02a920fa9daeec56364e839597c1) C:\WINDOWS\system32\drivers\szkgfs.sys
2010/10/30 10:27:27.0593 tclondrv (1cdfcf0542e7eefe22ba502bfe452b12) C:\WINDOWS\system32\DRIVERS\tclondrv.sys
2010/10/30 10:27:27.0796 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/30 10:27:28.0156 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/30 10:27:28.0187 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/30 10:27:28.0218 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/30 10:27:28.0281 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/10/30 10:27:28.0328 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/30 10:27:28.0484 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/10/30 10:27:28.0546 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/30 10:27:28.0625 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/10/30 10:27:28.0671 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/10/30 10:27:28.0718 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/30 10:27:28.0765 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/30 10:27:28.0796 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/30 10:27:28.0843 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/30 10:27:28.0875 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/30 10:27:28.0937 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/30 10:27:28.0953 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/30 10:27:28.0984 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/30 10:27:29.0031 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/10/30 10:27:29.0062 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/10/30 10:27:29.0109 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/30 10:27:29.0156 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/30 10:27:29.0234 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/30 10:27:29.0312 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/10/30 10:27:29.0453 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/10/30 10:27:29.0500 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/10/30 10:27:29.0531 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/10/30 10:27:29.0578 ================================================================================
2010/10/30 10:27:29.0578 Scan finished
2010/10/30 10:27:29.0578 ================================================================================


OK, now here are the DDS scan results that I didn't include previously:

DDS (Ver_10-10-21.02) - NTFSx86 NETWORK
Run by Vogelman Family at 9:05:03.28 on Fri 10/29/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.761 [GMT -5:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Documents and Settings\Vogelman Family\Desktop\dds.scr
C:\Documents and Settings\Vogelman Family\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: AutorunsDisabled - No File
BHO: Browser Address Error Redirector - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100518173024.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [Tgbh_PreA1T] c:\program files\adware pro\Adware_Pro.exe
mRun: [LXCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCJtime.dll,_RunDLLEntry@16
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [TuneClone] c:\program files\tuneclone\TuneClone.exe /silence
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Reader Library Launcher] c:\program files\sony\reader\data\bin\launcher\Reader Library Launcher.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\vogelm~1\startm~1\programs\startup\autoru~1\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237474652171
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/html - {999748bc-a38d-42af-b5ab-a6b0d8bdc5a2} -
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: schannel.dll, digest.dll, msnsspc.dll,msapsspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vogelm~1\applic~1\mozilla\firefox\profiles\dkn8018f.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-11 385880]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-10-25 207280]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-5-12 59280]
R0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys [2009-11-21 20352]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-24 82952]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-24 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-24 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-24 141792]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-24 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-24 88480]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S0 swwqu;swwqu;c:\windows\system32\drivers\yrrfbdo.sys --> c:\windows\system32\drivers\yrrfbdo.sys [?]
S2 0118601283047158mcinstcleanup;McAfee Application Installer Cleanup (0118601283047158);c:\windows\temp\011860~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\011860~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-10-25 112592]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-6 88176]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-24 271480]
S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-24 271480]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-24 170144]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-10-25 358600]
S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-10-25 1141200]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-24 55456]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-7-11 152320]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-7-11 51688]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-24 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-24 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-7-11 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-7-11 40552]
S4 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-4-10 319488]

=============== Created Last 30 ================

2010-10-27 01:54:08 -------- d-----w- c:\docume~1\vogelm~1\applic~1\AVP 2009
2010-10-26 13:32:13 -------- d-----w- c:\program files\STOPzilla!
2010-10-26 13:32:09 -------- d-----w- c:\program files\common files\iS3
2010-10-26 13:32:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-10-26 13:10:46 -------- d-----w- C:\20548261a6171afdef
2010-10-25 20:12:29 767952 ----a-w- c:\windows\BDTSupport.dll1045.old
2010-10-25 20:12:29 767952 ----a-w- c:\windows\BDTSupport.dll
2010-10-25 20:12:29 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-10-25 20:12:29 1636304 ----a-w- c:\windows\PCTBDCore.dll1045.old
2010-10-25 20:12:29 1636304 ----a-w- c:\windows\PCTBDCore.dll
2010-10-25 20:12:29 149456 ----a-w- c:\windows\SGDetectionTool.dll1045.old
2010-10-25 20:12:29 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-10-25 20:12:06 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-10-25 20:11:59 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-10-25 20:11:59 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-10-25 20:11:54 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-10-25 20:11:47 -------- d-----w- c:\program files\common files\PC Tools
2010-10-25 20:11:47 -------- d-----w- c:\docume~1\vogelm~1\applic~1\PC Tools
2010-10-25 20:11:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-10-24 00:07:40 22992 ----a-r- c:\windows\system32\SZIO5.dll
2010-10-24 00:07:40 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-10-24 00:07:38 546256 ----a-r- c:\windows\system32\SZComp5.dll
2010-10-24 00:07:38 452048 ----a-r- c:\windows\system32\SZBase5.dll
2010-10-24 00:07:38 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-10-24 00:07:38 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-10-24 00:07:36 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-10-24 00:07:36 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-10-24 00:07:36 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-10-24 00:07:34 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2010-10-24 00:07:34 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2010-10-24 00:07:34 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2010-10-23 21:22:52 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-23 21:22:52 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-20 19:19:32 -------- d-----w- c:\program files\ESET
2010-10-20 18:32:15 -------- d-----w- c:\program files\SpyZooka
2010-10-20 16:24:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-20 16:24:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-20 14:59:47 -------- d-----w- c:\docume~1\vogelm~1\applic~1\Malwarebytes
2010-10-20 14:59:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-20 14:59:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-03 20:48:01 -------- d-----w- c:\program files\Encore

==================== Find3M ====================

2010-10-25 00:09:45 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-10-25 00:09:44 104 --sh--r- c:\windows\system32\C5BA49A8B1.sys
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-13 12:53:02 5120 ----a-w- c:\windows\system32\xpsp4res.dll

============= FINISH: 9:05:36.18 ===============


FYI, I am heading up to Arlington to see the Rangers World Series game tonight and won't be back until tomorrow afternoon. I'll do your recommended next steps when I get back. GO RANGERS!

Really appreciate your help. This has been a week long nightmare that has consumed at least 20 hours of my time trying to fix it. Probably would have been better to just take it in for a fix, but now I don't want this thing to beat me!
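One entry in the DDS "SERVICES / DRIVERS" section above stands out on its own terms: a boot-start driver (S0 swwqu) whose service name has nothing to do with its file name (yrrfbdo.sys) and whose image DDS reports as missing ("[?]"). The script below is an added example (not part of this thread, and not a DDS, ComboFix or BleepingComputer tool) that parses lines in that DDS layout and flags a missing image, a boot-start type, and a service/file name mismatch. The sample lines are copied from the log above; the flag names and the "suspicious" rule are this example's own heuristics, not verdicts, and a legitimate entry can trip the name check (McMPFSvc runs inside McSvHost.exe), so every hit still needs a human look.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Layout of one DDS "SERVICES / DRIVERS" line (as in the log above):
#   <R|S><start type> <service name>;<display name>;<image path> [<date> <size>]
# When DDS cannot find the image on disk it prints "<path> --> <path> [?]".
_LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)

# Lines copied from the DDS log above (sample input for this example).
SAMPLE_DDS_SERVICES = r"""
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-11 385880]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-10-25 207280]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-24 271480]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-24 88480]
S0 swwqu;swwqu;c:\windows\system32\drivers\yrrfbdo.sys --> c:\windows\system32\drivers\yrrfbdo.sys [?]
S2 0118601283047158mcinstcleanup;McAfee Application Installer Cleanup (0118601283047158);c:\windows\temp\011860~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\011860~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
"""


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool          # R = running, S = stopped
    start_type: int        # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    image_path: str
    file_present: bool
    flags: List[str] = field(default_factory=list)


def _image_path(cmd: str) -> str:
    """Return the executable/driver path from a service command line."""
    if cmd.startswith('"'):                 # quoted path followed by arguments
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]             # unquoted: first token is the path


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None for any other line."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    file_present = not rest.endswith("[?]")
    # Missing images print as "<cmd> --> <cmd> [?]"; present ones as "<cmd> [date size]".
    cmd = rest.split(" --> ", 1)[0] if " --> " in rest else rest.rsplit(" [", 1)[0]
    entry = ServiceEntry(
        name=m.group("name"),
        display=m.group("display"),
        running=m.group("state") == "R",
        start_type=int(m.group("start")),
        image_path=_image_path(cmd),
        file_present=file_present,
    )
    stem = entry.image_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    name = entry.name.lower()
    if entry.start_type == 0:
        entry.flags.append("boot-start")     # loads before most security software
    if not file_present:
        entry.flags.append("missing-file")   # registered image that is gone or hidden
    if stem not in name and name not in stem:
        entry.flags.append("name-mismatch")  # service name unrelated to its file name
    return entry


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse every service/driver line in a block of DDS output, skipping the rest."""
    return [e for e in (parse_service_line(l) for l in text.splitlines()) if e]


def suspicious_entries(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Heuristic: a missing image, or a boot-start driver with an unrelated name, needs a look."""
    return [
        e for e in entries
        if "missing-file" in e.flags
        or ("boot-start" in e.flags and "name-mismatch" in e.flags)
    ]


if __name__ == "__main__":
    for e in suspicious_entries(parse_dds_services(SAMPLE_DDS_SERVICES)):
        print(f"{e.name:32} start={e.start_type} {e.image_path}  flags={','.join(e.flags)}")
```

Run against the sample, the only two hits are swwqu (boot-start, missing file, unrelated name) and the leftover McAfee installer-cleanup service (missing file); the McAfee firewall service hosted in McSvHost.exe gets only the name-mismatch flag and is not reported. The same parser works on the R0/S0 lines at the end of the ComboFix log further down, which use the same name;display;path layout with a different date format.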

#4 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 30 October 2010 - 11:00 AM

Hey hey....you'll be within an hour of me when you get there. Yeah, GO RANGERS! You think they did so well because they know they'd better not let the legend that owns them now down? :lol: I was SO happy when Nolan Ryan got them!! :dance:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If McAfee gives you any problems, you may have to temporarily uninstall it. For some reason, this is common with McAfee. <_<

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Thanks,
tea

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to rangers.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#5 TheVoge (Topic Starter)

Posted 31 October 2010 - 01:27 PM

Tea! How 'bout them Rangers last night?! Their first World Series game win in franchise history!! Got to see Nolan Ryan throw the ceremonial pitch to Pudge Rodriguez. I used to watch the 2 of them in games at the old Arlington Stadium when I lived in Dallas. Priceless! Now if they can just even the Series tonight...

OK, back to business. Both McAfee and SpyDoctor have been showing as disabled by the malware, except for the McAfee auto-scan which I turned off. ComboFix first popped up a warning that it would not proceed without a back-up program from Microsoft and that an internet connection was required. I thought "uh oh" because the internet has also been disabled by this malware. However, I got another pop-up saying the download was successful, only to receive another pop-up warning with the title "ROUTE.exe - Entry Point Not Found" with a message that says "The procedure entry point getnetbyname could not be located in the dynamic link library MSWSOCK.dll." I clicked OK and the pop-up warning reappeared. Funny, in spite of that the scan started on a blue screen behind the pop-up. I watched as it ran through over 50 "stages". As I was typing this response it suddenly displayed a message (I didn't see how the scan ended) that it was rebooting the system. I now have a black screen that says "Safe Mode" in 4 corners and at the top it says "Microsoft ® Windows XP ® (Build 2600.xpsp_sp3)gdr.100427-1636: Service Pack 3)" but it did not actually reboot the system. Do I hard boot it now or what? Also, if it produced a log, it must have autosaved it somewhere, but where - I didn't see that?

#6 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 31 October 2010 - 02:18 PM

Yes, it wanted you to install recovery console....so that part is normal, and it will, as you saw, run without it, but it prefers that you do. :)

Yes, reboot it, and look for C:\ComboFix.txt I need to see that report if I can so I know where to take you next. :thumbup2: When you reboot, also let me know how it's running.

I haven't been to a game at all in about 2 years. I can only imagine how exciting that was! Love Pudge.....REALLY love Nolan Ryan.:wub: It was a sad day when he retired, but glad he's where he belongs now!

Thanks,
tea

#7 TheVoge (Topic Starter)

Posted 31 October 2010 - 04:43 PM

Tea, some successes to report.

Found the ComboFix.txt. Not much there but here are the contents:

ComboFix 10-10-30.09 - Vogelman Family 10/31/2010 13:13:01.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.737 [GMT -5:00]
Running from: F:\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

The start-up was very slow and I thought it was going to crash a few times hitting 100% a lot (I know there are too many start-up processes but my attempt to fix them using the performance tune-up program I found on Bleepingcomputer required admin rights which I don't have). After the start-up processes slowed down a bit, it was the first time since this infection that I have been able to open IE or Firefox - yeah!!!

I re-enabled the McAfee firewall but beyond that, McAfee is still not working properly. I was finally able to turn McAfee real-time protection back on, or so it says, but when I click on the link in the menu to verify it, the pop-up says it is Off! So it says it is On, then it says it is Off. I still can't run a McAfee scan - this results in the same pop-up message that I have been getting for the past week: "X An error has occurred" "An unexpected problem during your scan. Please click OK to go back to the Home page, and then try running your scan again". When I do this, I get the "! Your computer is at risk" "Check for updates" message, but the scan fails again - just a failing loop process. Also, once I got an internet connection, I got a pop-up message saying PCTools needed to add some Smart Scan updates that require a reboot. Have not rebooted yet - will wait to hear back from you.

TheVoge - GO RANGERS!!!

#8 teacup61 (Malware Response Team, Wills Point, Texas)

Posted 31 October 2010 - 05:13 PM

Every little bit helps! :thumbsup:

I would like for you to keep McAfee disabled....it interferes badly with ComboFix, and sometimes we even have to have folks temporarily uninstall it....then I'd like for you to run ComboFix again. It might give me the report from the previous run. :thumbup2:

tea

#9 TheVoge (Topic Starter)

Posted 01 November 2010 - 06:52 PM

I disabled McAfee again and ran Combofix a second time. It froze after stage 7 and got an error message saying Combofix has detected the presence of rootkit activity and needs to reboot. After the reboot, I ran it again and this is the resulting log:

ComboFix 10-11-01.01 - Vogelman Family 11/01/2010 16:08:53.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.358 [GMT -5:00]
Running from: F:\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\VOGELM~1\LOCALS~1\Temp\clclean.0001.dir.0002\~df394b.tmp
c:\documents and settings\Vogelman Family\Local Settings\temp\clclean.0001.dir.0002\~df394b.tmp
c:\windows\system32\logs
c:\windows\system32\logs\{D7FB805D-8827-4A38-8241-340B5D18D9F7}.log

.
((((((((((((((((((((((((( Files Created from 2010-10-01 to 2010-11-01 )))))))))))))))))))))))))))))))
.

2010-10-27 01:54 . 2010-10-27 02:22 -------- d-----w- c:\documents and settings\Vogelman Family\Application Data\AVP 2009
2010-10-26 13:32 . 2010-10-26 13:32 -------- d-----w- c:\program files\STOPzilla!
2010-10-26 13:32 . 2010-10-26 13:32 -------- d-----w- c:\program files\Common Files\iS3
2010-10-26 13:32 . 2010-10-26 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-10-26 13:10 . 2010-10-26 13:10 -------- d-----w- C:\20548261a6171afdef
2010-10-26 03:26 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-26 03:26 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-26 03:26 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-26 03:26 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-25 20:12 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-10-25 20:12 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-10-25 20:12 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-10-25 20:12 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll
2010-10-25 20:12 . 2009-09-24 13:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-10-25 20:11 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-10-25 20:11 . 2009-09-23 21:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-10-25 20:11 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-10-25 20:11 . 2010-10-25 20:13 -------- d-----w- c:\program files\Common Files\PC Tools
2010-10-25 20:11 . 2010-10-25 20:11 -------- d-----w- c:\documents and settings\Vogelman Family\Application Data\PC Tools
2010-10-25 20:11 . 2010-10-25 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-10-24 00:07 . 2010-10-24 00:07 22992 ----a-r- c:\windows\system32\SZIO5.dll
2010-10-24 00:07 . 2010-10-24 00:07 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-10-24 00:07 . 2010-10-24 00:07 546256 ----a-r- c:\windows\system32\SZComp5.dll
2010-10-24 00:07 . 2010-10-24 00:07 452048 ----a-r- c:\windows\system32\SZBase5.dll
2010-10-24 00:07 . 2010-10-24 00:07 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-10-24 00:07 . 2010-10-24 00:07 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-10-24 00:07 . 2010-10-24 00:07 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-10-24 00:07 . 2010-10-24 00:07 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-10-24 00:07 . 2010-10-24 00:07 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-10-24 00:07 . 2010-10-24 00:07 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2010-10-24 00:07 . 2010-10-24 00:07 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2010-10-24 00:07 . 2010-10-24 00:07 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2010-10-23 21:22 . 2010-10-23 21:22 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-20 19:19 . 2010-10-20 19:19 -------- d-----w- c:\program files\ESET
2010-10-20 18:32 . 2010-10-23 21:17 -------- d-----w- c:\program files\SpyZooka
2010-10-20 16:24 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-20 16:24 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-20 14:59 . 2010-10-20 14:59 -------- d-----w- c:\documents and settings\Vogelman Family\Application Data\Malwarebytes
2010-10-20 14:59 . 2010-10-27 00:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-20 14:59 . 2010-10-20 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-03 20:48 . 2010-10-03 20:48 -------- d-----w- c:\program files\Encore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2005-08-16 10:18 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2005-08-16 10:18 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2005-08-16 10:18 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2005-08-16 10:18 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2005-08-16 10:18 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2005-08-16 10:18 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2005-08-16 10:18 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2006-03-19 18:08 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 20:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2005-08-16 10:18 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2005-08-16 10:18 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-04-27 22:16 . 2010-04-30 00:40 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2010-01-04 17:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2010-01-04 17:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-23 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-02-24 73728]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-04-06 247296]
"TuneClone"="c:\program files\TuneClone\TuneClone.exe" [2009-07-27 4534272]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-02-23 1159168]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"Reader Library Launcher"="c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2010-05-10 906656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]

c:\documents and settings\Vogelman Family\Start Menu\Programs\Startup\AutorunsDisabled
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-3-19 390432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-1-4 2893624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-19 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll, msnsspc.dll, msapsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\lxcjcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcjpswx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/25/2010 3:11 PM 207280]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/7/2009 5:59 PM 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [5/12/2010 6:01 PM 59280]
R0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys [11/21/2009 8:34 PM 20352]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/24/2010 9:06 PM 82952]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [10/25/2010 3:12 PM 112592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/24/2010 9:05 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/24/2010 9:06 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/24/2010 9:06 PM 88480]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/7/2009 5:59 PM 61328]
S0 swwqu;swwqu;c:\windows\system32\drivers\yrrfbdo.sys --> c:\windows\system32\drivers\yrrfbdo.sys [?]
S2 0118601283047158mcinstcleanup;McAfee Application Installer Cleanup (0118601283047158);c:\windows\TEMP\011860~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\011860~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/24/2010 9:06 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/24/2010 9:06 PM 83496]
S4 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [4/10/2009 2:30 PM 319488]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder

2010-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Vogelman Family\Application Data\Mozilla\Firefox\Profiles\dkn8018f.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Sony\Reader\Data\bin\npebldetectmoz.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Tgbh_PreA1T - c:\program files\Adware Pro\Adware_Pro.exe
Notify-TPSvc - TPSvc.dll
AddRemove-Scooby-Doo™, Showdown in Ghost Town™ - c:\program files\The Learning Company\Scooby-Doo™



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-01 16:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-11-01 16:45:35
ComboFix-quarantined-files.txt 2010-11-01 21:45

Pre-Run: 16,014,565,376 bytes free
Post-Run: 15,959,060,480 bytes free

- - End Of File - - 16FADC85BD4FBF0CD7FFD39BA4AB739F


OK, going to go watch the Rangers game and see if they can stay alive tonight. Thanks for hanging with me on this.

TheVoge
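The service list in the ComboFix log above is where the responder's attention goes next: the `S0 swwqu` entry points at `c:\windows\system32\drivers\yrrfbdo.sys`, which ComboFix marks as `--> ... [?]` (registered, file missing), and the `GloballyOpenPorts` block shows ports 135 and 5000 through 5020 opened in the Windows firewall. The following Python script is an added example, not part of the thread and not ComboFix's own code: it parses service/driver lines and the firewall port list in the format the log uses, and flags registrations whose image file is gone, rating boot- and system-start drivers (`R0`/`S0`/`R1`/`S1`) higher because a missing boot-start driver is the typical leftover of a removed rootkit driver. The sample input is constructed from lines on this page; the field layout (`<R|S><start> name;display;image [date time size]`) is assumed from the log itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: service/driver lines and a firewall-policy block
# in the layout ComboFix prints, copied from the log in this thread.
SAMPLE_SERVICES = r"""
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/25/2010 3:11 PM 207280]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/24/2010 9:06 PM 82952]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/7/2009 5:59 PM 61328]
S0 swwqu;swwqu;c:\windows\system32\drivers\yrrfbdo.sys --> c:\windows\system32\drivers\yrrfbdo.sys [?]
S2 0118601283047158mcinstcleanup;McAfee Application Installer Cleanup (0118601283047158);c:\windows\TEMP\011860~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\011860~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S4 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [4/10/2009 2:30 PM 319488]
"""

SAMPLE_FIREWALL = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"""

# Assumed layout: <R|S><start-type> <name>;<display name>;<image> [date time size]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*$")   # trailing "[date time size]"
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')     # "5000:TCP"= 5000:TCP:...


@dataclass
class ServiceEntry:
    name: str
    display_name: str
    image: str
    running: bool       # R = running, S = stopped
    start_type: int     # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    file_present: bool  # ComboFix marks a missing image as "--> <path> [?]"


@dataclass
class Finding:
    name: str
    image: str
    severity: str
    reason: str


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service/driver line; return None for lines in another format."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, tail = m.groups()
    tail = tail.strip()
    present = not tail.endswith("[?]")
    # For a missing file the image is repeated after " --> "; keep the first copy.
    image = tail.split(" --> ", 1)[0] if " --> " in tail else TRAILER_RE.sub("", tail)
    return ServiceEntry(name, display, image, state == "R", int(start), present)


def parse_services(text: str) -> List[ServiceEntry]:
    return [e for e in (parse_service_line(l) for l in text.splitlines()) if e]


def triage_services(text: str) -> List[Finding]:
    """Flag registrations whose image file no longer exists.

    A boot/system-start driver (start type 0 or 1) with a missing file is the
    classic leftover of a removed rootkit driver and deserves a closer look;
    a stale auto/demand service is usually installer residue.
    """
    findings: List[Finding] = []
    for e in parse_services(text):
        if e.file_present:
            continue
        if e.start_type <= 1:
            findings.append(Finding(e.name, e.image, "high",
                                    "boot/system-start driver registered but image file missing"))
        else:
            findings.append(Finding(e.name, e.image, "info",
                                    "service registered but image file missing (likely installer residue)"))
    return findings


def parse_open_ports(text: str) -> List[Tuple[int, str]]:
    """Collect (port, protocol) pairs from a GloballyOpenPorts registry block."""
    ports: List[Tuple[int, str]] = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2)))
    return ports


if __name__ == "__main__":
    for f in triage_services(SAMPLE_SERVICES):
        print(f"[{f.severity.upper()}] {f.name}: {f.reason} ({f.image})")
    print("Globally open ports:", parse_open_ports(SAMPLE_FIREWALL))
```

Run against the full log, the script would report `swwqu` as the one high-severity item (a stopped boot-start driver with no file behind it) and the McAfee installer cleanup entry as residue, and list the 22 globally open TCP ports so the responder can decide which of them the user actually needs.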

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 November 2010 - 12:30 PM

Hi there,

I'm SO sorry for my absence yesterday. I knew I had to go to the dentist, but it got more involved than I thought and I was out on pain medication....YOW! And....I'm still so proud of the Rangers. They had a fabulous season, especially after so many mediocre ones. I'm happy with it. :)

There are a few things in that log I need to look into and I'll get back to you. How is it running now please?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#11 TheVoge

TheVoge
  • Topic Starter

  • Members
  • 8 posts

Posted 02 November 2010 - 06:14 PM

Tea, no apologies necessary. I can only find time to work on this problem about once per day anyway. Tooth pain takes highest priority in my books. Very proud of the Rangers, too. I think they will be even better next year after a few roster tweaks.

So my system is functioning pretty well except for the slow start-up, but that was a problem before this malware issue. The only issue that I am aware of at this moment is that I think McAfee is still not working based on the same pop-up warnings I have been getting during this whole episode. Then again, I have it disabled, so I don't know for sure.

Thanks again!

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 November 2010 - 07:28 PM

hi there,

You're welcome. :)

If McAfee still acts up after being re-enabled, you may have to uninstall it and reinstall it. Sometimes malware can corrupt these programs and they need to be replaced. Let me know what happens, please. :thumbup2:

tea

#13 TheVoge

TheVoge
  • Topic Starter

  • Members
  • 8 posts

Posted 02 November 2010 - 10:51 PM

OK, uninstalled McAfee. Reboot froze screen. Hard boot, reinstalled McAfee. Hard reboot, screen stalled with never-ending hour glass. Hard reboot, screen was non-responsive - mouse would move but could not click on anything. Hard reboot. McAfee ate up processing for about 10 minutes. After it calmed down, I was able to successfully run a scan producing 0 negative results.

PCTools identified some files it wants to correct but I don't know if they are from Combofix, etc. or if I should let PC Tools delete them. These are the files identified:

RogueAntiSpyware.RegistryDoktor:

C:\Documents and settings\vogelman family\application data\avp 2009\1/dat
C:\Documents and settings\vogelman family\application data\avp 2009\

Registry value:

HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Service
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Legacy
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ConfigFlags
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Class
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ClassGUID
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, DeviceDesc
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Capabilities
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Control, ActiveService
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Services\catchme, Type
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Services\catchme, ErrorControl
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Services\catchme, Start
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Services\catchme, ImagePath
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Services\catchme, Group
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Services\catchme\Enum, 0
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Services\catchme\Enum, Count
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Services\catchme\Enum, NextInstance

Registry Key:
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\LogConf
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\Control
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Services\catchme\Enum
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Services\catchme
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME

Registry Key:
HKEY_USERS\S-1-5-21-2300450115-1409317769-3148743654-1005\Software\Wget

Registry Value to be Repaired:
HKEY_USERS\S-1-5-21-2300450115-1409317769-3148743654-1005\Software\Microsoft\Windows\CurrentVerson\Explorer\Advanced, Hidden
HKEY_USERS\S-1-5-21-2300450115-1409317769-3148743654-1005\Software\Microsoft\Windows\CurrentVerson\Explorer\Advanced, HideFileExt

OK, so where does that leave us now? All in all, my system seems to be back to its usual self.

Let me know any next steps or if we are finally finished.

Many thanks!

Also, I will be making a PayPal donation - you definitely earned it!

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 November 2010 - 11:53 AM

Hi there,

You're welcome :)

Yes, those can all go....the very top ones are related to the infection you had, and you're right. All the "Catch me" entries are related to ComboFix, which we'll remove right now :

Uninstall ComboFix by doing the following :

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

Could you tell me what's in these folders, please? C:\20548261a6171afdef, and c:\documents and settings\Vogelman Family\Application Data\AVP 2009 If they're empty, delete them. I'd also like to have a file analyzed :

Please visit the online Jotti Virus Scanner (link)
  • Copy and paste the following filepath in the box:

    c:\windows\system32\drivers\yrrfbdo.sys

  • Click the button to submit the file.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

After that, have another scan and let me know if it comes up clean, and also if McAfee is behaving as it should now. Sounds like it gave you a hard time. :blink: Unfortunately, that is more typical than it is a surprise. :(

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Those old versions also take up a ton of space! Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Thanks,
tea

Edited by teacup61, 03 November 2010 - 11:54 AM.


#15 TheVoge

TheVoge
  • Topic Starter

  • Members
  • 8 posts

Posted 03 November 2010 - 08:51 PM

Howdy Tea,

Lots of homework to report back on so here goes:

All the previously listed files found by PCTools have been deleted.

Was not able to Uninstall ComboFix because the file could not be found by Search or by Run - probably because I ran the program from a flash drive?

Folder C:\20548261a6171afdef contains a lot of Hotfix folders with files for EULA and .dll, plus an .exe file, and some icons for Hotfix. Did not delete it.

Folder c:\documents and settings\Vogelman Family\Application Data\AVP 2009 was an empty .dat file - now deleted

Unable to use Jotti Virus Scanner because c:\windows\system32\drivers\yrrfbdo.sys could not be found by Jotti or by my system Search or Run functions. Now what?

Ran another PCTool scan and found several mid-level and low level files, none related to trojans. Deleted all. Reran it again and it came up clean. Ran McAfee scan and it came up clean. Question: in your opinion, is PCTools combined with Malwarebytes a comparable replacement for McAfee? I really don't like the way McAfee consumes resources and causes performance issues but I also don't want to compromise protection.

Thanks for the tip on the old Java files. I removed two large older Java files. Rebooted and reinstalled new version of Java Runtime Environment (JRE).

I opted to turn off the Java Quick Starter (JQS.exe).

Rebooted. Start-up process initially consumed a lot less resources avg. +/-60% until the mcshield.exe kicked in.

OK, are we getting close to burying this nasty thing?

Thanks! KV
