Missing Control Panel; Unable to run DDS in normal mode


22 replies to this topic

#1 morsun

morsun

  • Members

Posted 24 April 2013 - 03:50 AM

My Windows XP Home Edition system has an issue. It lost the Control Panel. The anti-malware application is unable to start. DDS is unable to run completely in normal mode. The following information from DDS was generated in safe mode. Please help.

 

DDS (Ver_2012-11-20.01) - NTFS_x86 MINIMAL
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.15.2
Run by leo at 1:33:02 on 2013-04-24
Microsoft Windows XP Home Edition  5.1.2600.3.936.86.1033.18.3070.2807 [GMT -7:00]
.
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
FW: Norton Security Suite *Enabled*
.
============== Running Processes ================
.
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer, optimized for Bing and MSN
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: {00000ADA-7E0D-47C1-986C-F017D09C4304} - <orphaned>
BHO: 1362C356-E03F-F9B3-FDD9-7D3B22A5FDF8 Class: {1362C356-E03F-F9B3-FDD9-7D3B22A5FDF8} -
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton security suite\engine\5.2.2.3\ips\ipsbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: 87B5D43A-17FE-B724-79F6-8B2D8BBE136D Class: {87B5D43A-17FE-B724-79F6-8B2D8BBE136D} -
BHO: {889D2FEB-5411-4565-8998-1DD2C5261283} - <orphaned>
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
uRun: [085] c:\documents and settings\leo\application data\1e471\085.js
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\documents and settings\leo\start menu\programs\startup\535.js
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\535.js
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\loadou~1.lnk - c:\program files\belkin\nostromo\nost_LM.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoWindowsUpdate = 1
uPolicies-Explorer: NoControlPanel = 1
uPolicies-Explorer: NofolderOptions = 1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.micrel.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1316078801046
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{612D552A-F609-4013-ADD1-97A7C692C6C9} : DHCPNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
.
============= SERVICES / DRIVERS ===============
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2013-4-21 64832]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502020.003\symds.sys [2012-7-16 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502020.003\symefa.sys [2012-7-16 744568]
S0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2013-4-21 565888]
S1 BHDrvx86;BHDrvx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20130322.001\bhdrvx86.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20130322.001\BHDrvx86.sys [?]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2013-4-21 91640]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502020.003\ironx86.sys [2012-7-16 136312]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-4-23 418376]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-4-23 701512]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-21 167784]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-21 167784]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-21 167784]
S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-21 167784]
S2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2013-4-21 203840]
S2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2013-4-21 169320]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2013-4-21 172416]
S2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.2.2.3\ccsvchst.exe [2012-7-16 130008]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-1-8 161536]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2012-8-28 92632]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-7-23 22821]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2013-4-21 60920]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2013-4-22 146872]
S3 IDSxpx86;IDSxpx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20130411.001\idsxpx86.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20130411.001\IDSxpx86.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-4-23 22856]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-4-24 40776]
S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [2013-4-21 203080]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2013-4-21 235264]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2013-4-21 65928]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2013-4-21 363080]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2013-4-21 92632]
S3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130412.003\naveng.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130412.003\NAVENG.SYS [?]
S3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130412.003\navex15.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130412.003\NAVEX15.SYS [?]
S3 RkHit;RkHit;\??\c:\windows\system32\drivers\rkhit.sys --> c:\windows\system32\drivers\RKHit.sys [?]
S3 SDGame;SDGAME;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 SdoKeyCrypt;SdoKeyCrypt;c:\windows\system32\SdoKeyCrypt.sys [2012-4-10 415160]
S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [2012-8-11 162176]
S4 McOobeSv;McAfee OOBE Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-21 167784]
.
=============== Created Last 30 ================
.
2013-04-24 08:21:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-04-24 01:28:21 -------- d-----w- c:\documents and settings\leo\application data\Malwarebytes
2013-04-23 23:55:51 -------- d-----w- c:\documents and settings\leo\local settings\application data\McAfee Anti-Theft
2013-04-23 23:50:37 -------- d-sh--w- c:\documents and settings\leo\PrivacIE
2013-04-23 20:52:25 -------- d-----w- c:\documents and settings\leo\local settings\application data\Sun
2013-04-23 20:47:24 -------- d-sh--w- c:\documents and settings\leo\application data\1e471
2013-04-23 20:20:28 221184 ----a-w- c:\windows\system32\wmpns.dll
2013-04-23 15:31:56 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-04-23 15:31:55 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-23 15:31:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-04-22 08:25:39 146872 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2013-04-22 01:45:53 64832 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2013-04-22 01:42:29 10088 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2013-04-22 01:42:24 92632 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2013-04-22 01:42:24 65928 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2013-04-22 01:42:24 60920 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-04-22 01:42:24 363080 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2013-04-22 01:42:24 235264 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-04-22 01:42:19 -------- d-----w- c:\program files\common files\Mcafee
2013-04-22 01:42:18 -------- d-----w- c:\program files\McAfee.com
2013-04-22 01:41:32 -------- d-----w- c:\program files\McAfee
2013-04-22 01:37:36 133416 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2013-04-22 01:37:33 565888 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-04-22 01:37:32 91640 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2013-04-22 01:36:38 172416 ----a-w- c:\windows\system32\mfevtps.exe
2013-04-22 01:36:38 161144 ----a-r- c:\windows\system32\mfevtps.exe.51f3.deleteme
2013-04-22 01:36:38 161144 ----a-r- c:\windows\system32\mfevtps.exe.1a7e.deleteme
2013-04-22 01:33:59 -------- d-----w- c:\windows\system32\wbem\repository\FS
2013-04-22 01:33:59 -------- d-----w- c:\windows\system32\wbem\Repository
2013-04-22 01:02:41 -------- d-----w- c:\program files\Symantec
2013-04-22 01:02:41 -------- d-----w- c:\program files\NortonInstaller
2013-04-22 01:02:41 -------- d-----w- c:\program files\common files\Symantec Shared
2013-04-22 01:02:21 -------- d-----w- c:\program files\Norton Security Suite
2013-04-21 20:56:23 -------- d-----w- c:\program files\McAfee(2).com
2013-04-21 20:56:23 -------- d-----w- c:\program files\common files\Mcafee(2)
2013-04-21 20:55:36 -------- d-----w- c:\program files\McAfee(2)
2013-04-21 20:41:20 161144 ----a-r- c:\windows\system32\mfevtps.exe.eb8e.deleteme
2013-04-21 20:41:20 161144 ----a-r- c:\windows\system32\mfevtps.exe.b1f7.deleteme
2013-04-21 08:05:08 -------- d-----w- c:\documents and settings\all users\application data\ACE650E1A219F91D0000ACE5A3FEFC1B
2013-04-18 05:23:09 -------- d-sh--w- c:\program files\014f0
2013-04-18 05:23:09 -------- d-sh--w- C:\1f
.
==================== Find3M  ====================
.
2013-03-13 06:32:30 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 06:32:30 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv(2)(2)(2)(3).dll
2013-03-07 01:28:24 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:28 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06:31 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06:31 916480 ----a-w- c:\windows\system32\wininet(3)(2)(3).dll
2013-03-02 02:06:31 1212928 ----a-w- c:\windows\system32\urlmon(3)(2)(3).dll
2013-03-02 02:06:31 105984 ----a-w- c:\windows\system32\url(3)(2)(3).dll
2013-03-02 02:06:30 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06:30 2004992 ----a-w- c:\windows\system32\iertutil(2)(2)(2)(3).dll
2013-03-02 02:06:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 02:06:29 11111424 ----a-w- c:\windows\system32\ieframe(2)(2)(2)(3).dll
2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k(2)(2)(2)(2).sys
2013-03-02 01:08:47 385024 ------w- c:\windows\system32\html.iec
2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-24 09:35:25 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-02-24 09:35:22 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-02-24 09:35:22 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-24 09:35:22 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-12 00:32:23 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-05 20:05:47 916480 ----a-w- c:\windows\system32\wininet(4)(2).dll
2013-02-05 20:05:47 916480 ----a-w- c:\windows\system32\wininet(2)(2).dll
2013-02-05 20:05:47 1212928 ----a-w- c:\windows\system32\urlmon(4)(2).dll
2013-02-05 20:05:47 1212928 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2013-02-05 20:05:47 105984 ----a-w- c:\windows\system32\url(4)(2).dll
2013-02-05 20:05:47 105984 ----a-w- c:\windows\system32\url(2)(2).dll
2013-02-05 20:05:45 184320 ----a-w- c:\windows\system32\iepeers(2).dll
2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll
.
============= FINISH:  1:33:50.84 ===============
 

Edited by morsun, 24 April 2013 - 04:11 AM.


#2 nasdaq

nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 25 April 2013 - 09:51 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop.
Link 1 Bleepingcomputer
Link 2 RogueKiller (par Tigzy)

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop, DO NOT ATTACH THE LOG.
===

; Purpose: Restore the control panel and other...
;
; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.
;
; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
 

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"-
"NoWindowsUpdate"-
"NofolderOptions"-

; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

Restart the computer normally.

Edited by nasdaq, 25 April 2013 - 09:51 AM.
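An added example, not code from the thread, DDS or RogueKiller: a small Python triage script for DDS report lines of the kind posted above. It flags the Explorer policy lockdowns that nasdaq's Fix.reg removes (NoControlPanel, NoWindowsUpdate, NofolderOptions), Run-key and Startup-folder entries whose target is a script file, and hidden+system folders from the "Created Last 30" section, then generates a REGEDIT4 fix of the same shape as Fix.reg. The sample lines are constructed to mirror the report in post #1, and the regexes assume DDS's line format as shown there.

```python
"""Triage a DDS report for the indicators discussed in this thread.

Added example; not code from DDS, RogueKiller or the thread. The sample
lines below are constructed to mirror the format of the report in post #1.
"""
import re

# Constructed sample in DDS's format: autostarts, Explorer policies and a
# 'Created Last 30' entry for the hidden+system folder holding the .js loader.
SAMPLE_DDS = r"""
uRun: [085] c:\documents and settings\leo\application data\1e471\085.js
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\documents and settings\leo\start menu\programs\startup\535.js
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoWindowsUpdate = 1
uPolicies-Explorer: NoControlPanel = 1
uPolicies-Explorer: NofolderOptions = 1
2013-04-23 20:47:24 -------- d-sh--w- c:\documents and settings\leo\application data\1e471
2013-04-24 01:28:21 -------- d-----w- c:\documents and settings\leo\application data\Malwarebytes
""".strip()

# Policy values that only ever restrict the user; a non-zero value on a home
# machine is the lockdown the thread's Fix.reg undoes. NoDriveTypeAutoRun is
# a hardening setting and is deliberately not in this list.
LOCKDOWN_POLICIES = {
    "nocontrolpanel", "nowindowsupdate", "nofolderoptions",
    "disabletaskmgr", "disableregistrytools",
}

POLICY_RE = re.compile(
    r"^([um])Policies-([^:]+):\s*(\w+)\s*=\s*(dword:)?([0-9a-f]+)\s*$", re.I)
AUTOSTART_RE = re.compile(r"^(uRun|mRun|StartupFolder):\s*(.*)$", re.I)
# A drive-rooted path ending in a script extension, followed by end/space/quote.
SCRIPT_PATH_RE = re.compile(
    r'([a-z]:\\[^"]*?\.(?:js|jse|vbs|vbe|wsf|hta|bat|cmd))(?=$|[\s"])', re.I)
# 'Created Last 30' line: timestamp, size or dashes, 8-char attribute field, path.
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+([-a-z]{8})\s+(.+)$", re.I)

HIVES = {"u": "HKEY_CURRENT_USER", "m": "HKEY_LOCAL_MACHINE"}


def parse_policies(text):
    """Return (hive, key, name, value) for every ?Policies-* line; 'u' = HKCU, 'm' = HKLM."""
    found = []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            hive, key, name, dword, raw = m.groups()
            value = int(raw, 16) if dword else int(raw)  # dword: values are hex
            found.append((hive.lower(), key, name, value))
    return found


def find_lockdown_policies(text):
    """Policies from LOCKDOWN_POLICIES that are set to a non-zero value."""
    return [p for p in parse_policies(text)
            if p[2].lower() in LOCKDOWN_POLICIES and p[3] != 0]


def find_script_autostarts(text):
    """Run-key and Startup-folder entries whose target is a script file."""
    hits = []
    for line in text.splitlines():
        m = AUTOSTART_RE.match(line.strip())
        if not m:
            continue
        path = SCRIPT_PATH_RE.search(m.group(2))
        if path:
            hits.append((m.group(1), path.group(1)))
    return hits


def find_hidden_system_dirs(text):
    """'Created Last 30' directories carrying both the hidden and system attributes."""
    dirs = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m and m.group(1)[0] == "d" and "s" in m.group(1) and "h" in m.group(1):
            dirs.append(m.group(2))
    return dirs


def build_policy_fix_reg(policies):
    """Emit a REGEDIT4 file deleting the given Explorer policy values, in the
    shape of the thread's Fix.reg: a quoted value name followed by '-' removes it."""
    by_hive = {}
    for hive, key, name, _ in policies:
        if key.lower() == "explorer":  # other policy keys are left for manual review
            by_hive.setdefault(hive, []).append(name)
    lines = ["REGEDIT4", ""]
    for hive, names in by_hive.items():
        lines.append(f"[{HIVES[hive]}\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]")
        lines += [f'"{name}"-' for name in names]
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for p in find_lockdown_policies(SAMPLE_DDS):
        print("lockdown policy:", p)
    for entry in find_script_autostarts(SAMPLE_DDS):
        print("script autostart:", entry)
    for d in find_hidden_system_dirs(SAMPLE_DDS):
        print("hidden+system folder:", d)
    print(build_policy_fix_reg(find_lockdown_policies(SAMPLE_DDS)))
```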


#3 morsun

morsun
  • Topic Starter

  • Members

Posted 25 April 2013 - 04:39 PM

After running RogueKiller, the mouse started to get stuck for a while, then was able to move for a while, and then it repeated getting stuck and moving.

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : leo [Admin rights]
Mode : Scan -- Date : 04/25/2013 14:34:39
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ROGUE ST] 097.exe -- C:\Documents and Settings\leo\Local Settings\Temp\097.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][ROGUE ST] HKCU\[...]\Run : 085 (C:\Documents and Settings\leo\Application Data\1e471\085.js) -> FOUND
[RUN][ROGUE ST] HKUS\S-1-5-21-1085031214-412668190-725345543-1011[...]\Run : 085 (C:\Documents and Settings\leo\Application Data\1e471\085.js) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[31] : NtConnectPort @ 0x80599A7E -> HOOKED (Unknown @ 0x8944CB40)
SSDT[97] : NtLoadDriver @ 0x80579714 -> HOOKED (Unknown @ 0x8A0695E8)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3200822A +++++
--- User ---
[MBR] 45d6d0c0cd5c065205c000d6da6b8d1d
[BSP] a7c5c8dfee893117247a1a7abd9c9822 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 62997 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129018015 | Size: 62997 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 258036030 | Size: 64785 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_04252013_02d1434.txt >>
RKreport[1]_S_04252013_02d1434.txt

 

===

 

After running Fix.reg, the mouse stuck issue is fixed. However, the control panel is still missing after reboot.


Edited by morsun, 25 April 2013 - 05:45 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 26 April 2013 - 07:05 AM

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these items below and uncheck the rest (if found):

[RUN][ROGUE ST] HKCU\[...]\Run : 085 (C:\Documents and Settings\leo\Application Data\1e471\085.js) -> FOUND
[RUN][ROGUE ST] HKUS\S-1-5-21-1085031214-412668190-725345543-1011[...]\Run : 085 (C:\Documents and Settings\leo\Application Data\1e471\085.js) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND



Now click Delete on the right hand column under Options

===

REMOVAL FROM THE PROCESS SECTION.
Next click on the Processes tab and put a check next to these and uncheck the rest. (if found)

[ROGUE ST] 097.exe -- C:\Documents and Settings\leo\Local Settings\Temp\097.exe [-] -> KILLED [TermProc]

Now click Delete on the right hand column under Options

Restart the computer normally.

===
Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
Please paste the logs in your next reply, DO NOT ATTACH THEM

p.s.
If the Control Panel is still not available, run the .reg file I previously suggested.

Let me know what problem persists.

#5 morsun

morsun
  • Topic Starter

  • Members

Posted 26 April 2013 - 10:59 AM

Hi nasdaq,

 

  This time the bad process is not shown, so there was no action on deleting the bad process 097.exe.

 

  This is the log after the RogueKiller scan:

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : leo [Admin rights]
Mode : Scan -- Date : 04/26/2013 08:00:29
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][ROGUE ST] HKCU\[...]\Run : 085 (C:\Documents and Settings\leo\Application Data\1e471\085.js) -> FOUND
[RUN][ROGUE ST] HKUS\S-1-5-21-1085031214-412668190-725345543-1011[...]\Run : 085 (C:\Documents and Settings\leo\Application Data\1e471\085.js) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[31] : NtConnectPort @ 0x80599A7E -> HOOKED (Unknown @ 0x89139D30)
SSDT[97] : NtLoadDriver @ 0x80579714 -> HOOKED (Unknown @ 0x8A04D0C0)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3200822A +++++
--- User ---
[MBR] 45d6d0c0cd5c065205c000d6da6b8d1d
[BSP] a7c5c8dfee893117247a1a7abd9c9822 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 62997 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129018015 | Size: 62997 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 258036030 | Size: 64785 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_S_04262013_02d0800.txt >>
RKreport[1]_S_04252013_02d1434.txt ; RKreport[2]_S_04262013_02d0800.txt

 

  This is the log after RogueKiller finished deleting:

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : leo [Admin rights]
Mode : Remove -- Date : 04/26/2013 08:04:50
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][ROGUE ST] HKCU\[...]\Run : 085 (C:\Documents and Settings\leo\Application Data\1e471\085.js) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[31] : NtConnectPort @ 0x80599A7E -> HOOKED (Unknown @ 0x89139D30)
SSDT[97] : NtLoadDriver @ 0x80579714 -> HOOKED (Unknown @ 0x8A04D0C0)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3200822A +++++
--- User ---
[MBR] 45d6d0c0cd5c065205c000d6da6b8d1d
[BSP] a7c5c8dfee893117247a1a7abd9c9822 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 62997 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129018015 | Size: 62997 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 258036030 | Size: 64785 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3]_D_04262013_02d0804.txt >>
RKreport[1]_S_04252013_02d1434.txt ; RKreport[2]_S_04262013_02d0800.txt ; RKreport[3]_D_04262013_02d0804.txt

 

====

 

I am stuck at the ComboFix step. I stopped all other programs, including McAfee Anti-Virus. After double-clicking the ComboFix icon on the desktop, it reached the Open File - Security Warning page. Then I clicked Run. The ComboFix Disclaimer menu came up. Before I was able to click the "I Agree" button, the ComboFix application was closed by the system. I tried racing the system to click the "I Agree" button a few times and I succeeded. A process loading box from ComboFix with some green words showed. However, within half a second, the ComboFix application was closed by the system again. Since the ComboFix stage was unable to go through, I did not touch any of the AdwCleaner steps at all.

 

Please advise on how to run ComboFix when I am encountering a situation like this.

#6 nasdaq

nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 26 April 2013 - 12:30 PM

  • Restart your computer in Safe Mode: start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when you see the Boot Menu.
  • When the Windows Advanced Options menu appears, select an option, and then press ENTER.
  • When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
Delete these files/folder in bold if found.

c:\documents and settings\leo\application data\1e471\ <- folder
StartupFolder: c:\documents and settings\leo\start menu\programs\startup\535.js <- file
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\535.js <- file

Restart the computer normally.

Post a fresh DDS log for my review.

Please let me know what problem persists.

#7 morsun

morsun
  • Topic Starter

  • Members

Posted 26 April 2013 - 03:43 PM

Hi nasdaq,

I tried safe mode and was unable to see the "1e471" directory. I went to the "startup" directory; there is no 535.js. However, there is 5f1.js; I took no action on it. After that, I rebooted with F8 into Command Line mode. I went to c:\documents and settings\leo\application data and still did not see the "1e471" directory. Instead, I blindly did "cd 1e471", and it let me enter the "1e471" directory. There is a file 085.js. I deleted 085.js. Then I went back up one directory level and did "rmdir 1e471" to delete the 1e471 directory. I went to the "startup" directory and deleted the file 5j1.js. I went to the "Administrator" account and found "1e471, 085.js and 5f1.js" accordingly. I deleted all of them.

I restarted into normal mode; this is the first time I have been able to run DDS in normal mode. Here is the fresh DDS log:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.15.2
Run by leo at 13:16:01 on 2013-04-26
Microsoft Windows XP Home Edition  5.1.2600.3.936.86.1033.18.3070.2467 [GMT -7:00]
.
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
FW: Norton Security Suite *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\Skype\Updater\Updater.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer, optimized for Bing and MSN
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: {00000ADA-7E0D-47C1-986C-F017D09C4304} - <orphaned>
BHO: 1362C356-E03F-F9B3-FDD9-7D3B22A5FDF8 Class: {1362C356-E03F-F9B3-FDD9-7D3B22A5FDF8} -
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton security suite\engine\5.2.2.3\ips\ipsbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: 87B5D43A-17FE-B724-79F6-8B2D8BBE136D Class: {87B5D43A-17FE-B724-79F6-8B2D8BBE136D} -
BHO: {889D2FEB-5411-4565-8998-1DD2C5261283} - <orphaned>
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [085] c:\documents and settings\leo\application data\1e471\085.js
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\loadou~1.lnk - c:\program files\belkin\nostromo\nost_LM.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoWindowsUpdate = 1
uPolicies-Explorer: NoControlPanel = 1
uPolicies-Explorer: NofolderOptions = 1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.micrel.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1316078801046
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{612D552A-F609-4013-ADD1-97A7C692C6C9} : DHCPNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
.
============= SERVICES / DRIVERS ===============
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2013-4-21 64832]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2013-4-21 565888]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502020.003\symds.sys [2012-7-16 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502020.003\symefa.sys [2012-7-16 744568]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2013-4-21 91640]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-4-23 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-4-23 701512]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-21 167784]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-21 167784]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-21 167784]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-21 167784]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2013-4-21 203840]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2013-4-21 169320]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2013-4-21 172416]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.2.2.3\ccsvchst.exe [2012-7-16 130008]
R2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-1-8 161536]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2012-8-28 92632]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2013-4-21 60920]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2013-4-22 146872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-4-23 22856]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2013-4-21 235264]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2013-4-21 363080]
R3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [2012-8-11 162176]
S1 BHDrvx86;BHDrvx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20130322.001\bhdrvx86.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20130322.001\BHDrvx86.sys [?]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502020.003\ironx86.sys [2012-7-16 136312]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-7-23 22821]
S3 IDSxpx86;IDSxpx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20130411.001\idsxpx86.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20130411.001\IDSxpx86.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-4-24 40776]
S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [2013-4-21 203080]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2013-4-21 65928]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2013-4-21 92632]
S3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130412.003\naveng.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130412.003\NAVENG.SYS [?]
S3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130412.003\navex15.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130412.003\NAVEX15.SYS [?]
S3 RkHit;RkHit;\??\c:\windows\system32\drivers\rkhit.sys --> c:\windows\system32\drivers\RKHit.sys [?]
S3 SDGame;SDGAME;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 SdoKeyCrypt;SdoKeyCrypt;c:\windows\system32\SdoKeyCrypt.sys [2012-4-10 415160]
S4 McOobeSv;McAfee OOBE Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-21 167784]
.
=============== Created Last 30 ================
.
2013-04-26 14:58:58 15616 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2013-04-25 21:16:48 -------- d-----w- c:\documents and settings\leo\application data\NVIDIA
2013-04-24 08:21:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-04-24 01:28:21 -------- d-----w- c:\documents and settings\leo\application data\Malwarebytes
2013-04-23 23:55:51 -------- d-----w- c:\documents and settings\leo\local settings\application data\McAfee Anti-Theft
2013-04-23 23:50:37 -------- d-sh--w- c:\documents and settings\leo\PrivacIE
2013-04-23 20:52:25 -------- d-----w- c:\documents and settings\leo\local settings\application data\Sun
2013-04-23 20:20:28 221184 ----a-w- c:\windows\system32\wmpns.dll
2013-04-23 15:31:56 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-04-23 15:31:55 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-23 15:31:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-04-22 08:25:39 146872 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2013-04-22 01:45:53 64832 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2013-04-22 01:42:29 10088 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2013-04-22 01:42:24 92632 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2013-04-22 01:42:24 65928 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2013-04-22 01:42:24 60920 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-04-22 01:42:24 363080 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2013-04-22 01:42:24 235264 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-04-22 01:42:19 -------- d-----w- c:\program files\common files\Mcafee
2013-04-22 01:42:18 -------- d-----w- c:\program files\McAfee.com
2013-04-22 01:41:32 -------- d-----w- c:\program files\McAfee
2013-04-22 01:37:36 133416 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2013-04-22 01:37:33 565888 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-04-22 01:37:32 91640 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2013-04-22 01:36:38 172416 ----a-w- c:\windows\system32\mfevtps.exe
2013-04-22 01:36:38 161144 ----a-r- c:\windows\system32\mfevtps.exe.51f3.deleteme
2013-04-22 01:36:38 161144 ----a-r- c:\windows\system32\mfevtps.exe.1a7e.deleteme
2013-04-22 01:33:59 -------- d-----w- c:\windows\system32\wbem\repository\FS
2013-04-22 01:33:59 -------- d-----w- c:\windows\system32\wbem\Repository
2013-04-22 01:02:41 -------- d-----w- c:\program files\Symantec
2013-04-22 01:02:41 -------- d-----w- c:\program files\NortonInstaller
2013-04-22 01:02:41 -------- d-----w- c:\program files\common files\Symantec Shared
2013-04-22 01:02:21 -------- d-----w- c:\program files\Norton Security Suite
2013-04-21 20:56:23 -------- d-----w- c:\program files\McAfee(2).com
2013-04-21 20:56:23 -------- d-----w- c:\program files\common files\Mcafee(2)
2013-04-21 20:55:36 -------- d-----w- c:\program files\McAfee(2)
2013-04-21 20:41:20 161144 ----a-r- c:\windows\system32\mfevtps.exe.eb8e.deleteme
2013-04-21 20:41:20 161144 ----a-r- c:\windows\system32\mfevtps.exe.b1f7.deleteme
2013-04-21 08:05:08 -------- d-----w- c:\documents and settings\all users\application data\ACE650E1A219F91D0000ACE5A3FEFC1B
2013-04-18 05:23:09 -------- d-sh--w- c:\program files\014f0
2013-04-18 05:23:09 -------- d-sh--w- C:\1f
.
==================== Find3M  ====================
.
2013-03-13 06:32:30 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 06:32:30 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv(2)(2)(2)(3).dll
2013-03-07 01:28:24 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:28 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06:31 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06:31 916480 ----a-w- c:\windows\system32\wininet(3)(2)(3).dll
2013-03-02 02:06:31 1212928 ----a-w- c:\windows\system32\urlmon(3)(2)(3).dll
2013-03-02 02:06:31 105984 ----a-w- c:\windows\system32\url(3)(2)(3).dll
2013-03-02 02:06:30 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06:30 2004992 ----a-w- c:\windows\system32\iertutil(2)(2)(2)(3).dll
2013-03-02 02:06:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 02:06:29 11111424 ----a-w- c:\windows\system32\ieframe(2)(2)(2)(3).dll
2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k(2)(2)(2)(2).sys
2013-03-02 01:08:47 385024 ------w- c:\windows\system32\html.iec
2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-24 09:35:25 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-02-24 09:35:22 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-02-24 09:35:22 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-24 09:35:22 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-12 00:32:23 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-05 20:05:47 916480 ----a-w- c:\windows\system32\wininet(4)(2).dll
2013-02-05 20:05:47 916480 ----a-w- c:\windows\system32\wininet(2)(2).dll
2013-02-05 20:05:47 1212928 ----a-w- c:\windows\system32\urlmon(4)(2).dll
2013-02-05 20:05:47 1212928 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2013-02-05 20:05:47 105984 ----a-w- c:\windows\system32\url(4)(2).dll
2013-02-05 20:05:47 105984 ----a-w- c:\windows\system32\url(2)(2).dll
2013-02-05 20:05:45 184320 ----a-w- c:\windows\system32\iepeers(2).dll
.
============= FINISH: 13:17:01.37 ===============

Control Panel is still missing. Based on the DDS log, "1e471/085.js" is coming back after reboot. Please advise me on the next action.


Edited by morsun, 26 April 2013 - 04:17 PM.
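The DDS entries in the log above that matter most to a responder are the uPolicies-Explorer lines (NoControlPanel, NofolderOptions, NoWindowsUpdate set to 1, which explains the missing Control Panel) and the uRun entry launching a .js file from a short random-named folder under Application Data. As an added example, not part of this thread and not code from DDS, here is a small Python triage script that parses those DDS line formats and flags lock-out policies and script-based autoruns; the sample input is excerpted from the log above, and the policy and marker lists are my own choices.

```python
import re

# Explorer policies that take recovery tools away from the user. These are the
# ones worth flagging (my own list, not a DDS or Microsoft list). NoDriveTypeAutoRun
# is left out on purpose: it is a hardening setting, not a lock-out.
LOCKOUT_POLICIES = {
    "nocontrolpanel", "nofolderoptions", "nowindowsupdate", "norun",
    "disabletaskmgr", "disableregistrytools", "nodesktop", "noviewcontextmenu",
}

# Script extensions that mean an autorun goes through the Windows Script Host.
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh|hta)\b", re.I)

# Folders a legitimate startup program rarely runs from.
PROFILE_DATA_MARKERS = ("application data", "local settings", "\\temp\\", "appdata")

# DDS "Pseudo HJT Report" line shapes: policies and the three autorun kinds.
POLICY_RE = re.compile(r"^([um])Policies-Explorer:\s*(\w+)\s*=\s*(?:dword:)?(\S+)", re.I)
AUTORUN_RE = re.compile(r"^([um]Run|StartupFolder):\s*(.*)$", re.I)

# Excerpt of the DDS log posted above (sample input for this script).
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [085] c:\documents and settings\leo\application data\1e471\085.js
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\loadou~1.lnk - c:\program files\belkin\nostromo\nost_LM.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoWindowsUpdate = 1
uPolicies-Explorer: NoControlPanel = 1
uPolicies-Explorer: NofolderOptions = 1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
"""


def _is_enabled(raw):
    """DDS prints values as '1' or 'dword:145'; treat any non-zero value as set."""
    for base in (10, 16):
        try:
            return int(raw, base) != 0
        except ValueError:
            pass
    return True  # unparseable but present: assume the policy is in force


def _autorun_target(body):
    """Drop the [name] label and any 'shortcut - ' prefix, leaving the launched path."""
    body = re.sub(r"^\[[^\]]*\]\s*", "", body)
    if " - " in body:
        body = body.rsplit(" - ", 1)[1]
    return body.strip().strip('"')


def triage_dds(text):
    """Return findings (dicts) for lock-out policies and suspicious autoruns
    found in DDS 'Pseudo HJT Report' lines. Benign lines produce nothing."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            scope, name, value = m.groups()
            if name.lower() in LOCKOUT_POLICIES and _is_enabled(value):
                findings.append({
                    "kind": "policy",
                    "scope": "user" if scope.lower() == "u" else "machine",
                    "name": name,
                    "line": line,
                    "reason": "restricts the user's access to a recovery tool",
                })
            continue
        m = AUTORUN_RE.match(line)
        if m:
            kind, body = m.groups()
            target = _autorun_target(body)
            low = target.lower()
            reasons = []
            if SCRIPT_EXT_RE.search(low):
                reasons.append("launches a script file")
            if any(marker in low for marker in PROFILE_DATA_MARKERS):
                reasons.append("runs from a user profile data folder")
            if reasons:
                findings.append({
                    "kind": kind if kind == "StartupFolder" else "autorun",
                    "target": target,
                    "line": line,
                    "reason": "; ".join(reasons),
                })
    return findings


if __name__ == "__main__":
    for finding in triage_dds(SAMPLE_DDS):
        print(f"[{finding['kind']}] {finding['reason']}: {finding['line']}")
```

On the excerpt above this reports the three user-scope lock-out policies and the 085.js autorun, and stays silent on the NVIDIA, IME and Belkin entries.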


#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:25 PM

Posted 27 April 2013 - 06:47 AM


The malware is possibly disabling the Control Panel.
Will have to deal with it when it's removed.

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

#9 morsun

morsun
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:25 PM

Posted 27 April 2013 - 11:27 AM

My Norton Security was totally uninstalled before I installed McAfee Total Protection. Therefore, I have no way to turn off Norton Security. I assume the warning message about "Norton Security is up" will not affect ComboFix.

This is the log generated after ComboFix ran:

Chinese to English, to help understanding:

执行位置: Running from:

被删除的档案: Other Deletions

驱动/服务: Process/Service

2013-03-27 至 2013-04-27 的新的档案: Files Created from 2013-03-27 to 2013-04-27

在三个月内被修改的档案: Find3M Report

重要登入点: Reg Loading Points

*注意* 空白与合法缺省登录将不会被显示: *Note* empty entries & legit default entries are not shown

‘计划任务’ 文件夹 里的内容: Contents of the 'Scheduled Tasks' folder

而外的扫描: Supplementary Scan

扫描被隐藏的进程 : scanning hidden processes

扫描被隐藏的启动组 : scanning hidden autostart entries

扫描被隐藏的文件: scanning hidden files

扫描完成: scan completed successfully

被隐藏的档案: hidden files

运行进程下的动态链接库:DLLs Loaded Under Running Processes

其他运行进程: Other running process

完成时间: 2013-04-27  08:43:11 - 电脑已重新启动: Completion Time: 2013-04-27  08:43:11 - Computer Restart

====

ComboFix 13-04-26.01 - leo 7/2013 Sat   8:30.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.936.86.1033.18.3070.2601 [GMT -7:00]
执行位置: c:\documents and settings\leo\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
(((((((((((((((((((((((((((((((((((((((   被删除的档案   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\leol\Application Data\0000142A1341AA
c:\documents and settings\leol\Application Data\004D5649544E41
c:\documents and settings\leol\Application Data\004D5649544E41696E66
c:\program files\Baidu\{87B5D43A-17FE-B724-79F6-8B2D8BBE136D}\AddressBar.dll
.
.
(((((((((((((((((((((((((((((((((((((((   驱动/服务   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_RKHIT
-------\Service_RkHit
.
.
(((((((((((((((((((((((((  2013-03-27 至 2013-04-27 的新的档案  )))))))))))))))))))))))))))))))
.
.
2013-04-26 14:58 . 2013-04-26 14:58 15616 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2013-04-24 08:21 . 2013-04-24 08:21 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-04-23 20:44 . 2013-04-23 23:50 -------- d-----w- c:\documents and settings\leo
2013-04-23 20:44 . 2013-04-23 20:44 -------- d-----w- c:\documents and settings\UpdatusUser
2013-04-23 20:40 . 2013-04-23 20:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\McAfee Anti-Theft
2013-04-23 20:20 . 2008-04-14 12:42 221184 ----a-w- c:\windows\system32\wmpns.dll
2013-04-23 20:02 . 2013-04-23 20:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2013-04-23 15:31 . 2013-04-23 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-04-23 15:31 . 2013-04-23 15:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-04-23 15:31 . 2013-04-04 21:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-22 08:25 . 2012-04-20 23:40 146872 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2013-04-22 01:45 . 2012-09-14 23:26 64832 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2013-04-22 01:42 . 2013-02-19 21:11 10088 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2013-04-22 01:42 . 2013-02-19 21:15 60920 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-04-22 01:42 . 2013-02-19 21:10 92632 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2013-04-22 01:42 . 2013-02-19 21:09 363080 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2013-04-22 01:42 . 2013-02-19 21:08 65928 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2013-04-22 01:42 . 2013-02-19 21:08 235264 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-04-22 01:42 . 2013-04-22 08:43 -------- d-----w- c:\program files\Common Files\Mcafee
2013-04-22 01:41 . 2013-04-27 05:11 -------- d-----w- c:\program files\McAfee
2013-04-22 01:37 . 2013-02-19 21:07 133416 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2013-04-22 01:37 . 2013-02-19 21:09 565888 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-04-22 01:37 . 2013-02-19 21:11 91640 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2013-04-22 01:36 . 2013-02-19 21:12 172416 ----a-w- c:\windows\system32\mfevtps.exe
2013-04-22 01:33 . 2013-04-22 01:33 -------- d-----w- c:\windows\system32\wbem\Repository
2013-04-22 01:02 . 2013-04-22 01:02 -------- d-----w- c:\program files\Symantec
2013-04-22 01:02 . 2013-04-22 01:02 -------- d-----w- c:\program files\NortonInstaller
2013-04-22 01:02 . 2013-04-22 01:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2013-04-22 01:02 . 2013-04-22 01:02 -------- d-----w- c:\program files\Norton Security Suite
2013-04-21 16:50 . 2013-04-21 16:50 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2013-04-21 16:48 . 2013-04-21 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2013-04-21 08:05 . 2013-04-22 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ACE650E1A219F91D0000ACE5A3FEFC1B
2013-04-21 01:24 . 2013-04-21 01:24 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2013-04-18 05:23 . 2013-04-18 05:23 -------- d-----w- C:\1f
2013-04-18 05:23 . 2013-04-18 05:23 -------- d-sh--w- c:\program files\014f0
.
.
.
((((((((((((((((((((((((((((((((((((((((   在三个月内被修改的档案   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-13 06:32 . 2012-04-11 06:54 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-13 06:32 . 2011-10-24 06:18 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-08 08:36 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 08:36 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv(2)(2)(2)(3).dll
2013-03-07 01:28 . 2004-08-04 12:00 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2004-08-03 22:59 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet(3)(2)(3).dll
2013-03-02 02:06 . 2004-08-04 12:00 1212928 ----a-w- c:\windows\system32\urlmon(3)(2)(3).dll
2013-03-02 02:06 . 2004-08-04 12:00 105984 ----a-w- c:\windows\system32\url(3)(2)(3).dll
2013-03-02 02:06 . 2009-03-08 11:32 2004992 ----a-w- c:\windows\system32\iertutil(2)(2)(2)(3).dll
2013-03-02 02:06 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 02:06 . 2009-03-08 11:39 11111424 ----a-w- c:\windows\system32\ieframe(2)(2)(2)(3).dll
2013-03-02 01:25 . 2004-08-04 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:25 . 2004-08-04 12:00 1867264 ----a-w- c:\windows\system32\win32k(2)(2)(2)(2).sys
2013-03-02 01:08 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2013-02-27 07:56 . 2011-09-15 08:25 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-24 09:35 . 2013-02-24 09:35 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-02-24 09:35 . 2013-02-24 09:36 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-02-24 09:35 . 2012-06-15 18:45 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-02-24 09:35 . 2011-11-06 17:43 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-12 00:32 . 2011-09-15 08:39 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2004-08-04 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet(4)(2).dll
2013-02-05 20:05 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet(2)(2).dll
2013-02-05 20:05 . 2004-08-04 12:00 1212928 ----a-w- c:\windows\system32\urlmon(4)(2).dll
2013-02-05 20:05 . 2004-08-04 12:00 1212928 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2013-02-05 20:05 . 2004-08-04 12:00 105984 ----a-w- c:\windows\system32\url(4)(2).dll
2013-02-05 20:05 . 2004-08-04 12:00 105984 ----a-w- c:\windows\system32\url(2)(2).dll
2013-02-05 20:05 . 2004-08-04 12:00 184320 ----a-w- c:\windows\system32\iepeers(2).dll
.
.
(((((((((((((((((((((((((((((((((((((   重要登入点   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AAADesktopTips]
@="{4562B511-62E9-4533-B7B2-56A8BB10B482}"
[HKEY_CLASSES_ROOT\CLSID\{4562B511-62E9-4533-B7B2-56A8BB10B482}]
2012-08-10 10:13 247760 ----a-w- c:\program files\Common Files\Thunder Network\Kankan\xappex.1.1.1.39.(368).dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]
"NvMediaCenter"="NvMCTray.dll" [2011-08-03 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-29 151952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-14 1278064]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
5f1.js [2013-4-26 46154]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Loadout Manager.lnk - c:\program files\Belkin\Nostromo\nost_LM.exe [2003-6-23 442368]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"FirewallDisableNotify"="1"
"FirewallOverride"="1"
"AntiVirusDisableNotify"="1"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\DragonNest\\龙之谷\\DragonNest.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"e:\\DragonNest\\龙之谷\\newkoo\\newkoo_dn\\NKHost.exe"=
"c:\\Program Files\\盛大网络\\盛大下载器\\sdDown.exe"=
"e:\\San12VS\\San12VS.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\duowan\\gamebox\\3.4.251752.372\\yygamebox.exe"=
"c:\\Program Files\\duowan\\gamebox\\3.4.251752.372\\bugreport.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"e:\\DragonNest\\áú??1è\\DragonNest.exe"=
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [4/21/2013 6:45 PM 64832]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502020.003\symds.sys [7/16/2012 11:43 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502020.003\symefa.sys [7/16/2012 11:43 PM 744568]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/21/2013 6:37 PM 91640]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [4/23/2013 8:31 AM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/23/2013 8:31 AM 701512]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/21/2013 6:42 PM 167784]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/21/2013 6:42 PM 167784]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/21/2013 6:42 PM 167784]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [4/21/2013 6:42 PM 169320]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/21/2013 6:36 PM 172416]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.2.2.3\ccsvchst.exe [7/16/2012 11:42 PM 130008]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/28/2012 8:41 AM 92632]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/21/2013 6:42 PM 60920]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [4/22/2013 1:25 AM 146872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/23/2013 8:31 AM 22856]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/21/2013 6:42 PM 363080]
R3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [8/11/2012 10:26 PM 162176]
S1 BHDrvx86;BHDrvx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20130322.001\BHDrvx86.sys --> c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20130322.001\BHDrvx86.sys [?]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502020.003\ironx86.sys [7/16/2012 11:43 PM 136312]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [1/8/2013 1:55 PM 161536]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:00 AM 14336]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [7/23/2003 12:16 PM 22821]
S3 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20130411.001\IDSxpx86.sys --> c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20130411.001\IDSxpx86.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/24/2013 1:21 AM 40776]
S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [4/21/2013 6:48 PM 203080]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/21/2013 6:42 PM 92632]
S3 SDGame;SDGAME;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:00 AM 14336]
S3 SdoKeyCrypt;SdoKeyCrypt;c:\windows\system32\SdoKeyCrypt.sys [4/10/2012 10:52 PM 415160]
S4 McOobeSv;McAfee OOBE Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/21/2013 6:42 PM 167784]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
XLServicePlatform REG_MULTI_SZ    XLServicePlatform
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 06:32]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{00000ADA-7E0D-47C1-986C-F017D09C4304} - (no file)
BHO-{1362C356-E03F-F9B3-FDD9-7D3B22A5FDF8} - c:\program files\Baidu\{87B5D43A-17FE-B724-79F6-8B2D8BBE136D}\AddressBar.dll
BHO-{87B5D43A-17FE-B724-79F6-8B2D8BBE136D} - c:\program files\Baidu\{87B5D43A-17FE-B724-79F6-8B2D8BBE136D}\AddressBar.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-27 08:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(768)
c:\program files\McAfee\Gkp\HcApi.dll
c:\program files\McAfee\Gkp\HIPHandlers.dll
.
- - - - - - - > 'lsass.exe'(824)
c:\program files\McAfee\Gkp\HcApi.dll
c:\program files\McAfee\Gkp\HIPHandlers.dll
.
- - - - - - - > 'explorer.exe'(3240)
c:\windows\system32\WININET.dll
c:\program files\McAfee\Gkp\HcApi.dll
c:\program files\McAfee\Gkp\HIPHandlers.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Common Files\Thunder Network\KanKan\xappex.1.1.1.39.(368).dll
c:\program files\Belkin\Nostromo\nost_FSH.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
- - - - - - - > 'csrss.exe'(744)
c:\program files\McAfee\Gkp\HcApi.dll
c:\program files\McAfee\Gkp\HIPHandlers.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\conime.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RunDLL32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\mcafee.com\agent\McUpdate.exe
.
**************************************************************************
.
Completion time: 2013-04-27  08:43:11 - machine was rebooted
ComboFix-quarantined-files.txt  2013-04-27 15:43
.
Pre-Run: 43,039,285,248 bytes free
Post-Run: 43,463,471,104 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - A31C1CF240FF643F4356F540899D7ED2
===

I do not see ComboFix detecting any virus or malware, but I noticed my control panel is back. Since running ComboFix, I have not activated my antivirus yet. Please advise on my next action.


Edited by morsun, 27 April 2013 - 11:38 AM.


#10 nasdaq (Malware Response Team, 38,764 posts, Montreal, QC. Canada)

Posted 27 April 2013 - 12:57 PM

Open notepad and copy/paste the text in the quote box below into it:

File::
c:\documents and settings\Default User\Start Menu\Programs\Startup\5f1.js

SecCenter::
{E10A9785-9598-4754-B552-92431C1C35F8}
{7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

Save this as CFScript.txt on your desktop.

[image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

You can restart your McAfee virus protection after running ComboFix.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please run the DDS tool and post a fresh log as well.

Let me know what problem persists.
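
The ComboFix output posted above and the CFScript in the reply above both carry details a practitioner would want to check mechanically rather than by eye: Security Center override values set to 1, the standard-profile firewall policy at EnableFirewall 0, a .js file sitting in the Default User Startup folder, a hidden directory created under Program Files, and "(n)"-suffixed copies of system DLLs next to the originals. The script below is an added example written for this page; it is not part of the thread, of ComboFix, or of BleepingComputer's tooling. It runs over a handful of constructed sample lines copied from the log above, flags those indicators for review (it makes no malware verdict), and renders any flagged startup script in the File:: block shape that the CFScript in the reply uses. The regular expressions assume the line layouts seen in this particular log, and reading an "h" in the attribute column as "hidden" is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the ComboFix log quoted in this
# thread (not the full log), so the checks below can run offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
5f1.js [2013-4-26 46154]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Loadout Manager.lnk - c:\program files\Belkin\Nostromo\nost_LM.exe [2003-6-23 442368]
.
2013-04-18 05:23 . 2013-04-18 05:23 -------- d-sh--w- c:\program files\014f0
2013-04-18 05:23 . 2013-04-18 05:23 -------- d-----w- C:\1f
2013-03-08 08:36 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 08:36 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv(2)(2)(2)(3).dll
"""

# Security Center values that, when set to 1, silence the AV/firewall warnings.
SECCENTER_FLAGS = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring",
                   "AntiVirusDisableNotify", "FirewallDisableNotify"}
# Script-type files that have no business in a Startup folder.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".scr")

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...] header line
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')
STARTUP_DIR_RE = re.compile(r"^(?P<dir>[a-z]:\\.*\\Startup\\)$", re.I)
FILE_ROW_RE = re.compile(                                # "created . modified size attrs path"
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")
NUMBERED_COPY_RE = re.compile(r"\\windows\\system32\\[^\\]+(?:\(\d+\))+\.(?:dll|sys|exe)$", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # short tag for the indicator class
    detail: str  # the evidence, verbatim from the log


def _is_set(val):
    # ComboFix prints REG_DWORD as dword:00000001 and REG_SZ as "1".
    return val.lower() in ('dword:00000001', '"1"', '1')


def parse_findings(text):
    """Walk the log line by line and collect indicators worth a second look."""
    findings = []
    current_key = ""    # last [registry key] header seen
    startup_dir = None  # set while inside a Startup-folder listing
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == ".":  # ComboFix block separator
            startup_dir = None
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = STARTUP_DIR_RE.match(line)
        if m:
            startup_dir = m.group("dir")
            continue
        if startup_dir is not None:
            # Entry rows look like "5f1.js [date size]" or "Name.lnk - target [date size]".
            name = line.split(" [", 1)[0].split(" - ", 1)[0]
            if name.lower().endswith(SCRIPT_EXTS):
                findings.append(Finding("startup-script", startup_dir + name))
            continue
        m = VALUE_RE.match(line)
        if m:
            name, val = m.group("name"), m.group("val").strip()
            if "security center" in current_key and name in SECCENTER_FLAGS and _is_set(val):
                findings.append(Finding("seccenter-override", f"{name}={val}"))
            elif "firewallpolicy" in current_key and name == "EnableFirewall" and val == "0":
                findings.append(Finding("firewall-disabled", current_key))
            continue
        m = FILE_ROW_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            if "h" in attrs:  # assumption: an 'h' in the attribute column means hidden
                findings.append(Finding("hidden-entry", path))
            if NUMBERED_COPY_RE.search(path):
                findings.append(Finding("numbered-system-copy", path))
    return findings


def cfscript_for(findings):
    """Render the flagged startup scripts as a ComboFix 'File::' block, in the
    shape the CFScript posted in this thread uses; empty string if none."""
    paths = [f.detail for f in findings if f.kind == "startup-script"]
    return "File::\n" + "\n".join(paths) + "\n" if paths else ""


if __name__ == "__main__":
    found = parse_findings(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:22} {f.detail}")
    print(cfscript_for(found), end="")
```

Run it with python to print the findings and the File:: block; parse_findings returns Finding records, so the same checks can be pointed at a full log read from disk. Whether a flagged entry is actually malicious still needs the judgement shown in the thread: the numbered DLL copies, for instance, are unusual but are not by themselves evidence of infection.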

#11 morsun (Topic Starter, Members, 11 posts)

Posted 27 April 2013 - 09:34 PM

During the ComboFix run, it said that ComboFix needed an update to proceed. I let it do so and continued.

Here is the log for ComboFix:

ComboFix 13-04-27.04 - leo 7/2013 Sat  18:52:28.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.936.86.1033.18.3070.2452 [GMT -7:00]
Running from: c:\documents and settings\leo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\leo\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\documents and settings\Default User\Start Menu\Programs\Startup\5f1.js"
.
.
(((((((((((((((((((((((((  Files Created from 2013-03-28 to 2013-04-28  )))))))))))))))))))))))))))))))
.
.
2013-04-26 14:58 . 2013-04-26 14:58 15616 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2013-04-24 08:21 . 2013-04-24 08:21 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-04-23 20:44 . 2013-04-23 23:50 -------- d-----w- c:\documents and settings\leo
2013-04-23 20:44 . 2013-04-23 20:44 -------- d-----w- c:\documents and settings\UpdatusUser
2013-04-23 20:40 . 2013-04-23 20:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\McAfee Anti-Theft
2013-04-23 20:20 . 2008-04-14 12:42 221184 ----a-w- c:\windows\system32\wmpns.dll
2013-04-23 20:02 . 2013-04-23 20:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2013-04-23 15:31 . 2013-04-23 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-04-23 15:31 . 2013-04-23 15:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-04-23 15:31 . 2013-04-04 21:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-22 08:25 . 2012-04-20 23:40 146872 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2013-04-22 01:45 . 2012-09-14 23:26 64832 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2013-04-22 01:42 . 2013-02-19 21:11 10088 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2013-04-22 01:42 . 2013-02-19 21:15 60920 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-04-22 01:42 . 2013-02-19 21:10 92632 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2013-04-22 01:42 . 2013-02-19 21:09 363080 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2013-04-22 01:42 . 2013-02-19 21:08 65928 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2013-04-22 01:42 . 2013-02-19 21:08 235264 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-04-22 01:42 . 2013-04-22 08:43 -------- d-----w- c:\program files\Common Files\Mcafee
2013-04-22 01:41 . 2013-04-27 05:11 -------- d-----w- c:\program files\McAfee
2013-04-22 01:37 . 2013-02-19 21:07 133416 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2013-04-22 01:37 . 2013-02-19 21:09 565888 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-04-22 01:37 . 2013-02-19 21:11 91640 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2013-04-22 01:36 . 2013-02-19 21:12 172416 ----a-w- c:\windows\system32\mfevtps.exe
2013-04-22 01:33 . 2013-04-22 01:33 -------- d-----w- c:\windows\system32\wbem\Repository
2013-04-22 01:02 . 2013-04-22 01:02 -------- d-----w- c:\program files\Symantec
2013-04-22 01:02 . 2013-04-22 01:02 -------- d-----w- c:\program files\NortonInstaller
2013-04-22 01:02 . 2013-04-22 01:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2013-04-22 01:02 . 2013-04-22 01:02 -------- d-----w- c:\program files\Norton Security Suite
2013-04-21 16:50 . 2013-04-21 16:50 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2013-04-21 16:48 . 2013-04-21 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2013-04-21 08:05 . 2013-04-22 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ACE650E1A219F91D0000ACE5A3FEFC1B
2013-04-21 01:24 . 2013-04-21 01:24 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2013-04-18 05:23 . 2013-04-18 05:23 -------- d-----w- C:\1f
2013-04-18 05:23 . 2013-04-18 05:23 -------- d-sh--w- c:\program files\014f0
.
.
.
((((((((((((((((((((((((((((((((((((((((   Files Modified Within the Last Three Months   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-13 06:32 . 2012-04-11 06:54 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-13 06:32 . 2011-10-24 06:18 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-08 08:36 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 08:36 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv(2)(2)(2)(3).dll
2013-03-07 01:28 . 2004-08-04 12:00 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2004-08-03 22:59 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet(3)(2)(3).dll
2013-03-02 02:06 . 2004-08-04 12:00 1212928 ----a-w- c:\windows\system32\urlmon(3)(2)(3).dll
2013-03-02 02:06 . 2004-08-04 12:00 105984 ----a-w- c:\windows\system32\url(3)(2)(3).dll
2013-03-02 02:06 . 2009-03-08 11:32 2004992 ----a-w- c:\windows\system32\iertutil(2)(2)(2)(3).dll
2013-03-02 02:06 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 02:06 . 2009-03-08 11:39 11111424 ----a-w- c:\windows\system32\ieframe(2)(2)(2)(3).dll
2013-03-02 01:25 . 2004-08-04 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:25 . 2004-08-04 12:00 1867264 ----a-w- c:\windows\system32\win32k(2)(2)(2)(2).sys
2013-03-02 01:08 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2013-02-27 07:56 . 2011-09-15 08:25 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-24 09:35 . 2013-02-24 09:35 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-02-24 09:35 . 2013-02-24 09:36 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-02-24 09:35 . 2012-06-15 18:45 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-02-24 09:35 . 2011-11-06 17:43 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-12 00:32 . 2011-09-15 08:39 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2004-08-04 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet(4)(2).dll
2013-02-05 20:05 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet(2)(2).dll
2013-02-05 20:05 . 2004-08-04 12:00 1212928 ----a-w- c:\windows\system32\urlmon(4)(2).dll
2013-02-05 20:05 . 2004-08-04 12:00 1212928 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2013-02-05 20:05 . 2004-08-04 12:00 105984 ----a-w- c:\windows\system32\url(4)(2).dll
2013-02-05 20:05 . 2004-08-04 12:00 105984 ----a-w- c:\windows\system32\url(2)(2).dll
2013-02-05 20:05 . 2004-08-04 12:00 184320 ----a-w- c:\windows\system32\iepeers(2).dll
.
.
(((((((((((((((((((((((((((((((((((((   Registry Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AAADesktopTips]
@="{4562B511-62E9-4533-B7B2-56A8BB10B482}"
[HKEY_CLASSES_ROOT\CLSID\{4562B511-62E9-4533-B7B2-56A8BB10B482}]
2012-08-10 10:13 247760 ----a-w- c:\program files\Common Files\Thunder Network\Kankan\xappex.1.1.1.39.(368).dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]
"NvMediaCenter"="NvMCTray.dll" [2011-08-03 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-29 151952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-14 1278064]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
5f1.js [2013-4-26 46154]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Loadout Manager.lnk - c:\program files\Belkin\Nostromo\nost_LM.exe [2003-6-23 442368]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"FirewallDisableNotify"="1"
"FirewallOverride"="1"
"AntiVirusDisableNotify"="1"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\DragonNest\\龙之谷\\DragonNest.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"e:\\DragonNest\\龙之谷\\newkoo\\newkoo_dn\\NKHost.exe"=
"c:\\Program Files\\盛大网络\\盛大下载器\\sdDown.exe"=
"e:\\San12VS\\San12VS.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\duowan\\gamebox\\3.4.251752.372\\yygamebox.exe"=
"c:\\Program Files\\duowan\\gamebox\\3.4.251752.372\\bugreport.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"e:\\DragonNest\\áú??1è\\DragonNest.exe"=
"e:\dragonnest\¨¢¨2??1¨¨\DragonNest.exe"=
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [4/21/2013 6:45 PM 64832]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502020.003\symds.sys [7/16/2012 11:43 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502020.003\symefa.sys [7/16/2012 11:43 PM 744568]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/21/2013 6:37 PM 91640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/21/2013 6:42 PM 167784]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/21/2013 6:42 PM 167784]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/21/2013 6:42 PM 167784]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [4/21/2013 6:42 PM 169320]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/21/2013 6:36 PM 172416]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.2.2.3\ccsvchst.exe [7/16/2012 11:42 PM 130008]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/28/2012 8:41 AM 92632]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/21/2013 6:42 PM 60920]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [4/22/2013 1:25 AM 146872]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/21/2013 6:42 PM 363080]
R3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [8/11/2012 10:26 PM 162176]
S1 BHDrvx86;BHDrvx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20130322.001\BHDrvx86.sys --> c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20130322.001\BHDrvx86.sys [?]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502020.003\ironx86.sys [7/16/2012 11:43 PM 136312]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [4/23/2013 8:31 AM 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/23/2013 8:31 AM 701512]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [1/8/2013 1:55 PM 161536]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:00 AM 14336]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [7/23/2003 12:16 PM 22821]
S3 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20130411.001\IDSxpx86.sys --> c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20130411.001\IDSxpx86.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/23/2013 8:31 AM 22856]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/24/2013 1:21 AM 40776]
S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [4/21/2013 6:48 PM 203080]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/21/2013 6:42 PM 92632]
S3 SDGame;SDGAME;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:00 AM 14336]
S3 SdoKeyCrypt;SdoKeyCrypt;c:\windows\system32\SdoKeyCrypt.sys [4/10/2012 10:52 PM 415160]
S4 McOobeSv;McAfee OOBE Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/21/2013 6:42 PM 167784]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
XLServicePlatform REG_MULTI_SZ    XLServicePlatform
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 06:32]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-27 18:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(764)
c:\program files\McAfee\Gkp\HcApi.dll
c:\program files\McAfee\Gkp\HIPHandlers.dll
.
- - - - - - - > 'lsass.exe'(820)
c:\program files\McAfee\Gkp\HcApi.dll
c:\program files\McAfee\Gkp\HIPHandlers.dll
.
- - - - - - - > 'explorer.exe'(2584)
c:\windows\system32\WININET.dll
c:\program files\McAfee\Gkp\HcApi.dll
c:\program files\McAfee\Gkp\HIPHandlers.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Common Files\Thunder Network\KanKan\xappex.1.1.1.39.(368).dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
- - - - - - - > 'csrss.exe'(740)
c:\program files\McAfee\Gkp\HcApi.dll
c:\program files\McAfee\Gkp\HIPHandlers.dll
.
Completion time: 2013-04-27  19:00:11
ComboFix-quarantined-files.txt  2013-04-28 02:00
ComboFix2.txt  2013-04-27 15:43
.
Pre-Run: 43,457,642,496 bytes free
Post-Run: 43,447,668,736 bytes free
.
- - End Of File - - D49D981460CF9A44605C1795B4CA01E2

===

Here is the log for AdwCleaner:

# AdwCleaner v2.202 - Logfile created 04/27/2013 at 19:17:10
# Updated 23/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : leo - SUN
# Boot Mode : Normal
# Running from : C:\Documents and Settings\leo\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [824 octets] - [27/04/2013 19:17:10]

########## EOF - C:\AdwCleaner[S1].txt - [883 octets] ##########

===

Here is the log for Security Check:

 Results of screen317's Security Check version 0.99.63 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 McAfee Total Protection   
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 7 Update 15 
 Java version out of Date!
 Adobe Reader 10.1.6 Adobe Reader out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 1%
 ````````````````````End of Log``````````````````````

===

Here is the log for DDS:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.15.2
Run by leo at 19:25:08 on 2013-04-27
Microsoft Windows XP Home Edition  5.1.2600.3.936.86.1033.18.3070.2337 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\McAfee\MAT\McPvTray.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton security suite\engine\5.2.2.3\ips\ipsbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: {889D2FEB-5411-4565-8998-1DD2C5261283} - <orphaned>
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\loadou~1.lnk - c:\program files\belkin\nostromo\nost_LM.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.micrel.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1316078801046
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{612D552A-F609-4013-ADD1-97A7C692C6C9} : DHCPNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
.
============= SERVICES / DRIVERS ===============
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2013-4-21 64832]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2013-4-21 565888]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502020.003\symds.sys [2012-7-16 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502020.003\symefa.sys [2012-7-16 744568]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2013-4-21 91640]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-4-23 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-4-23 701512]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-21 167784]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-21 167784]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-21 167784]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-21 167784]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2013-4-21 203840]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2013-4-21 169320]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2013-4-21 172416]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.2.2.3\ccsvchst.exe [2012-7-16 130008]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2012-8-28 92632]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2013-4-21 60920]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2013-4-22 146872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-4-23 22856]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2013-4-21 235264]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2013-4-21 363080]
R3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [2012-8-11 162176]
S1 BHDrvx86;BHDrvx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20130322.001\bhdrvx86.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20130322.001\BHDrvx86.sys [?]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502020.003\ironx86.sys [2012-7-16 136312]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-1-8 161536]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-7-23 22821]
S3 IDSxpx86;IDSxpx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20130411.001\idsxpx86.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20130411.001\IDSxpx86.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-4-24 40776]
S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [2013-4-21 203080]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2013-4-21 65928]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2013-4-21 92632]
S3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130412.003\naveng.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130412.003\NAVENG.SYS [?]
S3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130412.003\navex15.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130412.003\NAVEX15.SYS [?]
S3 SDGame;SDGAME;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 SdoKeyCrypt;SdoKeyCrypt;c:\windows\system32\SdoKeyCrypt.sys [2012-4-10 415160]
S4 McOobeSv;McAfee OOBE Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2013-4-21 167784]
.
=============== Created Last 30 ================
.
2013-04-28 00:06:50 -------- d-----w- c:\documents and settings\leo\local settings\application data\Temp
2013-04-28 00:06:50 -------- d-----w- c:\documents and settings\leo\local settings\application data\Adobe
2013-04-27 15:28:41 -------- d-sha-r- C:\cmdcons
2013-04-27 15:25:49 98816 ----a-w- c:\windows\sed.exe
2013-04-27 15:25:49 256000 ----a-w- c:\windows\PEV.exe
2013-04-27 15:25:49 208896 ----a-w- c:\windows\MBR.exe
2013-04-26 14:58:58 15616 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2013-04-25 21:16:48 -------- d-----w- c:\documents and settings\leo\application data\NVIDIA
2013-04-24 08:21:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-04-24 01:28:21 -------- d-----w- c:\documents and settings\leo\application data\Malwarebytes
2013-04-23 23:55:51 -------- d-----w- c:\documents and settings\leo\local settings\application data\McAfee Anti-Theft
2013-04-23 23:50:37 -------- d-sh--w- c:\documents and settings\leo\PrivacIE
2013-04-23 20:52:25 -------- d-----w- c:\documents and settings\leo\local settings\application data\Sun
2013-04-23 20:20:28 221184 ----a-w- c:\windows\system32\wmpns.dll
2013-04-23 15:31:56 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-04-23 15:31:55 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-23 15:31:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-04-22 08:25:39 146872 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2013-04-22 01:45:53 64832 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2013-04-22 01:42:29 10088 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2013-04-22 01:42:24 92632 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2013-04-22 01:42:24 65928 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2013-04-22 01:42:24 60920 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-04-22 01:42:24 363080 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2013-04-22 01:42:24 235264 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-04-22 01:42:19 -------- d-----w- c:\program files\common files\Mcafee
2013-04-22 01:42:18 -------- d-----w- c:\program files\McAfee.com
2013-04-22 01:41:32 -------- d-----w- c:\program files\McAfee
2013-04-22 01:37:36 133416 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2013-04-22 01:37:33 565888 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-04-22 01:37:32 91640 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2013-04-22 01:36:38 172416 ----a-w- c:\windows\system32\mfevtps.exe
2013-04-22 01:36:38 161144 ----a-r- c:\windows\system32\mfevtps.exe.51f3.deleteme
2013-04-22 01:36:38 161144 ----a-r- c:\windows\system32\mfevtps.exe.1a7e.deleteme
2013-04-22 01:33:59 -------- d-----w- c:\windows\system32\wbem\repository\FS
2013-04-22 01:33:59 -------- d-----w- c:\windows\system32\wbem\Repository
2013-04-22 01:02:41 -------- d-----w- c:\program files\Symantec
2013-04-22 01:02:41 -------- d-----w- c:\program files\NortonInstaller
2013-04-22 01:02:41 -------- d-----w- c:\program files\common files\Symantec Shared
2013-04-22 01:02:21 -------- d-----w- c:\program files\Norton Security Suite
2013-04-21 20:56:23 -------- d-----w- c:\program files\McAfee(2).com
2013-04-21 20:56:23 -------- d-----w- c:\program files\common files\Mcafee(2)
2013-04-21 20:55:36 -------- d-----w- c:\program files\McAfee(2)
2013-04-21 20:41:20 161144 ----a-r- c:\windows\system32\mfevtps.exe.eb8e.deleteme
2013-04-21 20:41:20 161144 ----a-r- c:\windows\system32\mfevtps.exe.b1f7.deleteme
2013-04-21 08:05:08 -------- d-----w- c:\documents and settings\all users\application data\ACE650E1A219F91D0000ACE5A3FEFC1B
2013-04-18 05:23:09 -------- d-sh--w- c:\program files\014f0
2013-04-18 05:23:09 -------- d-----w- C:\1f
.
==================== Find3M  ====================
.
2013-03-13 06:32:30 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 06:32:30 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv(2)(2)(2)(3).dll
2013-03-07 01:28:24 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:28 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06:31 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06:31 916480 ----a-w- c:\windows\system32\wininet(3)(2)(3).dll
2013-03-02 02:06:31 1212928 ----a-w- c:\windows\system32\urlmon(3)(2)(3).dll
2013-03-02 02:06:31 105984 ----a-w- c:\windows\system32\url(3)(2)(3).dll
2013-03-02 02:06:30 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06:30 2004992 ----a-w- c:\windows\system32\iertutil(2)(2)(2)(3).dll
2013-03-02 02:06:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 02:06:29 11111424 ----a-w- c:\windows\system32\ieframe(2)(2)(2)(3).dll
2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k(2)(2)(2)(2).sys
2013-03-02 01:08:47 385024 ------w- c:\windows\system32\html.iec
2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-24 09:35:25 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-02-24 09:35:22 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-02-24 09:35:22 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-24 09:35:22 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-12 00:32:23 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-05 20:05:47 916480 ----a-w- c:\windows\system32\wininet(4)(2).dll
2013-02-05 20:05:47 916480 ----a-w- c:\windows\system32\wininet(2)(2).dll
2013-02-05 20:05:47 1212928 ----a-w- c:\windows\system32\urlmon(4)(2).dll
2013-02-05 20:05:47 1212928 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2013-02-05 20:05:47 105984 ----a-w- c:\windows\system32\url(4)(2).dll
2013-02-05 20:05:47 105984 ----a-w- c:\windows\system32\url(2)(2).dll
2013-02-05 20:05:45 184320 ----a-w- c:\windows\system32\iepeers(2).dll
.
============= FINISH: 19:25:59.87 ===============
 

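As an added example (not part of this thread and not code from the DDS tool), here is a small Python parser for the "Created Last 30" and "Find3M" lines in the DDS log above, plus a few heuristic triage rules of my own that a responder could use to shortlist entries for manual review. The sample lines are copied from the log above; the rules (hex-only directory names, numbered copies of system32 binaries) are assumptions for illustration, not a verdict on any file.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the DDS "Created Last 30" / "Find3M" sections above.
SAMPLE_LOG = r"""
2013-04-27 15:28:41 -------- d-sha-r- C:\cmdcons
2013-04-23 23:50:37 -------- d-sh--w- c:\documents and settings\leo\PrivacIE
2013-04-22 01:42:24 60920 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-04-21 08:05:08 -------- d-----w- c:\documents and settings\all users\application data\ACE650E1A219F91D0000ACE5A3FEFC1B
2013-04-18 05:23:09 -------- d-sh--w- c:\program files\014f0
2013-04-18 05:23:09 -------- d-----w- C:\1f
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv(2)(2)(2)(3).dll
"""

# DDS line layout: date, time, size (dashes for a directory), an 8-character
# attribute field (d=directory, s=system, h=hidden, a=archive, r=read-only, w=writable),
# then the path, which may contain spaces.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) ([-dshawr]{8}) (.+)$"
)


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]   # None for directories
    attrs: str            # e.g. "d-sh--w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_dds_entries(text: str) -> List[Entry]:
    """Parse every file-listing line; lines that do not match the layout are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append(Entry(date, time, None if size.startswith("-") else int(size), attrs, path))
    return entries


# Heuristics (my own, for illustration): directory names made only of hex digits,
# and "(n)"-numbered copies of .dll/.sys files under system32.
HEX_NAME = re.compile(r"^[0-9a-fA-F]{2,}$")
NUMBERED_COPY = re.compile(r"\(\d+\)\.(dll|sys)$", re.IGNORECASE)


def review(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for entries worth a closer look, in log order."""
    findings = []
    for e in entries:
        name = e.basename
        if e.is_dir and HEX_NAME.match(name):
            if e.hidden and e.system:
                findings.append(("hidden+system directory with hex-only name", e.path))
            else:
                findings.append(("directory with hex-only name", e.path))
        elif not e.is_dir and "\\system32\\" in e.path.lower() and NUMBERED_COPY.search(name):
            findings.append(("numbered copy of a system binary", e.path))
    return findings


if __name__ == "__main__":
    for reason, path in review(parse_dds_entries(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```

Known-good hidden system folders such as C:\cmdcons (the Recovery Console) and the profile's PrivacIE folder are parsed but not flagged, because their names are not hex-only.
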
#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:25 PM

Posted 28 April 2013 - 08:04 AM

  • Restart your computer in Safe Mode, start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when you see the Boot Menu.
  • When the Windows Advanced Options menu appears, select an option, and then press ENTER.
  • When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
Delete the file in bold.
c:\documents and settings\Default User\Start Menu\Programs\Startup\5f1.js

Restart the computer normally.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present, remove the old version(s) of Java using the Add/Remove Programs applet.

Java 7 Update 15

Note
Java security update installs Ask Toolbar by default -- a single click in a multi-step installer.
http://www.benedelman.org/images/iac-jan13/ask-iac-011613-small.png
I suggest that you un-check the box "Install the Ask Toolbar" before proceeding.
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box at the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

Secunia Personal Software Inspector (PSI)
http://secunia.com/vulnerability_scanning/personal/
Secunia PSI is a security scanner which identifies programs that are insecure and need updates.
If you are interested in security, I would download the tool and run it.
<<<>>>

Please let me know of any remaining issues with this computer.

#13 morsun

morsun
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:25 PM

Posted 29 April 2013 - 10:46 PM

Hi nasdaq,

 

The control panel is good now. But it is obviously slower than before. I have followed your steps in getting new Java and PSI. But PSI will load from startup. Because the computer was running slow, I removed PSI from startup to see whether the situation would improve. The result is still the same, and it is not running as fast as before the virus attack.

 

It is great that you have guided me all along to help me get rid of all those viruses in my computer. Thank you very much.

#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:25 PM

Posted 30 April 2013 - 01:16 PM

Let's check further.

Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop.
Link 1 Bleepingcomputer
Link 2 RogueKiller (par Tigzy)

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop, DO NOT ATTACH THE LOG.

====

#15 morsun

morsun
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:25 PM

Posted 30 April 2013 - 03:02 PM

Hi nasdaq,

 

Below is the RogueKiller log:

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : leo [Admin rights]
Mode : Scan -- Date : 04/30/2013 12:57:39
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[31] : NtConnectPort @ 0x80599A7E -> HOOKED (Unknown @ 0x8A9F2998)
SSDT[97] : NtLoadDriver @ 0x80579714 -> HOOKED (Unknown @ 0x8A8BACC8)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3200822A +++++
--- User ---
[MBR] 45d6d0c0cd5c065205c000d6da6b8d1d
[BSP] a7c5c8dfee893117247a1a7abd9c9822 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 62997 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129018015 | Size: 62997 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 258036030 | Size: 64785 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[4]_S_04302013_02d1257.txt >>
RKreport[1]_S_04252013_02d1434.txt ; RKreport[2]_S_04262013_02d0800.txt ; RKreport[3]_D_04262013_02d0804.txt ; RKreport[4]_S_04302013_02d1257.txt