
Ping.exe/Google Redirect Problem


  • This topic is locked
16 replies to this topic

#1 Gladiator12

Gladiator12

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:08 AM

Posted 13 December 2011 - 08:43 PM

Here is my original post in the "Am I Infected?" section of the forum:

A couple days ago I started noticing my computer running slower and sometimes running at 80-90%. Ran two McAfee scans, but nothing came up. Did some research and saw that it might be the ping.exe virus. Yesterday, when I searched Google (but it also happened with Bing), I started getting redirected to a different search engine/ad site. The first part of the site read as follows: "63.209.69.107".
Looks like some others on the forum have had similar problems. What can be done to fix this, and are the ping.exe and Google redirect problems the same thing? I am running Windows XP with Google Chrome as my browser.

Any help is appreciated.

I have run the DDS and GMER logs. Below is the DDS log as instructed by the forum. Also attached are the attach.txt and ark.txt files.

Thanks and any suggestions would be greatly appreciated!


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_29
Run by Kent Games at 17:49:25 on 2011-12-13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.494 [GMT -6:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\WINDOWS\system32\svchost.exe -k netsvc
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel Audio Studio\bak\IntelAudioStudio.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MAT\McPvTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Kent Games\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Kent Games\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kent Games\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kent Games\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\Documents and Settings\Kent Games\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\ping.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111126172352.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [<NO NAME>]
uRun: [ATI Launchpad] "c:\program files\ati multimedia\main\launchpd.exe"
uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE
uRun: [ATI Remote Control] c:\program files\ati multimedia\remctrl\ATIRW.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ATI Scheduler] c:\program files\ati multimedia\main\ATISched.EXE
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpyDefender Shield] "c:\program files\spydefender pro\SpyDefender.exe" --scan2
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [GetModule32] "c:\program files\getmodule\GetModule32.exe"
uRun: [system tool] c:\windows\sysguard.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Google Update] "c:\documents and settings\kent games\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\bak\IntelAudioStudio.exe" TRAY
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [HostManager] c:\program files\common files\aol\1156684526\ee\AOLSoftware.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [Name of App] c:\program files\samsung\fw liveupdate\Liveupdate.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McPvTray_exe] "c:\program files\mcafee\mat\McPvTray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\Load.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{792C7977-8C4C-4EAE-942B-F52296728255} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E4ECE80D-8BC9-4B1E-AD18-D426CBD6504A} : NameServer = 24.177.176.38,24.197.160.18
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: ggrisv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: esperantido: {67dc0736-075a-4647-95f5-d5421b838fed} - c:\windows\system32\svxmhpz.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBtSJyY
.
============= SERVICES / DRIVERS ===============
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2011-11-26 64048]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 464176]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-11-26 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2011-11-26 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-11-26 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-11-26 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-11-26 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-11-26 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-11-26 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-11-26 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-11-26 150856]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2004-8-3 14336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2006-8-26 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2006-8-26 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2006-8-26 9088]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-11-26 57600]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-28 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-28 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-11-26 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-11-26 83856]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-11-26 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-11-26 87656]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-28 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-28 40552]
.
=============== Created Last 30 ================
.
2011-11-26 23:27:14 -------- d-----w- c:\program files\McAfeeMOBK
2011-11-26 23:27:04 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-11-26 23:26:59 -------- d-----w- c:\program files\McAfee Online Backup
2011-11-26 23:26:43 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-11-26 23:26:42 -------- d-----w- c:\documents and settings\kent games\local settings\application data\McAfee Anti-Theft
2011-11-26 23:23:52 28760 ----a-w- c:\program files\mozilla firefox\ScriptFF.dll
2011-11-26 23:23:51 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-11-26 23:23:40 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-11-26 23:23:39 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-11-26 23:23:39 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-11-26 23:23:39 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-11-26 23:23:39 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-11-26 23:07:10 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-11-17 23:59:41 -------- d-----w- c:\program files\TeamViewer
.
==================== Find3M ====================
.
2011-11-11 01:27:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-19 00:50:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-19 00:50:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-15 19:16:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 19:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 19:16:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2007-02-11 00:39:40 774144 ----a-w- c:\program files\RngInterstitial.dll
.
============= FINISH: 17:54:58.53 ===============

Attached Files
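Triaging the "Pseudo HJT Report" section of a DDS log, as an added example that is not part of this thread and not a BleepingComputer or DDS tool: it parses the load-point lines in the format shown above and flags the entry types a responder looks at first (dangling CLSIDs, auto-start values with no command, executables given as a bare filename or sitting directly under c:\windows, a populated AppInit_DLLs, extra LSA authentication packages, and static DNS servers that differ from the DHCP-assigned ones). The category names and the heuristics are assumptions chosen for illustration, not the rules the forum's responders apply; the sample input is copied from the log in the post above.

```python
"""Triage helper for the 'Pseudo HJT Report' block of a DDS log (added example)."""
import re

# Sample input: lines copied from the DDS log posted in the thread above.
SAMPLE_REPORT = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [<NO NAME>]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [system tool] c:\windows\sysguard.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{792C7977-8C4C-4EAE-942B-F52296728255} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E4ECE80D-8BC9-4B1E-AD18-D426CBD6504A} : NameServer = 24.177.176.38,24.197.160.18
AppInit_DLLs: ggrisv.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBtSJyY
"""

# Assumption: a stock Windows XP LSA lists only msv1_0 as an authentication package.
KNOWN_AUTH_PACKAGES = {"msv1_0"}

# uRun/mRun lines: "[value name] command line"
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# TCP lines, with or without the per-interface GUID prefix
TCP_RE = re.compile(
    r"^TCP: (?:Interfaces\\\{[^}]+\}\s*: )?(?P<key>DhcpNameServer|NameServer) = (?P<val>.+)$"
)
# First executable path in a command line, quoted or not (paths may contain spaces)
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:"|\s|$)', re.I)


def _run_finding(cmd):
    """Classify one uRun/mRun command line; returns a category string or None."""
    if not cmd.strip():
        return "run-no-command"      # a value exists but launches nothing
    m = EXE_RE.match(cmd.strip())
    if not m:
        return None
    path = m.group("path").lower()
    if "\\" not in path:
        return "run-bare-name"       # resolved via PATH search, origin unclear
    if path.rsplit("\\", 1)[0] == r"c:\windows":
        return "run-windows-root"    # legitimate software rarely drops an exe here
    return None


def triage(report):
    """Return (category, line) pairs for the entries worth a second look."""
    lines = [ln.rstrip() for ln in report.splitlines() if ln.strip()]

    # Pass 1: collect the DHCP-assigned resolvers so static overrides can be compared.
    dhcp_servers = set()
    for ln in lines:
        m = TCP_RE.match(ln)
        if m and m.group("key") == "DhcpNameServer":
            dhcp_servers.update(s.strip() for s in m.group("val").split(","))

    # Pass 2: flag the load points.
    findings = []
    for ln in lines:
        if ln.startswith(("BHO:", "TB:")) and ln.endswith("- No File"):
            findings.append(("no-file", ln))          # CLSID registered, DLL gone
            continue
        m = RUN_RE.match(ln)
        if m:
            cat = _run_finding(m.group("cmd"))
            if cat:
                findings.append((cat, ln))
            continue
        if ln.startswith("AppInit_DLLs:") and ln.split(":", 1)[1].strip():
            findings.append(("appinit-dlls", ln))     # DLL injected into every GUI process
            continue
        if ln.startswith("LSA: Authentication Packages ="):
            pkgs = set(ln.split("=", 1)[1].split())
            if pkgs - KNOWN_AUTH_PACKAGES:
                findings.append(("lsa-auth-package", ln))
            continue
        m = TCP_RE.match(ln)
        if m and m.group("key") == "NameServer":
            static = {s.strip() for s in m.group("val").split(",")}
            if not static <= dhcp_servers:
                findings.append(("dns-override", ln))  # resolver not handed out by DHCP
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_REPORT):
        print(f"{category:18} {line}")
```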


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:08 AM

Posted 17 December 2011 - 10:32 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 Gladiator12

Gladiator12
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:08 AM

Posted 17 December 2011 - 11:32 AM

Thanks for the information. I ran ComboFix and below is the log. I did experience a problem: I can no longer access the internet on the infected computer. Every time I click on the Chrome shortcut the following message appears: "Google Chrome has encountered a problem and needs to close. We are sorry for the inconvenience." When I was running ComboFix, a message came up from ComboFix saying that the internet may not work due to the type of rootkit that was detected. I tried rebooting once and it didn't help. ComboFix suggested that I run ComboFix again; however, I DID NOT run ComboFix again, per your instructions. Thanks again for all your help and your time. Just let me know what I need to do next.

Here is the ComboFix log:

ComboFix 11-12-16.03 - Kent Games 12/17/2011 9:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.675 [GMT -6:00]
Running from: c:\documents and settings\Kent Games\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Start Menu\Online Security Guide.url
c:\documents and settings\All Users\Start Menu\security troubleshooting.url
c:\documents and settings\Kent Games\Favorites\Online Security Test.url
c:\documents and settings\Kent Games\System
c:\documents and settings\Kent Games\System\win_qs8.jqx
c:\documents and settings\Kent Games\WINDOWS
c:\documents and settings\NetworkService\Application Data\Adobe\sp.DLL
c:\program files\GetModule
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\Internet Explorer\sxs.dll
c:\program files\WinBudget
c:\program files\WinBudget\bin\matrix.dat
c:\windows\$NtUninstallKB11899$\435369864\@
c:\windows\$NtUninstallKB11899$\435369864\bckfg.tmp
c:\windows\$NtUninstallKB11899$\435369864\cfg.ini
c:\windows\$NtUninstallKB11899$\435369864\Desktop.ini
c:\windows\$NtUninstallKB11899$\435369864\keywords
c:\windows\$NtUninstallKB11899$\435369864\kwrd.dll
c:\windows\$NtUninstallKB11899$\435369864\L\fmefydes
c:\windows\$NtUninstallKB11899$\435369864\lsflt7.ver
c:\windows\$NtUninstallKB11899$\435369864\U\00000001.@
c:\windows\$NtUninstallKB11899$\435369864\U\00000002.@
c:\windows\$NtUninstallKB11899$\435369864\U\00000004.@
c:\windows\$NtUninstallKB11899$\435369864\U\80000000.@
c:\windows\$NtUninstallKB11899$\435369864\U\80000004.@
c:\windows\$NtUninstallKB11899$\435369864\U\80000032.@
c:\windows\$NtUninstallKB11899$\586650858
c:\windows\CSC\d6
c:\windows\dasetup.log
c:\windows\system32\YyJStBeg.ini
c:\windows\system32\YyJStBeg.ini2
c:\windows\wiaserviv.log
c:\windows\$NtUninstallKB11899$ . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_SPService
.
.
((((((((((((((((((((((((( Files Created from 2011-11-17 to 2011-12-17 )))))))))))))))))))))))))))))))
.
.
2011-11-26 23:27 . 2011-11-26 23:27 -------- d-----w- c:\program files\McAfeeMOBK
2011-11-26 23:27 . 2010-04-14 02:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-11-26 23:26 . 2011-11-26 23:27 -------- d-----w- c:\program files\McAfee Online Backup
2011-11-26 23:26 . 2011-04-11 20:29 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-11-26 23:26 . 2011-11-26 23:26 -------- d-----w- c:\documents and settings\Kent Games\Local Settings\Application Data\McAfee Anti-Theft
2011-11-26 23:23 . 2011-10-18 20:29 28760 ----a-w- c:\program files\Mozilla Firefox\ScriptFF.dll
2011-11-26 23:23 . 2011-10-15 19:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-11-26 23:23 . 2011-10-15 19:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-11-26 23:23 . 2011-10-15 19:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-11-26 23:23 . 2011-10-15 19:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-11-26 23:23 . 2011-10-15 19:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-11-26 23:23 . 2011-10-15 19:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-11-26 23:09 . 2011-11-26 23:09 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-11-26 23:07 . 2011-10-18 20:32 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-11-17 23:59 . 2011-11-27 15:30 -------- d-----w- c:\program files\TeamViewer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-11 01:27 . 2011-09-05 19:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-19 00:50 . 2011-10-19 00:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-19 00:50 . 2011-10-19 00:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-15 19:16 . 2011-03-13 17:20 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-15 19:16 . 2008-12-28 20:14 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 19:16 . 2008-12-28 20:14 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16 . 2008-06-27 11:08 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2007-02-11 00:39 . 2007-02-11 00:39 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [N/A]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [N/A]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [N/A]
"ATI Scheduler"="c:\program files\ATI Multimedia\main\ATISched.EXE" [N/A]
"SpyDefender Shield"="c:\program files\SpyDefender Pro\SpyDefender.exe" [N/A]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [N/A]
"GetModule32"="c:\program files\GetModule\GetModule32.exe" [N/A]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2011-08-22 6276408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [N/A]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\bak\IntelAudioStudio.exe" [2005-08-09 8597586]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [N/A]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [N/A]
"HostManager"="c:\program files\Common Files\AOL\1156684526\ee\AOLSoftware.exe" [N/A]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [N/A]
"Name of App"="c:\program files\SAMSUNG\FW LiveUpdate\Liveupdate.exe" [N/A]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [N/A]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [N/A]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [N/A]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-17 1318552]
"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\Load.exe [2005-8-5 36864]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156684526\\ee\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [11/26/2011 5:26 PM 64048]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/26/2011 5:23 PM 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [11/26/2011 5:27 PM 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/26/2011 5:23 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/26/2011 5:23 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [11/26/2011 5:23 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [11/26/2011 5:24 PM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/26/2011 5:07 PM 150856]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 6:38 AM 24652]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [8/26/2006 5:17 PM 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [8/26/2006 5:17 PM 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [8/26/2006 5:17 PM 9088]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/26/2011 5:23 PM 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/26/2011 5:23 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/26/2011 5:23 PM 83856]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/26/2011 5:23 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/26/2011 5:23 PM 87656]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-12-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1275210071-839522115-1003Core.job
- c:\documents and settings\Kent Games\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-27 15:17]
.
2011-12-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1275210071-839522115-1003UA.job
- c:\documents and settings\Kent Games\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-27 15:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E4ECE80D-8BC9-4B1E-AD18-D426CBD6504A}: NameServer = 24.177.176.38,24.197.160.18
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - (no file)
AddRemove-Information Center - c:\program files\Video Add-on\icun.exe
AddRemove-Move Networks Player_is1 - c:\documents and settings\Kent Games\Application Data\Move Networks\ie_bin\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-17 10:16
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Name of App = c:\program files\SAMSUNG\FW LiveUpdate\Liveupdate.exe??w???w???????w???w??o????????????w???????????????????????????????|????]??w????;?E??????!;???D???J??????pD???????;????? ???A?F?????b?@?????]??w ???;?E????????????????????w???w????????????????????????????x?G
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3660)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\vssvc.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2011-12-17 10:18:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-17 16:18
.
Pre-Run: 216,423,403,520 bytes free
Post-Run: 218,565,185,536 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 2A5FCB9DC20DB0A53BC2A1C5FD6FCE52

Edited by Gladiator12, 17 December 2011 - 11:37 AM.


#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 17 December 2011 - 01:46 PM

Gladiator12:

Please run ComboFix once more and reboot. If you are still unable to access the internet, please do this:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check the "Include All Files" box
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
Please include the following in your next post:
  • ComboFix log
  • FSS log (if applicable)

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 Gladiator12

Gladiator12
  • Topic Starter

  • Members
  • 10 posts

Posted 18 December 2011 - 08:07 AM

I ran ComboFix again and rebooted, and I am still receiving the same error message as above. See both the ComboFix and FSS logs below.

Thanks for all your help!


ComboFix 11-12-16.03 - Kent Games 12/18/2011 6:42.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.467 [GMT -6:00]
Running from: c:\documents and settings\Kent Games\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\CSC\d6
.
.
((((((((((((((((((((((((( Files Created from 2011-11-18 to 2011-12-18 )))))))))))))))))))))))))))))))
.
.
2011-11-26 23:27 . 2011-11-26 23:27 -------- d-----w- c:\program files\McAfeeMOBK
2011-11-26 23:27 . 2010-04-14 02:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-11-26 23:26 . 2011-11-26 23:27 -------- d-----w- c:\program files\McAfee Online Backup
2011-11-26 23:26 . 2011-04-11 20:29 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-11-26 23:26 . 2011-11-26 23:26 -------- d-----w- c:\documents and settings\Kent Games\Local Settings\Application Data\McAfee Anti-Theft
2011-11-26 23:23 . 2011-10-18 20:29 28760 ----a-w- c:\program files\Mozilla Firefox\ScriptFF.dll
2011-11-26 23:23 . 2011-10-15 19:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-11-26 23:23 . 2011-10-15 19:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-11-26 23:23 . 2011-10-15 19:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-11-26 23:23 . 2011-10-15 19:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-11-26 23:23 . 2011-10-15 19:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-11-26 23:23 . 2011-10-15 19:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-11-26 23:09 . 2011-11-26 23:09 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-11-26 23:07 . 2011-10-18 20:32 150856 ----a-w- c:\windows\system32\mfevtps.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-11 01:27 . 2011-09-05 19:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-19 00:50 . 2011-10-19 00:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-19 00:50 . 2011-10-19 00:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-15 19:16 . 2011-03-13 17:20 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-15 19:16 . 2008-12-28 20:14 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 19:16 . 2008-12-28 20:14 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16 . 2008-06-27 11:08 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2007-02-11 00:39 . 2007-02-11 00:39 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-17_16.14.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-18 12:29 . 2011-12-18 12:29 16384 c:\windows\Temp\Perflib_Perfdata_768.dat
+ 2011-12-18 12:28 . 2011-12-18 12:28 16384 c:\windows\Temp\Perflib_Perfdata_6c8.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-06-15 01:49 . 2005-06-15 01:49 53248 c:\program files\ATI Multimedia\main\bak\ATIDtct.EXE
.
2005-06-15 01:50 . 2005-06-15 01:50 36864 c:\program files\ATI Multimedia\main\bak\ATISched.EXE
.
2005-06-15 01:53 . 2005-06-15 01:53 102400 c:\program files\ATI Multimedia\main\bak\launchpd.exe
.
2005-05-10 20:21 . 2005-05-10 20:21 1482752 c:\program files\ATI Multimedia\RemCtrl\bak\ATIRW.exe
.
2005-08-06 05:07 . 2005-08-06 05:07 61440 c:\program files\ATI Technologies\ATI.ACE\bak\cli.exe
.
2006-05-10 00:24 . 2006-05-10 00:24 50760 c:\program files\Common Files\AOL\1156684526\ee\bak\AOLSoftware.exe
.
2006-02-17 16:59 . 2006-02-17 16:59 124520 c:\program files\Common Files\AOL\IPHSend\bak\IPHSend.exe
.
2007-01-02 18:05 . 2007-01-02 18:05 185896 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
.
2004-02-29 20:44 . 2004-02-29 20:44 66680 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
.
2006-09-06 22:08 . 2003-10-31 23:42 32768 c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe
.
2006-08-26 08:49 . 2005-08-09 21:35 8597586 c:\program files\Intel Audio Studio\bak\IntelAudioStudio.exe
.
2007-06-01 20:51 . 2007-06-01 20:51 257088 c:\program files\iTunes\bak\iTunesHelper.exe
2011-03-07 21:33 . 2011-03-07 21:33 421160 c:\program files\iTunes\iTunesHelper.exe
.
2007-04-08 01:34 . 2006-12-15 07:23 75520 c:\program files\Java\jre1.5.0_11\bin\bak\jusched.exe
.
2004-06-03 08:50 . 2004-06-03 08:50 204800 c:\program files\Microsoft IntelliPoint\bak\point32.exe
.
2004-06-03 08:51 . 2004-06-03 08:51 172032 c:\program files\Microsoft IntelliType Pro\bak\type32.exe
.
2007-06-29 10:24 . 2007-06-29 10:24 286720 c:\program files\QuickTime\bak\qttask.exe
2010-11-29 23:38 . 2010-11-29 23:38 421888 c:\program files\QuickTime\QTTask.exe
.
2004-03-12 19:18 . 2004-03-12 19:18 124128 c:\program files\Symantec AntiVirus\bak\VPTray.exe
.
2004-08-03 22:56 . 2004-08-03 22:56 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-03 22:56 . 2004-08-03 22:56 15360 c:\windows\system32\ctfmon.exe
.
2006-08-26 21:08 . 2001-07-09 14:50 155648 c:\windows\system32\bak\NeroCheck.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [N/A]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [N/A]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [N/A]
"ATI Scheduler"="c:\program files\ATI Multimedia\main\ATISched.EXE" [N/A]
"SpyDefender Shield"="c:\program files\SpyDefender Pro\SpyDefender.exe" [N/A]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [N/A]
"GetModule32"="c:\program files\GetModule\GetModule32.exe" [N/A]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2011-08-22 6276408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [N/A]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\bak\IntelAudioStudio.exe" [2005-08-09 8597586]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [N/A]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [N/A]
"HostManager"="c:\program files\Common Files\AOL\1156684526\ee\AOLSoftware.exe" [N/A]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [N/A]
"Name of App"="c:\program files\SAMSUNG\FW LiveUpdate\Liveupdate.exe" [N/A]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [N/A]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [N/A]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [N/A]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-17 1318552]
"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\Load.exe [2005-8-5 36864]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156684526\\ee\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [11/26/2011 5:26 PM 64048]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/26/2011 5:23 PM 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [11/26/2011 5:27 PM 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/26/2011 5:23 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/26/2011 5:23 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [11/26/2011 5:23 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [11/26/2011 5:24 PM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/26/2011 5:07 PM 150856]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 6:38 AM 24652]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [8/26/2006 5:17 PM 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [8/26/2006 5:17 PM 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [8/26/2006 5:17 PM 9088]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/26/2011 5:23 PM 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/26/2011 5:23 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/26/2011 5:23 PM 83856]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/26/2011 5:23 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/26/2011 5:23 PM 87656]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-12-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1275210071-839522115-1003Core.job
- c:\documents and settings\Kent Games\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-27 15:17]
.
2011-12-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1275210071-839522115-1003UA.job
- c:\documents and settings\Kent Games\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-27 15:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E4ECE80D-8BC9-4B1E-AD18-D426CBD6504A}: NameServer = 24.177.176.38,24.197.160.18
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-18 06:47
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Name of App = c:\program files\SAMSUNG\FW LiveUpdate\Liveupdate.exe??w???w???????w???w??o????????????w???????????????????????????????|????]??w????;?E??????!;???D???J??????pD???????;????? ???A?F?????b?@?????]??w ???;?E????????????????????w???w????????????????????????????x?G
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3928)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-18 06:49:01
ComboFix-quarantined-files.txt 2011-12-18 12:48
ComboFix2.txt 2011-12-17 16:18
.
Pre-Run: 218,571,874,304 bytes free
Post-Run: 218,558,185,472 bytes free
.
- - End Of File - - C3065BBAB87D5710593AC0068E1974F9


Farbar Service Scanner
Ran by Kent Games (administrator) on 18-12-2011 at 06:58:14
Microsoft Windows XP Professional Service Pack 2 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2004-08-03 16:56] - [2005-07-25 22:39] - 0397824 ____A (Microsoft Corporation) CE94A2BD25E3E9F4D46A7373FF455C6D

C:\WINDOWS\system32\services.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

C:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-03 16:56] - [2006-05-19 06:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-03 15:14] - [2006-04-20 05:51] - 0359808 ____A (Microsoft Corporation) 1DBF125862891817F374F407626967F4

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A () A66A526B352E48EFEB2C2906216405C4

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-03 16:56] - [2004-08-03 16:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D


Connection Status:
==================
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors

**** End of log ****

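As an added example (not part of this thread and not Farbar's own code), here is a small Python parser for the FSS.txt format quoted above. It pulls out the two things a responder acts on first: networking services that are not running, and a checked system file whose version resource carries no publisher (the empty `()` on the ipsec.sys line). The sample log is constructed from the one in this post and shortened.

```python
"""Parse Farbar Service Scanner (FSS.txt) output and list triage findings.

Added example; not part of the Farbar tool. The format below is taken from
the FSS log quoted in the thread (Service Check / File Check / Connection
Status sections), and the sample is a constructed, shortened copy of it.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the FSS.txt posted in the thread.
SAMPLE_FSS = r"""Farbar Service Scanner
Ran by Kent Games (administrator) on 18-12-2011 at 06:58:14
Microsoft Windows XP Professional Service Pack 2 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A () A66A526B352E48EFEB2C2906216405C4


Connection Status:
==================
Localhost is blocked.
There is no connection to network.

**** End of log ****
"""

SECTION_HEADERS = ("Service Check:", "File Check:", "Connection Status:")
SERVICE_RE = re.compile(r"^(?P<name>\w+) Service is not running\.")
LEGIT_RE = re.compile(r"^(?P<path>\S.*?) => MD5 is legit$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# "[created] - [modified] - size attrs (company) MD5"
FILE_DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FssReport:
    stopped_services: list = field(default_factory=list)
    # path -> dict of file details, or None when FSS itself verified the MD5
    files: dict = field(default_factory=dict)
    connection: list = field(default_factory=list)


def parse_fss(text: str) -> FssReport:
    """Walk the log section by section and collect the raw facts."""
    report = FssReport()
    section = None
    pending_path = None  # a file path whose detail line follows on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line[:-1]
            continue
        if not line or line.startswith("="):
            continue
        if section == "Service Check":
            m = SERVICE_RE.match(line)
            if m:
                report.stopped_services.append(m.group("name"))
        elif section == "File Check":
            m = LEGIT_RE.match(line)
            if m:
                report.files[m.group("path")] = None
                continue
            m = FILE_DETAIL_RE.match(line)
            if m and pending_path:
                report.files[pending_path] = m.groupdict()
                pending_path = None
            elif PATH_RE.match(line):
                pending_path = line
        elif section == "Connection Status":
            if line.startswith("****"):
                break
            report.connection.append(line)
    return report


def findings(report: FssReport) -> list:
    """Human-readable findings, in the order a responder would triage them."""
    out = [f"service not running: {svc}" for svc in report.stopped_services]
    for path, info in report.files.items():
        # FSS prints the publisher from the version resource; an empty "()" means
        # the file has none, which is not how Microsoft ships system drivers.
        if info is not None and info["company"] == "":
            out.append(f"no publisher in version info: {path} (MD5 {info['md5']})")
    for line in report.connection:
        if "blocked" in line or "no connection" in line:
            out.append(f"connectivity: {line}")
    return out


if __name__ == "__main__":
    for item in findings(parse_fss(SAMPLE_FSS)):
        print(item)
```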

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 18 December 2011 - 12:17 PM

Gladiator12:

Please do this next:

Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above AWF::

AWF::
c:\program files\ATI Multimedia\main\bak\ATIDtct.EXE
c:\program files\ATI Multimedia\main\bak\ATISched.EXE
c:\program files\ATI Multimedia\main\bak\launchpd.exe
c:\program files\ATI Multimedia\RemCtrl\bak\ATIRW.exe
c:\program files\ATI Technologies\ATI.ACE\bak\cli.exe
c:\program files\Common Files\AOL\1156684526\ee\bak\AOLSoftware.exe
c:\program files\Common Files\AOL\IPHSend\bak\IPHSend.exe
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\Microsoft IntelliPoint\bak\point32.exe
c:\program files\Microsoft IntelliType Pro\bak\type32.exe
c:\program files\QuickTime\bak\qttask.exe
c:\windows\system32\bak\ctfmon.exe
c:\windows\system32\bak\NeroCheck.exe

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please run Farbar Service Scanner again.
  • Type the following in the Search box:

    ipsec.sys
  • Click the Search Files button and post the log (FSS.txt) it makes in your reply.
Please include the following in your next post:
  • ComboFix log
  • FSS log



#7 Gladiator12

Gladiator12
  • Topic Starter

  • Members
  • 10 posts

Posted 20 December 2011 - 10:40 PM

Thanks for your continued help. I completed your instructions, and below are the ComboFix and FSS logs you requested. The ComboFix log comes first, followed by the FSS log. Thanks again for your help.


ComboFix 11-12-16.03 - Kent Games 12/20/2011 21:15:59.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.549 [GMT -6:00]
Running from: c:\documents and settings\Kent Games\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kent Games\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\CSC\d6
.
.
((((((((((((((((((((((((( Files Created from 2011-11-21 to 2011-12-21 )))))))))))))))))))))))))))))))
.
.
2011-11-26 23:27 . 2011-11-26 23:27 -------- d-----w- c:\program files\McAfeeMOBK
2011-11-26 23:27 . 2010-04-14 02:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-11-26 23:26 . 2011-11-26 23:27 -------- d-----w- c:\program files\McAfee Online Backup
2011-11-26 23:26 . 2011-04-11 20:29 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-11-26 23:26 . 2011-11-26 23:26 -------- d-----w- c:\documents and settings\Kent Games\Local Settings\Application Data\McAfee Anti-Theft
2011-11-26 23:23 . 2011-10-18 20:29 28760 ----a-w- c:\program files\Mozilla Firefox\ScriptFF.dll
2011-11-26 23:23 . 2011-10-15 19:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-11-26 23:23 . 2011-10-15 19:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-11-26 23:23 . 2011-10-15 19:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-11-26 23:23 . 2011-10-15 19:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-11-26 23:23 . 2011-10-15 19:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-11-26 23:23 . 2011-10-15 19:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-11-26 23:09 . 2011-11-26 23:09 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-11-26 23:07 . 2011-10-18 20:32 150856 ----a-w- c:\windows\system32\mfevtps.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-11 01:27 . 2011-09-05 19:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-19 00:50 . 2011-10-19 00:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-19 00:50 . 2011-10-19 00:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-15 19:16 . 2011-03-13 17:20 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-15 19:16 . 2008-12-28 20:14 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 19:16 . 2008-12-28 20:14 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16 . 2008-06-27 11:08 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2007-02-11 00:39 . 2007-02-11 00:39 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-17_16.14.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-21 03:13 . 2011-12-21 03:13 16384 c:\windows\Temp\Perflib_Perfdata_3f0.dat
+ 2006-08-26 21:08 . 2001-07-09 14:50 155648 c:\windows\system32\NeroCheck.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [2005-06-15 102400]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-06-15 53248]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2005-05-10 1482752]
"ATI Scheduler"="c:\program files\ATI Multimedia\main\ATISched.EXE" [2005-06-15 36864]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2011-08-22 6276408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\bak\IntelAudioStudio.exe" [2005-08-09 8597586]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 61440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HostManager"="c:\program files\Common Files\AOL\1156684526\ee\AOLSoftware.exe" [2006-05-10 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-02 185896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-01 257088]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-17 1318552]
"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\Load.exe [2005-8-5 36864]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156684526\\ee\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [11/26/2011 5:26 PM 64048]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/26/2011 5:23 PM 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [11/26/2011 5:27 PM 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/26/2011 5:23 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/26/2011 5:23 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [11/26/2011 5:23 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [11/26/2011 5:24 PM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/26/2011 5:07 PM 150856]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 6:38 AM 24652]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [8/26/2006 5:17 PM 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [8/26/2006 5:17 PM 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [8/26/2006 5:17 PM 9088]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/26/2011 5:23 PM 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/26/2011 5:23 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/26/2011 5:23 PM 83856]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/26/2011 5:23 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/26/2011 5:23 PM 87656]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-12-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1275210071-839522115-1003Core.job
- c:\documents and settings\Kent Games\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-27 15:17]
.
2011-12-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1275210071-839522115-1003UA.job
- c:\documents and settings\Kent Games\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-27 15:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E4ECE80D-8BC9-4B1E-AD18-D426CBD6504A}: NameServer = 24.177.176.38,24.197.160.18
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-SpyDefender Shield - c:\program files\SpyDefender Pro\SpyDefender.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-GetModule32 - c:\program files\GetModule\GetModule32.exe
HKLM-Run-SigmatelSysTrayApp - sttray.exe
HKLM-Run-Name of App - c:\program files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-20 21:28
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Name of App = c:\program files\SAMSUNG\FW LiveUpdate\Liveupdate.exe??w???w???????w???w??o????????????w???????????????????????????????|????]??w????;?E??????!;???D???J??????pD???????;????? ???A?F?????b?@?????]??w ???;?E????????????????????w???w????????????????????????????x?G
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3032)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\msi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Real\RealPlayer\RealPlay.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\vssvc.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2011-12-20 21:31:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-21 03:31
ComboFix2.txt 2011-12-18 12:49
ComboFix3.txt 2011-12-17 16:18
.
Pre-Run: 218,536,538,112 bytes free
Post-Run: 218,521,927,680 bytes free
.
- - End Of File - - 7E7E6A7075A9AEA78EB6B24901D6C5EB


Farbar Service Scanner
Ran by Kent Games (administrator) on 20-12-2011 at 21:33:22
Microsoft Windows XP Service Pack 2 (X86)

************************************************
================== Search: "ipsec.sys" ===================

C:\WINDOWS\system32\drivers\ipsec.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A () A66A526B352E48EFEB2C2906216405C4

C:\WINDOWS\system32\dllcache\ipsec.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ___AC (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

====== End Of Search ======

Attached Files
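The FSS "Search" output above is the key finding of the thread so far: the copy of ipsec.sys under system32\drivers has the same size and timestamps as the protected copy in system32\dllcache, but a different MD5 and no version-info company string. A patched system driver that keeps its original size and timestamps is exactly what a file-date check misses and a hash comparison catches. The following is an added example, not a tool from this thread or from the Farbar project: it parses FSS-style search output (the line layout is inferred from the lines posted here and is an assumption, not FSS's documented format) and reports every file that exists in both locations but differs in hash, size or version info. The sample log text is copied from the post above.

```python
r"""Compare a system32\drivers file with its protected dllcache copy.

Added example, not a tool from this thread: it parses Farbar Service
Scanner (FSS) style "Search" output and reports files present both under
system32\drivers and system32\dllcache whose MD5, size or version-info
company string differ. The line format is inferred from the lines shown
in this thread and is an assumption.
"""
import re
from dataclasses import dataclass

# Sample input copied from the FSS log posted in this thread.
SAMPLE_FSS_LOG = r"""
Farbar Service Scanner
Ran by Kent Games (administrator) on 20-12-2011 at 21:33:22
Microsoft Windows XP Service Pack 2 (X86)

************************************************
================== Search: "ipsec.sys" ===================

C:\WINDOWS\system32\drivers\ipsec.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A () A66A526B352E48EFEB2C2906216405C4

C:\WINDOWS\system32\dllcache\ipsec.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ___AC (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

====== End Of Search ======
"""

# A path line: drive letter, colon, backslash, rest of the path.
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
# A detail line: [created] - [modified] - size attrs (company) md5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class FileEntry:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str   # empty string when the file carries no version info
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_fss(text: str) -> list[FileEntry]:
    """Pair each path line with the detail line that follows it."""
    entries: list[FileEntry] = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=> MD5 is legit" in line:       # FSS already vetted this file
            pending_path = None
            continue
        if PATH_RE.match(line):
            pending_path = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            entries.append(FileEntry(
                path=pending_path, created=m["created"], modified=m["modified"],
                size=int(m["size"]), attrs=m["attrs"], company=m["company"],
                md5=m["md5"].upper()))
            pending_path = None
    return entries


def compare_with_dllcache(entries: list[FileEntry]) -> list[tuple[str, str, list[str]]]:
    """Return (name, live path, reasons) for each live file that differs from dllcache."""
    pairs: dict[str, dict[str, FileEntry]] = {}
    for e in entries:
        slot = "cache" if "\\dllcache\\" in e.path.lower() else "live"
        pairs.setdefault(e.name, {})[slot] = e
    findings = []
    for name, pair in pairs.items():
        live, cache = pair.get("live"), pair.get("cache")
        if live is None or cache is None:
            continue                        # nothing to compare against
        reasons = []
        if live.md5 != cache.md5:
            reasons.append("md5 differs")
        if live.size != cache.size:
            reasons.append("size differs")
        if live.company != cache.company:
            reasons.append(f"version info differs ({live.company!r} vs {cache.company!r})")
        if reasons:
            findings.append((name, live.path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in compare_with_dllcache(parse_fss(SAMPLE_FSS_LOG)):
        print(f"{path}: {'; '.join(reasons)}")
```

On the posted log the only pair is ipsec.sys, and the size check stays silent: both copies are 74752 bytes with identical timestamps, so the hash and the missing "Microsoft Corporation" version string are the only tells. That is why the helper's next step copies the dllcache version back over the driver rather than relying on the file's dates.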



#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:08 AM

Posted 20 December 2011 - 10:46 PM

Gladiator12:

Please do this next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above FCopy::

FCopy::
C:\WINDOWS\system32\dllcache\ipsec.sys | C:\WINDOWS\system32\drivers\ipsec.sys

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Reboot the computer.

Please run Farbar Service Scanner again.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
Please include the following in your next post:
  • ComboFix log
  • FSS log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may [donate button]


#9 Gladiator12

Gladiator12
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 21 December 2011 - 12:03 PM

I have completed your instructions. Please see combofix and FSS logs below. I am now able to access the internet on the infected computer. Please let me know what I need to do next. Thanks for all your time. Below are the logs:


ComboFix 11-12-16.03 - Kent Games 12/21/2011 10:40:57.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.372 [GMT -6:00]
Running from: c:\documents and settings\Kent Games\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kent Games\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\CSC\d6
.
.
--------------- FCopy ---------------
.
c:\windows\system32\dllcache\ipsec.sys --> c:\windows\system32\drivers\ipsec.sys
.
((((((((((((((((((((((((( Files Created from 2011-11-21 to 2011-12-21 )))))))))))))))))))))))))))))))
.
.
2011-11-26 23:27 . 2011-11-26 23:27 -------- d-----w- c:\program files\McAfeeMOBK
2011-11-26 23:27 . 2010-04-14 02:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-11-26 23:26 . 2011-11-26 23:27 -------- d-----w- c:\program files\McAfee Online Backup
2011-11-26 23:26 . 2011-04-11 20:29 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-11-26 23:26 . 2011-11-26 23:26 -------- d-----w- c:\documents and settings\Kent Games\Local Settings\Application Data\McAfee Anti-Theft
2011-11-26 23:23 . 2011-10-18 20:29 28760 ----a-w- c:\program files\Mozilla Firefox\ScriptFF.dll
2011-11-26 23:23 . 2011-10-15 19:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-11-26 23:23 . 2011-10-15 19:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-11-26 23:23 . 2011-10-15 19:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-11-26 23:23 . 2011-10-15 19:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-11-26 23:23 . 2011-10-15 19:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-11-26 23:23 . 2011-10-15 19:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-11-26 23:09 . 2011-11-26 23:09 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-11-26 23:07 . 2011-10-18 20:32 150856 ----a-w- c:\windows\system32\mfevtps.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-11 01:27 . 2011-09-05 19:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-19 00:50 . 2011-10-19 00:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-19 00:50 . 2011-10-19 00:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-15 19:16 . 2011-03-13 17:20 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-15 19:16 . 2008-12-28 20:14 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 19:16 . 2008-12-28 20:14 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16 . 2008-06-27 11:08 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2007-02-11 00:39 . 2007-02-11 00:39 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-17_16.14.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-21 16:33 . 2011-12-21 16:33 16384 c:\windows\Temp\Perflib_Perfdata_690.dat
+ 2011-12-21 16:33 . 2011-12-21 16:33 16384 c:\windows\Temp\Perflib_Perfdata_4f4.dat
+ 2006-08-26 21:08 . 2001-07-09 14:50 155648 c:\windows\system32\NeroCheck.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [2005-06-15 102400]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-06-15 53248]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2005-05-10 1482752]
"ATI Scheduler"="c:\program files\ATI Multimedia\main\ATISched.EXE" [2005-06-15 36864]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2011-08-22 6276408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\bak\IntelAudioStudio.exe" [2005-08-09 8597586]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 61440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HostManager"="c:\program files\Common Files\AOL\1156684526\ee\AOLSoftware.exe" [2006-05-10 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-02 185896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-01 257088]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-17 1318552]
"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\Load.exe [2005-8-5 36864]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156684526\\ee\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [11/26/2011 5:26 PM 64048]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/26/2011 5:23 PM 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [11/26/2011 5:27 PM 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/26/2011 5:23 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/26/2011 5:23 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [11/26/2011 5:23 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [11/26/2011 5:24 PM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/26/2011 5:07 PM 150856]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 6:38 AM 24652]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [8/26/2006 5:17 PM 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [8/26/2006 5:17 PM 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [8/26/2006 5:17 PM 9088]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/26/2011 5:23 PM 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/26/2011 5:23 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/26/2011 5:23 PM 83856]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/26/2011 5:23 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/26/2011 5:23 PM 87656]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-12-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1275210071-839522115-1003Core.job
- c:\documents and settings\Kent Games\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-27 15:17]
.
2011-12-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1275210071-839522115-1003UA.job
- c:\documents and settings\Kent Games\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-27 15:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E4ECE80D-8BC9-4B1E-AD18-D426CBD6504A}: NameServer = 24.177.176.38,24.197.160.18
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-21 10:49
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3808)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-21 10:54:33
ComboFix-quarantined-files.txt 2011-12-21 16:54
ComboFix2.txt 2011-12-21 03:31
ComboFix3.txt 2011-12-18 12:49
ComboFix4.txt 2011-12-17 16:18
.
Pre-Run: 218,517,471,232 bytes free
Post-Run: 218,504,609,792 bytes free
.
- - End Of File - - D54602F1CEE80EE563D1953F6B0D3E9C


Farbar Service Scanner
Ran by Kent Games (administrator) on 21-12-2011 at 10:58:09
Microsoft Windows XP Professional Service Pack 2 (X86)
********************************************************

Service Check:
==============

File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2004-08-03 16:56] - [2005-07-25 22:39] - 0397824 ____A (Microsoft Corporation) CE94A2BD25E3E9F4D46A7373FF455C6D

C:\WINDOWS\system32\services.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

C:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-03 16:56] - [2006-05-19 06:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-03 15:14] - [2006-04-20 05:51] - 0359808 ____A (Microsoft Corporation) 1DBF125862891817F374F407626967F4

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-03 16:56] - [2004-08-03 16:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D


Connection Status:
==================
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

**** End of log ****

Attached Files



#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:08 AM

Posted 21 December 2011 - 10:14 PM

Gladiator12:

Excellent! Please do this next:

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please include the following in your next post:
  • MBAM log



#11 Gladiator12

Gladiator12
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 22 December 2011 - 06:20 PM

Okay. Ran the MBAM scan and got the following log. Thanks for all your time and effort! Let me know what needs to be done next.


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122205

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/22/2011 5:17:14 PM
mbam-log-2011-12-22 (17-17-14).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 233441
Time elapsed: 28 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{B0E43034-50F5-1F84-8098-824B44F2DBC3} (Adware.Admedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{A8954909-1F0F-41A5-A7FA-3B376D69E226} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SWD123 (Rogue.SpyDefender) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\spydefender pro (Rogue.SpyDefender) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\spydefender pro\spydefender.ini (Rogue.SpyDefender) -> Quarantined and deleted successfully.

#12 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:08 AM

Posted 22 December 2011 - 08:18 PM

Gladiator12:

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Go to this page to download the latest version. Press the download button under JRE and follow the prompts. Accept the agreement and choose the Windows x86 offline option.
  • Run the installer you just downloaded.
Please go to here to run an online scan with ESET.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
    • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log



#13 Gladiator12

Gladiator12
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 23 December 2011 - 07:55 PM

Great. Thanks. My computer is running much quicker than before. The ping.exe process is no longer popping up in my task manager and the Google searches are working great. I have not gotten a redirect in about 20 searches that I just completed. I removed/updated the Java Script as you requested and now I am running Java 7 Update 2. I also ran the ESET you requested; below is the log. Thanks again for all your help!


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=00cf6042951ddb4a9e0b9fb5228246f7
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-12-23 11:09:12
# local_time=2011-12-23 05:09:12 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=5121 16776549 100 75 2243458 25052746 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=63788
# found=23
# cleaned=0
# scan_time=1669
C:\Qoobox\Quarantine\C\WINDOWS\system32\YyJStBeg.ini2.vir Win32/Adware.Virtumonde.NEO application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ipsec.sys.vir Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP799\A0148047.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP799\A0148164.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP799\A0148440.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP800\A0148680.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP800\A0148722.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP800\A0149722.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP800\A0149741.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP800\A0150741.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP800\A0150766.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP800\A0150790.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP801\A0150826.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP801\A0150853.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP802\A0150875.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP802\A0150893.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP802\A0150913.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP802\A0150935.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP803\A0150957.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP803\A0150970.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP803\A0150989.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP803\A0151007.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP805\A0152506.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
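Every one of the 23 ESET hits above sits either under C:\Qoobox (the ComboFix quarantine) or inside a System Restore point, which is why the scan reports "unable to clean" and why, as the helper explains in the next reply, nothing further is needed beyond uninstalling ComboFix. When reading a log like this, the question a responder wants answered is whether any detection is on the live file system. The following is an added example, not a tool from this thread or from ESET: it parses ESET Online Scanner result lines (the layout is inferred from the lines posted here and is an assumption), classifies each by location, and lists the live ones. The sample lines are copied from the log above, with one clearly labelled constructed "live" line added so the third category is exercised; the constructed detection name and path are placeholders.

```python
r"""Triage ESET Online Scanner detections by where the flagged file lives.

Added example, not a tool from this thread or from ESET: it sorts each
detection into the ComboFix quarantine (C:\Qoobox), a System Restore point
(System Volume Information\_restore...), or the live file system. Only the
last category would still need action. The line layout is inferred from
the posted lines and is an assumption.
"""
import re
from collections import Counter

# Four lines copied from the thread's ESET log, plus one CONSTRUCTED line
# (placeholder path, placeholder detection name) so the "live" bucket is hit.
SAMPLE_ESET_LOG = r"""
# version=7
# scanned=63788
# found=23
# cleaned=0
C:\Qoobox\Quarantine\C\WINDOWS\system32\YyJStBeg.ini2.vir Win32/Adware.Virtumonde.NEO application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ipsec.sys.vir Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP799\A0148047.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{C396F5FD-8AFE-483B-A102-CD63A8F0BAF2}\RP805\A0152506.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\example\Local Settings\Temp\constructed-sample.exe Win32/Constructed.Sample trojan (unable to clean) 11111111111111111111111111111111 I
"""

# "# key=value" summary lines at the top of the log.
HEADER_RE = re.compile(r"^# (?P<key>\w+)=(?P<value>.*)$")
# Detection line: path (may contain spaces) threat kind (status) hash flag.
# The path is matched lazily; the lower-case "kind" word and the literal
# parentheses force the split at the right place even with spaces in paths.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?P<threat>\S+) (?P<kind>[a-z ]+?) "
    r"\((?P<status>[^)]*)\) (?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)


def classify(path: str) -> str:
    """Bucket a detection by the location of the flagged file."""
    low = path.lower()
    if low.startswith("c:\\qoobox\\"):
        return "combofix-quarantine"
    if "\\system volume information\\_restore" in low:
        return "restore-point"
    return "live"


def parse_eset_log(text: str):
    """Return (header dict, list of detection dicts)."""
    header: dict[str, str] = {}
    detections: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            header[h["key"]] = h["value"]
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({
                "path": m["path"], "threat": m["threat"], "kind": m["kind"],
                "status": m["status"], "hash": m["hash"],
                "location": classify(m["path"]),
            })
    return header, detections


def triage(text: str):
    """Return (per-location counts, list of detections on the live file system)."""
    _, detections = parse_eset_log(text)
    counts = Counter(d["location"] for d in detections)
    live = [d for d in detections if d["location"] == "live"]
    return counts, live


if __name__ == "__main__":
    counts, live = triage(SAMPLE_ESET_LOG)
    for location, n in sorted(counts.items()):
        print(f"{location}: {n}")
    for d in live:
        print(f"LIVE: {d['path']} ({d['threat']})")
```

Run against the full log posted above (without the constructed line), the live bucket comes out empty, which is the result the helper's reply relies on.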

#14 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:08 AM

Posted 24 December 2011 - 10:51 AM

Gladiator12:

Your logs look good! Those ESET detections are all in either the ComboFix quarantine or your system restore cache and all of them will be removed when we uninstall ComboFix.

All I have left for you are some very important updates and cleanup:

You need to update your OS. Windows XP SP2 is no longer supported, thus you are not receiving critical security updates, which makes you very vulnerable to malware.

Download the latest Windows XP service pack from the Microsoft Download Center (the link is below). This page will say that this installation package is intended for IT professionals and developers. However, you can safely download this file.

http://www.microsoft.com/downloads/details.aspx?FamilyID=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall
Posted Image

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • FSS
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine.
  • If it doesn't, manually reboot to ensure a complete clean.
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!



#15 Gladiator12

Gladiator12
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 24 December 2011 - 09:59 PM

Great! Okay, I have made all the updates that you suggested and I have removed all of the programs which we worked with. Thank you again for all your help! I can actually enjoy my computer again! One more question: can I re-enable my CD emulator with Defogger?
Thanks Again!



