Jump to content

CallOfBooty

Members
 View Profile  See their activity

  • Posts

    11

  • Joined

  • Last visited

 Content Type 

Everything posted by CallOfBooty

  1. CallOfBooty
    Hey, It's all good and I appreciate you for taking my case. Take care.
  2. CallOfBooty
    Hi, here goes: C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\14\55a2d3ce-2889e0f1 a variant of Java/TrojanDownloader.OpenStream.NBF trojan deleted - quarantined C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\43\7a0b54eb-3793b8e1 multiple threats deleted - quarantined C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application cleaned by deleting - quarantined C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP670\A0154883.exe Win32/OpenCandy application deleted - quarantined C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP670\A0154884.exe Win32/OpenCandy application deleted - quarantined C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP670\A0154885.exe Win32/OpenCandy application deleted - quarantined C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP711\A0176469.exe Win32/Toolbar.Zugo application deleted - quarantined C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP711\A0176470.exe Win32/Toolbar.Zugo application deleted - quarantined C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP711\A0176471.exe Win32/Toolbar.Zugo application deleted - quarantined C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP711\A0176472.exe Win32/Toolbar.Zugo application deleted - quarantined C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP711\A0176473.exe Win32/Toolbar.Zugo application deleted - quarantined C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP720\A0179324.exe Win32/RegistryBooster application cleaned by deleting - quarantined C:\WINDOWS\system32\brcoin32.dll probably a variant of Win32/KeyLogger.EliteKeylogger.46 application cleaned by deleting - quarantined C:\WINDOWS\system32\nsuD62.tmp a variant of Win32/KeyLogger.EliteKeylogger.46 application cleaned by deleting - quarantined C:\WINDOWS\system32\tscsvr.exe a variant of Win32/KeyLogger.EliteKeylogger.46 application deleted - quarantined C:\WINDOWS\system32\winsx86.dll a variant of Win32/KeyLogger.EliteKeylogger.46 application cleaned by deleting - quarantined Thank you.
  3. CallOfBooty
    Hi, Almost forgot, is there anything you recommend with my two other drives (both non-system)?
  4. CallOfBooty
    Hi, Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6528 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 5/7/2011 10:53:31 PM mbam-log-2011-05-07 (22-53-31).txt Scan type: Full scan (C:\|F:\|K:\|) Objects scanned: 700605 Time elapsed: 5 hour(s), 18 minute(s), 30 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Hey, I found the boot.ini file and got to see my starup options screen for the first time. Could you show me this in any of my scan logs, if you don't mind? Otherwise, that's it. All is well, and I'm out of the doghouse at home. Thank you very much. I learned an immeasurable amount lately.
  5. CallOfBooty
    Hi, The ATI software undid a lot of my havoc which is excellent. Uninstalling the java software gave me an error and it won't uninstall, any workaround? I would like to increase the RC timer for the screen stays for only the blink of a eye, way too fast. Thanks.
  6. CallOfBooty
    Hi, The new combofix log is below: ComboFix 11-05-06.05 - Owner 05/07/2011 13:52:51.2.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3055.2386 [GMT -5:00] Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\TEMP\logishrd\LVPrcInj01.dll . . ((((((((((((((((((((((((( Files Created from 2011-04-07 to 2011-05-07 ))))))))))))))))))))))))))))))) . . 2011-05-07 18:40 . 2011-05-07 18:40 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ATI 2011-05-07 18:40 . 2011-05-07 18:40 -------- d-----w- c:\documents and settings\Owner\Application Data\ATI 2011-05-07 18:40 . 2011-05-07 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI 2011-05-07 18:39 . 2011-05-07 18:39 0 ----a-w- c:\windows\ativpsrm.bin 2011-05-07 18:34 . 2003-11-10 23:14 729088 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll 2011-05-07 18:34 . 2003-11-10 23:13 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll 2011-05-07 18:34 . 2003-11-10 23:12 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll 2011-05-07 18:34 . 2003-11-10 23:12 192512 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll 2011-05-07 18:34 . 2003-11-10 23:11 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe 2011-05-07 18:34 . 2003-11-10 23:10 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll 2011-05-07 18:34 . 2011-05-07 18:34 311428 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll 2011-05-07 18:34 . 2011-05-07 18:34 188548 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll 2011-05-07 18:34 . 2010-02-11 02:20 593920 ------w- c:\windows\system32\ati2sgag.exe 2011-05-07 18:33 . 2011-05-07 18:37 -------- d-----w- c:\program files\ATI Technologies 2011-05-07 10:22 . 2011-05-07 10:22 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee 2011-05-07 08:53 . 2011-05-07 08:53 -------- d-----w- C:\HelpAsst_backup 2011-05-05 10:22 . 2011-05-05 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan 2011-05-05 10:22 . 2011-05-07 10:22 -------- d-----w- c:\program files\McAfee Security Scan 2011-05-05 10:03 . 2011-05-05 10:13 -------- d-----w- c:\program files\a-squared Free 2011-05-05 09:50 . 2011-05-05 09:50 -------- d-----w- c:\program files\Sophos 2011-05-05 07:58 . 2011-05-05 07:58 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys 2011-05-05 07:55 . 2011-05-05 07:55 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-05-04 16:21 . 2011-05-04 16:21 -------- d-----w- c:\windows\system32\wbem\Repository 2011-05-04 10:25 . 2011-05-04 10:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help 2011-05-04 09:25 . 2011-05-04 09:25 -------- d-----w- C:\ATI 2011-05-02 02:59 . 2011-05-02 02:59 -------- d-----w- c:\program files\Common Files\Java 2011-04-14 17:26 . 2011-02-14 07:42 25216 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys 2011-04-14 17:26 . 2011-02-14 07:42 20096 ----a-w- c:\windows\system32\drivers\lgusbgps.sys 2011-04-14 17:26 . 2011-02-14 07:42 20864 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys 2011-04-14 17:26 . 2011-02-14 07:42 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys 2011-04-14 17:26 . 2011-04-14 17:26 -------- d-----w- c:\program files\LG Electronics 2011-04-14 17:25 . 2011-04-14 17:25 -------- d-----w- C:\LGMN240 2011-04-14 16:48 . 2006-05-04 13:33 53248 ----a-w- c:\windows\system32\CommonDL.dll 2011-04-14 16:48 . 2005-10-04 06:39 44544 ----a-w- c:\windows\system32\msxml4a.dll 2011-04-14 16:48 . 2011-04-14 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\LGMOBILEAX 2011-04-14 16:45 . 2011-04-14 16:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Sony Corporation 2011-04-14 02:47 . 2011-04-14 02:47 -------- d-----w- c:\program files\MSXML 4.0 2011-04-14 02:47 . 2007-07-19 23:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll 2011-04-14 02:46 . 2011-04-14 02:46 -------- d-----w- c:\windows\Logs 2011-04-14 02:45 . 2011-04-14 02:45 -------- d-----w- c:\program files\Sony 2011-04-14 02:45 . 2011-04-14 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-05-07 05:01 . 2004-02-06 01:03 60416 ----a-w- c:\windows\ALCFDRTM.VER 2011-03-10 10:40 . 2009-02-10 20:10 737280 ----a-w- c:\windows\iun6002.exe 2011-03-07 05:33 . 2004-02-05 01:55 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37 . 2002-02-26 22:58 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21 . 2004-07-15 00:09 1857920 ----a-w- c:\windows\system32\win32k.sys 2011-02-22 23:06 . 2004-07-15 00:08 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-02-22 23:06 . 2004-07-15 00:08 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-02-22 23:06 . 2004-02-07 02:05 916480 ----a-w- c:\windows\system32\wininet.dll 2011-02-22 11:41 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec 2011-02-22 01:12 . 2009-11-07 00:48 398760 ----a-r- c:\windows\system32\cpnprt2.cid 2011-02-18 21:36 . 2010-03-26 16:23 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2011-02-18 21:36 . 2010-03-26 16:23 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll 2011-02-17 13:18 . 2004-07-15 00:08 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-02-17 13:18 . 2004-07-15 00:08 357888 ----a-w- c:\windows\system32\drivers\srv.sys 2011-02-17 12:32 . 2009-09-18 06:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2011-02-15 12:56 . 2004-07-15 00:08 290432 ----a-w- c:\windows\system32\atmfd.dll 2011-02-09 13:53 . 2004-07-15 00:08 270848 ----a-w- c:\windows\system32\sbe.dll 2011-02-09 13:53 . 2004-07-15 00:08 186880 ----a-w- c:\windows\system32\encdec.dll 2011-02-08 13:33 . 2004-07-15 00:08 978944 ----a-w- c:\windows\system32\mfc42.dll 2011-02-08 13:33 . 2004-07-15 00:08 974848 ----a-w- c:\windows\system32\mfc42u.dll 2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll 2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll 2010-10-14 04:28 . 2011-03-02 02:05 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952] "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-03-11 135168] "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688] "Athan"="c:\program files\Athan\Athan.exe" [2011-03-07 1208320] "SoundMan"="SOUNDMAN.EXE" [2004-07-01 73728] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-08 198160] "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304] "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-01-30 36760] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-01-30 821144] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160] "PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-11-27 648032] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440] . c:\documents and settings\Aayshi\Start Menu\Programs\Startup\ Dropbox.lnk - c:\documents and settings\Owner\Application Data\Dropbox\bin\Dropbox.exe [N/A] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk.disabled [2010-2-13 1808] McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536] Microsoft Office.lnk.disabled [2009-1-29 1730] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "CHotkey"=zHotkey.exe "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe "AlcWzrd"=ALCWZRD.EXE "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" "mmtask"=c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe "NeroFilterCheck"=c:\windows\system32\NeroCheck.exe "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" "ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"= "c:\\WINDOWS\\system32\\LEXPPS.EXE"= "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"= "c:\\Documents and Settings\\All Users\\Application Data\\IJJIGame\\PLauncher.exe"= "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1035:TCP"= 1035:TCP:Akamai NetSession Interface "5000:UDP"= 5000:UDP:Akamai NetSession Interface . R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/1/2011 9:05 PM 84072] R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [5/5/2011 5:03 AM 1872320] R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [7/14/2004 7:08 PM 14336] R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\GFI\GFIBAC~1\GFIHInst.exe [11/24/2010 6:59 AM 440616] R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\GFI\GFIBAC~1\GFIHSC~1.EXE [11/24/2010 6:59 AM 2324848] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/16/2009 9:58 AM 363344] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/18/2009 4:17 AM 88176] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/1/2011 9:05 PM 271480] R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [3/1/2011 9:05 PM 271480] R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [3/1/2011 9:05 PM 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/1/2011 9:05 PM 141792] R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [11/27/2010 12:55 AM 398176] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/1/2011 9:05 PM 55840] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/16/2009 9:58 AM 20952] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/1/2011 9:05 PM 313288] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/1/2011 9:05 PM 88544] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2010 8:52 PM 136176] S2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [1/31/2010 2:32 PM 17984] S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [9/23/2009 10:56 PM 2944] S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [9/23/2009 10:56 PM 60416] S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [9/23/2009 10:56 PM 11008] S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [9/23/2009 11:00 PM 10368] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2010 8:52 PM 136176] S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1A.tmp --> c:\windows\system32\1A.tmp [?] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/1/2011 9:05 PM 88544] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/1/2011 9:05 PM 84264] S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?] S3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\drivers\lgusbgps.sys [4/14/2011 12:26 PM 20096] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504] S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?] S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?] . --- Other Services/Drivers In Memory --- . *Deregistered* - mfeavfk01 . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] Akamai REG_MULTI_SZ Akamai hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}] 2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll . Contents of the 'Scheduled Tasks' folder . 2011-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34] . 2011-05-07 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-25 21:22] . 2011-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 01:52] . 2011-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 01:52] . 2010-04-28 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-16 21:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://att.net IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxukj3n6.default\ FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/ FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Adobe Acrobat - Create PDF: web2pdfextension@web2pdf.adobedotcom - c:\program files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-05-07 14:09 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\1A.tmp" . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc] "ImagePath"="c:\windows\system32\GameMon.des -service" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(1080) c:\windows\system32\Ati2evxx.dll . - - - - - - - > 'explorer.exe'(5024) c:\windows\system32\WININET.dll c:\windows\TEMP\logishrd\LVPrcInj01.dll c:\progra~1\mcafee\SITEAD~1\saHook.dll c:\windows\system32\webcheck.dll c:\windows\system32\IEFRAME.dll c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL c:\windows\system32\Msi.dll c:\windows\system32\mshtml.dll c:\windows\system32\msls31.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\LEXBCES.EXE c:\windows\system32\Ati2evxx.exe c:\windows\system32\LEXPPS.EXE c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE c:\program files\Windows Media Player\WMPNetwk.exe c:\program files\Common Files\McAfee\SystemCore\mcshield.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe c:\windows\system32\rundll32.exe c:\windows\SOUNDMAN.EXE c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe c:\program files\iPod\bin\iPodService.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe . ************************************************************************** . Completion time: 2011-05-07 14:16:34 - machine was rebooted ComboFix-quarantined-files.txt 2011-05-07 19:16 ComboFix2.txt 2011-05-07 06:02 . Pre-Run: 422,980,599,808 bytes free Post-Run: 422,973,087,744 bytes free . - - End Of File - - 3A18D48FE69AAA05A8E650C6A9D0E09B How can I get the console recovery page to hang around for 2 seconds? Right now it only displays as a quick flash and is gone. Thanks for the ati info as well.
  7. CallOfBooty
    Just googled the video driver specs and found the 2 suspect sites. Using the search string: ati radeon x300 driver download I remember going to these two sites: driverscollection.com members.driverguide.com They looked legit but I'm not sure. Also their downloads may be compromised. Would it be worth the time to get someone from your team to check it out?
  8. CallOfBooty
    Hi, Ran the tool. Log is below: C:\Documents and Settings\Owner\My Documents\Downloads\RootkitRemoval\HelpAsst_mebroot_fix.exe Sat 05/07/2011 at 3:57:38.93 HelpAssistant account Inactive ~~ Checking for termsrv32.dll ~~ termsrv32.dll not found ~~ Checking firewall ports ~~ HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list ~~ Checking profile list ~~ No HelpAssistant profile in registry ~~ Checking mbr ~~ user & kernel MBR OK ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Status check on Sat 05/07/2011 at 4:28:02.98 Account active No Local Group Memberships ~~ Checking mbr ~~ Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS kernel: MBR read successfully user & kernel MBR OK copy of MBR has been found in sector 0x03A384C41 ~~ Checking for termsrv32.dll ~~ termsrv32.dll not found HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll ~~ Checking profile list ~~ No HelpAssistant profile in registry ~~ Checking for HelpAssistant directories ~~ none found ~~ Checking firewall ports ~~ [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] ~~ EOF ~~ If that is not too much trouble finding the drivers, cool. I have an ATI Radeon x300. Oh, I almost forgot. Before posting to this forum I ran MBRcheck which found the sinowal rootkit. I followed the instructions and since then it shows the mbr to be a regular xp installation. This last tool you gave me mentioned the sinowal rootkit and reminded me of some output is saw on this computer. Could you tell me what clues were there on the Combofix log? Also should I be concerned about 2 persistent kernel patches? Using GMER: GMER 1.0.15.15627 - http://www.gmer.net Rootkit quick scan 2011-05-07 04:49:16 Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-18 ST3500320AS rev.SD81 Running: 5rmh6o3t.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxtdapod.sys ---- System - GMER 1.0.15 ---- Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF74640A4] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF74640B8] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) ---- EOF - GMER 1.0.15 ---- The two Zw* entries above are identified as kernel patches in other scanners. I have also noticed that the PF usage creeps upwards from the usual 7XX MB and later winds up 12xx MB or so. Hey its also cool to get the recovery console. Thanks.
  9. CallOfBooty
    Hi, Combofix ran and installed the recovery console, thank you. Log is included in this post. Fortunately there are no serious performance problems other than this old computer gracefully slowing down. I tried to upgrade my video card (stock) drivers and that is when I realized there was a serious problem. Lately (before infection) browsers have been scrolling slower and have been slow to launch when clicked so I thought about the video card. We're budgeting for a newer machine in the mean time. Do you know a good site to update my video drivers from...(half-seriously)? ////////////////////////////////////////////////////////// ComboFix 11-05-06.03 - Owner 05/07/2011 0:25.1.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3055.2382 [GMT -5:00] Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Aayshi\WINDOWS c:\windows\system32\AutoRun.inf c:\windows\system32\BSTIEPrintCtl1.dll c:\windows\system32\Thumbs.db c:\windows\TEMP\logishrd\LVPrcInj01.dll . . ((((((((((((((((((((((((( Files Created from 2011-04-07 to 2011-05-07 ))))))))))))))))))))))))))))))) . . 2011-05-05 10:22 . 2011-05-05 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan 2011-05-05 10:22 . 2011-05-05 10:22 -------- d-----w- c:\program files\McAfee Security Scan 2011-05-05 10:03 . 2011-05-05 10:13 -------- d-----w- c:\program files\a-squared Free 2011-05-05 09:50 . 2011-05-05 09:50 -------- d-----w- c:\program files\Sophos 2011-05-05 07:58 . 2011-05-05 07:58 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys 2011-05-05 07:55 . 2011-05-05 07:55 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-05-04 16:21 . 2011-05-04 16:21 -------- d-----w- c:\windows\system32\wbem\Repository 2011-05-04 10:25 . 2011-05-04 10:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help 2011-05-04 09:25 . 2011-05-04 09:25 -------- d-----w- C:\ATI 2011-05-02 02:59 . 2011-05-02 02:59 -------- d-----w- c:\program files\Common Files\Java 2011-04-14 17:26 . 2011-02-14 07:42 25216 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys 2011-04-14 17:26 . 2011-02-14 07:42 20096 ----a-w- c:\windows\system32\drivers\lgusbgps.sys 2011-04-14 17:26 . 2011-02-14 07:42 20864 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys 2011-04-14 17:26 . 2011-02-14 07:42 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys 2011-04-14 17:26 . 2011-04-14 17:26 -------- d-----w- c:\program files\LG Electronics 2011-04-14 17:25 . 2011-04-14 17:25 -------- d-----w- C:\LGMN240 2011-04-14 16:48 . 2006-05-04 13:33 53248 ----a-w- c:\windows\system32\CommonDL.dll 2011-04-14 16:48 . 2005-10-04 06:39 44544 ----a-w- c:\windows\system32\msxml4a.dll 2011-04-14 16:48 . 2011-04-14 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\LGMOBILEAX 2011-04-14 16:45 . 2011-04-14 16:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Sony Corporation 2011-04-14 02:47 . 2011-04-14 02:47 -------- d-----w- c:\program files\MSXML 4.0 2011-04-14 02:47 . 2007-07-19 23:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll 2011-04-14 02:46 . 2011-04-14 02:46 -------- d-----w- c:\windows\Logs 2011-04-14 02:45 . 2011-04-14 02:45 -------- d-----w- c:\program files\Sony 2011-04-14 02:45 . 2011-04-14 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-05-07 05:01 . 2004-02-06 01:03 60416 ----a-w- c:\windows\ALCFDRTM.VER 2011-03-10 10:40 . 2009-02-10 20:10 737280 ----a-w- c:\windows\iun6002.exe 2011-03-07 05:33 . 2004-02-05 01:55 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37 . 2002-02-26 22:58 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21 . 2004-07-15 00:09 1857920 ----a-w- c:\windows\system32\win32k.sys 2011-02-22 23:06 . 2004-07-15 00:08 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-02-22 23:06 . 2004-07-15 00:08 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-02-22 23:06 . 2004-02-07 02:05 916480 ----a-w- c:\windows\system32\wininet.dll 2011-02-22 11:41 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec 2011-02-22 01:12 . 2009-11-07 00:48 398760 ----a-r- c:\windows\system32\cpnprt2.cid 2011-02-18 21:36 . 2010-03-26 16:23 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2011-02-18 21:36 . 2010-03-26 16:23 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll 2011-02-17 13:18 . 2004-07-15 00:08 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-02-17 13:18 . 2004-07-15 00:08 357888 ----a-w- c:\windows\system32\drivers\srv.sys 2011-02-17 12:32 . 2009-09-18 06:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2011-02-15 12:56 . 2004-07-15 00:08 290432 ----a-w- c:\windows\system32\atmfd.dll 2011-02-09 13:53 . 2004-07-15 00:08 270848 ----a-w- c:\windows\system32\sbe.dll 2011-02-09 13:53 . 2004-07-15 00:08 186880 ----a-w- c:\windows\system32\encdec.dll 2011-02-08 13:33 . 2004-07-15 00:08 978944 ----a-w- c:\windows\system32\mfc42.dll 2011-02-08 13:33 . 2004-07-15 00:08 974848 ----a-w- c:\windows\system32\mfc42u.dll 2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll 2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll 2010-10-14 04:28 . 2011-03-02 02:05 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952] "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-03-11 135168] "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688] "Athan"="c:\program files\Athan\Athan.exe" [2011-03-07 1208320] "SoundMan"="SOUNDMAN.EXE" [2004-07-01 73728] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-08 198160] "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304] "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-01-30 36760] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-01-30 821144] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160] "PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-11-27 648032] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736] . c:\documents and settings\Aayshi\Start Menu\Programs\Startup\ Dropbox.lnk - c:\documents and settings\Owner\Application Data\Dropbox\bin\Dropbox.exe [N/A] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk.disabled [2010-2-13 1808] McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536] Microsoft Office.lnk.disabled [2009-1-29 1730] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "CHotkey"=zHotkey.exe "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe "AlcWzrd"=ALCWZRD.EXE "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" "mmtask"=c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe "NeroFilterCheck"=c:\windows\system32\NeroCheck.exe "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" "ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"= "c:\\WINDOWS\\system32\\LEXPPS.EXE"= "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"= "c:\\Documents and Settings\\All Users\\Application Data\\IJJIGame\\PLauncher.exe"= "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:Remote Desktop "65533:TCP"= 65533:TCP:Services "52344:TCP"= 52344:TCP:Services "2898:TCP"= 2898:TCP:Services "3291:TCP"= 3291:TCP:Services "7742:TCP"= 7742:TCP:Services "4539:TCP"= 4539:TCP:Services "2274:TCP"= 2274:TCP:Services "9636:TCP"= 9636:TCP:Services "9153:TCP"= 9153:TCP:Services "6119:TCP"= 6119:TCP:Services "6120:TCP"= 6120:TCP:Services "8415:TCP"= 8415:TCP:Services "2009:TCP"= 2009:TCP:Services "8102:TCP"= 8102:TCP:Services "9117:TCP"= 9117:TCP:Services "7136:TCP"= 7136:TCP:Services "7927:TCP"= 7927:TCP:Services "2772:TCP"= 2772:TCP:Services "1039:TCP"= 1039:TCP:Akamai NetSession Interface "5000:UDP"= 5000:UDP:Akamai NetSession Interface . R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/1/2011 9:05 PM 84072] R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [5/5/2011 5:03 AM 1872320] R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [7/14/2004 7:08 PM 14336] R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\GFI\GFIBAC~1\GFIHInst.exe [11/24/2010 6:59 AM 440616] R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\GFI\GFIBAC~1\GFIHSC~1.EXE [11/24/2010 6:59 AM 2324848] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/16/2009 9:58 AM 363344] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/18/2009 4:17 AM 88176] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/1/2011 9:05 PM 271480] R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [3/1/2011 9:05 PM 271480] R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [3/1/2011 9:05 PM 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/1/2011 9:05 PM 141792] R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [11/27/2010 12:55 AM 398176] R2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [1/31/2010 2:32 PM 17984] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/1/2011 9:05 PM 55840] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/16/2009 9:58 AM 20952] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/1/2011 9:05 PM 313288] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/1/2011 9:05 PM 88544] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2010 8:52 PM 136176] S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [9/23/2009 10:56 PM 2944] S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [9/23/2009 10:56 PM 60416] S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [9/23/2009 10:56 PM 11008] S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [9/23/2009 11:00 PM 10368] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2010 8:52 PM 136176] S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1A.tmp --> c:\windows\system32\1A.tmp [?] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/1/2011 9:05 PM 88544] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/1/2011 9:05 PM 84264] S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?] S3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\drivers\lgusbgps.sys [4/14/2011 12:26 PM 20096] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504] S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?] S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?] . --- Other Services/Drivers In Memory --- . *Deregistered* - mfeavfk01 . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] Akamai REG_MULTI_SZ Akamai hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}] 2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll . Contents of the 'Scheduled Tasks' folder . 2011-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34] . 2011-05-07 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-25 21:22] . 2011-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 01:52] . 2011-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 01:52] . 2010-04-28 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-16 21:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://att.net IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxukj3n6.default\ FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/ FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Adobe Acrobat - Create PDF: web2pdfextension@web2pdf.adobedotcom - c:\program files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file) ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file) ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file) ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file) ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file) AddRemove-{8ADE24B2-DCA4-4A1E-8B52-A5B435522D9E} - c:\program files\InstallShield Installation Information\{8ADE24B2-DCA4-4A1E-8B52-A5B435522D9E}\setup.exe AddRemove-{901DC58A-5C1B-4315-BA40-5AD3D3A463B9} - c:\program files\InstallShield Installation Information\{901DC58A-5C1B-4315-BA40-5AD3D3A463B9}\setup.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-05-07 00:55 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\1A.tmp" . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc] "ImagePath"="c:\windows\system32\GameMon.des -service" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(2724) c:\windows\system32\WININET.dll c:\windows\TEMP\logishrd\LVPrcInj01.dll c:\progra~1\mcafee\SITEAD~1\saHook.dll c:\windows\system32\webcheck.dll c:\windows\system32\IEFRAME.dll c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL c:\windows\system32\Msi.dll c:\windows\system32\mshtml.dll c:\windows\system32\msls31.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\LEXBCES.EXE c:\windows\system32\LEXPPS.EXE c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE c:\program files\Common Files\McAfee\SystemCore\mcshield.exe c:\program files\Windows Media Player\WMPNetwk.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe c:\windows\system32\rundll32.exe c:\windows\system32\wscntfy.exe c:\windows\SOUNDMAN.EXE c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************** . Completion time: 2011-05-07 01:02:07 - machine was rebooted ComboFix-quarantined-files.txt 2011-05-07 06:01 . Pre-Run: 423,312,498,688 bytes free Post-Run: 423,438,118,912 bytes free . WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn . - - End Of File - - E1F843D99787E5B6631A03733E56C76B
  10. CallOfBooty
    Hi Elise, Thanks for the reply. I read the instructions after I posted, here is DDS: . DDS (Ver_11-03-05.01) - NTFSx86 Run by Owner at 21:50:33.87 on Thu 05/05/2011 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3055.2362 [GMT -5:00] . AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE svchost.exe C:\Program Files\a-squared Free\a2service.exe C:\WINDOWS\System32\svchost.exe -k Akamai C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE C:\WINDOWS\system32\svchost.exe -k hpdevmgmt C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe C:\WINDOWS\system32\mfevtps.exe C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\WINDOWS\System32\svchost.exe -k imgsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\Program Files\Digital Media Reader\shwiconem.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Athan\Athan.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr . ============== Pseudo HJT Report =============== . uStart Page = hxxp://att.net uWindow Title = Windows Internet Explorer provided by Yahoo! uDefault_Page_URL = hxxp://att.net uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 10\SnagitBHO.dll BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110301200535.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe mRun: [sunKistEM] c:\program files\digital media reader\shwiconem.exe mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe mRun: [Athan] c:\program files\athan\Athan.exe mRun: [soundMan] SOUNDMAN.EXE mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [<NO NAME>] mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe" mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe" mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe" StartupFolder: c:\documents and settings\all users\start menu\programs\startup\HP Digital Imaging Monitor.lnk.disabled StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office.lnk.disabled IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000 IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12 Hosts: 127.0.0.1 www.spywareinfo.com . ================= FIREFOX =================== . FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\xxukj3n6.default\ FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/ FF - component: c:\program files\adobe\acrobat 10.0\acrobat\browser\wcfirefoxextn\components\WCFirefoxExtn.dll FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll FF - plugin: c:\program files\google\google updater\2.4.1441.4352\npCIDetect13.dll FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\microsoft\office live\npOLW.dll FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: Adobe Acrobat - Create PDF: web2pdfextension@web2pdf.adobedotcom - c:\program files\adobe\acrobat 10.0\acrobat\browser\WCFirefoxExtn FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} . ============= SERVICES / DRIVERS =============== . R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 386840] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-1 84072] R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2011-5-5 1872320] R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-7-14 14336] R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-18 54752] R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\gfi\gfibac~1\GFIHInst.exe [2010-11-24 440616] R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\gfi\gfibac~1\GFIHSC~1.EXE [2010-11-24 2324848] R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-1-16 363344] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-9-18 88176] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-1 271480] R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-1 271480] R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-1 271480] R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-3-1 171168] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-1 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-1 141792] R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2010-11-27 398176] R2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [2010-1-31 17984] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-1 55840] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-1-16 20952] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-18 152960] R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-18 52104] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-1 313288] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88544] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-29 136176] S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2009-9-23 2944] S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2009-9-23 60416] S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2009-9-23 11008] S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2009-9-23 10368] S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-29 136176] S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1a.tmp --> c:\windows\system32\1A.tmp [?] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88544] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-1 84264] S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-18 34248] S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-18 40552] S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?] S3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\drivers\lgusbgps.sys [2011-4-14 20096] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504] S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?] S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?] . =============== Created Last 30 ================ . 2011-05-05 10:22:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan 2011-05-05 10:22:40 -------- d-----w- c:\program files\McAfee Security Scan 2011-05-05 10:03:22 -------- d-----w- c:\program files\a-squared Free 2011-05-05 09:50:01 -------- d-----w- c:\program files\Sophos 2011-05-05 07:58:11 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys 2011-05-05 07:55:12 388096 ----a-r- c:\docume~1\owner\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe 2011-05-04 16:21:12 -------- d-----w- c:\windows\system32\wbem\repository\FS 2011-05-04 16:21:12 -------- d-----w- c:\windows\system32\wbem\Repository 2011-05-04 10:25:02 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Help 2011-05-04 09:25:53 -------- d-----w- C:\ATI 2011-04-14 17:26:40 25216 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys 2011-04-14 17:26:39 20864 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys 2011-04-14 17:26:39 20096 ----a-w- c:\windows\system32\drivers\lgusbgps.sys 2011-04-14 17:26:39 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys 2011-04-14 17:26:33 -------- d-----w- c:\program files\LG Electronics 2011-04-14 17:25:05 -------- d-----w- C:\LGMN240 2011-04-14 16:48:28 53248 ----a-w- c:\windows\system32\CommonDL.dll 2011-04-14 16:48:28 44544 ----a-w- c:\windows\system32\msxml4a.dll 2011-04-14 16:48:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\LGMOBILEAX 2011-04-14 02:47:38 -------- d-----w- c:\program files\MSXML 4.0 2011-04-14 02:47:27 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll 2011-04-14 02:46:37 -------- d-----w- c:\windows\Logs 2011-04-14 02:45:30 -------- d-----w- c:\program files\Sony 2011-04-14 02:45:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sony Corporation . ==================== Find3M ==================== . 2011-03-10 10:40:44 737280 ----a-w- c:\windows\iun6002.exe 2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys 2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll 2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec 2011-02-22 01:12:56 398760 ----a-r- c:\windows\system32\cpnprt2.cid 2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll 2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll 2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll 2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll 2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll 2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll . ============= FINISH: 21:52:14.53 =============== Again thanks for your consideration.attach.zip
  11. CallOfBooty
    Hi, I mistakenly downloaded device driver updates from an untrusted source and most rootkit removal tools say the following: +---------------------------------------------------- | Trend Micro RootkitBuster | Module version: 3.60.0.1016 | Computer Name: 700GR | User Name: Owner +---------------------------------------------------- --== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==-- [HIDDEN_FILE]: FullPath : Master Boot Record (MBR) Sector FullPathLength: 0 DesiredAccess : 0x0 Options : 0x0 Attributes : 0x0 ShareAccess : 0x0 Type : 0x0 1 hidden files found. --== Dump Hidden Registry Value on HKLM ==-- No hidden registry entries found. --== Dump Hidden Process ==-- No hidden processes found. --== Dump Hidden Driver ==-- No hidden drivers found. --== Service Win32 API Hook List ==-- No hidden operating system service hooks found. --== Dump Hidden Port ==-- No hidden ports found. --== Dump Kernel Code Patching ==-- [KERNEL_CODE][PATCHED]: Service API : ZwCreateKey Address : 80578AB4 CurrentCode : E92BB6EE76 ExpectedCode : 68C8000000 ServiceNumber : 0x29 SDTType : 0x0 [KERNEL_CODE][PATCHED]: Service API : ZwDeleteKey Address : 8059A5C9 CurrentCode : E92A9BEC76 ExpectedCode : 6A3868D040 ServiceNumber : 0x3f SDTType : 0x0 [KERNEL_CODE][PATCHED]: Service API : ZwDeleteValueKey Address : 805991E8 CurrentCode : E937AFEC76 ExpectedCode : 6A48688040 ServiceNumber : 0x41 SDTType : 0x0 [KERNEL_CODE][PATCHED]: Service API : ZwOpenKey Address : 80572BDF CurrentCode : E9EC14EF76 ExpectedCode : 68BC000000 ServiceNumber : 0x77 SDTType : 0x0 [KERNEL_CODE][PATCHED]: Service API : ZwOpenProcess Address : 8057F93A CurrentCode : E96947EE76 ExpectedCode : 68C4000000 ServiceNumber : 0x7a SDTType : 0x0 [KERNEL_CODE][PATCHED]: Service API : ZwOpenThread Address : 80596743 CurrentCode : E974D9EC76 ExpectedCode : 68C0000000 ServiceNumber : 0x80 SDTType : 0x0 [KERNEL_CODE][PATCHED]: Service API : ZwRenameKey Address : 8065684C CurrentCode : E9BDD8E076 ExpectedCode : 6A3468D0F4 ServiceNumber : 0xc0 SDTType : 0x0 [KERNEL_CODE][PATCHED]: Service API : ZwSetSecurityObject Address : 805E8694 CurrentCode : E9B7BAE776 ExpectedCode : 8BFF558BEC ServiceNumber : 0xed SDTType : 0x0 [KERNEL_CODE][PATCHED]: Service API : ZwSetValueKey Address : 80580088 CurrentCode : E9AD40EE76 ExpectedCode : 6A5C683842 ServiceNumber : 0xf7 SDTType : 0x0 9 Kernel code patching found. --== Dump Hidden Services ==-- No hidden services found. HiJackThis log: Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 8:24:17 AM, on 5/5/2011 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\a-squared Free\a2service.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe C:\WINDOWS\system32\mfevtps.exe C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\Program Files\Digital Media Reader\shwiconem.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Athan\Athan.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110301200535.dll O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [PMBVolumeWatcher] C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled O4 - Global Startup: McAfee Security Scan Plus.lnk = ? O4 - Global Startup: Microsoft Office.lnk.disabled O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000 O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing) O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: GFI Backup 2009 - Home Edition Attendant Service (GFIBckHAtt) - GFI Software Ltd. - C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe O23 - Service: GFI Backup 2009 - Home Edition Scheduler Service (GFIBckHSched) - GFI Software Ltd. - C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing) O23 - Service: PMBDeviceInfoProvider - Sony Corporation - C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe -- End of file - 13773 bytes Any comment would be appreciated. The computer is very slow to respond to clicks and starting programs.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.