Google Redirect Virus


This topic is locked
25 replies to this topic

#1 AngrySun86 (Members)

Posted 04 October 2011 - 04:04 PM

Oh boy...
I came to this forum so that I can get help figuring out how to solve this particular problem:

Before I begin explaining what's going on, my computer is a custom-built computer with Windows XP with Service Pack 3. It has a floppy drive (A), two hard drives (C and D), a CD drive (E), and two USB drives (F and G, I think). So, aside from the extra drives, it's a humble, simple computer.

So, on to my problem:

It all started when I was just browsing the internet one night on one of those dedicated wikis (you know, like Mariowiki), when suddenly, my Verizon Internet Suite alerted me that its real-time scan had been shut off! So I tried to get it to do a quick search, but I got an "unexpected error" message. This also happened with doing a full search.

Then I tried Malwarebytes, and when I hit "full scan", it scanned for 15 seconds and then abruptly shut down. When I tried to open it again, I got an error message saying that the Mbam file could not be found, even though it is in its default directory.

I decided to Google search for a way to solve this problem, but I got redirected to some random ad after clicking a link in the search results. So, I knew something bad was going down.

I then uninstalled and reinstalled Malwarebytes and rebooted the computer into Safe Mode. Although Verizon Suite is alerting me that its scan is off, I think that may have been because Safe Mode doesn't have network stuff in it, unless I reboot it in Safe Mode with Networking. Malwarebytes, on the other hand, was working quite fine, and found the following two infected files:

Rootkit.0Access C:\documents and settings\(User)\application data\Sun\Javadeployment\cache\6.0\3\Saa7e403-39978121c

Rootkit.0Access C:\documents and settings\(User)\Local settings\Temp\6.4920097837455071.exe

I had them removed and deleted, but the problems still persisted. My brother looked into it using Norton PC Checkup, but that did nothing. We then found out that there's a process in the Processes tab of the Task Manager whose name is a bunch of numbers with a colon in the middle. After some research on this site's forum, and some others, I can now confirm that it's a form of malware!

Here's the name of the process:
"3016895728:265497932.exe"

My brother ended the process, but the computer could not boot up after shutting it down, so we rebooted it with Last Known Good Settings, with that very process still there. The weird process does not show up in Safe Mode, but it does in Safe Mode with Networking.

Also, after another Malwarebytes search (and after uninstalling/reinstalling and updating it many times) in Safe Mode, I found another bad file on my computer:

Exploit.Drop.2 C:\documents and settings\(User)\local settings\Temp\0.5354993341383579.exe

This one may have been from one of the random, infected ads that the Google redirecting brought me to, before I decided to use a different computer to look up the problem.

And I also tried to disable my internet connection, thinking that the process was associated with the internet connection. I tried to run Malwarebytes, and it didn't work. So I reinstalled and updated it again, ran Safe Mode, and Malwarebytes ran just fine, and found nothing.

My computer is currently in Safe Mode without Networking, since I'm afraid to use Facebook or anything on my computer because this malware could take my personal information.

So if there's anyone out here who's reading this and understands what I'm coming across,
HEEEEEEEEEEEEEEEEEEELP!!! :o

Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.

Then post your DDS and GMER logs as a reply to this topic. Once you have done that I will remove my reply and consolidate the posts so that you retain your correct place in the queue.

If you can produce at least some of the logs, then please explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.


Sorry I'm late, but I have followed the guide and taken the necessary steps. So, here are the reports.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Bill at 2:13:38 on 2011-10-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1997 [GMT -5:00]
.
AV: Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\3016895728:265497932.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Verizon\VSP\ServicepointService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.youtube.com/user/dawnkeykawng
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111003203110.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1278817807964
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1278817830651
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.1.1 68.238.96.12
TCP: Interfaces\{7EAA9FB5-CD4C-48B7-B05A-1D77C05BF4F1} : DhcpNameServer = 192.168.1.1 68.238.96.12
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-12-16 461864]
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [2006-7-5 63352]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-12-16 89624]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-7-11 54760]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-12-26 47640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-16 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-16 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-16 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-16 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-12-16 166024]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-12-16 160344]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-12-16 148520]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-7-17 2214504]
R2 ServicepointService;ServicepointService;c:\program files\verizon\vsp\ServicepointService.exe [2010-12-16 689392]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-12-16 57432]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-12-16 180072]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-12-16 59288]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-12-16 338040]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-12-16 83688]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-5-22 136176]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-7-11 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-7-11 8456]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-5-22 136176]
S3 KID_USB;Kensington Input Devices USB filter driver;c:\windows\system32\drivers\KID_USB.sys [2001-9-5 16344]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-12-16 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-12-16 87808]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2001-8-23 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 McOobeSv;McAfee OOBE Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-16 214904]
.
=============== Created Last 30 ================
.
2011-10-05 02:38:22 1324 ----a-w- c:\documents and settings\bill\local settings\application data\d3d9caps.tmp
2011-10-04 23:23:08 -------- d-----w- c:\documents and settings\bill\local settings\application data\Safe mirror
2011-10-04 23:22:41 -------- d-----w- c:\program files\Cobian Backup 10
2011-10-04 23:10:37 -------- d-----w- c:\program files\Cobian Backup 8
2011-10-04 18:00:08 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-04 18:00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-04 01:23:24 -------- d-----w- c:\windows\system32\drivers\nortonpccheckup\02000F0.057
2011-10-04 01:23:24 -------- d-----w- c:\windows\system32\drivers\NortonPCCheckup
2011-10-04 01:23:23 -------- d-----w- c:\program files\Norton PC Checkup
2011-10-04 01:23:12 -------- d-----w- c:\program files\NortonInstaller
2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-09-28 15:24:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-24 17:52:15 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-08-24 17:52:15 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2011-08-15 15:00:06 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-08-15 15:00:06 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-08-15 15:00:06 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-08-15 15:00:06 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-08-15 15:00:06 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-08-15 15:00:06 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-08-15 15:00:06 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-08-15 15:00:06 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-08-15 15:00:06 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-08-15 15:00:06 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-07-30 12:49:12 7304 ----a-w- c:\windows\TMP0001.TMP
2011-07-27 19:19:19 0 ----a-w- c:\documents and settings\bill\zqjympijmh.tmp
2011-07-17 18:28:19 273344 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-07-17 18:28:19 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-07-17 18:26:02 273344 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
============= FINISH: 2:16:16.50 ===============



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-05 02:40:20
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Bill\LOCALS~1\Temp\pwxirfog.sys

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7868254]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7868268]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IoAllocateIrp + C 804EAFC9 7 Bytes CALL 89FF8C75
.xreloc C:\WINDOWS\system32\drivers\sfsync04.sys unknown last section [0xF74F6000, 0xC5E, 0x40000040]

? C:\WINDOWS\System32\DRIVERS\netbt.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0170000A
.text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0189000A
.text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 016F000C
.text C:\WINDOWS\System32\svchost.exe[1400] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01D9000A
.text C:\WINDOWS\System32\svchost.exe[1400] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 01DA000A
.text C:\WINDOWS\System32\svchost.exe[1400] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 01DB000A
.text C:\WINDOWS\System32\svchost.exe[1400] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 01C0000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

The DDS Report was completed without a hitch, but the GMER one could not be completed because the program suddenly closes when it reaches a certain point, just like what happened with Malwarebytes. So, the GMER report I uploaded here is likely incomplete, but hopefully it should provide some information regarding this issue.

Now, the GMER scan was done in Safe Mode with Networking, so the weird process with the bunch of numbers and colon in its name was an active process at the time. Anyway, the GMER scan stops right when it gets to directory \cdfs, where yet another item was found by GMER.

It is a Module; its name is (noname) (***hidden***), and its value is B827F000-B82A0000 (135168 bytes).

I managed to get a screencap of it using the print screen button on my keyboard, and only need your or another admin's permission to attach it in a response. I'm new here, so I'm just trying to be careful in terms of attachments.

I might be away for the night or even two days, but as soon as I come home, I will immediately post back here. Thank you for your patience.

Edited by Budapest, 05 October 2011 - 04:50 PM.



#2 AngrySun86 (Topic Starter, Members)

Posted 06 October 2011 - 02:32 PM

I still have the problem, so I have been booting my computer in Safe Mode unless I need to get something online or I need to send an email. And I also did a search on my C drive and found two instances of a (possibly) blank file named "3016895728", one in the WINDOWS directory, and one in the Prefetch directory inside the WINDOWS directory. Do you suggest I should delete those? Should I send another DDS report?
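
Added here as an editor's example (not code from any poster, nor from the DDS or GMER tools): a Python parser for the DDS "Running Processes" and GMER "User code sections" lines posted above. It flags the entry with a second colon in its path, which in a Windows path names an NTFS alternate data stream (host file 3016895728, stream 265497932.exe; consistent with the empty-looking host file found in post #2), and lists the inline JMP hooks GMER reported inside svchost.exe[1400]. The sample lines are constructed from the logs in this thread; the 0x70000000 threshold is an assumption about where 32-bit XP maps system DLLs, not something the page states.

```python
import re

# Constructed sample: lines copied from the DDS "Running Processes" section
# posted in this thread, framed by the neighbouring section headers.
DDS_SAMPLE = """\
============== Running Processes ===============
.
C:\\WINDOWS\\system32\\svchost -k DcomLaunch
svchost.exe
C:\\WINDOWS\\3016895728:265497932.exe
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\system32\\spoolsv.exe
.
============== Pseudo HJT Report ===============
"""

# Constructed sample: three of the GMER "User code sections" lines from the
# same thread, framed by the neighbouring GMER section headers.
GMER_SAMPLE = """\
---- User code sections - GMER 1.0.15 ----
.text C:\\WINDOWS\\System32\\svchost.exe[1400] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0170000A
.text C:\\WINDOWS\\System32\\svchost.exe[1400] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0189000A
.text C:\\WINDOWS\\System32\\svchost.exe[1400] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 01C0000A
---- Devices - GMER 1.0.15 ----
"""

# A Windows path carries exactly one colon, right after the drive letter. A
# second colon inside the last path component separates the host file from an
# NTFS alternate data stream (host:stream). Code run from a stream does not
# show up in a plain directory listing, and the host file can look empty.
ADS_PATH = re.compile(r"^[A-Za-z]:\\.*?([^\\]+):([^\\:]+)$")


def section(text, start_marker, end_prefix):
    """Return the non-filler lines between a header containing start_marker
    and the next line that begins with end_prefix (DDS prints '.' as filler)."""
    lines, inside = [], False
    for line in text.splitlines():
        if start_marker in line:
            inside = True
            continue
        if inside and line.startswith(end_prefix):
            break
        if inside and line.strip() not in ("", "."):
            lines.append(line.strip())
    return lines


def find_ads_processes(dds_text):
    """Flag DDS running-process entries whose path names an NTFS stream."""
    hits = []
    for line in section(dds_text, "Running Processes", "====="):
        m = ADS_PATH.match(line)
        if m:
            hits.append({"path": line, "host_file": m.group(1), "stream": m.group(2)})
    return hits


# GMER reports an inline user-mode hook as:
#   .text <image>[<pid>] <module>!<export> <address> <n> Bytes JMP <target>
HOOK_LINE = re.compile(
    r"^\.text\s+(?P<process>\S+)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<function>\S+)\s+(?P<address>[0-9A-Fa-f]+)\s+"
    r"(?P<size>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)$"
)

# Assumption (not from the page): on 32-bit XP the system DLLs seen here map
# at 0x7xxxxxxx, so a JMP that lands far below that range points at memory
# that is not a loaded system DLL and deserves a closer look.
SYSTEM_DLL_FLOOR = 0x70000000


def find_user_hooks(gmer_text):
    """Parse the inline JMP hooks GMER listed, one record per patched export."""
    hooks = []
    for line in section(gmer_text, "User code sections", "----"):
        m = HOOK_LINE.match(line)
        if not m:
            continue
        target = int(m.group("target"), 16)
        hooks.append({
            "process": m.group("process"),
            "pid": int(m.group("pid")),
            "function": f"{m.group('module')}!{m.group('function')}",
            "patched_at": int(m.group("address"), 16),
            "target": target,
            "target_below_system_dlls": target < SYSTEM_DLL_FLOOR,
        })
    return hooks


def triage(dds_text, gmer_text):
    """Combine both views: processes that run from a stream, and PIDs whose
    hooks jump to memory below the system DLL range."""
    hooked_pids = sorted({h["pid"] for h in find_user_hooks(gmer_text)
                          if h["target_below_system_dlls"]})
    return {"ads_processes": find_ads_processes(dds_text), "hooked_pids": hooked_pids}


if __name__ == "__main__":
    for key, value in triage(DDS_SAMPLE, GMER_SAMPLE).items():
        print(key, value)
```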

#3 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 08 October 2011 - 01:42 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    C:\WINDOWS\3016895728
  • Press Create button and post the content of the Result.txt.

    Important: Restart the computer.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 AngrySun86 (Topic Starter, Members)

Posted 08 October 2011 - 02:14 PM

:unsure: Um...
Sorry, I don't have a Combofix report ready. I disabled the firewall, real-time search, anti-spam, and updates for my Verizon Internet Suite, and my copy of MalwareBytes is unregistered, meaning I have no need to disable anything with that. I also disabled the firewall for the Windows Security Center, and antivirus is already off since the Verizon Internet Suite is basically disabled.

Anyway, I ran Combofix, and at first it was doing well. It asked me to let it install the Microsoft Recovery Console, and I let it do that, but when the bar for downloading (installing?) it reached 100%, it just stopped. The hard drive light was still blinking, but it seemed to be doing nothing. This went on for half an hour, much longer than it should take for the Recovery Console to install, even manually.

So, after that half hour, I shut the computer off, rebooted it, and ran Combofix again. This time, it skipped the prompt to install the Recovery Console and went ahead with the scan. It then discovered the 0Access Rootkit and told me to let it restart and NOT RESTART IT MYSELF. :exclame:

The problem? Once it got to the point where the only things visible were my mouse cursor and the wallpaper, nothing happened. I'm still able to get the Task Manager up, and that process with all those numbers and a colon in its name is not in the running processes. I'm planning to let the computer run until 4:00 pm. If it does nothing by then, I'll shut it off and reboot it. Should I go ahead and do that? :ph34r:

#5 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 08 October 2011 - 03:01 PM

Hello

reboot the computer and report what happens


gringo

#6 AngrySun86 (Topic Starter, Members)

Posted 08 October 2011 - 03:30 PM

Well, I've done as you have told me.
So, here's what happened:

As soon as my wallpaper shown up, Combofix has already started. :huh:
It starts as normal, and so far, it's gone to Stage_3
A Verizon Internet Suite pop up thing shows up telling me the computer's at risk, I click "cancel", and Combofix continues...
Or not. So far it's got to Stage_3, the underscore bleow it is still flashing, meaning that it works, so I think Stage_4 is taking a while?

I'll make a new post when or even IF it gets to or past Stage_4.

Also, did the Recovery Console thing actually install, you think? Normally, it would've prompted a pop up saying that it's installed, but... should I have installed it manually? :mellow:

*Update*

WOW!!! :o
It's gotten to Stage_32 now! Maybe it'll be done shortly! :lol:

Now it's at Stage_50!
It deleted some things too.

And it seems to be running normally. Then again, this is the first time I ran this program, so I dunno...
I'll update if it does something weird.

Edited by AngrySun86, 08 October 2011 - 03:35 PM.


#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:13 AM

Posted 08 October 2011 - 03:37 PM

Hello

Make a new post when it completes.


gringo

#8 AngrySun86

AngrySun86
  • Topic Starter

  • Members
  • 17 posts
  • Local time:02:13 AM

Posted 08 October 2011 - 03:53 PM

Tada! :thumbup2: As promised, here's the report:

ComboFix 11-10-08.02 - Bill 10/08/2011 15:19:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2582 [GMT -5:00]
Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
AV: Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Bill\Application Data\Microsoft\Internet Explorer\Quick Launch\System Repair.lnk
c:\documents and settings\Bill\WINDOWS
c:\documents and settings\Bill\zqjympijmh.tmp
C:\Install.exe
c:\program files\google\common\google updater\googleupdaterservice.exe
c:\program files\messenger\msmsgsin.exe
c:\windows\$NtUninstallKB56672$
c:\windows\$NtUninstallKB56672$\2094798404
c:\windows\$NtUninstallKB56672$\4029469363\@
c:\windows\$NtUninstallKB56672$\4029469363\bckfg.tmp
c:\windows\$NtUninstallKB56672$\4029469363\cfg.ini
c:\windows\$NtUninstallKB56672$\4029469363\Desktop.ini
c:\windows\$NtUninstallKB56672$\4029469363\keywords
c:\windows\$NtUninstallKB56672$\4029469363\kwrd.dll
c:\windows\$NtUninstallKB56672$\4029469363\L\akygdmgo
c:\windows\$NtUninstallKB56672$\4029469363\lsflt7.ver
c:\windows\$NtUninstallKB56672$\4029469363\U\00000001.@
c:\windows\$NtUninstallKB56672$\4029469363\U\00000002.@
c:\windows\$NtUninstallKB56672$\4029469363\U\80000000.@
c:\windows\$NtUninstallKB56672$\4029469363\U\80000032.@
c:\windows\3016895728
c:\windows\system32\Cache
c:\windows\system32\d3d9caps.dat
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_f02cd2b3
.
.
((((((((((((((((((((((((( Files Created from 2011-09-08 to 2011-10-08 )))))))))))))))))))))))))))))))
.
.
2011-10-08 18:29 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-10-08 17:49 . 2011-10-08 17:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-10-08 17:49 . 2011-10-08 17:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-10-05 02:38 . 2011-10-05 02:38 1324 ----a-w- c:\documents and settings\Bill\Local Settings\Application Data\d3d9caps.tmp
2011-10-04 23:23 . 2011-10-04 23:23 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Safe mirror
2011-10-04 23:22 . 2011-10-04 23:24 -------- d-----w- c:\program files\Cobian Backup 10
2011-10-04 23:10 . 2011-10-04 23:20 -------- d-----w- c:\program files\Cobian Backup 8
2011-10-04 18:00 . 2011-10-04 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-04 18:00 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-04 01:23 . 2011-10-04 01:23 -------- d-----w- c:\windows\system32\drivers\NortonPCCheckup
2011-10-04 01:23 . 2011-10-04 01:23 -------- d-----w- c:\program files\Norton PC Checkup
2011-10-04 01:23 . 2011-10-04 01:23 -------- d-----w- c:\program files\NortonInstaller
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-28 15:24 . 2011-05-15 03:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2001-08-23 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-24 17:52 . 2011-08-24 17:52 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-08-24 17:52 . 2011-08-24 17:52 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2011-08-15 15:00 . 2010-12-17 01:06 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-08-15 15:00 . 2010-12-17 01:06 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-08-15 15:00 . 2010-12-17 01:06 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-08-15 15:00 . 2010-12-17 01:06 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-08-15 15:00 . 2010-12-17 01:06 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-08-15 15:00 . 2010-12-17 01:06 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-08-15 15:00 . 2010-12-17 01:06 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-08-15 15:00 . 2010-12-17 01:06 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-08-15 15:00 . 2010-12-17 01:06 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-08-15 15:00 . 2010-12-17 01:06 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-07-30 12:49 . 2010-07-11 04:47 7304 ----a-w- c:\windows\TMP0001.TMP
2011-07-15 13:29 . 2001-08-23 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-07-06 21:32 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EXSHOW95.EXE]
2001-09-07 21:18 45056 ----a-w- c:\windows\system32\exshow95.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-07-30 02:59 136176 ----atw- c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel AppUp(SM) center]
2011-03-23 17:29 933 ----a-w- c:\program files\Intel\IntelAppStore\bin\serviceManager.lnk
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-09-17 21:40 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe]
2011-09-10 05:51 1317016 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2010-05-10 20:12 439568 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
2009-06-25 18:36 177152 ----a-w- c:\windows\system32\mqrt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-05-21 11:01 13895272 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-05-21 11:01 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2011-05-05 05:02 1632360 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-08-17 10:39 90112 ----a-r- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-05-22 22:49 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2010-03-16 22:28 4281584 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Verizon\\VSP\\ServicepointService.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Steam\\steamapps\\common\\portal 2\\portal2.exe"=
"d:\\Steam\\steamapps\\angrysun86\\garrysmod\\hl2.exe"=
"d:\\Steam\\steamapps\\common\\sega classics\\SEGAGenesisClassics.exe"=
"d:\\Steam\\steamapps\\common\\commander keen\\Keen 1.bat"=
"d:\\Steam\\steamapps\\common\\commander keen\\Keen 2.bat"=
"d:\\Steam\\steamapps\\common\\commander keen\\testapp3.bat"=
"d:\\Steam\\steamapps\\common\\commander keen\\testapp4.bat"=
"d:\\Steam\\steamapps\\common\\commander keen\\testapp5.bat"=
"d:\\Steam\\steamapps\\common\\serious sam hd the first encounter\\Bin\\SamHD.exe"=
"d:\\Steam\\steamapps\\common\\serious sam hd the second encounter\\Bin\\SamHD_TSE.exe"=
"d:\\Steam\\steamapps\\common\\serious sam hd the second encounter\\Bin\\SamHD_TSE_Unrestricted.exe"=
"d:\\Steam\\steamapps\\common\\poker night at the inventory\\CelebrityPoker.exe"=
"d:\\Steam\\steamapps\\common\\serioussamdoubled\\SSGame.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [7/5/2006 7:46 AM 63352]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/16/2010 8:06 PM 89624]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/23/2001 7:00 AM 14336]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 2:11 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 4:40 PM 12856]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/16/2010 8:06 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/16/2010 8:06 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/16/2010 8:06 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/16/2010 8:06 PM 160344]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [12/16/2010 8:06 PM 148520]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [7/17/2011 1:27 PM 2214504]
R2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [12/16/2010 8:03 PM 689392]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/16/2010 8:06 PM 57432]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/16/2010 8:06 PM 338040]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/16/2010 8:06 PM 83688]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/22/2011 5:49 PM 136176]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/11/2010 12:50 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/11/2010 12:50 PM 8456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/22/2011 5:49 PM 136176]
S3 KID_USB;Kensington Input Devices USB filter driver;c:\windows\system32\drivers\KID_USB.sys [9/5/2001 11:42 AM 16344]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/16/2010 8:06 PM 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/16/2010 8:06 PM 87808]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/23/2001 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 McOobeSv;McAfee OOBE Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/16/2010 8:06 PM 214904]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-22 22:49]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-22 22:49]
.
2011-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1770027372-725345543-1003Core.job
- c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-29 02:59]
.
2011-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1770027372-725345543-1003UA.job
- c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-29 02:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.youtube.com/user/dawnkeykawng
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1 68.238.96.12
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe
MSConfigStartUp-Steam - c:\program files\Steam\Steam.exe
AddRemove-Steam App 220 - c:\program files\Steam\steam.exe
AddRemove-Steam App 31280 - c:\program files\Steam\steam.exe
AddRemove-Steam App 400 - c:\program files\Steam\steam.exe
AddRemove-Steam App 4000 - c:\program files\Steam\steam.exe
AddRemove-Steam App 440 - c:\program files\Steam\steam.exe
AddRemove-Steam App 620 - c:\program files\Steam\steam.exe
AddRemove-Steam App 9180 - c:\program files\Steam\steam.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-08 15:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-507921405-1770027372-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:6c,2b,33,ca,ed,ff,06,31,6e,2c,b7,eb,c2,ba,3b,e0,4f,5d,66,8f,07,
df,70,cf,51,76,a9,57,2c,a9,94,d2,88,33,d6,2a,b5,4d,02,ad,40,f3,27,10,23,2f,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(1088)
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(1884)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\windows\System32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\System32\msdtc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\mqsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\System32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dllhost.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-10-08 15:47:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-08 20:47
.
Pre-Run: 200,495,288,320 bytes free
Post-Run: 204,412,514,304 bytes free
.
- - End Of File - - 79F709BACF5F5BE1CD10C4ECC8E56713

That infernal process with the numbers and the colon in its name is not up and running! :thumbsup: Thank you thank you thank you~! :clapping:

So, should I re-enable the firewall and everything and run MalwareBytes?

Edited by AngrySun86, 08 October 2011 - 04:00 PM.
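The report above is a plain-text format that lends itself to automated triage. As an added example (not code from the thread or from ComboFix), this Python script parses an excerpt copied from the posted report and flags the protection-state problems it shows: both security products reported disabled, Security Center monitoring switched off, the Windows Firewall standard profile disabled, the "@" component files removed from the `$NtUninstallKB56672$` folder, and the disinfected `netbt.sys`. Function and regex names are the example's own.

```python
import re
from collections import OrderedDict

# Excerpt copied from the ComboFix report posted above, trimmed to the lines
# this example exercises (sample input, not a complete report).
SAMPLE_REPORT = r"""
ComboFix 11-10-08.02 - Bill 10/08/2011 15:19:39.1.2 - x86
AV: Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\$NtUninstallKB56672$\4029469363\@
c:\windows\$NtUninstallKB56672$\4029469363\U\80000032.@
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-09-08 to 2011-10-08 )))))))))))))))))))))))))))))))
.
2011-10-08 18:29 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-10-04 18:00 . 2011-10-04 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r'^\({3,}\s*(.+?)\s*\){3,}\s*$')      # (((( name ))))
STATUS_RE = re.compile(r'^(AV|FW): (.+?) \*([^*]+)\*')          # AV: name *state*
FILE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)'
                     r'\s+(\S+)\s+(\S+)\s+(.+)$')                # created . modified size attrs path
REGKEY_RE = re.compile(r'^\[(.+)\]$')
ROOTKIT_FILE_RE = re.compile(r'\\\$NtUninstall[^\\]*\$\\.*@$')  # "@" files under $NtUninstall*$


def split_sections(report):
    """Return (preamble lines, OrderedDict name -> lines); '.' spacer lines are dropped."""
    preamble, sections, current = [], OrderedDict(), None
    for raw in report.splitlines():
        line = raw.rstrip()
        if not line or line == '.':
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is None:
            preamble.append(line)
        else:
            sections[current].append(line)
    return preamble, sections


def parse_files(lines):
    """Parse 'Files Created' / 'Find3M' rows into dicts (size is None for directories)."""
    rows = []
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            size = None if m.group(3).startswith('-') else int(m.group(3))
            rows.append({'created': m.group(1), 'modified': m.group(2),
                         'size': size, 'attrs': m.group(4), 'path': m.group(5)})
    return rows


def triage(report):
    """Return human-readable findings about the protection state the report shows."""
    preamble, sections = split_sections(report)
    findings = []
    for line in preamble:                       # AV/FW status lines in the header
        m = STATUS_RE.match(line)
        if m and 'Disabled' in m.group(3):
            findings.append(f'{m.group(1)} "{m.group(2)}" reported as {m.group(3)}')
    deletions = sections.get('Other Deletions', [])
    paths = [l for l in deletions if re.match(r'^[a-zA-Z]:\\', l)]
    payloads = [p for p in paths if ROOTKIT_FILE_RE.search(p)]
    if payloads:
        findings.append(f'{len(payloads)} "@" component files removed from a $NtUninstall*$ directory')
    findings += [l for l in deletions if l.lower().startswith('infected copy of')]
    key = None                                  # registry values that weaken protection
    for line in sections.get('Reg Loading Points', []):
        m = REGKEY_RE.match(line)
        if m:
            key = m.group(1)
        elif key and '\\Monitoring\\' in key and 'security center' in key.lower() \
                and line.startswith('"DisableMonitoring"=dword:') and line.endswith('1'):
            product = key.rsplit('\\', 1)[-1]
            findings.append(f'Security Center monitoring disabled for {product}')
        elif key and key.lower().endswith('firewallpolicy\\standardprofile') \
                and line.startswith('"EnableFirewall"= 0'):
            findings.append('Windows Firewall standard profile disabled')
    return findings
```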


#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:13 AM

Posted 08 October 2011 - 04:02 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#10 AngrySun86

AngrySun86
  • Topic Starter

  • Members
  • 17 posts
  • Local time:02:13 AM

Posted 08 October 2011 - 04:20 PM

ComboFix 11-10-08.04 - Bill 10/08/2011 16:08:58.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2394 [GMT -5:00]
Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bill\Desktop\CFScript.txt
AV: Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-09-08 to 2011-10-08 )))))))))))))))))))))))))))))))
.
.
2011-10-08 18:29 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-10-08 17:49 . 2011-10-08 17:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-10-08 17:49 . 2011-10-08 17:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2011-10-05 02:38 . 2011-10-05 02:38 1324 ----a-w- c:\documents and settings\Bill\Local Settings\Application Data\d3d9caps.tmp
2011-10-04 23:23 . 2011-10-04 23:23 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Safe mirror
2011-10-04 23:22 . 2011-10-04 23:24 -------- d-----w- c:\program files\Cobian Backup 10
2011-10-04 23:10 . 2011-10-04 23:20 -------- d-----w- c:\program files\Cobian Backup 8
2011-10-04 18:00 . 2011-10-04 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-04 18:00 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-04 01:23 . 2011-10-04 01:23 -------- d-----w- c:\windows\system32\drivers\NortonPCCheckup
2011-10-04 01:23 . 2011-10-04 01:23 -------- d-----w- c:\program files\Norton PC Checkup
2011-10-04 01:23 . 2011-10-04 01:23 -------- d-----w- c:\program files\NortonInstaller
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-28 15:24 . 2011-05-15 03:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2001-08-23 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-24 17:52 . 2011-08-24 17:52 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-08-24 17:52 . 2011-08-24 17:52 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2011-08-15 15:00 . 2010-12-17 01:06 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-08-15 15:00 . 2010-12-17 01:06 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-08-15 15:00 . 2010-12-17 01:06 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-08-15 15:00 . 2010-12-17 01:06 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-08-15 15:00 . 2010-12-17 01:06 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-08-15 15:00 . 2010-12-17 01:06 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-08-15 15:00 . 2010-12-17 01:06 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-08-15 15:00 . 2010-12-17 01:06 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-08-15 15:00 . 2010-12-17 01:06 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-08-15 15:00 . 2010-12-17 01:06 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-07-30 12:49 . 2010-07-11 04:47 7304 ----a-w- c:\windows\TMP0001.TMP
2011-07-15 13:29 . 2001-08-23 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-07-06 21:32 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EXSHOW95.EXE]
2001-09-07 21:18 45056 ----a-w- c:\windows\system32\exshow95.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-07-30 02:59 136176 ----atw- c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel AppUp(SM) center]
2011-03-23 17:29 933 ----a-w- c:\program files\Intel\IntelAppStore\bin\serviceManager.lnk
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-09-17 21:40 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe]
2011-09-10 05:51 1317016 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2010-05-10 20:12 439568 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
2009-06-25 18:36 177152 ----a-w- c:\windows\system32\mqrt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-05-21 11:01 13895272 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-05-21 11:01 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2011-05-05 05:02 1632360 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-08-17 10:39 90112 ----a-r- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-05-22 22:49 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2010-03-16 22:28 4281584 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Verizon\\VSP\\ServicepointService.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Steam\\steamapps\\common\\portal 2\\portal2.exe"=
"d:\\Steam\\steamapps\\angrysun86\\garrysmod\\hl2.exe"=
"d:\\Steam\\steamapps\\common\\sega classics\\SEGAGenesisClassics.exe"=
"d:\\Steam\\steamapps\\common\\commander keen\\Keen 1.bat"=
"d:\\Steam\\steamapps\\common\\commander keen\\Keen 2.bat"=
"d:\\Steam\\steamapps\\common\\commander keen\\testapp3.bat"=
"d:\\Steam\\steamapps\\common\\commander keen\\testapp4.bat"=
"d:\\Steam\\steamapps\\common\\commander keen\\testapp5.bat"=
"d:\\Steam\\steamapps\\common\\serious sam hd the first encounter\\Bin\\SamHD.exe"=
"d:\\Steam\\steamapps\\common\\serious sam hd the second encounter\\Bin\\SamHD_TSE.exe"=
"d:\\Steam\\steamapps\\common\\serious sam hd the second encounter\\Bin\\SamHD_TSE_Unrestricted.exe"=
"d:\\Steam\\steamapps\\common\\poker night at the inventory\\CelebrityPoker.exe"=
"d:\\Steam\\steamapps\\common\\serioussamdoubled\\SSGame.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [7/5/2006 7:46 AM 63352]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/16/2010 8:06 PM 89624]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/23/2001 7:00 AM 14336]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 2:11 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 4:40 PM 12856]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/16/2010 8:06 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/16/2010 8:06 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/16/2010 8:06 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/16/2010 8:06 PM 160344]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [12/16/2010 8:06 PM 148520]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [7/17/2011 1:27 PM 2214504]
R2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [12/16/2010 8:03 PM 689392]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/16/2010 8:06 PM 57432]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/16/2010 8:06 PM 338040]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/16/2010 8:06 PM 83688]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/22/2011 5:49 PM 136176]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/11/2010 12:50 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/11/2010 12:50 PM 8456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/22/2011 5:49 PM 136176]
S3 KID_USB;Kensington Input Devices USB filter driver;c:\windows\system32\drivers\KID_USB.sys [9/5/2001 11:42 AM 16344]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/16/2010 8:06 PM 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/16/2010 8:06 PM 87808]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/23/2001 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 McOobeSv;McAfee OOBE Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/16/2010 8:06 PM 214904]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-22 22:49]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-22 22:49]
.
2011-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1770027372-725345543-1003Core.job
- c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-29 02:59]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1770027372-725345543-1003UA.job
- c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-29 02:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.youtube.com/user/dawnkeykawng
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1 68.238.96.12
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-08 16:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-507921405-1770027372-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:6c,2b,33,ca,ed,ff,06,31,6e,2c,b7,eb,c2,ba,3b,e0,4f,5d,66,8f,07,
df,70,cf,51,76,a9,57,2c,a9,94,d2,88,33,d6,2a,b5,4d,02,ad,40,f3,27,10,23,2f,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(1088)
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(1876)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-10-08 16:19:02
ComboFix-quarantined-files.txt 2011-10-08 21:19
ComboFix2.txt 2011-10-08 20:47
.
Pre-Run: 204,317,417,472 bytes free
Post-Run: 204,303,335,424 bytes free
.
- - End Of File - - 693F35EB26357E4F0E6B8AF47D37C822

I'm not sure what that did, but here's to hoping... :wink:

My computer is doing fine at the moment. And the Google redirecting thing doesn't happen, either, though that might have been taken care of after the last scan.

Edited by AngrySun86, 08 October 2011 - 04:29 PM.
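The ComboFix report above records several weakened protections worth a second look: Windows Firewall disabled in the standard profile ("EnableFirewall"= 0), Security Center monitoring switched off for the McAfee products, a globally open port rule for Windows Remote Management, and batch files in the firewall exception list. As an added example (not part of this thread, not ComboFix's own code), the Python script below reads those registry sections out of a ComboFix-style log and flags the settings a malware responder reviews. The embedded excerpt is constructed from the lines above; the "3389:TCP ... Enabled" rule is a constructed addition so the active-rule branch is exercised.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in ComboFix's registry-dump layout, modelled on the report
# posted above. The "3389:TCP ... Enabled" rule is constructed to show an active
# globally open port; it is not in the original log.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"d:\\Steam\\steamapps\\common\\commander keen\\Keen 1.bat"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP"= 3389:TCP:*:Enabled:Remote Desktop
'''

@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    key: str        # registry key the value was read from
    message: str

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
# GloballyOpenPorts values look like  port:proto:scope:Enabled|Disabled:rule name
PORT_RE = re.compile(r"^(\d+):(TCP|UDP):([^:]*):(Enabled|Disabled):(.*)$")

def parse_registry_dump(text):
    """Yield (key, value_name, raw_value) for every "name"=value line under a [key] header."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            yield current, m.group(1), m.group(2).strip()

def dword_value(raw):
    """ComboFix prints DWORDs two ways: 'dword:00000001' and '1 (0x1)'."""
    m = re.match(r"^dword:([0-9a-fA-F]{1,8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return None

def assess_firewall_posture(text):
    """Return the findings a responder would review in the firewall / Security Center sections."""
    findings = []
    for key, name, raw in parse_registry_dump(text):
        lower = key.lower()
        if "security center\\monitoring\\" in lower and name == "DisableMonitoring":
            if dword_value(raw) == 1:
                product = key.rsplit("\\", 1)[-1]
                findings.append(Finding("medium", key,
                    f"Security Center no longer monitors {product}; verify that product is actually running"))
        elif lower.endswith("firewallpolicy\\standardprofile"):
            if name == "EnableFirewall" and dword_value(raw) == 0:
                findings.append(Finding("high", key, "Windows Firewall is disabled in the standard profile"))
            elif name == "DisableNotifications" and dword_value(raw) == 1:
                findings.append(Finding("low", key,
                    "firewall notifications are suppressed; new listeners will not prompt the user"))
        elif lower.endswith("globallyopenports\\list"):
            m = PORT_RE.match(raw)
            if m is None:
                continue
            port, proto, scope, state, rule = m.groups()
            scope = "any address" if scope == "*" else scope
            if state == "Enabled":
                findings.append(Finding("high", key, f"port {port}/{proto} is open to {scope} ({rule})"))
            else:
                findings.append(Finding("low", key,
                    f"inactive port rule for {port}/{proto} ({rule}); remove it if unused"))
        elif lower.endswith("authorizedapplications\\list"):
            path = name.replace("\\\\", "\\")   # the dump doubles every backslash
            if path.lower().endswith((".bat", ".cmd")):
                findings.append(Finding("low", key, f"batch file exempted from the firewall: {path}"))
    return findings

def count_by_severity(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

if __name__ == "__main__":
    results = assess_firewall_posture(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.message}")
    print(count_by_severity(results))
```

Against the constructed excerpt the script reports two high findings (the disabled firewall and the constructed active 3389/TCP rule), two medium ones (Security Center monitoring off for both McAfee entries) and three low ones. A "DisableMonitoring" flag is only medium because third-party suites commonly set it themselves; the point of the finding is to make the responder confirm the suite's own service is running, as the R2 McAfee service lines in the log above let you do.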


#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 October 2011 - 04:34 PM

Hello

I would like to see a report that ComboFix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 AngrySun86

AngrySun86
  • Topic Starter

  • Members
  • 17 posts

Posted 08 October 2011 - 04:37 PM

You mean this? :huh:

2007 Microsoft Office system
7-Zip 9.20
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.1.1)
Adobe Shockwave Player 11.5
Alien Swarm
Angry Birds
Audiosurf
Batman: Arkham Asylum GOTY Edition
Bing Bar
Bing Rewards Client Installer
BomberMan Collection
Business Contact Manager for Outlook 2007 SP2
Cobian Backup 10
EASEUS Partition Master 6.0.1 Home Edition
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Half-Life 2: Episode Two
Half-Life: Source
Hitman 2: Silent Assassin
Hitman: Blood Money
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
Intel AppUp(SM) center
Jamestown
Java Auto Updater
Java™ 6 Update 23
Junk Mail filter update
Left 4 Dead
Left 4 Dead 2
Lemmings for Windows 95
Lemmings Paintball
Lernout & Hauspie TruVoice American English TTS Engine
LogMeIn
Malwarebytes' Anti-Malware version 1.51.2.1300
McAfee Security Scan Plus
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
MSVCRT
MSXML 6.0 Parser
Noitu Love 2: Devolution
Norton PC Checkup
NVIDIA Control Panel 275.33
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA Graphics Driver 275.33
NVIDIA Install Application
NVIDIA nView 135.85
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA Update 1.3.5
NVIDIA Update Components
Oddworld: Abe's Exoddus
Oddworld: Abe's Oddysee
OpenAL
Quake
Quake II
Quake II: Ground Zero
Quake II: The Reckoning
Quake III Arena
Quake Mission Pack 1: Scourge of Armagon
Quake Mission Pack 2: Dissolution of Eternity
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553074)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2553073)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2124261)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2290570)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975254)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976323)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
SEGA Genesis & Mega Drive Classics
Segoe UI
Serious Sam Double D
Serious Sam HD: The First Encounter
Serious Sam HD: The Second Encounter
Space Channel 5: Part 2
Speakonia
SPORE™
SPORE™ Creepy & Cute Parts Pack
Star Wars®: Knights of the Old Republic ™
StarCraft II
Steam
System Requirements Lab
Taito Legends 2
Terraria
Universe Sandbox
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Windows (KB971513)
Update for Outlook 2007 Junk Email Filter (KB2553110)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Verizon Internet Security Suite
Verizon Servicepoint 3.5.18
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3

Edited by AngrySun86, 08 October 2011 - 04:38 PM.


#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 October 2011 - 04:41 PM

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select "Run as administrator".

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

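The instructions above ask for a HijackThis log and warn not to let the tool fix anything, because most entries it lists are harmless or required. As an added example (not part of this thread, not HijackThis's own code), the Python script below does the first-pass triage a responder performs on such a log: it flags R0/R1 browser pages that are not Internet Explorer's Microsoft defaults (for the user to confirm, not to auto-fix), O2/O3 entries whose DLL is absent ("(no file)" or "(file missing)"), and O4 autostarts that run from user-writable profile folders. The sample lines are constructed, modelled on the log later in this thread; the final O4 entry under Local Settings\Temp is a constructed addition so the last check has something to find.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed HijackThis-style lines modelled on the log posted in this thread.
# The final O4 line (an autostart under Local Settings\Temp) is constructed to
# exercise the user-profile check; it is not in the original log.
SAMPLE_LOG = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/user/dawnkeykawng
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\Bill\Local Settings\Temp\updater.exe
'''

@dataclass(frozen=True)
class Finding:
    severity: str   # "medium", "low" or "review"
    line: str       # the HijackThis line the finding came from
    message: str

LINE_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
R_RE = re.compile(r"^(HK(?:CU|LM)\\[^,]+),([^=]+?) = (.*)$")
BHO_RE = re.compile(r"^(BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^(.*?)\\Run: \[([^\]]+)\] (.*)$")

# Hosts Internet Explorer's own default pages point at; anything else is shown
# to the user for confirmation rather than treated as a hijack.
DEFAULT_HOSTS = {"go.microsoft.com", "www.microsoft.com"}
# Folders a logged-on user can write to without admin rights; autostarts there
# deserve a closer look (legitimate updaters live there too, hence "medium").
USER_WRITABLE = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\", "\\appdata\\")

def triage_hijackthis(text):
    """Return the entries a responder checks first in a HijackThis log."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        if section in ("R0", "R1"):
            r = R_RE.match(rest)
            if r:
                key, name, url = r.groups()
                host = urlparse(url.strip()).hostname or ""
                if host not in DEFAULT_HOSTS:
                    findings.append(Finding("review", line,
                        f"{name.strip()} is set to {host}; confirm the user chose this"))
        elif section in ("O2", "O3"):
            b = BHO_RE.match(rest)
            if b:
                kind, name, clsid, path = b.groups()
                if path == "(no file)" or path.endswith("(file missing)"):
                    findings.append(Finding("low", line,
                        f"orphaned {kind} {name} {clsid}: referenced DLL is absent"))
        elif section == "O4":
            o = RUN_RE.match(rest)
            if o:
                hive, name, command = o.groups()
                if any(marker in command.lower() for marker in USER_WRITABLE):
                    findings.append(Finding("medium", line,
                        f"autostart [{name}] under {hive} runs from a user-writable folder: {command}"))
    return findings

if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.message}")
```

On the constructed sample this yields one "review" item (the YouTube start page, which the thread's own poster set), three orphaned O2/O3 entries left behind by a removed Bing Bar (clutter rather than infection), and one medium finding for the constructed Temp-folder autostart. Nothing here decides what to remove; it orders what the helper should read first.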

#14 AngrySun86

AngrySun86
  • Topic Starter

  • Members
  • 17 posts

Posted 08 October 2011 - 05:16 PM

Alright! Here are the reports:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7904

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/8/2011 5:13:47 PM
mbam-log-2011-10-08 (17-13-47).txt

Scan type: Quick scan
Objects scanned: 196230
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:14:26 PM, on 10/8/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Verizon\VSP\ServicepointService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/user/dawnkeykawng
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111008121312.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1278817807964
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1278817830651
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\mcsniepl.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - Unknown owner - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: NVIDIA Driver Helper Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: ServicepointService - Radialpoint Inc. - C:\Program Files\Verizon\VSP\ServicepointService.exe

--
End of file - 10393 bytes

Everything's good, except that my Verizon Internet Suite still won't do a scan, quick or full. :angry:
MalwareBytes works, though! :lol:

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:13 AM

Posted 08 October 2011 - 05:31 PM

Hello

Please do the following:

Step One
Please download Junction.zip and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive.

Step Two
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

@ECHO OFF
REM Run junction.exe from the root of C: and write its scan of every reparse point to log.txt
cd c:\
junction -s c:\>log.txt
REM Open the log in Notepad, then remove this batch file
start log.txt
del %0

Save it to your desktop as File name: junc.bat
Save as type: All Files

Step Three
Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
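The junction scan above lists every reparse point under C:\ so that junctions planted by malware (and directories the scanner is refused access to) stand out. The script below is an added example of the same check in Python, not code from this thread or from Sysinternals; it reports reparse points (NTFS junctions or symlinks on Windows, symlinks elsewhere) plus any directory it could not read, without descending into the reparse points themselves. `demo()` builds a constructed sample tree in a temporary directory.

```python
import os
import stat
import tempfile

# Defined by the stat module on every platform; only meaningful in st_file_attributes on Windows
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_point(path):
    """True for an NTFS junction/symlink (Windows) or a symlink (other OSes)."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & REPARSE) or stat.S_ISLNK(st.st_mode)


def find_reparse_points(root):
    """Return (found, denied).

    found  : list of (path, target) for every reparse point under root
             (target is None when the link cannot be read)
    denied : paths that could not be opened; an entry here is itself worth
             a look, since denying access is one way malware hides a directory
    Reparse-point directories are pruned from the walk so loops are avoided.
    """
    found, denied = [], []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: denied.append(e.filename)):
        for name in list(dirnames) + filenames:
            full = os.path.join(dirpath, name)
            try:
                if not is_reparse_point(full):
                    continue
                try:
                    target = os.readlink(full)
                except OSError:
                    target = None
            except OSError:
                denied.append(full)
                continue
            found.append((full, target))
            if name in dirnames:
                dirnames.remove(name)  # do not follow the junction/symlink
    return found, denied


def demo():
    """Constructed sample tree: a real directory, a plain file and a link to the
    directory (os.symlink needs elevated rights on Windows; run there as admin)."""
    root = tempfile.mkdtemp(prefix="junc_demo_")
    os.mkdir(os.path.join(root, "real_dir"))
    with open(os.path.join(root, "plain.txt"), "w") as fh:
        fh.write("nothing to see\n")
    os.symlink(os.path.join(root, "real_dir"), os.path.join(root, "hidden_link"))
    found, denied = find_reparse_points(root)
    return {os.path.basename(p): t for p, t in found}, denied
```

Point `find_reparse_points` at a drive root to get the equivalent of the junc.bat log; the `denied` list is the part to read first.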



