XP System Restore Lingering After Effects


  • This topic is locked
12 replies to this topic

#1 Foglight

  • Members
  • 52 posts
  • Gender:Male
  • Location:SE michigan

Posted 26 June 2011 - 07:55 PM

I had already started a thread on 19 June 2011 , here, where I received a lot of guidance and help and my machine seemed to be back ( almost ) to normal ...

The only thing I knew was still wrong at that point was that I still had no sound, but felt I could deal with that on my own.

And so I began trying to get my sound back. Early on I determined that I had no system sounds like beeps and such, the VolCtrl icon would not display in the task bar when enabled in Control Panel, but I did have sound for movies and such played through videoLan, but no sound when viewing YouTube videos via Flash 10 ...

In the process of looking into what others had done for the same issue , I eventually ended up re-installing my sound drivers , which was where I think I made an unfortunate mistake -- I allowed the wizard to find the drivers , instead of reinstalling from my product disc ... the wizard found some drivers cached ( I guess ) from an earlier install and used them ...

This is where I believe I got re-infected with something ... I ran a McAfee full scan right away and it did indeed find and quarantine what it called two 'trojans', one being 'NirCmd' and the other having something to do with AdWare ... I told McAfee to delete them and then things seemed ok with my system again , except for some kind of exception that got thrown on the next two reboots involving GDI something or other ... these aren't happening anymore on reboot.

So, I continued trying to get my Flash sound restored and finally stumbled on the fix.

Apparently in the initial incident of the 'XP System Restore' attack on the morning of June 13th, the malware went in and altered the security permission of this key :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32

so that neither my own logon ID or the Administrator ID had permission to use them ... this is where the 'wavemapper' entry is for Macromedia sound playback ... once this was fixed by placing my own login ID back in the allowed permissions list the 'Volume Icon' popped on in the taskbar , and I got my YouTube sound back ...

But , then I got to thinking - "What other permissions in my registry were altered at the time of this attack ?"

Next , I discovered that although the 'UnHide' tool available on this site was used with apparent success in the course of the help I received in the first thread, referred to above, it only appeared to work on the surface -- what I mean is that although my program groups and entries were once again visible in the 'Start' list , it turns out that almost ( but not all , strangely enough ) of the program groups were empty , like Microsoft Office for instance , among many , many others ...

So, I figured I would just put all the shortcuts back in by hand , and that is when I found out that not only were the permissions of keys in my registry altered , but so also were the permissions for the start folder and program groups folders altered ... they are ALL write protected , and I can't turn the write protection off ...

I really didn't try all that hard to fix the permissions on the start folders , because I have a funny feeling that who knows how many other system folder and file permissions have been altered as well ?

So, that's when I made up my mind to come back here for more help , admitting total defeat once again ...

There are two main issues on my mind which are the reason for this post - (1) Is my machine still infected with something ? , and (2) Is there a ready made tool which can be run to restore ** ALL ** registry and system folder and file permissions to their 'default' states ?

Finally , I know that maybe this post should logically be tailed onto the first thread referred to above , but it has been locked , and so I made a new thread. I would understand , and even agree that this post might better serve the community by being appended onto the end of my first thread.

Whatever the admins decide will make sense, I am sure.

((((((((((((((((((((((((((((((((((( Logs now to follow )))))))))))))))))))))))))))))))))))))))))

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by gLee at 14:03:21 on 2011-06-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.434 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
D:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
D:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
D:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
D:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
D:\WINDOWS\system32\CTHELPER.EXE
D:\WINDOWS\system32\CTXFIHLP.EXE
D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
D:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\USBStorage\USBDetector.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\WINDOWS\SYSTEM32\CTXFISPI.EXE
D:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
D:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
D:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
D:\WINDOWS\system32\taskmgr.exe
d:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
D:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = https://login.yahoo.com/config/mail?.intl=us
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/openmanage
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - d:\program files\common files\mcafee\systemcore\ScriptSn.20110513065529.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {C9D9459B-5873-4CB3-92B6-F67A5E1C8596} - No File
mRun: [OpenDNS Update] "d:\program files\opendns updater\OpenDNS Updater.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [ATIPTA] "d:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [LogitechCommunicationsManager] "d:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "d:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [USBDetector] c:\usbstorage\USBDetector.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - d:\program files\logitech\setpoint\SetPoint.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bankofamerica.com\onlineeast3
Trusted Zone: centershift.com
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9F2BFD7F-E51E-4E0E-8687-FF7A80A4DDB9} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{9F2BFD7F-E51E-4E0E-8687-FF7A80A4DDB9} : DhcpNameServer = 192.168.1.254
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - d:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;d:\windows\system32\drivers\mfehidk.sys [2007-5-29 387480]
R1 mfetdi2k;McAfee Inc. mfetdi2k;d:\windows\system32\drivers\mfetdi2k.sys [2010-7-22 84200]
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vcdrom;Virtual CD-ROM Device Driver;d:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 McMPFSvc;McAfee Personal Firewall Service;d:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-22 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;d:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-22 271480]
R2 McProxy;McAfee Proxy Service;d:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-22 271480]
R2 McShield;McShield;d:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-22 171168]
R2 mfefire;McAfee Firewall Core Service;d:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-22 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;d:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-22 141792]
R3 cfwids;McAfee Inc. cfwids;d:\windows\system32\drivers\cfwids.sys [2010-7-22 56064]
R3 mfeavfk;McAfee Inc. mfeavfk;d:\windows\system32\drivers\mfeavfk.sys [2007-5-29 153280]
R3 mfebopk;McAfee Inc. mfebopk;d:\windows\system32\drivers\mfebopk.sys [2007-5-29 52320]
R3 mfefirek;McAfee Inc. mfefirek;d:\windows\system32\drivers\mfefirek.sys [2010-7-22 314088]
R3 mfendiskmp;mfendiskmp;d:\windows\system32\drivers\mfendisk.sys [2010-7-22 88736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;d:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cpuz132;cpuz132;\??\d:\docume~1\glee\locals~1\temp\cpuz132\cpuz132_x32.sys --> d:\docume~1\glee\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;d:\windows\system32\drivers\mfendisk.sys [2010-7-22 88736]
S3 mferkdet;McAfee Inc. mferkdet;d:\windows\system32\drivers\mferkdet.sys [2010-7-22 84488]
S3 mferkdk;McAfee Inc. mferkdk;d:\windows\system32\drivers\mferkdk.sys [2007-5-29 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;d:\windows\system32\drivers\mfesmfk.sys [2007-5-29 40552]
S3 NPF;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;d:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate1c9aab03cddd30a;Google Update Service (gupdate1c9aab03cddd30a);d:\program files\google\update\GoogleUpdate.exe [2009-3-22 133104]
S4 gupdatem;Google Update Service (gupdatem);d:\program files\google\update\GoogleUpdate.exe [2009-3-22 133104]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;d:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
.
=============== Created Last 30 ================
.
2011-06-26 00:33:41 5183 ----a-w- d:\windows\system32\drivers\usbu2a.sys
2011-06-26 00:00:57 753664 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iKernel.dll
2011-06-26 00:00:57 69714 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\ctor.dll
2011-06-26 00:00:57 5632 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\DotNetInstaller.exe
2011-06-26 00:00:57 274432 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iscript.dll
2011-06-26 00:00:57 184320 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iuser.dll
2011-06-26 00:00:56 331908 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\setup.dll
2011-06-26 00:00:56 200836 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iGdi.dll
2011-06-25 23:58:48 56080 ----a-w- d:\windows\KHALMNPR.Exe
2011-06-25 23:58:48 36112 ----a-w- d:\windows\system32\drivers\LMouFilt.Sys
2011-06-25 23:58:48 34832 ----a-w- d:\windows\system32\drivers\LHidFilt.Sys
2011-06-25 23:58:47 28688 ----a-w- d:\windows\system32\drivers\LUsbFilt.sys
2011-06-25 23:58:47 1419024 ----a-w- d:\windows\system32\WdfCoInstaller01005.dll
2011-06-25 23:58:40 69632 ----a-w- d:\windows\system32\KemXML.dll
2011-06-25 23:58:40 163840 ----a-w- d:\windows\system32\kemutb.dll
2011-06-25 23:58:40 135168 ----a-w- d:\windows\system32\KemUtil.dll
2011-06-25 23:58:40 110592 ----a-w- d:\windows\system32\KemWnd.dll
2011-06-25 23:48:10 490776 ----a-w- d:\windows\system32\drivers\LV561AV.SYS
2011-06-25 23:48:10 195096 ----a-w- d:\windows\system32\lvci1150.dll
2011-06-25 23:26:56 37248 ----a-w- d:\windows\system32\drivers\isapnp.sys
2011-06-25 23:26:33 68224 -c--a-w- d:\windows\system32\dllcache\pci.sys
2011-06-25 23:26:33 68224 ----a-w- d:\windows\system32\drivers\pci.sys
2011-06-25 23:26:16 30208 ----a-w- d:\windows\system32\drivers\usbehci.sys
2011-06-25 23:26:14 7168 ----a-w- d:\windows\system32\hccoin.dll
2011-06-25 23:25:44 74240 -c--a-w- d:\windows\system32\dllcache\usbui.dll
2011-06-25 23:25:44 74240 ----a-w- d:\windows\system32\usbui.dll
2011-06-25 23:25:44 20608 -c--a-w- d:\windows\system32\dllcache\usbuhci.sys
2011-06-25 23:25:44 20608 ----a-w- d:\windows\system32\drivers\usbuhci.sys
2011-06-25 23:25:43 59520 -c--a-w- d:\windows\system32\dllcache\usbhub.sys
2011-06-25 23:25:43 59520 ----a-w- d:\windows\system32\drivers\usbhub.sys
2011-06-25 23:25:43 143872 -c--a-w- d:\windows\system32\dllcache\usbport.sys
2011-06-25 23:25:43 143872 ----a-w- d:\windows\system32\drivers\usbport.sys
2011-06-25 23:25:32 53248 ----a-r- d:\windows\system32\CSVer.dll
2011-06-25 23:03:49 1288192 -c----w- d:\windows\system32\dllcache\ole32.dll
2011-06-25 22:54:51 -------- d-----w- D:\Intel
2011-06-25 22:51:55 5050368 ----a-w- d:\windows\system32\atioglxx.dll
2011-06-25 22:43:05 74240 ----a-w- d:\windows\system32\spool\prtprocs\w32x86\hpzpp054.dll
2011-06-25 22:43:05 48128 ----a-w- d:\windows\system32\hpzll054.dll
2011-06-25 21:58:59 -------- d-----w- d:\documents and settings\all users\application data\UAB
2011-06-25 21:58:53 -------- d-----w- d:\documents and settings\glee\local settings\application data\PC_Drivers_Headquarters
2011-06-25 21:57:39 -------- d-----w- d:\program files\PC Drivers HeadQuarters
2011-06-25 21:49:57 73216 -c--a-w- d:\windows\system32\dllcache\avwav.dll
2011-06-25 20:51:45 -------- d-----w- d:\documents and settings\glee\application data\ElevatedDiagnostics
2011-06-25 20:36:12 404640 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-24 10:12:43 -------- d-----w- d:\documents and settings\glee\application data\SUPERAntiSpyware.com
2011-06-24 02:41:26 71680 ----a-w- d:\windows\system32\CTDPROXY.DLL
2011-06-24 02:41:25 73728 ----a-w- d:\windows\system32\PIAPROXY.DLL
2011-06-24 00:43:06 138752 ----a-w- d:\windows\system32\sndvol32.exe
2011-06-21 09:33:26 -------- d-----w- d:\program files\ESET
2011-06-21 09:20:15 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2011-06-19 01:04:34 -------- dc----w- d:\windows\ie8
2011-06-18 14:20:43 -------- d-----w- d:\documents and settings\glee\local settings\application data\PCHealth
2011-06-18 01:37:48 -------- d-----w- D:\fd577bc1256811e056f45f66202b
2011-05-28 01:54:52 -------- d-----w- d:\windows\system32\LogFiles
.
==================== Find3M ====================
.
2011-06-20 05:44:16 52352 ----a-w- d:\windows\system32\drivers\volsnap.sys
2011-05-04 08:52:22 472808 ----a-w- d:\windows\system32\deployJava1.dll
2011-05-04 06:25:49 73728 ----a-w- d:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ----a-w- d:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- d:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- d:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ------w- d:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- d:\windows\system32\inetcpl.cpl
2011-04-25 15:51:57 78336 ------w- d:\windows\system32\ieencode.dll
2011-04-25 12:01:22 385024 ------w- d:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- d:\windows\system32\drivers\mup.sys
2011-04-14 18:01:38 95824 ----a-w- d:\windows\system32\drivers\mfeapfk.sys
2011-04-14 18:01:38 9344 ----a-w- d:\windows\system32\drivers\mfeclnk.sys
2011-04-14 18:01:38 88736 ----a-w- d:\windows\system32\drivers\mfendisk.sys
2011-04-14 18:01:38 84488 ----a-w- d:\windows\system32\drivers\mferkdet.sys
2011-04-14 18:01:38 84200 ----a-w- d:\windows\system32\drivers\mfetdi2k.sys
2011-04-14 18:01:38 56064 ----a-w- d:\windows\system32\drivers\cfwids.sys
2011-04-14 18:01:38 52320 ----a-w- d:\windows\system32\drivers\mfebopk.sys
2011-04-14 18:01:38 387480 ----a-w- d:\windows\system32\drivers\mfehidk.sys
2011-04-14 18:01:38 314088 ----a-w- d:\windows\system32\drivers\mfefirek.sys
2011-04-14 18:01:38 153280 ----a-w- d:\windows\system32\drivers\mfeavfk.sys
.
============= FINISH: 14:05:26.46 ===============

*********************
*********************

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-06-26 20:12:29
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.10.0
Running: gmer.exe; Driver: D:\DOCUME~1\gLee\LOCALS~1\Temp\uwlirpog.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF7241210]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF7241224]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7241250]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF72412A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF72411FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF72411D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF72411E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF724123A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF724127C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF7241266]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF72412D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF72412BC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7241290]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

Just checking for a reply. Hopefully someone can comment today and I will check in again around 6:30pm EST.

EDIT: Please be patient. There are over 270 unanswered topics in this forum at present and the current average wait time to receive help is 8 days. ~Budapest

So, I understand about the delay -- it's quite apparent there's some kind of large scale internet 'attack' on individual private users in progress now and for the past several weeks --- funny how we haven't heard a 'peep' about this on the news ... hmmm ...

Anyways , anticipating I might be interacting with one of the helpers here , I went ahead and ran an updated mbam while I was out of the house today and here's the log -

(((((((((((((((((((((((((( mbam log )))))))))))))))))))))))))))))))

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6959

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/27/2011 9:22:44 AM
mbam-log-2011-06-27 (09-22-43).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 382298
Time elapsed: 2 hour(s), 19 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

(((((((((((((((((((((((((( end mbam log )))))))))))))))))))))))))))))))

Interestingly , even though mbam had completed normally and without error , here's what was waiting for me on my screen when I got home today -

Posted Image

So, I'll just sit tight now , and post things here as they develop , but as advised - I won't make any changes to my configuration until I see a response here ...

Best Wishes to All ( in these very strange times ) ,

Foglight

EDIT: Posts merged ~Budapest

Edited by Budapest, 28 June 2011 - 05:02 PM.
PM sent.
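The post above describes the actual damage: the DACL on the Drivers32 key and on the Start Menu program folders no longer granted the user's own account (or Administrators) access, which is why the wavemapper entry and the program groups looked broken even though the files were still there. A defender's first step is to audit those ACLs before touching them. The script below is an added example, not code from the thread or from BleepingComputer: a read-only PowerShell 2.0 audit of the objects named in the post. The XP folder layout (`Start Menu\Programs` under the profile directories) follows the post; the baseline of expected principals and owners is an assumption, so compare the output with a known-clean machine of the same build.

```powershell
# Added example, not code from the thread or from BleepingComputer. A read-only
# audit of the objects the poster found with altered permissions: the Drivers32
# key and the Start Menu program folders. Paths follow the XP layout the post
# describes; the baseline of expected principals is an assumption. Compare the
# output with a known-clean machine of the same build before changing anything.

$targets = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32',
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs'),   # all-users Start Menu (XP layout)
    (Join-Path $env:USERPROFILE 'Start Menu\Programs')        # per-user Start Menu (XP layout)
)

# Principals a stock XP DACL grants on these objects (assumption; verify against a clean install)
$expectedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Users')
$expectedOwners     = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-RuleRights {
    param($Rule)
    # Registry and file-system ACEs expose their rights under different property names
    if ($Rule -is [System.Security.AccessControl.RegistryAccessRule]) { return $Rule.RegistryRights }
    return $Rule.FileSystemRights
}

function Test-ObjectAcl {
    param([string]$Path)
    $findings = @()

    if (-not (Test-Path -Path $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Findings = @('object not found') }
    }
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # Not being able to read the DACL at all is itself a finding
        return New-Object PSObject -Property @{ Path = $Path; Findings = @("ACL unreadable: $($_.Exception.Message)") }
    }

    # 1. Explicit Deny entries: rare on stock objects, and they match the "write protected" symptom
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            $findings += "DENY for $($rule.IdentityReference.Value): $(Get-RuleRights $rule)"
        }
    }

    # 2. Expected principals that no longer appear in the DACL at all
    $present = @($acl.Access | ForEach-Object { $_.IdentityReference.Value })
    foreach ($id in $expectedIdentities) {
        if ($present -notcontains $id) { $findings += "no ACE for $id" }
    }

    # 3. Inheritance from the parent switched off (a common side effect of a DACL rewrite)
    if ($acl.AreAccessRulesProtected) { $findings += 'inheritance from parent is disabled' }

    # 4. Owner changed away from the built-in administrative principals
    if ($expectedOwners -notcontains $acl.Owner) { $findings += "owner is $($acl.Owner)" }

    return New-Object PSObject -Property @{ Path = $Path; Findings = $findings }
}

foreach ($target in $targets) {
    $result = Test-ObjectAcl -Path $target
    Write-Output "== $($result.Path)"
    if ($result.Findings.Count -eq 0) {
        Write-Output '   no anomalies against the expected baseline'
    } else {
        foreach ($f in $result.Findings) { Write-Output "   $f" }
    }
}
```

Run it from an account that is a member of Administrators; it changes nothing, it only reports. A "no ACE for" line for the user's own group or an explicit Deny entry is the condition the poster hit on Drivers32, and the same check extended to other keys and folders answers the poster's second question (what else was altered) with evidence rather than guesswork, which is what a helper would want to see before any permissions are reset.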


BC AdBot (Login to Remove)

 


#2 Elise

  • Malware Study Hall Admin
  • 61,408 posts
  • Gender:Female
  • Location:Romania

Posted 10 July 2011 - 02:57 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."



#3 Foglight

  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:SE michigan

Posted 11 July 2011 - 05:53 AM

Thanks for not forgetting about me !

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by gLee at 6:45:04 on 2011-07-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.630 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
D:\WINDOWS\Explorer.EXE
svchost.exe
D:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
D:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
D:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
D:\WINDOWS\system32\CTHELPER.EXE
D:\WINDOWS\system32\CTXFIHLP.EXE
D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
D:\Program Files\Logitech\QuickCam\Quickcam.exe
D:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\USBStorage\USBDetector.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
D:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
D:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
D:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
d:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://login.yahoo.com/config/mail?.intl=us
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/openmanage
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - d:\program files\common files\mcafee\systemcore\ScriptSn.20110513065529.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {C9D9459B-5873-4CB3-92B6-F67A5E1C8596} - No File
mRun: [OpenDNS Update] "d:\program files\opendns updater\OpenDNS Updater.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [ATIPTA] "d:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [LogitechCommunicationsManager] "d:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "d:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [USBDetector] c:\usbstorage\USBDetector.exe
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - d:\program files\logitech\setpoint\SetPoint.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bankofamerica.com\onlineeast3
Trusted Zone: centershift.com
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9F2BFD7F-E51E-4E0E-8687-FF7A80A4DDB9} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{9F2BFD7F-E51E-4E0E-8687-FF7A80A4DDB9} : DhcpNameServer = 192.168.1.254
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - d:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;d:\windows\system32\drivers\mfehidk.sys [2007-5-29 387480]
R1 mfetdi2k;McAfee Inc. mfetdi2k;d:\windows\system32\drivers\mfetdi2k.sys [2010-7-22 84200]
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vcdrom;Virtual CD-ROM Device Driver;d:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 McMPFSvc;McAfee Personal Firewall Service;d:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-22 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;d:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-22 271480]
R2 McProxy;McAfee Proxy Service;d:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-22 271480]
R2 McShield;McShield;d:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-22 171168]
R2 mfefire;McAfee Firewall Core Service;d:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-22 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;d:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-22 141792]
R3 cfwids;McAfee Inc. cfwids;d:\windows\system32\drivers\cfwids.sys [2010-7-22 56064]
R3 mfeavfk;McAfee Inc. mfeavfk;d:\windows\system32\drivers\mfeavfk.sys [2007-5-29 153280]
R3 mfefirek;McAfee Inc. mfefirek;d:\windows\system32\drivers\mfefirek.sys [2010-7-22 314088]
R3 mfendiskmp;mfendiskmp;d:\windows\system32\drivers\mfendisk.sys [2010-7-22 88736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;d:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cpuz132;cpuz132;\??\d:\docume~1\glee\locals~1\temp\cpuz132\cpuz132_x32.sys --> d:\docume~1\glee\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 mfebopk;McAfee Inc. mfebopk;d:\windows\system32\drivers\mfebopk.sys [2007-5-29 52320]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;d:\windows\system32\drivers\mfendisk.sys [2010-7-22 88736]
S3 mferkdet;McAfee Inc. mferkdet;d:\windows\system32\drivers\mferkdet.sys [2010-7-22 84488]
S3 mferkdk;McAfee Inc. mferkdk;d:\windows\system32\drivers\mferkdk.sys [2007-5-29 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;d:\windows\system32\drivers\mfesmfk.sys [2007-5-29 40552]
S3 NPF;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;d:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate1c9aab03cddd30a;Google Update Service (gupdate1c9aab03cddd30a);d:\program files\google\update\GoogleUpdate.exe [2009-3-22 133104]
S4 gupdatem;Google Update Service (gupdatem);d:\program files\google\update\GoogleUpdate.exe [2009-3-22 133104]
.
=============== Created Last 30 ================
.
2011-07-04 12:38:33 -------- d-----w- d:\windows\system32\Dell
2011-07-04 12:38:33 -------- d-----w- d:\program files\Dell
2011-06-26 00:33:41 5183 ----a-w- d:\windows\system32\drivers\usbu2a.sys
2011-06-26 00:00:57 753664 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iKernel.dll
2011-06-26 00:00:57 69714 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\ctor.dll
2011-06-26 00:00:57 5632 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\DotNetInstaller.exe
2011-06-26 00:00:57 274432 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iscript.dll
2011-06-26 00:00:57 184320 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iuser.dll
2011-06-26 00:00:56 331908 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\setup.dll
2011-06-26 00:00:56 200836 ----a-w- d:\program files\common files\installshield\professional\runtime\11\00\intel32\iGdi.dll
2011-06-25 23:58:48 56080 ----a-w- d:\windows\KHALMNPR.Exe
2011-06-25 23:58:48 36112 ----a-w- d:\windows\system32\drivers\LMouFilt.Sys
2011-06-25 23:58:48 34832 ----a-w- d:\windows\system32\drivers\LHidFilt.Sys
2011-06-25 23:58:47 28688 ----a-w- d:\windows\system32\drivers\LUsbFilt.sys
2011-06-25 23:58:47 1419024 ----a-w- d:\windows\system32\WdfCoInstaller01005.dll
2011-06-25 23:58:40 69632 ----a-w- d:\windows\system32\KemXML.dll
2011-06-25 23:58:40 163840 ----a-w- d:\windows\system32\kemutb.dll
2011-06-25 23:58:40 135168 ----a-w- d:\windows\system32\KemUtil.dll
2011-06-25 23:58:40 110592 ----a-w- d:\windows\system32\KemWnd.dll
2011-06-25 23:48:10 490776 ----a-w- d:\windows\system32\drivers\LV561AV.SYS
2011-06-25 23:48:10 195096 ----a-w- d:\windows\system32\lvci1150.dll
2011-06-25 23:26:56 37248 ----a-w- d:\windows\system32\drivers\isapnp.sys
2011-06-25 23:26:33 68224 -c--a-w- d:\windows\system32\dllcache\pci.sys
2011-06-25 23:26:33 68224 ----a-w- d:\windows\system32\drivers\pci.sys
2011-06-25 23:26:16 30208 ----a-w- d:\windows\system32\drivers\usbehci.sys
2011-06-25 23:26:14 7168 ----a-w- d:\windows\system32\hccoin.dll
2011-06-25 23:25:44 74240 -c--a-w- d:\windows\system32\dllcache\usbui.dll
2011-06-25 23:25:44 74240 ----a-w- d:\windows\system32\usbui.dll
2011-06-25 23:25:44 20608 -c--a-w- d:\windows\system32\dllcache\usbuhci.sys
2011-06-25 23:25:44 20608 ----a-w- d:\windows\system32\drivers\usbuhci.sys
2011-06-25 23:25:43 59520 -c--a-w- d:\windows\system32\dllcache\usbhub.sys
2011-06-25 23:25:43 59520 ----a-w- d:\windows\system32\drivers\usbhub.sys
2011-06-25 23:25:43 143872 -c--a-w- d:\windows\system32\dllcache\usbport.sys
2011-06-25 23:25:43 143872 ----a-w- d:\windows\system32\drivers\usbport.sys
2011-06-25 23:25:32 53248 ----a-r- d:\windows\system32\CSVer.dll
2011-06-25 23:03:49 1288192 -c----w- d:\windows\system32\dllcache\ole32.dll
2011-06-25 22:54:51 -------- d-----w- D:\Intel
2011-06-25 22:51:55 5050368 ----a-w- d:\windows\system32\atioglxx.dll
2011-06-25 22:43:05 74240 ----a-w- d:\windows\system32\spool\prtprocs\w32x86\hpzpp054.dll
2011-06-25 22:43:05 48128 ----a-w- d:\windows\system32\hpzll054.dll
2011-06-25 21:58:59 -------- d-----w- d:\documents and settings\all users\application data\UAB
2011-06-25 21:58:53 -------- d-----w- d:\documents and settings\glee\local settings\application data\PC_Drivers_Headquarters
2011-06-25 21:57:39 -------- d-----w- d:\program files\PC Drivers HeadQuarters
2011-06-25 21:49:57 73216 -c--a-w- d:\windows\system32\dllcache\avwav.dll
2011-06-25 20:51:45 -------- d-----w- d:\documents and settings\glee\application data\ElevatedDiagnostics
2011-06-25 20:36:12 404640 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-24 10:12:43 -------- d-----w- d:\documents and settings\glee\application data\SUPERAntiSpyware.com
2011-06-24 02:41:26 71680 ----a-w- d:\windows\system32\CTDPROXY.DLL
2011-06-24 02:41:25 73728 ----a-w- d:\windows\system32\PIAPROXY.DLL
2011-06-24 00:43:06 138752 ----a-w- d:\windows\system32\sndvol32.exe
2011-06-21 09:33:26 -------- d-----w- d:\program files\ESET
2011-06-21 09:20:15 22712 ----a-w- d:\windows\system32\drivers\mbam.sys
2011-06-19 01:04:34 -------- dc----w- d:\windows\ie8
2011-06-18 14:20:43 -------- d-----w- d:\documents and settings\glee\local settings\application data\PCHealth
2011-06-18 01:37:48 -------- d-----w- D:\fd577bc1256811e056f45f66202b
.
==================== Find3M ====================
.
2011-06-20 05:44:16 52352 ----a-w- d:\windows\system32\drivers\volsnap.sys
2011-05-29 13:11:30 39984 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2011-05-04 08:52:22 472808 ----a-w- d:\windows\system32\deployJava1.dll
2011-05-04 06:25:49 73728 ----a-w- d:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ----a-w- d:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- d:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- d:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- d:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ------w- d:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- d:\windows\system32\inetcpl.cpl
2011-04-25 15:51:57 78336 ------w- d:\windows\system32\ieencode.dll
2011-04-25 12:01:22 385024 ------w- d:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- d:\windows\system32\drivers\mup.sys
2011-04-14 18:01:38 95824 ----a-w- d:\windows\system32\drivers\mfeapfk.sys
2011-04-14 18:01:38 9344 ----a-w- d:\windows\system32\drivers\mfeclnk.sys
2011-04-14 18:01:38 88736 ----a-w- d:\windows\system32\drivers\mfendisk.sys
2011-04-14 18:01:38 84488 ----a-w- d:\windows\system32\drivers\mferkdet.sys
2011-04-14 18:01:38 84200 ----a-w- d:\windows\system32\drivers\mfetdi2k.sys
2011-04-14 18:01:38 56064 ----a-w- d:\windows\system32\drivers\cfwids.sys
2011-04-14 18:01:38 52320 ----a-w- d:\windows\system32\drivers\mfebopk.sys
2011-04-14 18:01:38 387480 ----a-w- d:\windows\system32\drivers\mfehidk.sys
2011-04-14 18:01:38 314088 ----a-w- d:\windows\system32\drivers\mfefirek.sys
2011-04-14 18:01:38 153280 ----a-w- d:\windows\system32\drivers\mfeavfk.sys
.
============= FINISH: 6:46:41.31 ===============



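The DDS log above prints services, drivers and Run-key autoruns in a fixed line format (`R0 name;description;image path [date size]` and `mRun: [name] command line`). The Python below is an added example, not code from this thread, from DDS or from ComboFix: it parses those two formats and applies three triage heuristics of my own (the rules are assumptions about what a malware-removal helper looks at first, not anything DDS itself reports): a driver whose image sits under a Temp directory, a driver that is registered but whose file is missing (DDS marks these with `[?]`), and an autorun that names a bare executable with no directory, which Windows resolves through the PATH search order. The sample lines are copied from the log posted above.

```python
"""Triage helper for the DDS log line formats shown in this thread.

Added example, not part of the thread, of DDS, or of ComboFix. It parses
two formats that appear in the DDS log above:

  R0 name;description;image path [date size]     (SERVICES / DRIVERS)
  mRun: [name] command line                     (Run-key autoruns)

The three flags below are this example's own heuristics (assumptions), not
DDS output; each is a prompt to look closer, not a verdict.
"""
import re

# e.g. 'R0 mfehidk;McAfee Inc. mfehidk;d:\...\mfehidk.sys [2007-5-29 387480]'
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
# e.g. 'mRun: [CTHelper] CTHELPER.EXE'
RUN_RE = re.compile(r"^(?P<hive>[mu]Run):\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")


def parse_service(line):
    """Split a DDS service/driver line into its fields, or return None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    # DDS marks an image that is not on disk with a trailing '[?]'.
    missing = rest.endswith("[?]")
    # Drop the trailing ' [date size]' or ' [?]' to keep only the image path.
    path = rest.rsplit(" [", 1)[0]
    # A missing image is printed as 'registered path --> resolved path'.
    if " --> " in path:
        path = path.split(" --> ", 1)[1]
    # Some drivers are registered with the NT object-namespace prefix.
    if path.startswith("\\??\\"):
        path = path[4:]
    return {"start": m.group("start"), "name": m.group("name"),
            "desc": m.group("desc"), "path": path.lower(), "missing": missing}


def parse_run(line):
    """Split a DDS mRun/uRun line into hive, value name and executable."""
    m = RUN_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    # Quoted command lines carry the image path in the first quoted token.
    if cmd.startswith('"'):
        exe = cmd[1:cmd.index('"', 1)]
    else:
        exe = cmd.split(" ", 1)[0]
    return {"hive": m.group("hive"), "name": m.group("name"), "exe": exe}


def triage(lines):
    """Return (entry name, reason) findings for a list of DDS log lines."""
    findings = []
    for line in lines:
        svc = parse_service(line)
        if svc is not None:
            if "\\temp\\" in svc["path"]:
                findings.append((svc["name"], "driver image under a Temp directory"))
            if svc["missing"]:
                findings.append((svc["name"], "driver registered but image missing"))
            continue
        run = parse_run(line)
        if run is not None and "\\" not in run["exe"]:
            # No directory in the command: the loader searches PATH for it.
            findings.append((run["name"], "autorun names a bare executable (PATH lookup)"))
    return findings


# Sample lines copied from the DDS log posted above in this thread.
SAMPLE_LOG = [
    r'mRun: [OpenDNS Update] "d:\program files\opendns updater\OpenDNS Updater.exe"',
    r"mRun: [CTHelper] CTHELPER.EXE",
    r"mRun: [CTxfiHlp] CTXFIHLP.EXE",
    r'mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime',
    r"R0 mfehidk;McAfee Inc. mfehidk;d:\windows\system32\drivers\mfehidk.sys [2007-5-29 387480]",
    r"S3 cpuz132;cpuz132;\??\d:\docume~1\glee\locals~1\temp\cpuz132\cpuz132_x32.sys"
    r" --> d:\docume~1\glee\locals~1\temp\cpuz132\cpuz132_x32.sys [?]",
    r"S4 gupdatem;Google Update Service (gupdatem);d:\program files\google\update\GoogleUpdate.exe [2009-3-22 133104]",
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG):
        print(f"{name}: {reason}")
```

On the sample, the cpuz132 entry is flagged twice (a driver registered from a user's Temp folder whose file no longer exists, which is also what the `S3 cpuz132` line in the log above shows), and the CTHelper and CTxfiHlp autoruns are flagged because they give only a file name. A bare-name autorun is not evidence of infection by itself (here they are Creative sound-card helpers), but it is the kind of entry whose resolved location a helper would confirm before trusting it.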

#4 Elise
Posted 11 July 2011 - 07:09 AM

Hi again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image not preserved in this copy]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image not preserved in this copy]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise




#5 Foglight
Posted 11 July 2011 - 06:05 PM

ComboFix 11-07-11.02 - gLee 07/11/2011 18:37:13.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.569 [GMT -4:00]
Running from: d:\documents and settings\gLee\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-06-11 to 2011-07-11 )))))))))))))))))))))))))))))))
.
.
2011-07-04 12:38 . 2011-07-04 12:38 -------- d-----w- d:\windows\system32\Dell
2011-07-04 12:38 . 2011-07-04 12:38 -------- d-----w- d:\program files\Dell
2011-06-26 00:33 . 2003-04-03 22:57 5183 ----a-w- d:\windows\system32\drivers\usbu2a.sys
2011-06-26 00:00 . 2005-04-04 03:02 753664 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2011-06-26 00:00 . 2005-04-04 03:02 69714 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2011-06-26 00:00 . 2005-04-04 03:01 274432 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2011-06-26 00:00 . 2005-04-04 03:00 184320 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2011-06-26 00:00 . 2005-04-04 02:59 5632 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2011-06-26 00:00 . 2011-06-26 00:00 331908 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2011-06-26 00:00 . 2011-06-26 00:00 200836 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2011-06-26 00:00 . 2011-06-26 00:00 -------- d-----w- d:\documents and settings\gLee\Application Data\Logitech
2011-06-25 23:58 . 2007-04-11 19:32 36112 ----a-w- d:\windows\system32\drivers\LMouFilt.Sys
2011-06-25 23:26 . 2008-04-13 18:36 37248 ----a-w- d:\windows\system32\drivers\isapnp.sys
2011-06-25 23:26 . 2008-04-13 18:36 68224 -c--a-w- d:\windows\system32\dllcache\pci.sys
2011-06-25 23:26 . 2008-04-13 18:36 68224 ----a-w- d:\windows\system32\drivers\pci.sys
2011-06-25 23:26 . 2008-04-13 18:45 30208 ----a-w- d:\windows\system32\drivers\usbehci.sys
2011-06-25 23:26 . 2008-04-14 00:11 7168 ----a-w- d:\windows\system32\hccoin.dll
2011-06-25 23:25 . 2008-04-14 00:12 74240 -c--a-w- d:\windows\system32\dllcache\usbui.dll
2011-06-25 23:25 . 2008-04-14 00:12 74240 ----a-w- d:\windows\system32\usbui.dll
2011-06-25 23:25 . 2008-04-13 18:45 20608 -c--a-w- d:\windows\system32\dllcache\usbuhci.sys
2011-06-25 23:25 . 2008-04-13 18:45 20608 ----a-w- d:\windows\system32\drivers\usbuhci.sys
2011-06-25 23:25 . 2008-04-13 18:45 59520 -c--a-w- d:\windows\system32\dllcache\usbhub.sys
2011-06-25 23:25 . 2008-04-13 18:45 59520 ----a-w- d:\windows\system32\drivers\usbhub.sys
2011-06-25 23:25 . 2008-04-13 18:45 143872 -c--a-w- d:\windows\system32\dllcache\usbport.sys
2011-06-25 23:25 . 2008-04-13 18:45 143872 ----a-w- d:\windows\system32\drivers\usbport.sys
2011-06-25 23:25 . 2010-12-23 15:09 53248 ----a-r- d:\windows\system32\CSVer.dll
2011-06-25 23:03 . 2010-07-16 12:05 1288192 -c----w- d:\windows\system32\dllcache\ole32.dll
2011-06-25 22:54 . 2011-06-25 22:54 -------- d-----w- D:\Intel
2011-06-25 22:51 . 2006-06-07 17:43 5050368 ----a-w- d:\windows\system32\atioglxx.dll
2011-06-25 22:43 . 2006-04-10 18:03 48128 ----a-w- d:\windows\system32\hpzll054.dll
2011-06-25 22:43 . 2006-04-10 18:02 74240 ----a-w- d:\windows\system32\Spool\prtprocs\w32x86\hpzpp054.dll
2011-06-25 22:41 . 2011-06-25 22:41 -------- d-----w- d:\program files\Hewlett-Packard
2011-06-25 21:58 . 2011-06-25 21:58 -------- d-----w- d:\documents and settings\All Users\Application Data\UAB
2011-06-25 21:58 . 2011-06-25 21:58 -------- d-----w- d:\documents and settings\gLee\Local Settings\Application Data\PC_Drivers_Headquarters
2011-06-25 21:57 . 2011-06-25 21:57 -------- d-----w- d:\program files\PC Drivers HeadQuarters
2011-06-25 21:49 . 2004-08-04 10:00 73216 -c--a-w- d:\windows\system32\dllcache\avwav.dll
2011-06-25 20:51 . 2011-06-29 00:19 -------- d-----w- d:\documents and settings\gLee\Application Data\ElevatedDiagnostics
2011-06-25 20:36 . 2011-06-25 20:36 404640 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-24 10:12 . 2011-06-24 10:12 -------- d-----w- d:\documents and settings\gLee\Application Data\SUPERAntiSpyware.com
2011-06-24 02:41 . 2005-11-09 00:15 71680 ----a-w- d:\windows\system32\CTDPROXY.DLL
2011-06-24 02:41 . 2005-11-09 00:14 73728 ----a-w- d:\windows\system32\PIAPROXY.DLL
2011-06-24 00:43 . 2001-08-18 02:36 138752 ----a-w- d:\windows\system32\sndvol32.exe
2011-06-21 09:33 . 2011-06-21 09:33 -------- d-----w- d:\program files\ESET
2011-06-21 09:20 . 2011-05-29 13:11 22712 ----a-w- d:\windows\system32\drivers\mbam.sys
2011-06-19 01:04 . 2011-06-19 01:09 -------- dc----w- d:\windows\ie8
2011-06-18 14:20 . 2011-06-18 14:20 -------- d-----w- d:\documents and settings\gLee\Local Settings\Application Data\PCHealth
2011-06-18 01:37 . 2011-06-18 01:44 -------- d-----w- D:\fd577bc1256811e056f45f66202b
2011-06-14 00:09 . 2011-06-14 00:09 -------- d-----w- d:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-20 05:44 . 2004-08-04 10:00 52352 ----a-w- d:\windows\system32\drivers\volsnap.sys
2011-06-16 23:32 . 2011-05-24 00:41 112832 ----a-w- d:\documents and settings\All Users\Application Data\Microsoft\VCExpress\10.0\1033\ResourceCache.dll
2011-05-29 13:11 . 2009-05-03 03:32 39984 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2011-05-04 08:52 . 2010-04-28 20:49 472808 ----a-w- d:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2010-04-28 20:49 73728 ----a-w- d:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2007-05-29 01:29 692736 ----a-w- d:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 10:00 151552 ----a-w- d:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 10:00 456320 ----a-w- d:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2006-03-04 03:33 916480 ----a-w- d:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 10:00 43520 ------w- d:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 10:00 1469440 ------w- d:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2011-04-25 15:51 78336 ------w- d:\windows\system32\ieencode.dll
2011-04-25 12:01 . 2004-08-04 10:00 385024 ------w- d:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 10:00 105472 ----a-w- d:\windows\system32\drivers\mup.sys
2011-04-14 18:01 . 2010-07-22 20:58 9344 ----a-w- d:\windows\system32\drivers\mfeclnk.sys
2011-04-14 18:01 . 2010-07-22 20:58 88736 ----a-w- d:\windows\system32\drivers\mfendisk.sys
2011-04-14 18:01 . 2010-07-22 20:58 84488 ----a-w- d:\windows\system32\drivers\mferkdet.sys
2011-04-14 18:01 . 2010-07-22 20:58 84200 ----a-w- d:\windows\system32\drivers\mfetdi2k.sys
2011-04-14 18:01 . 2010-07-22 20:58 314088 ----a-w- d:\windows\system32\drivers\mfefirek.sys
2011-04-14 18:01 . 2010-07-22 20:58 95824 ----a-w- d:\windows\system32\drivers\mfeapfk.sys
2011-04-14 18:01 . 2010-07-22 20:58 56064 ----a-w- d:\windows\system32\drivers\cfwids.sys
2011-04-14 18:01 . 2007-05-29 04:53 52320 ----a-w- d:\windows\system32\drivers\mfebopk.sys
2011-04-14 18:01 . 2007-05-29 04:53 387480 ----a-w- d:\windows\system32\drivers\mfehidk.sys
2011-04-14 18:01 . 2007-05-29 04:53 153280 ----a-w- d:\windows\system32\drivers\mfeavfk.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpenDNS Update"="d:\program files\OpenDNS Updater\OpenDNS Updater.exe" [2009-02-12 315392]
"CTHelper"="CTHELPER.EXE" [2006-12-12 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]
"ATIPTA"="d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-06-07 344064]
"LogitechCommunicationsManager"="d:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="d:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"USBDetector"="c:\usbstorage\USBDetector.exe" [2003-04-01 53248]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2011-6-25 692224]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=d:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=d:\windows\pss\Google Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=d:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^gLee^Start Menu^Programs^Startup^Adobe Media Player.lnk]
path=d:\documents and settings\gLee\Start Menu\Programs\Startup\Adobe Media Player.lnk
backup=d:\windows\pss\Adobe Media Player.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- d:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-06-07 20:27 344064 ----a-w- d:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2006-12-12 14:46 19456 ----a-w- d:\windows\system32\CtHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-03-02 16:00 18944 ----a-w- d:\windows\system32\CTXFIHLP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- d:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- d:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraService(E)]
2004-11-01 21:22 262144 ----a-w- d:\windows\system32\ElkCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2005-12-09 19:32 225280 ----a-w- d:\windows\system32\LVCOMSX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2011-04-05 15:50 1195408 ----a-w- d:\program files\McAfee.com\Agent\mcagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe]
2011-04-05 15:50 1195408 ----a-w- d:\program files\McAfee.com\Agent\mcagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- d:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SiteAdvisor Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"ose"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"rpcapd"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate1c9aab03cddd30a"=2 (0x2)
"wlidsvc"=2 (0x2)
"SeaPort"=2 (0x2)
"MDM"=2 (0x2)
"gupdatem"=3 (0x3)
"BBSvc"=3 (0x3)
"LVPrcSrv"=2 (0x2)
"CTAudSvcService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\WINDOWS\\system32\\dxdiag.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\WINDOWS\\system32\\ftp.exe"=
"d:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"d:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;d:\windows\system32\drivers\mfetdi2k.sys [7/22/2010 4:58 PM 84200]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R1 vcdrom;Virtual CD-ROM Device Driver;d:\windows\system32\drivers\VCdRom.sys [12/19/2001 11:45 AM 8576]
R2 McMPFSvc;McAfee Personal Firewall Service;"d:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/22/2010 4:58 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"d:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [7/22/2010 4:58 PM 271480]
R2 mfefire;McAfee Firewall Core Service;d:\program files\Common Files\McAfee\SystemCore\mfefire.exe [7/22/2010 4:58 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;d:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [7/22/2010 4:58 PM 141792]
R3 cfwids;McAfee Inc. cfwids;d:\windows\system32\drivers\cfwids.sys [7/22/2010 4:58 PM 56064]
R3 mfefirek;McAfee Inc. mfefirek;d:\windows\system32\drivers\mfefirek.sys [7/22/2010 4:58 PM 314088]
R3 mfendiskmp;mfendiskmp;d:\windows\system32\drivers\mfendisk.sys [7/22/2010 4:58 PM 88736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;d:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;d:\windows\system32\drivers\mfendisk.sys [7/22/2010 4:58 PM 88736]
S3 mferkdet;McAfee Inc. mferkdet;d:\windows\system32\drivers\mferkdet.sys [7/22/2010 4:58 PM 84488]
S3 NPF;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [1/25/2007 1:31 PM 42000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;d:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 gupdate1c9aab03cddd30a;Google Update Service (gupdate1c9aab03cddd30a);d:\program files\Google\Update\GoogleUpdate.exe [3/22/2009 1:37 AM 133104]
S4 gupdatem;Google Update Service (gupdatem);d:\program files\Google\Update\GoogleUpdate.exe [3/22/2009 1:37 AM 133104]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-11 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 05:36]
.
2011-07-11 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 05:36]
.
2011-07-11 d:\windows\Tasks\User_Feed_Synchronization-{04AD313B-3577-4F3A-BE2A-969DC36318AF}.job
- d:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
2011-07-11 d:\windows\Tasks\User_Feed_Synchronization-{4BFB1B66-51A2-430A-B75B-D114FC65B3B7}.job
- d:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/config/mail?.intl=us
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/openmanage
Trusted Zone: bankofamerica.com\onlineeast3
Trusted Zone: centershift.com
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9F2BFD7F-E51E-4E0E-8687-FF7A80A4DDB9}: NameServer = 208.67.222.222,208.67.220.220
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-LogitechCameraAssistant - d:\program files\Logitech\Video\CameraAssistant.exe
MSConfigStartUp-LogitechVideo[inspector] - d:\program files\Logitech\Video\InstallHelper.exe
AddRemove-QcDrv - d:\program files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-11 18:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-299502267-706699826-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1336)
d:\program files\SUPERAntiSpyware\SASWINLO.DLL
d:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3948)
d:\windows\system32\WININET.dll
d:\program files\Logitech\SetPoint\lgscroll.dll
d:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
d:\windows\system32\msi.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\webcheck.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-11 18:54:33
ComboFix-quarantined-files.txt 2011-07-11 22:54
.
Pre-Run: 50,169,765,888 bytes free
Post-Run: 50,514,169,856 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /bootlog
.
- - End Of File - - AAA6CC9F5A6AF2134CFDA79076ECB09D

#6 Elise (Malware Study Hall Admin)
Posted 12 July 2011 - 03:21 AM

Hi there, how are things running at this point?

P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader (Version X) and save it to your desktop.
  • Uncheck the "Free McAfee Security Scan Plus" option or any other toolbar you are offered.
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the "click here to download" link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Your Adobe Reader is now up to date!


Please launch Malwarebytes Antimalware, update it and run a full scan. Post me the resulting log.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#7 Foglight (Topic Starter)
Posted 12 July 2011 - 05:01 PM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7084

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/12/2011 8:56:31 AM
mbam-log-2011-07-12 (08-56-30).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 365684
Time elapsed: 2 hour(s), 15 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[three posted images, not preserved in this copy]

Edited by Foglight, 12 July 2011 - 05:02 PM.


#8 Elise (Malware Study Hall Admin)
Posted 13 July 2011 - 02:47 AM

Don't worry, Norton only detects an item in System Restore, which is not malicious anyway. It detected this because MBAM was scanning it. The same may happen during the following scan.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

regards, Elise

#9 Foglight (Topic Starter)
Posted 13 July 2011 - 05:36 PM

Posted Image

#10 Foglight (Topic Starter)
Posted 13 July 2011 - 05:43 PM

Hi,

Maybe the infection is gone now, but some troublesome 'after effects' remain.

If there is any utility, tool, or method you know of to restore the 'standard' registry keys and system folders to their 'default' security settings, it would be very helpful to me. I know I probably didn't say that technically exactly correct, since for all I know there may not even be such a thing as a 'standard' registry key... but hopefully you've caught my meaning and can offer some idea which might be helpful.

Additionally, thank you very much for your time and effort up to this point - it is really appreciated!

Best Regards, Foglight

#11 Elise (Malware Study Hall Admin)
Posted 14 July 2011 - 06:48 AM

If there is any utility , tool , or method you know of to restore the 'standard' registry keys and system folders to their 'default' security settings

Tools like DDS show a bunch of standard registry entries so you can be pretty sure they are as they should be, everything looks good. There are no tools that will automatically restore settings, as they are user and computer dependent.

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
  • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide a resident component and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software Inspector occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise

#12 Foglight (Topic Starter)
Posted 14 July 2011 - 05:31 PM

Thank you for all your help, Elise.

System seems to be OK now.

Take Care, Foglight

#13 Elise (Malware Study Hall Admin)
Posted 15 July 2011 - 01:13 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise