Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

devenum4.dll


  • This topic is locked This topic is locked
23 replies to this topic

#1 ajfa

ajfa

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:15 AM

Posted 19 December 2010 - 12:53 AM

Hi, thanks for helping me out. My problems began when I got a Google redirect virus. McAfee and Malwarebytes Antimalware couldn't detect anything, so i downloaded hitman Pro v 3.5.8. When I ran this program, it detected and deleted 3 exe files called ljl.exe ljk.exe and a couple of other similarly named programs. It also detected something called devenum4.dll in my c:\users\Andrew\AppData\Roaming\ folder, which it identifies as malware, but is unsuccessful at deleting it. When I search for the file manually, I am unable to find it. Any help in removing this (if necessary) would be greatly appreciated. Please find below my DDS log, and attached, the other file from that program and the GMER log.

Andrew

DDS (Ver_10-12-12.02) - NTFSx86
Run by Andrew at 15:54:06.18 on Sun 19/12/2010
Internet Explorer: 8.0.6001.18999
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2046.954 [GMT 11:00]

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Softex\OmniPass\OmniServ.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\LEXPPS.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxbccoms.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\PLFSetL.exe
C:\Program Files\Home Cinema\PowerDVD\PDVDServ.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Softex\OmniPass\opvapp.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\WisLMSvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Andrew\Desktop\HitmanPro35.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Andrew\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.queens.unimelb.edu.au/qi
uSearch Bar = Preserve
uInternet Settings,ProxyServer = wwwproxy.unimelb.edu.au:8000
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101027161319.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [RemoteControl] "c:\program files\home cinema\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\home cinema\powerdvd\language\Language.exe"
mRun: [OmniPass] c:\program files\softex\omnipass\scureapp.exe
mRun: [ATSwpNav] "c:\program files\fingerprint sensor\ATSwpNav" -run
mRun: [LaunchAp] "c:\program files\launch manager\LaunchAp.exe"
mRun: [HotkeyApp] "c:\program files\launch manager\HotkeyApp.exe"
mRun: [LMgrOSD] "c:\program files\launch manager\OSD.exe"
mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [toolbar_eula_launcher] c:\program files\googleeula\EULALauncher.exe
mRun: [Skytel] Skytel.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [autodetect] c:\windows\system32\supportappxl\AutoDect.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 386840]
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [2007-10-2 210736]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-3-17 64304]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-3-17 164840]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-17 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-17 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-17 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-17 313288]
S3 flash;flash;c:\windows\system32\drivers\flash.sys [2007-10-2 8064]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-17 84264]
S3 PhilCap;NXP service;c:\windows\system32\drivers\PhilCap.sys [2007-10-2 908896]

=============== Created Last 30 ================

2070-11-28 07:02:20 203576 ------w- c:\program files\microsoft games\age of empires iii\autopatcher2.exe
2010-12-16 06:35:44 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-16 06:35:14 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-12-14 03:40:35 -------- d-sh--w- C:\$RECYCLE.BIN
2010-12-14 03:21:30 98816 ----a-w- c:\windows\sed.exe
2010-12-14 03:21:30 89088 ----a-w- c:\windows\MBR.exe
2010-12-14 03:21:30 256512 ----a-w- c:\windows\PEV.exe
2010-12-14 03:21:30 161792 ----a-w- c:\windows\SWREG.exe
2010-12-14 02:09:28 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-14 02:07:15 -------- d-----w- c:\progra~2\Hitman Pro
2010-12-13 13:04:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-13 13:04:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-13 13:04:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-13 04:34:04 129536 --sha-r- c:\users\andrew\appdata\roaming\devenum4.dll
2010-12-13 04:19:40 -------- d-----w- c:\progra~2\Sibelius Software
2010-12-13 04:15:51 -------- d-----w- c:\users\andrew\appdata\roaming\Sibelius Software
2010-12-13 04:13:30 -------- d-----w- c:\program files\Sibelius Software
2010-12-10 11:56:57 341256 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
2010-11-30 08:38:26 -------- d-----w- c:\program files\iPod
2010-11-30 08:38:24 -------- d-----w- c:\program files\iTunes
2010-11-24 00:00:54 7680 ----a-w- c:\program files\internet explorer\iecompat.dll

==================== Find3M ====================

2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 15:57:35.08 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:05:15 PM

Posted 29 December 2010 - 01:43 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 ajfa

ajfa
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:15 AM

Posted 31 December 2010 - 01:32 AM

Hey, thanks for getting back to me. I've attached the DDS logs, but unfortunately, when I tried to run GMER, the first time a blue screen appeared and i had to restart, the second time the following error appeared:

Gmer.exe has stopped working

A problem has caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.


Seems a bit odd because i was able to create a GMER log, which I attached in my first post. But here are the new DDS logs.

Thanks again.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Andrew at 16:42:25.12 on Fri 31/12/2010
Internet Explorer: 8.0.6001.18999
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2046.1014 [GMT 11:00]

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Softex\OmniPass\OmniServ.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\LEXPPS.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxbccoms.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\PLFSetL.exe
C:\Program Files\Home Cinema\PowerDVD\PDVDServ.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Softex\OmniPass\opvapp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Telstra\Mobile Broadband Manager\TelstraUCM.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Launch Manager\WisLMSvc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Andrew\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.queens.unimelb.edu.au/qi
uSearch Bar = Preserve
uInternet Settings,ProxyServer = wwwproxy.unimelb.edu.au:8000
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101027161319.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [RemoteControl] "c:\program files\home cinema\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\home cinema\powerdvd\language\Language.exe"
mRun: [OmniPass] c:\program files\softex\omnipass\scureapp.exe
mRun: [ATSwpNav] "c:\program files\fingerprint sensor\ATSwpNav" -run
mRun: [LaunchAp] "c:\program files\launch manager\LaunchAp.exe"
mRun: [HotkeyApp] "c:\program files\launch manager\HotkeyApp.exe"
mRun: [LMgrOSD] "c:\program files\launch manager\OSD.exe"
mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [toolbar_eula_launcher] c:\program files\googleeula\EULALauncher.exe
mRun: [Skytel] Skytel.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [BigPondWirelessBroadbandCM] "c:\program files\telstra\mobile broadband manager\TelstraUCM.exe" -tsr
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 386840]
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [2007-10-2 210736]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-3-17 64304]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-3-17 164840]
R2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe -service --> c:\windows\system32\lxbccoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-17 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-17 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-17 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-17 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-3-17 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-3-17 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-3-17 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-17 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-17 152960]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-17 313288]
R3 WisLMSvc;WisLMSvc;c:\program files\launch manager\WisLMSvc.exe [2007-10-22 118784]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2007-10-16 13976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-14 135664]
S3 flash;flash;c:\windows\system32\drivers\flash.sys [2007-10-2 8064]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-22 21504]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-12-26 7168]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-17 52104]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-17 84264]
S3 PhilCap;NXP service;c:\windows\system32\drivers\PhilCap.sys [2007-10-2 908896]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2010-12-26 114688]

=============== Created Last 30 ================

2070-11-28 07:02:20 203576 ------w- c:\program files\microsoft games\age of empires iii\autopatcher2.exe
2010-12-26 07:13:07 -------- d-----w- c:\users\andrew\appdata\roaming\Sierra Wireless
2010-12-26 07:11:50 7168 ----a-w- c:\windows\system32\drivers\massfilter.sys
2010-12-26 07:11:50 114688 ----a-w- c:\windows\system32\drivers\ZTEusbnet.sys
2010-12-26 07:11:50 105856 ----a-w- c:\windows\system32\drivers\ZTEusbser6k.sys
2010-12-26 07:11:50 105856 ----a-w- c:\windows\system32\drivers\ZTEusbnmea.sys
2010-12-26 07:11:50 105856 ----a-w- c:\windows\system32\drivers\ZTEusbmdm6k.sys
2010-12-26 07:11:29 27072 ----a-w- c:\windows\system32\drivers\PCASp50.sys
2010-12-26 07:10:43 -------- d-----w- c:\program files\Telstra
2010-12-16 06:35:44 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-16 06:35:14 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-12-14 03:40:35 -------- d-sh--w- C:\$RECYCLE.BIN
2010-12-14 03:21:30 98816 ----a-w- c:\windows\sed.exe
2010-12-14 03:21:30 89088 ----a-w- c:\windows\MBR.exe
2010-12-14 03:21:30 256512 ----a-w- c:\windows\PEV.exe
2010-12-14 03:21:30 161792 ----a-w- c:\windows\SWREG.exe
2010-12-14 02:09:28 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-14 02:07:15 -------- d-----w- c:\progra~2\Hitman Pro
2010-12-13 13:04:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-13 13:04:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-13 13:04:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-13 04:34:04 129536 --sha-r- c:\users\andrew\appdata\roaming\devenum4.dll
2010-12-13 04:19:40 -------- d-----w- c:\progra~2\Sibelius Software
2010-12-13 04:15:51 -------- d-----w- c:\users\andrew\appdata\roaming\Sibelius Software
2010-12-13 04:13:30 -------- d-----w- c:\program files\Sibelius Software
2010-12-10 11:56:57 341256 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll

==================== Find3M ====================

2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 16:50:09.87 ===============

Attached Files



#4 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle Washington
  • Local time:02:15 PM

Posted 31 December 2010 - 01:04 PM

Hi ajfa

Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up.

Please do this.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista and Windows 7 users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log
Note: Do not mouse click combofix's window while its running. That may cause it to stall

If you are prompted to install the Recovery Console, Please do so.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!


unite_mo.jpg


My help is always free, But I do accept donations.
Donate Here


#5 ajfa

ajfa
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:15 AM

Posted 03 January 2011 - 09:45 AM

As requested, here is the combofix log.




ComboFix 11-01-02.04 - Andrew 04/01/2011 1:27.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2046.1187 [GMT 11:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
.

((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
.

2070-11-28 07:02 . 2006-11-21 09:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2011-01-03 14:38 . 2011-01-03 14:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-26 07:13 . 2010-12-26 07:13 -------- d-----w- c:\users\Andrew\AppData\Roaming\Sierra Wireless
2010-12-26 07:11 . 2010-01-26 23:46 105856 ----a-w- c:\windows\system32\drivers\ZTEusbser6k.sys
2010-12-26 07:11 . 2010-01-26 23:46 105856 ----a-w- c:\windows\system32\drivers\ZTEusbnmea.sys
2010-12-26 07:11 . 2010-01-26 23:46 105856 ----a-w- c:\windows\system32\drivers\ZTEusbmdm6k.sys
2010-12-26 07:11 . 2009-12-28 04:05 114688 ----a-w- c:\windows\system32\drivers\ZTEusbnet.sys
2010-12-26 07:11 . 2008-04-29 00:00 7168 ----a-w- c:\windows\system32\drivers\massfilter.sys
2010-12-26 07:11 . 2010-12-26 07:11 -------- d-----w- c:\program files\DIFX
2010-12-26 07:11 . 2010-05-03 01:18 27072 ----a-w- c:\windows\system32\drivers\PCASp50.sys
2010-12-26 07:10 . 2010-12-26 07:10 -------- d-----w- c:\program files\Telstra
2010-12-16 06:35 . 2010-10-28 13:20 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-16 06:35 . 2010-11-03 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-12-14 02:09 . 2010-12-19 05:46 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-14 02:07 . 2010-12-14 02:15 -------- d-----w- c:\programdata\Hitman Pro
2010-12-13 13:04 . 2010-11-29 06:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-13 13:04 . 2010-12-13 13:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-13 13:04 . 2010-11-29 06:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-13 04:34 . 2010-12-13 04:34 129536 --sha-r- c:\users\Andrew\AppData\Roaming\devenum4.dll
2010-12-13 04:19 . 2010-12-13 04:19 -------- d-----w- c:\programdata\Sibelius Software
2010-12-13 04:15 . 2010-12-13 04:21 -------- d-----w- c:\users\Andrew\AppData\Roaming\Sibelius Software
2010-12-13 04:13 . 2010-12-13 04:13 -------- d-----w- c:\program files\Sibelius Software
2010-12-10 11:56 . 2010-12-10 11:56 341256 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-13 11:28 . 2010-03-16 23:29 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-13 11:28 . 2010-03-16 23:29 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-13 11:28 . 2010-03-16 23:29 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-10-13 11:28 . 2010-03-16 23:29 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-13 11:28 . 2010-03-16 23:29 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-13 11:28 . 2010-03-16 23:29 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-13 11:28 . 2010-03-16 23:29 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-10-13 11:28 . 2010-03-16 23:29 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-10-13 11:28 . 2010-01-05 07:04 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-13 11:28 . 2010-01-05 07:04 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-19 4702208]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-31 102400]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"RemoteControl"="c:\program files\Home Cinema\PowerDVD\PDVDServ.exe" [2007-02-09 71216]
"LanguageShortcut"="c:\program files\Home Cinema\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2007-09-04 2560000]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2007-09-01 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2007-09-06 188416]
"LMgrOSD"="c:\program files\Launch Manager\OSD.exe" [2006-12-26 180224]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2007-09-06 86016]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-22 220160]
"toolbar_eula_launcher"="c:\program files\GoogleEULA\EULALauncher.exe" [2007-02-09 16896]
"Skytel"="Skytel.exe" [2007-08-03 1826816]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-27 570664]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"BigPondWirelessBroadbandCM"="c:\program files\Telstra\Mobile Broadband Manager\TelstraUCM.exe" [2010-05-14 4352408]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-11-20 608584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 135664]
R3 flash;flash;c:\windows\system32\drivers\flash.sys [2007-03-27 8064]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-04-29 7168]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]
R3 PhilCap;NXP service;c:\windows\system32\DRIVERS\PhilCap.sys [2007-07-31 908896]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [2009-12-28 114688]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-15 716272]
S0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\DRIVERS\Si3531.sys [2007-06-01 210736]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]
S2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe [2007-03-15 537520]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-13 141792]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]
S3 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [2007-09-11 118784]
S3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2006-11-17 13976]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2011-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 11:09]

2011-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 11:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.queens.unimelb.edu.au/qi
uInternet Settings,ProxyServer = wwwproxy.unimelb.edu.au:8000
uInternet Settings,ProxyOverride = *.local
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-04 01:38
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
"MSCurrentCountry"=dword:00000009

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5720)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Softex\OmniPass\SCUREDLL.dll
.
Completion time: 2011-01-04 01:42:08
ComboFix-quarantined-files.txt 2011-01-03 14:41
ComboFix2.txt 2010-12-14 03:41

Pre-Run: 43,181,531,136 bytes free
Post-Run: 42,847,571,968 bytes free

- - End Of File - - 53211937858FC6C997F3CA80A1713FBD

#6 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle Washington
  • Local time:02:15 PM

Posted 03 January 2011 - 09:42 PM

Hi ajfa
This is from the 2nd time you ran Combofix.

I need to see the first log from the first time you ran it.

Please go to C:\Qoobox folder and open the folder, look for ComboFix2.txt open that txt file and copy and paste it in this thread.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!


unite_mo.jpg


My help is always free, But I do accept donations.
Donate Here


#7 ajfa

ajfa
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:15 AM

Posted 04 January 2011 - 09:14 AM

Here you go.

Cheers.


ComboFix 10-12-13.02 - Andrew 14/12/2010 14:24:48.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2046.1207 [GMT 11:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
.

((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))
.

2070-11-28 07:02 . 2006-11-21 09:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2010-12-14 03:36 . 2010-12-14 03:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-14 02:09 . 2010-12-14 02:50 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-14 02:07 . 2010-12-14 02:15 -------- d-----w- c:\programdata\Hitman Pro
2010-12-13 13:04 . 2010-11-29 06:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-13 13:04 . 2010-12-13 13:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-13 13:04 . 2010-11-29 06:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-13 04:34 . 2010-12-13 04:34 129536 --sha-r- c:\users\Andrew\AppData\Roaming\devenum4.dll
2010-12-13 04:19 . 2010-12-13 04:19 -------- d-----w- c:\programdata\Sibelius Software
2010-12-13 04:15 . 2010-12-13 04:21 -------- d-----w- c:\users\Andrew\AppData\Roaming\Sibelius Software
2010-12-13 04:13 . 2010-12-13 04:13 -------- d-----w- c:\program files\Sibelius Software
2010-12-10 11:56 . 2010-12-10 11:56 341256 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-11-30 08:38 . 2010-11-30 08:38 -------- d-----w- c:\program files\iPod
2010-11-30 08:38 . 2010-11-30 08:39 -------- d-----w- c:\program files\iTunes
2010-11-24 00:00 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-13 11:28 . 2010-03-16 23:29 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-13 11:28 . 2010-03-16 23:29 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-13 11:28 . 2010-03-16 23:29 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-10-13 11:28 . 2010-03-16 23:29 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-13 11:28 . 2010-03-16 23:29 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-13 11:28 . 2010-03-16 23:29 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-13 11:28 . 2010-03-16 23:29 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-10-13 11:28 . 2010-03-16 23:29 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-10-13 11:28 . 2010-01-05 07:04 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-13 11:28 . 2010-01-05 07:04 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-16 39408]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-01-17 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-19 4702208]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-31 102400]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"RemoteControl"="c:\program files\Home Cinema\PowerDVD\PDVDServ.exe" [2007-02-09 71216]
"LanguageShortcut"="c:\program files\Home Cinema\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2007-09-04 2560000]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2007-09-01 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2007-09-06 188416]
"LMgrOSD"="c:\program files\Launch Manager\OSD.exe" [2006-12-26 180224]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2007-09-06 86016]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-22 220160]
"toolbar_eula_launcher"="c:\program files\GoogleEULA\EULALauncher.exe" [2007-02-09 16896]
"Skytel"="Skytel.exe" [2007-08-03 1826816]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"autodetect"="c:\windows\system32\SupportAppXL\AutoDect.exe" [2008-06-10 98304]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-27 570664]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-11-20 608584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 135664]
R3 flash;flash;c:\windows\system32\drivers\flash.sys [2007-03-27 8064]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]
R3 PhilCap;NXP service;c:\windows\system32\DRIVERS\PhilCap.sys [2007-07-31 908896]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\DRIVERS\Si3531.sys [2007-06-01 210736]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-15 716272]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]
S2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe [2007-03-15 537520]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-13 141792]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-12-14 16968]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]
S3 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [2007-09-11 118784]
S3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2006-11-17 13976]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - HITMANPRO35
*NewlyCreated* - KLMD25
*Deregistered* - klmd25
*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 11:09]

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 11:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.queens.unimelb.edu.au/qi
uInternet Settings,ProxyServer = wwwproxy.unimelb.edu.au:8000
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKLM-Run-snp2uvc - c:\windows\vsnp2uvc.exe
HKLM-Run-CtrlVol - c:\program files\Launch Manager\CtrlVol.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
AddRemove-Phat Chord Voicings Chapter 1 - Full Versionv. 4.0 - c:\users\Andrew\Desktop\Uninstall\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-14 14:38
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
"MSCurrentCountry"=dword:00000009

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(312)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Softex\OmniPass\SCUREDLL.dll
.
Completion time: 2010-12-14 14:41:52
ComboFix-quarantined-files.txt 2010-12-14 03:41

Pre-Run: 44,390,727,680 bytes free
Post-Run: 46,400,233,472 bytes free

- - End Of File - - 58B8EA59FDF46D3C6D77EB52EC7473BA

#8 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle Washington
  • Local time:02:15 PM

Posted 04 January 2011 - 10:04 PM

Hi ajfa
Thanks for that log.

OK please do the following.

Upload a File to Virustotal
Please visit Virustotal
  • Click the Browse... button
  • Navigate to the file c:\windows\system32\drivers\flash.sys
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.

Now this.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Posted Image
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

http://www.bleepingcomputer.com/forums/topic368256.html/page__pid__2080228#entry2080228
Collect::
c:\users\Andrew\AppData\Roaming\devenum4.dll

Please post the Combofix log and the VirusTotal results.

Thanks
maranatha

Edited by maranatha, 04 January 2011 - 10:05 PM.

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!


unite_mo.jpg


My help is always free, But I do accept donations.
Donate Here


#9 ajfa

ajfa
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:15 AM

Posted 05 January 2011 - 08:09 AM

Hi again. I did as you asked, and I manually submitted (i had disconnected my internet to run combofix, so autosubmit failed) the file to the bleeping computer website for further analysis

Firstly, below is the most information I could squeeze out of the virus total website:

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:
MD5: af9c417c8f6c8bf4411cb601df318c07
Date first seen: 2009-03-10 22:53:19 (UTC)
Date last seen: 2010-11-27 00:19:17 (UTC)
Detection ratio: 0/43


Antivirus Version Last Update Result
AhnLab-V3 2011.01.05.00 2011.01.04 -
AntiVir 7.11.1.29 2011.01.05 -
Antiy-AVL 2.0.3.7 2011.01.05 -
Avast 4.8.1351.0 2011.01.05 -
Avast5 5.0.677.0 2011.01.05 -
AVG 9.0.0.851 2011.01.05 -
BitDefender 7.2 2011.01.05 -
CAT-QuickHeal 11.00 2011.01.05 -
ClamAV 0.96.4.0 2011.01.05 -
Command 5.2.11.5 2011.01.05 -
Comodo 7300 2011.01.05 -
DrWeb 5.0.2.03300 2011.01.05 -
Emsisoft 5.1.0.1 2011.01.05 -
eSafe 7.0.17.0 2011.01.02 -
eTrust-Vet 36.1.8082 2011.01.05 -
F-Prot 4.6.2.117 2011.01.05 -
F-Secure 9.0.16160.0 2011.01.05 -
Fortinet 4.2.254.0 2011.01.05 -
GData 21 2011.01.05 -
Ikarus T3.1.1.90.0 2011.01.05 -
Jiangmin 13.0.900 2011.01.05 -
K7AntiVirus 9.75.3435 2011.01.04 -
Kaspersky 7.0.0.125 2011.01.05 -
McAfee 5.400.0.1158 2011.01.05 -
McAfee-GW-Edition 2010.1C 2011.01.05 -
Microsoft 1.6402 2011.01.05 -
NOD32 5761 2011.01.05 -
Norman 6.06.12 2011.01.03 -
nProtect 2011-01-05.01 2011.01.05 -
Panda 10.0.2.7 2011.01.04 -
PCTools 7.0.3.5 2011.01.04 -
Prevx 3.0 2011.01.05 -
Rising 22.81.02.03 2011.01.05 -
Sophos 4.60.0 2011.01.05 -
SUPERAntiSpyware 4.40.0.1006 2011.01.05 -
Symantec 20101.3.0.103 2011.01.05 -
TheHacker 6.7.0.1.110 2011.01.03 -
TrendMicro 9.120.0.1004 2011.01.05 -
TrendMicro-HouseCall 9.120.0.1004 2011.01.05 -
VBA32 3.12.14.2 2011.01.04 -
VIPRE 7961 2011.01.05 -
ViRobot 2011.1.5.4238 2011.01.05 -
VirusBuster 13.6.127.0 2011.01.04 -
Additional informationShow all
MD5 : af9c417c8f6c8bf4411cb601df318c07
SHA1 : c9ea724a8e06aed8429342f6f7247105bdb18ee0
SHA256: ce944de69a7e3b40577ecc16ab6e5bd3c2a15a4c2299f0906c9c6adddd482913
ssdeep: 48:6/mss6iEMN4dzChppRLlyZzdf1aBqfkMK5uu2Od8iLPPs2fuu25hHL+bpHRrK91g:os6iEMNACXLQFYcfkH8ca811Q
File size : 8064 bytes
First seen: 2009-03-10 22:53:19
Last seen : 2011-01-05 12:33:56
TrID: Generic Win/DOS Executable (49.9%)DOS Executable Generic (49.8%)Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck: publisher....: n/acopyright....: n/aproduct......: n/adescription..: n/aoriginal name: n/ainternal name: n/afile version.: n/acomments.....: n/asigners......: -signing date.: -verified.....: Unsigned
PEInfo: PE structure information[[ basic data ]]entrypointaddress: 0x2C0timedatestamp....: 0x437C3300 (Thu Nov 17 07:36:32 2005)machinetype......: 0x14c (I386)[[ 5 section(s) ]]name, viradd, virsiz, rawdsiz, ntropy, md5.text, 0x280, 0x18CB, 0x1900, 2.99, 734b108c1fe883319e4ae6ef80e8d511.rdata, 0x1B80, 0x8A, 0x100, 3.11, b570891dc18a943d9602b7152a2dcd25.data, 0x1C80, 0xC0, 0x100, 1.75, 0622cfc8174e4f913ea28ceaf840bb67INIT, 0x1D80, 0xE8, 0x100, 4.18, f6145db0a5380f78d1065b6e8a3855a0.reloc, 0x1E80, 0xB4, 0x100, 3.93, 6f590e8fb54cd41fc5a44b8484aa6af6[[ 1 import(s) ]]ntoskrnl.exe: IoCreateSymbolicLink, IoCreateDevice, RtlInitUnicodeString, IoDeleteSymbolicLink, IofCompleteRequest, MmMapIoSpace, IoDeleteDevice






Following is the latest combofix log having dragged and dropped the .txt file:






ComboFix 11-01-02.04 - Andrew 05/01/2011 23:40:47.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2046.1128 [GMT 11:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\users\Andrew\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

file zipped: c:\users\Andrew\AppData\Roaming\devenum4.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Andrew\AppData\Roaming\devenum4.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
.

2070-11-28 07:02 . 2006-11-21 09:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2011-01-05 12:51 . 2011-01-05 12:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-26 07:13 . 2010-12-26 07:13 -------- d-----w- c:\users\Andrew\AppData\Roaming\Sierra Wireless
2010-12-26 07:11 . 2010-01-26 23:46 105856 ----a-w- c:\windows\system32\drivers\ZTEusbser6k.sys
2010-12-26 07:11 . 2010-01-26 23:46 105856 ----a-w- c:\windows\system32\drivers\ZTEusbnmea.sys
2010-12-26 07:11 . 2010-01-26 23:46 105856 ----a-w- c:\windows\system32\drivers\ZTEusbmdm6k.sys
2010-12-26 07:11 . 2009-12-28 04:05 114688 ----a-w- c:\windows\system32\drivers\ZTEusbnet.sys
2010-12-26 07:11 . 2008-04-29 00:00 7168 ----a-w- c:\windows\system32\drivers\massfilter.sys
2010-12-26 07:11 . 2010-12-26 07:11 -------- d-----w- c:\program files\DIFX
2010-12-26 07:11 . 2010-05-03 01:18 27072 ----a-w- c:\windows\system32\drivers\PCASp50.sys
2010-12-26 07:10 . 2010-12-26 07:10 -------- d-----w- c:\program files\Telstra
2010-12-16 06:35 . 2010-10-28 13:20 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-16 06:35 . 2010-11-03 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-12-14 02:09 . 2010-12-19 05:46 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-14 02:07 . 2010-12-14 02:15 -------- d-----w- c:\programdata\Hitman Pro
2010-12-13 13:04 . 2010-11-29 06:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-13 13:04 . 2010-12-13 13:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-13 13:04 . 2010-11-29 06:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-13 04:19 . 2010-12-13 04:19 -------- d-----w- c:\programdata\Sibelius Software
2010-12-13 04:15 . 2010-12-13 04:21 -------- d-----w- c:\users\Andrew\AppData\Roaming\Sibelius Software
2010-12-13 04:13 . 2010-12-13 04:13 -------- d-----w- c:\program files\Sibelius Software
2010-12-10 11:56 . 2010-12-10 11:56 341256 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-13 11:28 . 2010-03-16 23:29 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-13 11:28 . 2010-03-16 23:29 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-13 11:28 . 2010-03-16 23:29 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-10-13 11:28 . 2010-03-16 23:29 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-13 11:28 . 2010-03-16 23:29 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-13 11:28 . 2010-03-16 23:29 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-13 11:28 . 2010-03-16 23:29 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-10-13 11:28 . 2010-03-16 23:29 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-10-13 11:28 . 2010-01-05 07:04 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-13 11:28 . 2010-01-05 07:04 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-19 4702208]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-31 102400]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"RemoteControl"="c:\program files\Home Cinema\PowerDVD\PDVDServ.exe" [2007-02-09 71216]
"LanguageShortcut"="c:\program files\Home Cinema\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2007-09-04 2560000]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2007-09-01 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2007-09-06 188416]
"LMgrOSD"="c:\program files\Launch Manager\OSD.exe" [2006-12-26 180224]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2007-09-06 86016]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-22 220160]
"toolbar_eula_launcher"="c:\program files\GoogleEULA\EULALauncher.exe" [2007-02-09 16896]
"Skytel"="Skytel.exe" [2007-08-03 1826816]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-27 570664]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"BigPondWirelessBroadbandCM"="c:\program files\Telstra\Mobile Broadband Manager\TelstraUCM.exe" [2010-05-14 4352408]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-11-20 608584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 135664]
R3 flash;flash;c:\windows\system32\drivers\flash.sys [2007-03-27 8064]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-04-29 7168]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]
R3 PhilCap;NXP service;c:\windows\system32\DRIVERS\PhilCap.sys [2007-07-31 908896]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [2009-12-28 114688]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-15 716272]
S0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\DRIVERS\Si3531.sys [2007-06-01 210736]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]
S2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe [2007-03-15 537520]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-13 141792]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]
S3 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [2007-09-11 118784]
S3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2006-11-17 13976]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - CFCATCHME
*Deregistered* - CFcatchme
*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 11:09]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 11:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.queens.unimelb.edu.au/qi
uInternet Settings,ProxyServer = wwwproxy.unimelb.edu.au:8000
uInternet Settings,ProxyOverride = *.local
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-05 23:52
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
"MSCurrentCountry"=dword:00000009

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-01-05 23:54:57
ComboFix-quarantined-files.txt 2011-01-05 12:54
ComboFix2.txt 2011-01-03 14:42
ComboFix3.txt 2010-12-14 03:41

Pre-Run: 47,415,472,128 bytes free
Post-Run: 47,381,102,592 bytes free

- - End Of File - - 944CC5C8C41434A3236C188E8EE668C5


Thanks so much,

Andrew

#10 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle Washington
  • Local time:02:15 PM

Posted 05 January 2011 - 08:23 AM

Hi
OK thanks for submitting that.

Lets get an on line scan. Please do the following.

Download ATF Cleaner by Atribune and save it to your Desktop.
This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Java Cache
Recycle bin


The rest are optional - if you want it to remove everything check "Select All".


Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
Close ATF Cleaner

Please Run the ESET Online Scanner and post the Scan Log..
  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Click on the ESET on line scanner button.
  • Check the YES, I accept the Terms of Use box. And click “Start”
    If your Pop=up blocker comes up, please allow the Add-ON
  • Be sure the option to Remove found threats is Un-checked and click Start.
  • When you have completed that scan, a scan log ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!


unite_mo.jpg


My help is always free, But I do accept donations.
Donate Here


#11 ajfa

ajfa
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:15 AM

Posted 06 January 2011 - 12:45 AM

Hi,

I ran the ATF cleaner with no problems, but the ESET online scan wouldn't run. I disabled my McAfee and turned off the Internet Explorer popup blocker. When I said I accepted the terms of use and pressed 'Start', the next window that popped up had a small icon in the top left corner that turned into a red x. The page didn't load any further.

#12 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle Washington
  • Local time:02:15 PM

Posted 06 January 2011 - 09:54 PM

Hi
OK lets try this one.

Please do an online scan with Kaspersky WebScanner Using Internet Explorer Browser.

It's best to disable real time protection applications as they sometimes interfere with the scan.
Check this link for any applicable programs you may have.

Click on Accept, If your pop up blocker blocks any windows from opening.

Read then Click Accept on the Information page.
Windows Vista users you must open the web browser using the Run as Administrator command.
  • The program will launch and then begin downloading the latest definition files:
  • Under Scan on the left side, Click on My Computer
  • This will start the program and scan your system.
  • Click the “Scan Report” On the left side.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.:
  • Save the text file to your desktop.
  • Copy and paste that information in your next post.

Please post the Kaspersky results.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!


unite_mo.jpg


My help is always free, But I do accept donations.
Donate Here


#13 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle Washington
  • Local time:02:15 PM

Posted 08 January 2011 - 09:42 PM

Hi
You still with me here?

maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!


unite_mo.jpg


My help is always free, But I do accept donations.
Donate Here


#14 ajfa

ajfa
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:15 AM

Posted 08 January 2011 - 11:24 PM

Yes I am sorry. Just been trying feverishly to get either of the online scanners to work. I couldn't fully download all the updates to Kaspersky, but in the end I got ESET to work. However, I cannot find the log file in the directory you indicated. Perhaps because I elected to uninstall after the scan was complete? At any rate, no threats were detected. Would you like me to reinstall and run the scan one more time in order to post the log?

#15 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle Washington
  • Local time:02:15 PM

Posted 09 January 2011 - 11:36 AM

Hi

Would you like me to reinstall and run the scan one more time

No thats OK.

I would like to see one more new DDS log if you would.

Please let me know how everything running?

thanks
maranatha

Edited by maranatha, 09 January 2011 - 11:38 AM.

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!


unite_mo.jpg


My help is always free, But I do accept donations.
Donate Here





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users