Jump to content

jclaytona

Members
 View Profile  See their activity

  • Posts

    17

  • Joined

  • Last visited

 Content Type 

Everything posted by jclaytona

  1. jclaytona
    Hi, Earlier post (link below) helped me clean off my hard drive which had gone bad. At this point I would appreciate some help installing a new hard drive. I have only cleaned off the old hard drive, I have not removed it or purchased a new one. Thank you for all your help. James http://forums.malwarebytes.org/index.php?showtopic=114315&hl=&fromsearch=1
  2. jclaytona
    i'm still here. I started the removal process ran out of space and got busy with work. Waiting to get my wifes things off next, she has some stuff saved already, then decide to get a hard drive or new computer. Thanks for your help so far. I will get back just as soon as I finish removing the goods off the hard drive. Thanks, Jame
  3. jclaytona
    I can't get to the command prompt, it just keeps rebooting and going back to the safe mode page. What do you suppose, the hard drive is bad? Thanks James
  4. jclaytona
    Hi and thanks but it didn't work. I did everything as you wrote it with minor variations on how to select the options, maybe it was the updated version. The only other thing was clicking on the red k in the lower left and selecting "logout" . It didn't exist, the red k was there but when I left clicked it, it just opened up the scan box again, so I selected exit and then hit the button all the way to the left and selected shutdown. When I rebooted it went straight to the selecting safe mode page. I selected each option, one at a time and every time it started to boot up and just returned to the safe mode selection page. Do you possibly, hopefully have another suggestion? Thank you.
  5. jclaytona
    Windows on screen started blinking. Shut down computer and started up. Ent immediately to start up selection page, usually seen only after pushing f8. Make a selection and it acts as if it is starting up and goes back to start up selection. Screen. Can't o any further. Using iPad for this. Please help.
  6. jclaytona
    Hi, Here is the URL from the pitstop results. Bottom 26%. http://www.pcpitstop.com/betapit/sec.asp?conid=24466017 Thanks, James
  7. jclaytona
    Hi Chris, Deleted security check, uninsalled combofix and adobe flash player and reinstalled adobe flash player. Everything seems to be running fine, just a little slow right now. Thanks alot, James
  8. jclaytona
    Hey Chris, Sorry for the delay, I was out of town for a while. Just so you know, the computer seems to be running great. Here are the logs you have requested: ESET log; ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6427 # api_version=3.0.2 # EOSSerial=dab6add005a5584684675b6999d33aa5 # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=false # utc_time=2011-06-28 03:09:16 # local_time=2011-06-27 11:09:16 (-0500, Eastern Daylight Time) # country="United States" # lang=9 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=5121 16777177 100 75 12162964 21794927 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=111582 # found=0 # cleaned=0 SECURITY CHECK log; Results of screen317's Security Check version 0.99.17 Windows XP Service Pack 3 Internet Explorer 8 `````````````````````````````` Antivirus/Firewall Check: Windows Firewall Disabled! ESET Online Scanner v3 McAfee SecurityCenter Antivirus up to date! ``````````````````````````````` Anti-malware/Other Utilities Check: Malwarebytes' Anti-Malware Java 6 Update 26 Adobe Flash Player ```````````````````````````````` Process Check: objlist.exe by Laurent ``````````End of Log```````````` Thanks again, you were absolutely an enormous help. James
  9. jclaytona
    Hey Chris, Thanks again. Since I last sent a reply eveything seems to be running great. Here is the combofix log you asked for. ComboFix 11-06-13.01 - james 06/14/2011 19:52:55.2.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1560 [GMT -4:00] Running from: c:\documents and settings\james\Desktop\ComboFix.exe AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\james\Desktop\Windows XP Recovery.lnk c:\documents and settings\james\Start Menu\Programs\Windows XP Recovery c:\documents and settings\james\Start Menu\Programs\Windows XP Recovery\Uninstall Windows XP Recovery.lnk c:\documents and settings\james\Start Menu\Programs\Windows XP Recovery\Windows XP Recovery.lnk . . ((((((((((((((((((((((((( Files Created from 2011-05-15 to 2011-06-15 ))))))))))))))))))))))))))))))) . . 2011-06-14 00:32 . 2011-06-14 00:32 -------- d-----w- c:\documents and settings\Lara\Local Settings\Application Data\Temp 2011-06-10 22:44 . 2011-06-10 22:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-06-10 22:19 . 2011-06-10 22:19 -------- d-----w- c:\program files\Common Files\Java 2011-06-10 22:19 . 2011-06-10 22:18 73728 ----a-w- c:\windows\system32\javacpl.cpl 2011-05-24 20:07 . 2011-05-24 20:08 -------- d-----w- c:\documents and settings\james\Application Data\GetRightToGo 2011-05-23 20:50 . 2011-05-23 20:50 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-06-10 22:18 . 2010-08-30 10:50 472808 ----a-w- c:\windows\system32\deployJava1.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-14 68856] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Mouse Suite 98 Daemon"="ICO.EXE" [2007-04-26 49152] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940] "Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688] "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984] "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288] . c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\ Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-11-25 1085440] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer] @="Service" . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3] 2007-12-21 22:57 86016 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] 2008-11-06 17:33 41264 ----a-w- c:\program files\Common Files\aol\1237842951\ee\aolsoftware.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0] 2001-07-25 14:00 241714 ----a-w- c:\program files\Microsoft Money\System\Activation.exe . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"= "c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"= "c:\\Program Files\\Common Files\\aol\\1237842951\\ee\\aolsoftware.exe"= "c:\\Program Files\\AOL 9.5\\waol.exe"= "c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"= "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"= "c:\\Documents and Settings\\james\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"= . R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\BPCDRVSD.SYS [3/16/2008 3:18 PM 8736] R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [3/16/2008 3:19 PM 62359] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/24/2011 9:23 AM 84072] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/1/2008 6:40 AM 88176] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [1/24/2011 9:22 AM 271480] R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [1/24/2011 9:22 AM 271480] R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [1/24/2011 9:23 AM 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/24/2011 9:23 AM 141792] R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [3/16/2008 3:19 PM 4538] R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [3/16/2008 3:19 PM 9085] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/24/2011 9:23 AM 55840] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [1/24/2011 9:23 AM 313288] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/24/2011 9:23 AM 88544] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/3/2010 11:01 PM 135664] S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560] S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [3/16/2008 3:19 PM 5493] S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [3/16/2008 3:19 PM 19670] S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [3/16/2008 3:19 PM 96768] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/3/2010 11:01 PM 135664] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/24/2011 9:23 AM 88544] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/24/2011 9:23 AM 84264] S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/23/2001 8:00 AM 14336] S3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\pelps2m.sys [1/10/2008 10:48 PM 18048] . --- Other Services/Drivers In Memory --- . *Deregistered* - mfeavfk01 . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper . Contents of the 'Scheduled Tasks' folder . 2011-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34] . 2011-06-14 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-09 19:51] . 2011-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc27bd564e79ac.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 03:00] . 2011-06-14 c:\windows\Tasks\SDMsgUpdate (TE).job - c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-09-17 11:29] . 2011-06-14 c:\windows\Tasks\User_Feed_Synchronization-{FF9790FC-6E0C-49C7-9CF5-B50702C94121}.job - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.msnbc.com/ mStart Page = about:blank TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12 . . ------- File Associations ------- . .scr=DWGTrueViewScriptFile . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-06-14 20:07 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (LocalSystem) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,13,06,bf,cc,7b,2d,47,b6,fb,ef,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,13,06,bf,cc,7b,2d,47,b6,fb,ef,\ . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(1076) c:\windows\system32\igfxdev.dll . Completion time: 2011-06-14 20:12:15 ComboFix-quarantined-files.txt 2011-06-15 00:12 ComboFix2.txt 2011-05-30 16:15 . Pre-Run: 22,043,348,992 bytes free Post-Run: 22,214,537,216 bytes free . Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4 - - End Of File - - 37C55E2095D0F8AEDEA0E22843CAE8DB
  10. jclaytona
    screen317, glad to hear from you. I got through everything you had instructed. Just for your information though, when I first ran the uninstall of the combofix the computer shut down on its own. I tried it again, it asked me to shut off mcafee, which I did. It then found a rootkit and attempted to disinfect it. The computer then asked to be rebooted and when it did it said that combofix was uninstalled. I left it at that, not sure what the hubbub about the rootkit was. I did see this txt file on my desktop though, not sure when it got there but I'm pretty positive it came up after the combofix uninstall and the reboot. I remember when it was booting up that there was a window with 'C:' and a flashing cursor in it just like when combofix was getting ready to show its log after the original scan. It is named "catchme" File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully File list cleared There are a few PTN files and a windows recovery- executable file in my desktop now as well. Not sure what they mean either. I then uninstalled the java, adobe reader and adobe flash player and the ESET. And reinstalled without an issue. I also, upated my mcafee. I went on to the internet and tried a google search and clicked on a link about 10 seperate times and had no issues with the redirect. The computer seems to be running well. I don't see any mcafee pop ups and the real time scanning is running. Thanks, James
  11. jclaytona
    Hi, I understand about the use of illegal downloading. We had limewire and once we found out it was wrong, my wife and I stopped using it and it is no longer on our system. It hasn't been for years. I guess some of the music may still be on here somewhere, but limewire itself has been gone for a long time. Nothing illegal is done with this computer and I really need your assistance here. I would really appreciate it if you would continue to help me out. Thank you. Nothing illlegal is done with this computer.
  12. jclaytona
    Thanks again for your help. It's really not any better. Still getting redirected, in fact previously when I did a search using Bing(I switched to after google) I could just copy and paste the search result address into the web address bar and go to a site that way. This time I typed in 'malawarebytes.org' 8 times before it finally went to your site. The main address bar was getting redirected, thats never happened before. Also,I have McAfee and 'real time scanning will not stay on. I have an exclamation point over the 'M' shield in the task bar on the bottom right of the screen and when I click on it to see why, it pops open and tells me that real time scanning is off, so I click to turn it on and almost immediately it switches off. I am unplugging the internet connection whenever I shut the computer down and I always am running in safe mode to do this work. After the scan today using ESET it said that 12(I think) trojans were found and removed. I'm starting to think it is producing offspring in my computer. Anyway, thanks for your help and I hope we can get this figured out. Here are the logs you asked for. ESET log: ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6522 # api_version=3.0.2 # EOSSerial=dab6add005a5584684675b6999d33aa5 # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=false # utc_time=2011-06-01 04:08:09 # local_time=2011-06-01 12:08:09 (-0500, Eastern Daylight Time) # country="United States" # lang=9 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=5121 16777190 100 75 9881859 19513822 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=114733 # found=13 # cleaned=13 # scan_time=7401 C:\Documents and Settings\james\James' Documents\My Music\black label\black label society (unplugged version).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 65EA4F7A32C856603F60F29F2B80CFEC C C:\Documents and Settings\Lara\My Documents\LimeWire\Saved\Gloria Estefan - You'll be mine (party time) - greatest hits.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 5B8091DF80CB38D956BC1D2723E5FFF0 C C:\Documents and Settings\Lara\My Documents\LimeWire\Saved\hairspray [cd rip].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 0C6DCEA8A74AB98D9FF36882ED310CAD C C:\Documents and Settings\Lara\My Documents\LimeWire\Saved\hard to handle (new remix).au a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 198AEF88256790CF18445C43CFFED274 C C:\Documents and Settings\Lara\My Documents\LimeWire\Saved\NSync and Gloria Estafan - Music of My Heart.wma WMA/TrojanDownloader.Wimad.NAA trojan (cleaned by deleting - quarantined) F8240ECF37C3F1D3A15AA0EFD31323C7 C C:\Documents and Settings\Lara\My Documents\LimeWire\Saved\party time gloria estefan extended version.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) CD37F1580BE3A9BE561A2D3712D19464 C C:\Documents and Settings\Lara\My Documents\LimeWire\Saved\party time gloria estefan greatest hit 2009.wma WMA/TrojanDownloader.Wimad.NAD trojan (cleaned by deleting - quarantined) AEFF0ABAF96D4336264BB0C586E6319E C C:\Documents and Settings\Lara\My Documents\LimeWire\Saved\party time gloria estefan.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) F08D1D989C49C0608EB16EF1475A3027 C C:\Documents and Settings\Lara\My Documents\My Music\LARA SANSA\2.15.09\hairspray [cd rip].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 0C6DCEA8A74AB98D9FF36882ED310CAD C C:\Documents and Settings\Lara\My Documents\My Music\LARA SANSA\New Folder\NSync and Gloria Estafan - Music of My Heart.wma WMA/TrojanDownloader.Wimad.NAA trojan (cleaned by deleting - quarantined) F8240ECF37C3F1D3A15AA0EFD31323C7 C C:\System Volume Information\_restore{4D9994AD-508E-49F8-BEEC-9CC8F4AAEE0B}\RP102\A0024098.exe a variant of Win32/Kryptik.OCM trojan (cleaned by deleting - quarantined) 19115892716267925682C8FFE0B0AC3F C C:\System Volume Information\_restore{4D9994AD-508E-49F8-BEEC-9CC8F4AAEE0B}\RP102\A0024164.exe a variant of Win32/Kryptik.OCM trojan (cleaned by deleting - quarantined) 61E4D572709A29B27D1FA174B827C99D C C:\System Volume Information\_restore{4D9994AD-508E-49F8-BEEC-9CC8F4AAEE0B}\RP102\A0024186.exe a variant of Win32/Kryptik.OCM trojan (cleaned by deleting - quarantined) 19115892716267925682C8FFE0B0AC3F C Security check log: Results of screen317's Security Check version 0.99.12 Windows XP Service Pack 3 Internet Explorer 8 `````````````````````````````` Antivirus/Firewall Check: Windows Security Center service is not running! This report may not be accurate! Windows Firewall Disabled! ESET Online Scanner v3 McAfee SecurityCenter Antivirus out of date! (On Access scanning disabled!) ``````````````````````````````` Anti-malware/Other Utilities Check: Malwarebytes' Anti-Malware Java 6 Update 21 Java 6 Update 4 Java 6 Update 5 Out of date Java installed! Adobe Flash Player 9 (Out of date Flash Player installed!) Adobe Flash Player Adobe Reader 9.1.1 Out of date Adobe Reader installed! ```````````````````````````````` Process Check: objlist.exe by Laurent ``````````End of Log````````````
  13. jclaytona
    Thank you again. Generally, how bad of an info stealing virus is it? Anyway, here are the logs you had requested. ComboFix log: ComboFix 11-05-29.01 - james 05/30/2011 11:28:52.1.2 - x86 NETWORK Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1623 [GMT -4:00] Running from: c:\documents and settings\james\Desktop\ComboFix.exe AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Jame\System c:\documents and settings\Jame\System\win_qs8.jqx c:\documents and settings\Jame\WINDOWS c:\documents and settings\james\Application Data\Adobe\plugs c:\documents and settings\james\Application Data\Adobe\shed c:\documents and settings\james\Application Data\Adobe\shed\thr1.chm c:\documents and settings\Max\WINDOWS . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_SSHNAS . . ((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-30 ))))))))))))))))))))))))))))))) . . 2011-05-24 20:07 . 2011-05-24 20:08 -------- d-----w- c:\documents and settings\james\Application Data\GetRightToGo 2011-05-23 20:50 . 2011-05-23 20:50 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools 2011-05-14 21:34 . 2011-05-15 12:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla! 2011-05-14 01:47 . 2011-05-14 01:47 -------- d-----w- c:\documents and settings\james\Application Data\MSN6 2011-05-14 01:47 . 2011-05-14 01:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\MSN6 . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-03-07 05:33 . 2008-01-10 23:27 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37 . 2001-08-23 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21 . 2001-08-23 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-14 68856] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Mouse Suite 98 Daemon"="ICO.EXE" [2007-04-26 49152] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940] "Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984] "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888] . c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\ Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-11-25 1085440] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Taskman"="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer] @="Service" . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3] 2007-12-21 22:57 86016 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] 2008-11-06 17:33 41264 ----a-w- c:\program files\Common Files\aol\1237842951\ee\aolsoftware.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0] 2001-07-25 14:00 241714 ----a-w- c:\program files\Microsoft Money\System\Activation.exe . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"= "c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"= "c:\\Program Files\\Common Files\\aol\\1237842951\\ee\\aolsoftware.exe"= "c:\\Program Files\\AOL 9.5\\waol.exe"= "c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"= "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"= "c:\\Documents and Settings\\james\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"= . R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\BPCDRVSD.SYS [3/16/2008 3:18 PM 8736] R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [3/16/2008 3:19 PM 62359] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/24/2011 9:23 AM 84072] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/1/2008 6:40 AM 88176] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [1/24/2011 9:22 AM 271480] R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [1/24/2011 9:22 AM 271480] R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [1/24/2011 9:23 AM 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/24/2011 9:23 AM 141792] R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [3/16/2008 3:19 PM 4538] R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [3/16/2008 3:19 PM 9085] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/24/2011 9:23 AM 55840] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [1/24/2011 9:23 AM 313288] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/24/2011 9:23 AM 88544] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/3/2010 11:01 PM 135664] S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560] S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [3/16/2008 3:19 PM 5493] S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [3/16/2008 3:19 PM 19670] S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [3/16/2008 3:19 PM 96768] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/3/2010 11:01 PM 135664] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/24/2011 9:23 AM 88544] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/24/2011 9:23 AM 84264] S3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\pelps2m.sys [1/10/2008 10:48 PM 18048] . --- Other Services/Drivers In Memory --- . *Deregistered* - mfeavfk01 . Contents of the 'Scheduled Tasks' folder . 2011-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34] . 2011-05-30 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-09 19:51] . 2011-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc051a6ee9b3c0.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 03:00] . 2011-05-30 c:\windows\Tasks\SDMsgUpdate (TE).job - c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-09-17 11:29] . 2011-05-30 c:\windows\Tasks\User_Feed_Synchronization-{FF9790FC-6E0C-49C7-9CF5-B50702C94121}.job - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.msnbc.com/ mStart Page = about:blank TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12 . . ------- File Associations ------- . .scr=DWGTrueViewScriptFile . - - - - ORPHANS REMOVED - - - - . Notify-TPSvc - TPSvc.dll MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-05-30 11:54 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (LocalSystem) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,13,06,bf,cc,7b,2d,47,b6,fb,ef,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,13,06,bf,cc,7b,2d,47,b6,fb,ef,\ . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(912) c:\windows\system32\WININET.dll c:\progra~1\mcafee\SITEAD~1\saHook.dll c:\windows\system32\AcSignIcon.dll c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll c:\windows\system32\msi.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\AOL\ACS\AOLAcsd.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\crypserv.exe c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe c:\program files\Microsoft\BingBar\SeaPort.EXE c:\windows\system32\UAService7.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE c:\program files\Common Files\McAfee\SystemCore\mcshield.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe c:\windows\system32\rundll32.exe c:\progra~1\mcafee.com\agent\mcagent.exe c:\windows\system32\ICO.EXE c:\program files\Brother\Brmfcmon\BrMfcmon.exe c:\program files\iPod\bin\iPodService.exe c:\program files\Common Files\Java\Java Update\jucheck.exe c:\progra~1\mcafee\msc\mcupdmgr.exe c:\program files\Internet Explorer\IEXPLORE.EXE c:\program files\Internet Explorer\IEXPLORE.EXE . ************************************************************************** . Completion time: 2011-05-30 12:15:36 - machine was rebooted ComboFix-quarantined-files.txt 2011-05-30 16:15 . Pre-Run: 17,413,599,232 bytes free Post-Run: 18,673,577,984 bytes free . Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4 - - End Of File - - F2F7F60C6DAAE774606FB1E615347278 And here is the DDS log: . DDS (Ver_11-05-19.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 Run by james at 13:45:13 on 2011-05-30 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1378 [GMT -4:00] . AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\crypserv.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\mfevtps.exe C:\Program Files\Microsoft\BingBar\SeaPort.EXE C:\WINDOWS\System32\svchost.exe -k imgsvc C:\WINDOWS\system32\UAService7.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\system32\ICO.EXE C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Java\Java Update\jucheck.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Microsoft Money\System\urlmap.exe C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe C:\Documents and Settings\james\Desktop\1st try\dds.com C:\WINDOWS\system32\WSCRIPT.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.msnbc.com/ mStart Page = about:blank uURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll uURLSearchHooks: H - No File mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110124082348.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll" BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll" TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" mRun: [Mouse Suite 98 Daemon] ICO.EXE mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE Thanks.
  14. jclaytona
    Thank you very much for your help. unhide was successful, i have my icons back. At first I couldn't update malawarebytes so re-downloaded it and it seemed to be OK. Found 3 issues and deleted them. Here is the MBAM log file: Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6688 Windows 5.1.2600 Service Pack 3 (Safe Mode) Internet Explorer 8.0.6001.18702 5/26/2011 7:32:38 PM mbam-log-2011-05-26 (19-32-38).txt Scan type: Quick scan Objects scanned: 207962 Time elapsed: 12 minute(s), 28 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Malware Protection (Trojan.Agent) -> Value: Malware Protection -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: c:\documents and settings\all users.windows\application data\defender.exe (Trojan.Agent) -> Quarantined and deleted successfully. c:\documents and settings\james\local settings\Temp\5A.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully. Here is the DDS file: . DDS (Ver_11-05-19.01) - NTFSx86 NETWORK Internet Explorer: 8.0.6001.18702 Run by james at 19:37:35 on 2011-05-26 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1598 [GMT -4:00] . AV: Malware Defense *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9} AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe C:\WINDOWS\system32\mfevtps.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\igfxsrvc.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\james\Desktop\1st try\dds.com C:\WINDOWS\system32\WSCRIPT.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.msnbc.com/ mStart Page = about:blank uURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll uURLSearchHooks: H - No File mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110124082348.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll" BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll" TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" mRun: [Mouse Suite 98 Daemon] ICO.EXE mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe" mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\mb\mbam.exe" /runcleanupscript mRunOnce: [Malwarebytes' Anti-Malware] c:\mb\mbamgui.exe /install /silent StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Notify: igfxcui - igfxdev.dll Notify: TPSvc - TPSvc.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ============= SERVICES / DRIVERS =============== . R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-1-24 386840] R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\BPCDRVSD.SYS [2008-3-16 8736] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-24 84072] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-24 271480] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-1-24 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-24 141792] R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [2008-3-16 4538] R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [2008-3-16 9085] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-1-24 313288] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-1-24 88544] S1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [2008-3-16 62359] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664] S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-1 88176] S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-24 271480] S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-24 271480] S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-1-24 171168] S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560] S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [2008-3-16 5493] S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [2008-3-16 19670] S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [2008-3-16 96768] S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-24 55840] S3 cpuz132;cpuz132;\??\c:\docume~1\james\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\james\locals~1\temp\cpuz132\cpuz132_x32.sys [?] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664] S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-1-24 152960] S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-1-24 52104] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-1-24 88544] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-24 84264] S3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\pelps2m.sys [2008-1-10 18048] . =============== File Associations =============== . .scr=DWGTrueViewScriptFile . =============== Created Last 30 ================ . 2011-05-26 23:32:59 54016 ----a-w- c:\windows\system32\drivers\vmqv.sys 2011-05-26 23:17:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-05-24 20:07:28 -------- d-----w- c:\documents and settings\james\application data\GetRightToGo 2011-05-23 20:50:21 -------- d-----w- c:\documents and settings\all users.windows\application data\PC Tools 2011-05-14 21:34:41 -------- d-----w- c:\documents and settings\all users.windows\application data\STOPzilla! . ==================== Find3M ==================== . 2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys . ============= FINISH: 19:38:46.35 =============== Thanks again.
  15. jclaytona
    Hello and thank you for your time. I started out with windows xp security virus. I ran a full scan with malawarebytes and mcafee. I then thought it was gone but soon realized that my start menu programs were missing as well as my desktop icons. I then experience the redirecting from google. At this point I came into the forum and printed the instructions from "I'm infected - What do I do now?" I had already run the malawarebytes scan so I proceeded with the defogger, the DDS and the GMER scan. I posted earlier and it being my first time I did not attach the logs correctly, hope this second one is OK. Here are the (3) files requested in the directions. MBAM log: Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6616 Windows 5.1.2600 Service Pack 3 (Safe Mode) Internet Explorer 8.0.6001.18702 5/19/2011 9:53:46 AM mbam-log-2011-05-19 (09-53-46).txt Scan type: Quick scan Objects scanned: 201013 Time elapsed: 9 minute(s), 32 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 1 Registry Data Items Infected: 4 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DQMiuyMNARayQk (Trojan.FakeMS.Gen) -> Value: DQMiuyMNARayQk -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: c:\documents and settings\all users.windows\application data\dqmiuymnarayqk.exe (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully. c:\documents and settings\james\2gweorjqjutp92vjy9gake (Malware.Trace) -> Quarantined and deleted successfully. DDS file: . DDS (Ver_11-05-19.01) - NTFSx86 NETWORK Internet Explorer: 8.0.6001.18702 Run by james at 14:09:58 on 2011-05-26 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1543 [GMT -4:00] . AV: Malware Defense *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9} AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe C:\WINDOWS\system32\mfevtps.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\ctfmon.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\james\Desktop\dds.com C:\WINDOWS\system32\WSCRIPT.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.msnbc.com/ mStart Page = about:blank uURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll uURLSearchHooks: H - No File mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110124082348.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll" BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll" TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [Malware Protection] c:\documents and settings\all users.windows\application data\defender.exe mRun: [Mouse Suite 98 Daemon] ICO.EXE mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe" mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Notify: igfxcui - igfxdev.dll Notify: TPSvc - TPSvc.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ============= SERVICES / DRIVERS =============== . R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-1-24 386840] R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\BPCDRVSD.SYS [2008-3-16 8736] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-24 84072] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-24 271480] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-1-24 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-24 141792] R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [2008-3-16 4538] R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [2008-3-16 9085] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-1-24 313288] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-1-24 88544] S1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [2008-3-16 62359] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664] S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-1 88176] S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-24 271480] S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-24 271480] S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-1-24 171168] S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560] S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [2008-3-16 5493] S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [2008-3-16 19670] S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [2008-3-16 96768] S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-24 55840] S3 cpuz132;cpuz132;\??\c:\docume~1\james\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\james\locals~1\temp\cpuz132\cpuz132_x32.sys [?] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664] S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-1-24 152960] S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-1-24 52104] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-1-24 88544] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-24 84264] S3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\pelps2m.sys [2008-1-10 18048] . =============== File Associations =============== . .scr=DWGTrueViewScriptFile . =============== Created Last 30 ================ . 2011-05-25 02:55:36 879616 ----a-w- c:\documents and settings\all users.windows\application data\defender.exe 2011-05-24 20:07:28 -------- d-----w- c:\documents and settings\james\application data\GetRightToGo 2011-05-23 20:50:21 -------- d-----w- c:\documents and settings\all users.windows\application data\PC Tools 2011-05-14 21:34:41 -------- d-----w- c:\documents and settings\all users.windows\application data\STOPzilla! . ==================== Find3M ==================== . 2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys . ============= FINISH: 14:11:52.45 =============== GMER file: GMER 1.0.15.15627 - http://www.gmer.net Rootkit scan 2011-05-26 02:12:55 Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380020A rev.3.35 Running: wzkfvmzy.exe; Driver: C:\DOCUME~1\james\LOCALS~1\Temp\pxtdipow.sys ---- System - GMER 1.0.15 ---- Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF743E0A4] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF743E0B8] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread ---- Kernel code sections - GMER 1.0.15 ---- INITc VolSnap.sys F7622BD0 4 Bytes [82, AA, 4D, 80] INITc VolSnap.sys F7622BF8 4 Bytes [E6, 7D, 4E, 80] INITc VolSnap.sys F7622C21 3 Bytes [C4, 4D, 80] {LES ECX, DWORD [EBP-0x80]} INITc VolSnap.sys F7622C48 4 Bytes [96, 34, 4E, 80] INITc VolSnap.sys F7622C70 4 Bytes [F6, 14, 4E, 80] INITc ... .text C:\WINDOWS\System32\Drivers\BpCdrVsd.SYS section is writeable [0xF794B2A0, 0x119C, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00DD64C0 .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00DD66C0 .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 015E000A .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 014B000A .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 014A000A .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] WS2_32.dll!send 71AB4C27 5 Bytes JMP 014C000A .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 015D000A .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[508] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0149000A .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00DD64C0 .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00DD66C0 .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00D0000A .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CD000A .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0059000A .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CE000A .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00CF000A .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1696] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0058000A .text C:\Program Files\Internet Explorer\iexplore.exe[2064] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2064] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2064] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2064] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2064] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2064] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2064] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2064] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2064] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2064] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00DD64C0 .text C:\Program Files\Internet Explorer\iexplore.exe[2064] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00DD66C0 .text C:\Program Files\Internet Explorer\iexplore.exe[2064] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00D3000A .text C:\Program Files\Internet Explorer\iexplore.exe[2064] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D0000A .text C:\Program Files\Internet Explorer\iexplore.exe[2064] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00CF000A .text C:\Program Files\Internet Explorer\iexplore.exe[2064] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D1000A .text C:\Program Files\Internet Explorer\iexplore.exe[2064] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00D2000A .text C:\Program Files\Internet Explorer\iexplore.exe[2064] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0059000A .text C:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2672] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2672] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2672] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2672] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00DD64C0 .text C:\Program Files\Internet Explorer\iexplore.exe[2672] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00DD66C0 .text C:\Program Files\Internet Explorer\iexplore.exe[2672] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00D2000A .text C:\Program Files\Internet Explorer\iexplore.exe[2672] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CF000A .text C:\Program Files\Internet Explorer\iexplore.exe[2672] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00CE000A .text C:\Program Files\Internet Explorer\iexplore.exe[2672] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D0000A .text C:\Program Files\Internet Explorer\iexplore.exe[2672] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00D1000A .text C:\Program Files\Internet Explorer\iexplore.exe[2672] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CD000A ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation) AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) ---- Threads - GMER 1.0.15 ---- Thread System [4:132] 8A80CE7A Thread System [4:136] 8A80F008 ---- Files - GMER 1.0.15 ---- File C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\XER9LMDU\index.4db30204c922cf9bad98e4b9ce5adc24[1].htm 6523 bytes File C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\XTK61E2U\menu_sprite_design[1].gif 3875 bytes File C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\XTK61E2U\images-5_8[1].jpg 20472 bytes ---- EOF - GMER 1.0.15 ---- Again, thank you for your time and any guidance is much apprciated.
  16. jclaytona
    printed the instructins from the forum topic "i'm infected-what do i do now" I had the windows XP security virus, ran malawarebytes quick and full scan and it seemed to go away. at that point realized that i had no menu of programs at start up and all my desktop icons were gone. got on the internet and kept getting redirected. i used it for a few days like this because i was tired of dealing with it, just copied and pasted the web addresses, still doing all of this. wanted to clean it up so i printed the instructions and started the process of defogging. i got through disabling the emulation drivers and moved on to downloading DDS, only one log came up. moved on to the GMER rootkit scanner and started to scan. the first time the it scanned for a little over an hour then stopped and the computer restarted on it's own. when it booted back up i received a pop up saying windows recovered from a serios problem. at that point i tried the scan again, walked away came back 2 hours later and was still scanning, walked away and retuerned to find that it had stopped and there was a problem with R66v.exe file. I shut it down and came here this morning, can you please help me. what do i do next? I have attached the 3 items i have on my desktop from starting this procedure, hope they help.
  17. jclaytona
    printed the instructins from the forum topic "i'm infected-what do i do now" I had the windows XP security virus, ran malawarebytes quick and full scan and it seemed to go away. at that point realized that i had no menu of programs at start up and all my desktop icons were gone. got on the internet and kept getting redirected. i used it for a few days like this because i was tired of dealing with it, just copied and pasted the web addresses, still doing all of this. wanted to clean it up so i printed the instructions and started the process of defogging. i got through disabling the emulation drivers and moved on to downloading DDS, only one log came up. moved on to the GMER rootkit scanner and started to scan. the first time the it scanned for a little over an hour then stopped and the computer restarted on it's own. when it booted back up i received a pop up saying windows recovered from a serios problem. at that point i tried the scan again, walked away came back 2 hours later and was still scanning, walked away and retuerned to find that it had stopped and there was a problem with R66v.exe file. I shut it down and came here this morning, can you please help me. what do i do next? I have attached the 3 items i have on my desktop from starting this procedure, hope they help.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.