Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Unknown Virus/problem, Fire walls and antivirus keeps turning off.

  • This topic is locked This topic is locked
4 replies to this topic

#1 questrage77


  • Members
  • 2 posts
  • Gender:Male
  • Local time:01:58 PM

Posted 31 December 2010 - 03:07 PM

I have gotten some type of malware issue that is very sneaky. I get McAfee and Norton full versions from the Army and neither has caught it (McAfee is the currently in use). Windows defender is defensless. I have observed that it is cutting off parts of my antivirus protection and most importantly my firewalls, both MS defender and McAfee. I am also having problems with my hotmail account involuntarily emailing my address book, probably sharing the love. It is blowing up mine and friends accounts wrecklessly. I am suspisious that they are related and it is knocking down the firewall to do the dirty deed. This thing is pretty slick, even the GMER didnt catch anyting (most of the boxes were not checked they were not optional).

DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Flash at 12:28:29.03 on Fri 12/31/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6069.3788 [GMT -6:00]

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Clearwire\Connection Manager\DeviceLaunchSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe
C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://asus.msn.com
uDefault_Page_URL = hxxp://asus.msn.com
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: ooVoo Video Chat Toolbar: {e5a1e26f-0d1d-4307-868f-fbd9a374ab54} - C:\Program Files (x86)\ooVoo_Video_Chat\tbooV0.dll
mURLSearchHooks: ooVoo Video Chat Toolbar: {e5a1e26f-0d1d-4307-868f-fbd9a374ab54} - C:\Program Files (x86)\ooVoo_Video_Chat\tbooV0.dll
mWinlogon: Userinit=userinit.exe
BHO: PE_IE_Helper Class: {0941c58f-e461-4e03-bd7d-44c27392ade1} - C:\Program Files (x86)\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20101225232708.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: ooVoo Video Chat Toolbar: {e5a1e26f-0d1d-4307-868f-fbd9a374ab54} - C:\Program Files (x86)\ooVoo_Video_Chat\tbooV0.dll
TB: ooVoo Video Chat Toolbar: {e5a1e26f-0d1d-4307-868f-fbd9a374ab54} - C:\Program Files (x86)\ooVoo_Video_Chat\tbooV0.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
Trusted Zone: state.tx.us\myoffice.agd
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101225232708.dll
BHO-X64: scriptproxy - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {E5A1E26F-0D1D-4307-868F-FBD9A374AB54} - No File
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [(Default)]

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2010-12-25 529128]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-3-10 55280]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\System32\drivers\mfenlfk.sys [2010-12-25 75032]
R1 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2010-12-25 283360]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 ac.sharedstore;ActivIdentity Shared Store Service;C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-6-3 277032]
R2 AFBAgent;AFBAgent;C:\Windows\System32\FBAgent.exe [2010-3-10 379520]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-12-17 202752]
R2 ASMMAP64;ASMMAP64;C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-7-2 15416]
R2 McMPFSvc;McAfee Personal Firewall Service;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-12-25 355440]
R2 McNaiAnn;McAfee VirusScan Announcer;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-12-25 355440]
R2 McProxy;McAfee Proxy Service;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-12-25 355440]
R2 McShield;McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2010-12-25 200056]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2010-12-25 245352]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2010-12-25 149032]
R2 SMSI Device Launch Service;Clearwire Device Launch Service;C:\Program Files (x86)\Clearwire\Connection Manager\DeviceLaunchSvc.exe [2010-6-9 107856]
R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\System32\drivers\TurboB.sys [2009-8-6 13784]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-3-10 2314240]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\System32\drivers\cfwids.sys [2010-12-25 62800]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-3-10 56344]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2010-12-6 76912]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2010-12-25 190136]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2010-12-25 441328]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
S3 AmUStor;AM USB Stroage Driver;C:\Windows\System32\drivers\AmUStor.sys [2009-8-21 44032]
S3 bcm;WiMAX Network Adapter;C:\Windows\System32\drivers\drxvi314_64.sys [2010-3-26 359040]
S3 bcmbusctr;WiMAX Bus Driver;C:\Windows\System32\drivers\BcmBusCtr_64.sys [2010-3-26 62976]
S3 CACLEARWIRE;Clearwire Con App Svc;C:\Program Files (x86)\Clearwire\Connection Manager\ConAppsSvc.exe [2010-6-9 124240]
S3 clearwireDeviceDiagnosticsService;Clearwire Device Diagnostics Service;C:\Program Files (x86)\Clearwire\Connection Manager\clearwireDeviceDiagnosticsService.exe [2010-4-19 399872]
S3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;C:\Program Files (x86)\Clearwire\Connection Manager\RcAppSvc.exe [2010-6-9 120144]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-3-10 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-3-10 79360]
S3 GemCCID;GemCCID;C:\Windows\System32\drivers\GemCCID.sys [2009-8-10 119680]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2010-12-25 94864]
S3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;C:\Windows\System32\PCTINDIS5X64.sys [2010-6-9 43032]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\System32\drivers\SiSG664.sys [2009-6-10 56832]
S3 TurboBoost;TurboBoost;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2009-8-6 118672]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-9-28 51712]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-5-14 1255736]

=============== Created Last 30 ================

2010-12-31 08:51:18 8199504 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{3F8FA777-2D8F-46BA-9AEC-535B358A696C}\mpengine.dll
2010-12-26 05:27:14 -------- d-----w- C:\Program Files\McAfee.com
2010-12-26 05:27:08 9984 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys
2010-12-26 05:26:54 149032 ----a-w- C:\Windows\System32\mfevtps.exe
2010-12-26 05:26:53 94864 ----a-w- C:\Windows\System32\drivers\mferkdet.sys
2010-12-26 05:26:53 75032 ----a-w- C:\Windows\System32\drivers\mfenlfk.sys
2010-12-26 05:26:53 62800 ----a-w- C:\Windows\System32\drivers\cfwids.sys
2010-12-26 05:26:53 529128 ----a-w- C:\Windows\System32\drivers\mfehidk.sys
2010-12-26 05:26:53 441328 ----a-w- C:\Windows\System32\drivers\mfefirek.sys
2010-12-26 05:26:53 283360 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys
2010-12-26 05:26:53 190136 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys
2010-12-26 05:26:53 121248 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys
2010-12-23 16:25:43 -------- d-----w- C:\Program Files\iTunes
2010-12-23 16:25:43 -------- d-----w- C:\Program Files\iPod
2010-12-19 16:48:04 -------- d-----w- C:\Program Files\McAfee
2010-12-19 16:48:04 -------- d-----w- C:\Program Files (x86)\Common Files\McAfee
2010-12-19 16:48:03 -------- d-----w- C:\Program Files\Common Files\McAfee
2010-12-19 16:48:02 -------- d-----w- C:\Program Files (x86)\McAfee.com
2010-12-19 16:48:01 -------- d-----w- C:\Program Files (x86)\McAfee
2010-12-18 18:09:47 -------- d-----w- C:\Users\Flash\AppData\Local\Yahoo
2010-12-18 16:31:13 -------- d-----w- C:\Program Files (x86)\Yahoo!
2010-12-18 15:47:27 -------- d-----w- C:\Users\Flash\AppData\Roaming\KodakCredentialStore
2010-12-16 23:00:00 1013248 ----a-w- C:\Program Files\Internet Explorer\iedvtool.dll
2010-12-16 17:24:27 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-12-16 17:23:59 395776 ----a-w- C:\Windows\System32\webio.dll
2010-12-16 17:23:59 314368 ----a-w- C:\Windows\SysWow64\webio.dll
2010-12-16 17:23:57 516096 ----a-w- C:\Program Files (x86)\Windows Mail\wab.exe
2010-12-16 17:23:56 516096 ----a-w- C:\Program Files\Windows Mail\wab.exe
2010-12-16 17:23:56 35328 ----a-w- C:\Program Files\Windows Mail\wabfind.dll
2010-12-16 17:23:54 112000 ----a-w- C:\Windows\System32\consent.exe
2010-12-09 13:56:41 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2010-12-09 13:56:41 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2010-12-09 13:56:41 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2010-12-09 13:56:41 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2010-12-09 13:56:41 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2010-12-09 13:56:41 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2010-12-09 13:56:41 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2010-12-07 04:58:05 76912 ----a-w- C:\Windows\System32\drivers\L1C62x64.sys

==================== Find3M ====================

2010-12-31 11:10:44 45056 ----a-w- C:\Windows\System32\acovcnt.exe
2010-11-29 23:38:30 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2010-11-04 06:35:53 1194496 ----a-w- C:\Windows\System32\wininet.dll
2010-11-04 06:31:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-11-04 05:52:17 978944 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-11-04 05:16:14 482816 ----a-w- C:\Windows\System32\html.iec
2010-11-04 04:41:26 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-11-04 04:35:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-11-04 04:08:54 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-11-02 05:18:17 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2010-11-02 05:17:38 473600 ----a-w- C:\Windows\System32\taskcomp.dll
2010-11-02 05:17:38 1169408 ----a-w- C:\Windows\System32\taskschd.dll
2010-11-02 05:16:53 1114624 ----a-w- C:\Windows\System32\schedsvc.dll
2010-11-02 05:10:47 464384 ----a-w- C:\Windows\System32\taskeng.exe
2010-11-02 05:10:32 285696 ----a-w- C:\Windows\System32\schtasks.exe
2010-11-02 04:40:36 496128 ----a-w- C:\Windows\SysWow64\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- C:\Windows\SysWow64\taskcomp.dll
2010-11-02 04:34:44 192000 ----a-w- C:\Windows\SysWow64\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- C:\Windows\SysWow64\schtasks.exe
2010-10-27 05:06:22 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-10-20 05:20:01 46080 ----a-w- C:\Windows\System32\atmlib.dll
2010-10-20 04:54:18 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2010-10-20 03:09:15 3124224 ----a-w- C:\Windows\System32\win32k.sys
2010-10-20 03:05:46 367104 ----a-w- C:\Windows\System32\atmfd.dll
2010-10-20 02:58:41 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2010-10-19 16:41:44 270720 ------w- C:\Windows\System32\MpSigStub.exe

============= FINISH: 12:29:09.63 ===============


DDS (Ver_10-12-12.02)

Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 5/7/2010 10:06:05 AM
System Uptime: 12/30/2010 7:06:19 PM (17 hours ago)

Motherboard: ASUSTeK Computer Inc. | | G73Jh
Processor: Intel® Core™ i7 CPU Q 720 @ 1.60GHz | Socket 989 | 1600/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 446 GiB total, 381.392 GiB free.
E: is CDROM ()
G: is FIXED (FAT32) - 466 GiB total, 236.96 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP121: 12/18/2010 9:38:00 AM - Windows Backup
RP122: 12/19/2010 8:06:25 AM - Windows Backup
RP123: 12/19/2010 8:09:19 AM - Removed ooVoo
RP124: 12/19/2010 8:13:50 AM - Removed Skype™ 4.2
RP125: 12/19/2010 8:33:21 AM - Removed Symantec Endpoint Protection.
RP126: 12/19/2010 8:48:18 AM - Installed Microsoft Fix it 50362
RP127: 12/19/2010 7:00:10 PM - Windows Backup
RP128: 12/26/2010 7:00:09 PM - Windows Backup
RP129: 12/31/2010 2:51:01 AM - Windows Update
RP130: 12/31/2010 11:22:41 AM - Windows Backup

==== Installed Programs ======================

Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.1 MUI
Alcor Micro USB Card Reader
Apple Application Support
Apple Software Update
ApproveIt Desktop
ASUS AI Recovery
ASUS FancyStart
ASUS LifeFrame3
ASUS Live Update
ASUS SmartLogon
ASUS Splendid Video Enhancement Technology
ASUS Virtual Camera
ASUS_Notebook_G73 Screen Saver
ATK Package
Best Buy Software Installer
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Citrix Presentation Server Client - Web Only
Compatibility Pack for the 2007 Office system
Creative MediaSource 5
Express Gate
IBM Lotus Forms Viewer 3.5.1
Intel® Management Engine Components
J2SE Runtime Environment 5.0 Update 9
Java Auto Updater
Java™ 6 Update 20
Junk Mail filter update
Kodak EasyShare software
McAfee AntiVirus Plus
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
MSXML 4.0 SP3 Parser (KB973685)
NVIDIA PhysX v8.10.29
ooVoo_Video_Chat Toolbar
Realtek High Definition Audio Driver
Roxio Burn
Roxio Roxio Burn
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Sound Blaster Audigy HD
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Outlook 2007 Junk Email Filter (KB2466076)
VLC media player 1.1.3
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Wireless Console 3
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

12/31/2010 6:25:35 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer PEACHCEDAR that believes that it is the master browser for the domain on transport NetBT_Tcpip_{9465DDAE-9272-41C5-ABA3-CC388B2BA4E8}. The master browser is stopping or an election is being forced.
12/31/2010 5:55:08 AM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address The computer with the IP address did not allow the name to be claimed by this computer.
12/30/2010 9:42:59 PM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address The computer with the IP address did not allow the name to be claimed by this computer.
12/30/2010 8:46:09 PM, Error: BROWSER [8009] - The browser was unable to promote itself to master browser. The computer that currently believes it is the master browser is PEACHCEDAR.
12/30/2010 3:23:43 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
12/30/2010 10:09:52 PM, Error: Tcpip [4199] - The system detected an address conflict for IP address with the system having network hardware address C4-17-FE-D7-41-36. Network operations on this system may be disrupted as a result.
12/25/2010 2:44:57 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.
12/25/2010 2:40:15 PM, Error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/24/2010 3:17:43 AM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address The computer with the IP address did not allow the name to be claimed by this computer.

==== End Of File ===========================

BC AdBot (Login to Remove)


#2 rigacci



  • Members
  • 2,604 posts
  • Gender:Male
  • Local time:05:28 AM

Posted 07 January 2011 - 09:29 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



#3 questrage77

  • Topic Starter

  • Members
  • 2 posts
  • Gender:Male
  • Local time:01:58 PM

Posted 10 January 2011 - 02:46 PM

same problem as above here is the updated logs. When i ran the GMER again i still got a message that it did not find anything.

Attached Files

#4 schrauber



  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:10:28 AM

Posted 11 January 2011 - 12:03 PM

Hello, questrage77
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to <schrauber> before saving it to your desktop.

Link 1
Link 2


Double click on the renamed Combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:

Please download Rootkit Unhooker from one of the following links and save it to your desktop. Link 1 (.exe file) Link 2 (zipped file) Link 3 (.rar file) In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.
  • Double-click on RKUnhookerLE.exe to start the program. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#5 schrauber



  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:10:28 AM

Posted 16 January 2011 - 11:44 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users