
Dealing with zeroaccess rootkit trojan on Vista


This topic is locked
17 replies to this topic

#1 Weary Blue

Weary Blue

  • Members
  • 19 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:05 AM

Posted 21 September 2012 - 11:45 AM

My laptop is running Vista 32-bit, with a subscription (about to expire) to McAfee, and acquired a ZeroAccess trojan a couple of weeks ago. I have been trying to clean it ever since. It seems to have worked, but I have no idea how you know when the threat is actually gone. I'm only semi-computer literate (comfortable with regular maintenance, but I have had a crash course in trying to understand this trojan, what it does, and how to fix it). My laptop is my baby and I couldn't afford to get it looked at by a computer specialist, but I'm completely lost without it!

I wrote down a considerable amount of information about what I did and the results, but didn't start keeping track in earnest until I realized this was going to be a serious process, so there is a lot I don't have copied verbatim, but I'll give as much detail as I can.

One day, my browser (Firefox) started to randomly open sketchy-looking web pages, and then a McAfee warning message popped up in the right-hand corner, alerting me to the ZeroAccess. I clicked to fix it, but it kept popping back up. I panicked and shut down improperly to close everything immediately. Turned it back on and the warning kept popping up. However, a full McAfee scan yielded "0 threats", so I couldn't quarantine it. Still panicking, I did a disk cleanup and system restore. Accessing somebody else's computer, I went about changing all important passwords (and have since avoided anything that requires a log-in, aside from Windows itself).
Somebody told me that they had been getting spam from my (rarely used) gmail account, for about a week before the other symptoms started.

From McAfee's support forum, I found instructions for dealing with ZeroAccess. First I disabled System Restore, as recommended (re-enabling it when finished with the following steps). Then, I was able to update the DAT files, but not the engines. (The first time I tried, Firefox crashed while attempting to open it. The next two times I got "Error: unable to find any qualifying mcafee products".) Re-ran the full scan anyway, and this time it did find a handful of problems. The way I copied this by hand in a notebook is a little confusing, but hopefully it gives the pertinent info.
FakeAlert-security
PWS-Zbot.gen.alf
Artemis!4=FA32EE6C82
Artemis!1CE69BOFFD7C

infected items quarantined:
users\jessica\appdata\local\temp\~!#717E.tmp
users\jessica\appdata\local\temp\~!#7C1B.tmp
users\jessica\appdata\local\temp\~!#6B08.tmp
users\jessica\appdata\locallow\deployment\cache\6.0\18\422 ...


(Not sure why I ended that last one with "..." in my notes)

I then downloaded and did full scans with:
Kaspersky (0 threats found)
Avast (0 threats found)
Malwarebytes (0 threats found)
SUPERAntiSpyware (1 critical threat quarantined: HKCR/.exe System.BrokenFileAssociation)
ccleaner
Spybot (1 problem fixed. 1 entry - adaware, kind- directory. ""W3:1Q5.fraud" (SB1 $5ADC6E84) program directory\windows\systems32\A1_recyclebin\

I re-scanned with all of them and everything came up clean, but the computer was still acting a little sketchy. Running slow, unable to play movie DVDs, etc. I also noticed that my recycle bin contained all of these files for every app on my iPod, which I still don't understand. I hadn't plugged into iTunes in ages and definitely didn't try to delete anything. (I didn't write down the extension of the file type, but I think it started with an A.)

I contacted a computer specialist who said that, considering my comfort level trying to work with this on my own, I could try to run ComboFix (he did give me the standard warnings, along with a link to CF through bleepingcomputer.com).
Ran ComboFix in Safe Mode.
Afterwards, I realized it emptied the recycle bin, which hopefully is not going to adversely affect me when I finally try to sync with iTunes.
After a restart or two, things seemed to be running pretty smoothly.

I temporarily disabled System Restore again (according to McAfee's instructions), then installed and ran Stinger. Results: rootkit clean, clean master boot record, clean boot sector.

Then I started exploring this website for any additional advice.
I downloaded Revo Uninstaller and ran it in moderate mode to uninstall and reinstall Java. While I was at it I scanned for unnecessary files, which freed up about 250 MB.
Uninstalled Adobe, but have not been able to reinstall it. It downloads, but then I cannot get the download to open.
Also uninstalled "AOL Uninstaller", which Windows Add/Remove was never able to get rid of. (I know I probably should have held off on making any additional changes like that, but I got a little carried away.)

Re-scanned with McAfee, Malwarebytes, Spybot, Kaspersky, etc., and everything is coming up clean.
I accidentally ran Spybot Immunize, which wouldn't let me stop it once it started.

Possibly unrelated, but yesterday I left the computer on with only a .txt file open, and when I returned to it a few hours later I had a message: "McAfee security has stopped working. A problem has caused it to stop working correctly. Windows has closed the program and will notify you of a solution." However, McAfee seemed to be in perfectly good working order, so I X'ed out of the box instead of clicking OK.

At this point, I am still not using the laptop for anything requiring logging in and only connect to the internet when trying to find specific information about dealing with this trojan. I'm afraid to do anything else.
I wish I had realized this website existed and was legit a couple of weeks ago! I'd be a lot more comfortable if I had had step-by-step advice from the start. I'm a little worried that maybe everything I've done has messed something up that I don't know how to find. Or that the scans are missing something (since they so sporadically caught threats). On a side note, I did a backup on an external drive several weeks before the problem started.

I am hoping that perhaps somebody can help tell me how it is looking and how to know if things are once again secure.

Edited by Weary Blue, 21 September 2012 - 11:48 AM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,787 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:05 AM

Posted 24 September 2012 - 09:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
    • DDS.scr <- not recommended if you use Chrome to download this .scr file. Use the other options.
    • DDS.pif
    • DDS.COM
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

Please post the logs for my review.

Please let me know in a few words what issues are persisting with this computer.

#3 Weary Blue

Weary Blue
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:05 AM

Posted 24 September 2012 - 07:08 PM

I can't thank you enough for helping walk me through this. It had never occurred to me that there was a website like this. You guys are angels! I know you can't guarantee the outcome, but regardless, I really appreciate your taking the time to help a stranger in need.

I'm not noticing any particularly bad behavior with the laptop at this point. It runs a bit slow, but that's not really new (the C drive is nearly full). However, I've been so cautious with everything I do, since the day the trojan was first discovered, that it's entirely possible there are programs that aren't running right. I only connect to Wi-Fi long enough to do what I absolutely need to do online and then disconnect. I haven't plugged anything into it (external hard drive, iPod, etc.) or attempted to play games or edit photos or anything like that. I don't log into any sites (except this one, really). (I'm actually in pretty hard-core computer withdrawal at this point!)

Here are the logs you requested.

Combofix


ComboFix 12-09-24.02 - Jessica 09/24/2012 18:02:05.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1147 [GMT -4:00]
Running from: c:\users\Jessica\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-08-24 to 2012-09-24 )))))))))))))))))))))))))))))))
.
.
2012-09-24 22:11 . 2012-09-24 22:11 -------- d-----w- c:\users\Jessica\AppData\Local\temp
2012-09-24 22:11 . 2012-09-24 22:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-24 22:11 . 2012-09-24 22:11 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-09-20 01:35 . 2012-09-20 01:35 -------- d-----w- c:\program files\Common Files\Java
2012-09-20 01:33 . 2012-09-20 01:33 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-19 14:36 . 2012-09-19 14:36 -------- d-----w- c:\program files\VS Revo Group
2012-09-18 22:40 . 2012-09-18 22:40 14664 ----a-w- c:\windows\stinger.sys
2012-09-18 22:39 . 2012-09-18 23:01 -------- d-----w- c:\program files\stinger
2012-09-13 17:59 . 2012-09-13 20:36 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-09-13 17:59 . 2012-09-13 17:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-09-13 01:16 . 2012-09-13 01:16 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
2012-09-12 16:30 . 2012-09-12 16:30 -------- d-----w- c:\users\Jessica\AppData\Roaming\SUPERAntiSpyware.com
2012-09-12 16:29 . 2012-09-15 03:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-09-12 16:29 . 2012-09-12 16:29 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-09-12 16:06 . 2012-09-12 16:06 -------- d-----w- c:\users\Jessica\AppData\Roaming\Ad-Aware Antivirus
2012-09-11 19:47 . 2012-09-11 19:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-11 19:47 . 2012-09-07 21:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-06 18:24 . 2012-09-06 23:42 -------- d-----w- c:\programdata\AVAST Software
2012-09-06 18:18 . 2012-09-06 18:22 -------- d-----w- c:\users\Jessica\AppData\Roaming\ZipGenius
2012-09-06 18:16 . 2012-09-06 18:16 -------- d-----w- c:\program files\ZipGenius 6
2012-09-03 18:02 . 2012-09-03 18:02 -------- d-----w- c:\users\Jessica\AppData\Local\WinZip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-21 02:12 . 2012-04-06 04:54 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-21 02:12 . 2011-05-27 01:58 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-20 01:33 . 2010-04-19 23:11 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-18 22:39 . 2011-06-30 17:52 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-09-18 22:39 . 2011-06-30 17:31 159608 ----a-w- c:\windows\system32\mfevtps.exe
2012-09-18 22:39 . 2011-03-13 15:20 475704 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-07-04 14:02 . 2012-08-16 07:02 2047488 ----a-w- c:\windows\system32\win32k.sys
2009-09-13 03:05 . 2009-09-13 03:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-09-13 03:06 . 2009-09-13 03:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-09-13 03:06 . 2009-09-13 03:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-09-13 03:06 . 2009-09-13 03:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-09-13 03:06 . 2009-09-13 03:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-09-13 03:07 . 2009-09-13 03:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-09-13 03:06 . 2009-09-13 03:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-09-13 03:06 . 2009-09-13 03:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-08-14 17:33 . 2009-08-14 17:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-09-13 03:06 . 2009-09-13 03:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2012-09-13 01:16 . 2011-04-10 20:21 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Facebook Update"="c:\users\Jessica\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
"Spotify Web Helper"="c:\users\Jessica\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-08-05 1193176]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-05-21 3905920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1318816]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-09-21 184320]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2006-11-10 12:12 50736 ----a-w- c:\program files\AOL 9.0\aol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-05-21 05:42 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-04-20 16:48 58656 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-12-09 01:26 323392 ----a-w- c:\users\Jessica\Program Files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2007-12-08 19:34 3444736 ----a-w- c:\windows\System32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2006-11-02 09:45 8704 ----a-w- c:\windows\System32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-03-16 10:20 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-07-02 05:13 154392 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-07-02 05:14 138008 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 16:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 09:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe]
2012-03-22 01:16 1318816 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2007-05-10 09:01 36864 ----a-w- c:\windows\OEM02Mon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-09-21 05:07 184320 ------w- c:\program files\DELL\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-07-02 05:14 133912 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-06-25 05:17 405504 ----a-w- c:\program files\Sigmatel\C-Major Audio\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 13:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WPCUMI]
2006-11-02 12:35 176128 ----a-w- c:\windows\System32\wpcumi.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 97623269
*Deregistered* - 97623269
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 02:12]
.
2012-09-24 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3847784399-2045439858-1336290091-1000Core.job
- c:\users\Jessica\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-26 21:59]
.
2012-09-24 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3847784399-2045439858-1336290091-1000UA.job
- c:\users\Jessica\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-26 21:59]
.
2012-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-29 20:00]
.
2012-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-29 20:00]
.
2012-09-07 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]
.
2011-08-07 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Jessica\AppData\Roaming\Mozilla\Firefox\Profiles\lzp32kn0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=4&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - chrome://foxtab/content/homepage.html
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-24 18:11
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-09-24 18:16:11
ComboFix-quarantined-files.txt 2012-09-24 22:15
ComboFix2.txt 2012-09-14 23:50
.
Pre-Run: 15,552,544,768 bytes free
Post-Run: 15,541,866,496 bytes free
.
- - End Of File - - D5C4BE988AA89104C0CEBD5A5ED28A65
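The ComboFix log above is what the helper reads to decide what needs attention: the "Reg Loading Points" section lists every Run value, msconfig startupreg file and scheduled-task target that launches at logon. The following Python script is an added example written for this thread, not part of ComboFix or of any post here, that parses those three line shapes and flags programs started from a path under c:\users\ or a temp directory. That "user-writable location" heuristic is my own triage assumption, not a ComboFix rule: a legitimate program can live there (the Facebook and Spotify updaters in this log do), but it is also where user-mode malware most often parks an autostart, so those entries are the ones to verify first. The sample input is an excerpt copied from the log in this post.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample excerpt of the ComboFix "Reg Loading Points" and "Scheduled Tasks"
# sections, copied from the log posted in this thread (constructed sample input).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Facebook Update"="c:\users\Jessica\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
"Spotify Web Helper"="c:\users\Jessica\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-08-05 1193176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1318816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-12-09 01:26 323392 ----a-w- c:\users\Jessica\Program Files\DNA\btdna.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-24 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3847784399-2045439858-1336290091-1000Core.job
- c:\users\Jessica\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-26 21:59]
.
2012-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-29 20:00]
"""

# Line shapes as they appear in the ComboFix log above.
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]+)"\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
FILE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(?P<size>\d+)\s+\S+\s+(?P<path>.+)$')
TASK_RE = re.compile(r'^\d{4}-\d{2}-\d{2}\s+(?P<job>.+\.job)$', re.IGNORECASE)
TASK_TARGET_RE = re.compile(r'^- (?P<path>.+) \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$')

# Heuristic (my assumption, not a ComboFix rule): anything launched from a user
# profile or a temp directory is writable without administrator rights, which is
# where user-mode malware droppers most often place an autostart.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\")


@dataclass
class AutostartEntry:
    source: str          # registry key or .job file that references the program
    name: str
    path: str
    size: int            # file size from the log, 0 where the log gives none
    user_writable: bool


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def parse_autostarts(text: str) -> List[AutostartEntry]:
    """Collect Run values, msconfig startupreg files and scheduled-task targets."""
    entries: List[AutostartEntry] = []
    current_key = ""
    current_job = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(AutostartEntry(current_key, m.group("name"), m.group("path"),
                                          int(m.group("size")), is_user_writable(m.group("path"))))
            continue
        m = FILE_RE.match(line)
        if m and "startupreg" in current_key.lower():
            # The value name is the last component of the startupreg key.
            name = current_key.rsplit("\\", 1)[-1]
            entries.append(AutostartEntry(current_key, name, m.group("path"),
                                          int(m.group("size")), is_user_writable(m.group("path"))))
            continue
        m = TASK_RE.match(line)
        if m:
            current_job = m.group("job")
            continue
        m = TASK_TARGET_RE.match(line)
        if m and current_job:
            name = current_job.rsplit("\\", 1)[-1]
            entries.append(AutostartEntry(current_job, name, m.group("path"), 0,
                                          is_user_writable(m.group("path"))))
            current_job = ""
    return entries


def flag_user_writable(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """Return the subset a reviewer should verify first."""
    return [e for e in entries if e.user_writable]


if __name__ == "__main__":
    found = parse_autostarts(SAMPLE_LOG)
    print(f"{len(found)} autostart entries parsed")
    for e in flag_user_writable(found):
        print(f"REVIEW  {e.name!r:24} -> {e.path}  (via {e.source})")
```

Run it against a full ComboFix.txt by reading the file into `parse_autostarts` instead of `SAMPLE_LOG`; on the excerpt it flags the two Facebook entries, Spotify and BitTorrent DNA, which in this thread are known-good programs the helper can dismiss by name, leaving the reviewer's attention on anything unfamiliar in that list.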

#4 Weary Blue

Weary Blue
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:05 AM

Posted 24 September 2012 - 07:10 PM

Security Check log

Results of screen317's Security Check version 0.99.51
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Firewall Disabled!
McAfee Anti-Virus and Anti-Spyware
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.65.0.1400
CCleaner
JavaFX 2.1.1
Java 7 Update 7
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 11.4.402.278
Adobe Reader 8 Adobe Reader out of Date!
Mozilla Firefox (15.0.1)
Google Chrome 21.0.1180.89
````````Process Check: objlist.exe by Laurent````````
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````

adwcleaner log


# AdwCleaner v2.003 - Logfile created 09/24/2012 at 18:36:23
# Updated 23/09/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Jessica - JESSICA-PC
# Boot Mode : Normal
# Running from : C:\Users\Jessica\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\Jessica\AppData\Roaming\Mozilla\Firefox\Profiles\lzp32kn0.default\searchplugins\fast-browser-search.xml
Folder Deleted : C:\Program Files\Viewpoint
Folder Deleted : C:\ProgramData\Trymedia
Folder Deleted : C:\ProgramData\Viewpoint

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\Software\Viewpoint

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Users\Jessica\AppData\Roaming\Mozilla\Firefox\Profiles\lzp32kn0.default\prefs.js

Deleted : user_pref("browser.search.defaultenginename", "Fast Browser Search");
Deleted : user_pref("browser.search.defaulturl", "hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&[...]
Deleted : user_pref("browser.search.order.1", "Fast Browser Search");

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Jessica\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [2911 octets] - [24/09/2012 18:36:23]

########## EOF - C:\AdwCleaner[S1].txt - [2971 octets] ##########

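The Firefox entries AdwCleaner deleted above are the usual search-hijack pattern: the default engine name, its results URL and the engine order are all rewritten to point at a third-party search page. As an added example (not part of this thread and not AdwCleaner's own code), the Python below parses a prefs.js and reports search-related prefs that point anywhere other than an allow-list. The prefs.js text is constructed from the entries shown in the log (the defaulturl is only the visible prefix), and the allow-lists of engines and domains are assumptions to be adjusted for whatever the user actually chose.

```python
import re
from urllib.parse import urlparse

# Hypothetical allow-lists (an assumption, not from the thread): engines the
# user chose on purpose and the domains their search URLs may point at.
TRUSTED_ENGINES = {"Google", "Bing", "Yahoo", "DuckDuckGo"}
TRUSTED_DOMAINS = {"google.com", "bing.com", "yahoo.com", "duckduckgo.com"}

# Preferences adware rewrites to redirect searches: engine-name prefs and URL prefs.
ENGINE_NAME_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}
ENGINE_NAME_PREFIXES = ("browser.search.order.",)   # browser.search.order.1, .2, ...
SEARCH_URL_PREFS = {"browser.search.defaulturl", "keyword.URL"}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Constructed sample prefs.js, modelled on the entries AdwCleaner reported above.
SAMPLE_PREFS = '''\
user_pref("browser.search.defaultenginename", "Fast Browser Search");
user_pref("browser.search.defaulturl", "http://www.fastbrowsersearch.com/results/results.aspx?s=DEF");
user_pref("browser.search.order.1", "Fast Browser Search");
user_pref("browser.search.selectedEngine", "Google");
user_pref("keyword.URL", "http://search.yahoo.com/search?fr=mcafee&p=");
user_pref("network.proxy.type", 0);
'''


def parse_prefs(text):
    """Map pref name -> value for every user_pref() line; quoted strings are unquoted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        prefs[name] = raw
    return prefs


def _trusted_host(url):
    """True if the URL's host is one of the allow-listed domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def find_search_overrides(prefs):
    """Return {pref: value} for search prefs naming an engine or host that is not allow-listed."""
    findings = {}
    for name, value in prefs.items():
        if name in ENGINE_NAME_PREFS or name.startswith(ENGINE_NAME_PREFIXES):
            if value not in TRUSTED_ENGINES:
                findings[name] = value
        elif name in SEARCH_URL_PREFS:
            if not _trusted_host(value):
                findings[name] = value
    return findings


if __name__ == "__main__":
    for pref, value in find_search_overrides(parse_prefs(SAMPLE_PREFS)).items():
        print(f"suspicious search pref: {pref} = {value}")
```

On the sample above the three "Fast Browser Search" prefs are reported and the Google/Yahoo ones are not; on a real profile, point it at the prefs.js path shown in the AdwCleaner log and extend the allow-lists before trusting a clean result.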
#5 Weary Blue (Topic Starter, Members, 19 posts)

Posted 24 September 2012 - 07:11 PM

DDS

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2
Run by Jessica at 19:04:16 on 2012-09-24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1178 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\DELL\MediaDirect\PCMService.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Jessica\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120630084233.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Facebook Update] "c:\users\jessica\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Spotify Web Helper] "c:\users\jessica\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{89740011-3895-44F6-9C90-84C58368DB1F} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F065A1A2-9539-4282-8B83-C1C44701275C} : DhcpNameServer = 209.18.47.61 209.18.47.62
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jessica\appdata\roaming\mozilla\firefox\profiles\lzp32kn0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - chrome://foxtab/content/homepage.html
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-13 475704]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-6-30 64912]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-6-30 169608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-19 21504]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-11 399432]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-30 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-30 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-30 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-6-30 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-6-30 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-6-30 161632]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-6-30 159608]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-9-14 179712]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-6-30 57600]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-9-19 180848]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-6-30 340920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-5-29 116648]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-9-11 676936]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-6 250288]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-5-29 116648]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-9-11 22856]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-6-30 59456]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-6-30 87656]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-20 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-20 40552]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-7 114144]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-17 21744]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-09-24 22:16:13 -------- d-----w- c:\users\jessica\appdata\local\temp
2012-09-24 22:13:59 -------- dcsh--w- C:\$RECYCLE.BIN
2012-09-20 01:33:50 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-19 14:36:12 -------- d-----w- c:\program files\VS Revo Group
2012-09-18 22:40:48 14664 ----a-w- c:\windows\stinger.sys
2012-09-18 22:39:04 -------- d-----w- c:\program files\stinger
2012-09-14 23:33:42 98816 ----a-w- c:\windows\sed.exe
2012-09-14 23:33:42 518144 ----a-w- c:\windows\SWREG.exe
2012-09-14 23:33:42 256000 ----a-w- c:\windows\PEV.exe
2012-09-14 23:33:42 208896 ----a-w- c:\windows\MBR.exe
2012-09-13 17:59:36 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-09-13 17:59:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-09-13 01:16:24 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2012-09-12 16:30:19 -------- d-----w- c:\users\jessica\appdata\roaming\SUPERAntiSpyware.com
2012-09-12 16:29:49 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-09-12 16:29:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-09-12 16:06:09 -------- d-----w- c:\users\jessica\appdata\roaming\Ad-Aware Antivirus
2012-09-11 19:47:06 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-11 19:47:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-06 18:24:50 -------- d-----w- c:\programdata\AVAST Software
2012-09-06 18:18:11 -------- d-----w- c:\users\jessica\appdata\roaming\ZipGenius
2012-09-06 18:16:29 -------- d-----w- c:\program files\ZipGenius 6
2012-09-03 18:02:38 -------- d-----w- c:\users\jessica\appdata\local\WinZip
.
==================== Find3M ====================
.
2012-09-21 02:12:20 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-21 02:12:20 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-20 01:33:32 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-18 22:39:34 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-09-18 22:39:34 475704 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-09-18 22:39:34 159608 ----a-w- c:\windows\system32\mfevtps.exe
2012-08-24 06:59:17 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-07-04 14:02:46 2047488 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 19:04:34.96 ===============

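As an added example that is not part of the thread or of the DDS tool, the Python below parses the three DDS sections a responder reads first in the report above (BHOs, Run keys, services/drivers) and returns the entries worth a second look: BHO CLSIDs with no backing file (orphaned entries like the first BHO in the report), autostarts whose executable lives under a user profile, and kernel-mode (R0/R1) drivers. The sample text is constructed from lines in the report; the flags are review cues, not verdicts, and the analyst judged these logs clean.

```python
import re

# Constructed sample of DDS output, modelled on lines from the report above.
SAMPLE_DDS = r'''
============== Pseudo HJT Report ===============
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
uRun: [Facebook Update] "c:\users\jessica\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
============= SERVICES / DRIVERS ===============
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-13 475704]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-19 21504]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-9-11 22856]
'''

# "BHO: <name>: {clsid} - <path>"; the name is absent for orphaned entries.
BHO_RE = re.compile(r'^BHO: (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
# "uRun"/"mRun" = HKCU/HKLM Run keys: "[value name] command line".
RUN_RE = re.compile(r'^(?P<scope>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# "R0 name;description;path [date size]"; R = running, S = stopped, digit = start type.
SVC_RE = re.compile(
    r'^(?P<state>[RS][0-4]) (?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.*?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$')
# Executables under a user profile's AppData (writable without admin rights).
USER_PROFILE_RE = re.compile(r'\\users\\[^\\]+\\appdata\\', re.I)


def _exe_from_cmd(cmd):
    """First token of a command line: the quoted path, or the text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_dds(text):
    """Split DDS text into BHO, Run-key and service/driver records."""
    out = {"bhos": [], "runs": [], "services": []}
    for line in text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            out["bhos"].append(m.groupdict())
        elif m := RUN_RE.match(line):
            d = m.groupdict()
            d["exe"] = _exe_from_cmd(d["cmd"])
            out["runs"].append(d)
        elif m := SVC_RE.match(line):
            d = m.groupdict()
            d["size"] = int(d["size"])
            out["services"].append(d)
    return out


def triage(parsed):
    """Return (kind, subject, detail) tuples a reviewer should look at first."""
    findings = []
    for bho in parsed["bhos"]:
        if bho["path"].strip().lower() == "no file":
            findings.append(("orphan-bho", bho["clsid"], "No File"))
    for run in parsed["runs"]:
        if USER_PROFILE_RE.search(run["exe"]):
            findings.append(("user-profile-autostart", run["name"], run["exe"]))
    for svc in parsed["services"]:
        if svc["state"] in ("R0", "R1"):   # kernel-mode drivers loaded at boot/system start
            findings.append(("kernel-driver", svc["svc"], svc["path"]))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(parse_dds(SAMPLE_DDS)):
        print(f"{kind:24} {subject:20} {detail}")
```

Orphaned BHO entries are leftovers to clean, not active threats; the user-profile and kernel-driver lists are where to spend verification effort (publisher, file hash, install date) before declaring a machine clean.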
#6 nasdaq (Malware Response Team, 38,787 posts, Montreal, QC. Canada)

Posted 25 September 2012 - 09:18 AM

Your logs are clean.

Using the Add/Remove Programs applet delete this old version of Adobe Flash Player 10

===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

Please post the Attach.txt file that was created when you have executed the DDS tool.

#7 Weary Blue (Topic Starter, Members, 19 posts)

Posted 25 September 2012 - 09:59 PM

I have a subscription to McAfee that expires next week and I'm not renewing it. Does that mean I have to choose "yes, install..."?

#8 nasdaq (Malware Response Team, 38,787 posts, Montreal, QC. Canada)

Posted 26 September 2012 - 07:56 AM

No.


When you decide to remove McAfee I suggest you use this tool.
McAfee's removal tool.
http://mcafee-removal-tool.com/

Make sure you install another antivirus program.

Microsoft Security Essentials is free.
http://windows.microsoft.com/en-US/windows/products/security-essentials

#9 Weary Blue (Topic Starter, Members, 19 posts)

Posted 26 September 2012 - 09:39 PM

I'm a little confused...I'm not supposed to actually attach the file...just copy & paste the information from the attach.txt? The box that popped up when DDS was finished said that I had to zip the file and attach to post. But I know I kept coming across instructions that specifically said not to attach anything on forum posts and I don't want to do the wrong thing!

#10 nasdaq (Malware Response Team, 38,787 posts, Montreal, QC. Canada)

Posted 27 September 2012 - 08:34 AM

I like to see the text of the file when I ask for it.

Under normal circumstances you should attach it.
Thanks.

#11 Weary Blue (Topic Starter, Members, 19 posts)

Posted 27 September 2012 - 10:22 AM

I'm still a little unclear, but think this is what you are requesting...

Attached Files



#12 Weary Blue (Topic Starter, Members, 19 posts)

Posted 27 September 2012 - 11:00 AM

Once again, I really thank you for taking the time to do this.

Edited by Weary Blue, 27 September 2012 - 12:12 PM.


#13 nasdaq (Malware Response Team, 38,787 posts, Montreal, QC. Canada)

Posted 27 September 2012 - 12:26 PM

It runs a bit slow, but that's not really new (the C drive is nearly full).


From the report.
C: is FIXED (NTFS) - 99 GiB total, 11.837 GiB free. 12% free space.
D: is FIXED (NTFS) - 10 GiB total, 5.228 GiB free. 52% free space.

Any new programs should be installed in the D: drive.

One thing you can also do is to transfer some old files from C to D, especially pictures or movies that take a lot of space.
===

If the computer is still slow run this scan.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [button image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [button image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [icon image] icon on your desktop.
  • Check [checkbox image]
  • Click the [button image] button.
  • Accept any security warnings from your browser.
  • Check [checkbox image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [button image]
  • Push [button image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [button image] button.
  • Push [button image]


#14 Weary Blue (Topic Starter, Members, 19 posts)

Posted 28 September 2012 - 09:06 AM

I've always been a bit uncertain about what the D drive is for and wasn't sure what I could keep in it. I had it in my head that I couldn't install most things on D:. Are there any links to pages that might explain it to me? I'm really trying to get a solid grasp on how my computer works.

#15 nasdaq (Malware Response Team, 38,787 posts, Montreal, QC. Canada)

Posted 28 September 2012 - 01:23 PM

You probably have only one large hard drive in your computer.

It was divided by the manufacturer into 2 parts.

C:\ Where the operating system was installed, as well as other programs.

They also created, from the large drive, a drive D:\

This drive can be used as you see fit.


Dividing a hard drive is called partitioning.

You will find some good information here.
http://en.wikipedia.org/wiki/Disk_partitioning

I strongly suggest you do not attempt to increase or decrease the size of the drives.
Leave that to a computer expert.
