EdOr

Members

View Profile See their activity

Posts
9
Joined
July 1, 2011
Last visited
August 29, 2011

Reputation

0 Neutral

Still messed up

EdOr posted a topic in Resolved Malware Removal Logs

Hi, I was in the mix to recover this PC and had to drop it for about 4 weeks ago for other priorities. I've lost the thread and so I'm starting a new one. The difficulty is removing MacAfee and AVG to progress beyond where we left off. The progress to date has recovered some programs, file and folders, yet there are several programs in the "All Programs" list that show "empty", e.g., Quickbooks. I have the disk for QB, you recommend to try loading it again? Last ComboFix Log: ComboFix 11-08-01.02 - TracieN 08/01/2011 10:58:04.7.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2470 [GMT -7:00] Running from: c:\documents and settings\TracieN\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\TracieN\Desktop\CFScript.txt AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} * Resident AV is active . . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . . --------------- FCopy --------------- . c:\windows\ServicePackFiles\i386\imm32.dll --> c:\windows\system32\imm32.dll . ((((((((((((((((((((((((( Files Created from 2011-07-01 to 2011-08-01 ))))))))))))))))))))))))))))))) . . 2011-08-01 17:29 . 2011-08-01 17:29 73728 ----a-w- c:\windows\system32\javacpl.cpl 2011-07-19 15:05 . 2011-07-19 15:05 -------- d-----w- C:\02e068d404290831023535 2011-07-18 18:38 . 2011-07-18 18:38 -------- d-----w- C:\aa034c97014b6ae55c708d 2011-07-15 22:46 . 2011-07-15 22:46 -------- d-----w- C:\a32b7b54ccd144f5ef4f3e10 2011-07-14 15:04 . 2011-07-15 21:48 -------- d-----w- C:\514dabeb394370549631 2011-07-13 15:04 . 2011-07-13 15:04 -------- d-----w- C:\16bd3373b7daba1cb67e09ec130953 2011-07-11 22:37 . 2011-08-01 17:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-07-11 22:06 . 2011-07-11 22:06 -------- d-sh--w- c:\documents and settings\Administrator.HOMEWATCH\IECompatCache 2011-07-11 20:59 . 2011-07-11 20:59 -------- d-----w- C:\bb90d90176c79febb773643a 2011-07-05 19:06 . 2011-07-05 19:06 -------- d-----w- c:\documents and settings\TracieN\Application Data\Malwarebytes . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-08-01 17:29 . 2010-05-19 19:21 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-06-27 19:25 . 2006-02-28 02:00 18944 ----a-w- c:\windows\system32\version.dll 2011-06-02 14:02 . 2006-02-28 02:00 1858944 ----a-w- c:\windows\system32\win32k.sys 2003-06-20 22:05 . 2007-07-19 17:45 2368613 ----a-w- c:\program files\Common Files\QBFC2.1Installer.exe 2010-01-29 18:37 . 2010-01-29 18:37 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll 2011-04-14 21:01 . 2011-03-01 22:16 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll . . ------- Sigcheck ------- Note: Unsigned files aren't necessarily malware. . [-] 2011-06-27 . C7307DF49D6C9A9C6E1A995F515A419A . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll [7] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\version.dll [7] 2006-02-28 . D38408967BE738D0C1B47005BCE8CEEB . 18944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\version.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-13 68856] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696] . c:\documents and settings\tnelson\Start Menu\Programs\Startup\ Yammer.lnk - c:\program files\Yammer\Yammer.exe [2010-4-1 95232] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoWelcomeScreen"= 1 (0x1) . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2010-10-05 15:36 87424 ----a-w- c:\windows\system32\LMIinit.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer] @="Service" . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bria] 2009-06-26 23:07 17907712 ----a-w- c:\program files\CounterPath\Bria\bria.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "IMFservice"=2 (0x2) . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\SMINST\\Scheduler.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\CounterPath\\Bria\\bria.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 . R2 gupdate1c9e3d12c9c5c2d;Google Update Service (gupdate1c9e3d12c9c5c2d);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 133104] R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x] R2 TelevisionFanaticService;TelevisionFanaticService;c:\progra~1\TELEVI~2\bar\1.bin\64barsvc.exe [2011-06-27 42504] R2 Zimbra Desktop Service;Zimbra Desktop Service;c:\documents and settings\tnelson\Local Settings\Application Data\Zimbra\zdesktop\zdesktop.exe [2010-01-27 139264] R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-04-14 56064] R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 133104] R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x] R3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\DRIVERS\mfendisk.sys [2011-04-14 88736] R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-04-14 84488] R3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe [2009-08-18 678912] R3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\DRIVERS\TSUSB2.sys [2008-08-04 54016] S0 atiide;atiide;c:\windows\system32\DRIVERS\atiide.sys [2006-09-13 3840] S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-04-14 84200] S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-08 93320] S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480] S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480] S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-04-14 188136] S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-04-14 141792] S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2006-07-14 534040] S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-04-14 314088] S3 mfendiskmp;mfendiskmp;c:\windows\system32\DRIVERS\mfendisk.sys [2011-04-14 88736] . . --- Other Services/Drivers In Memory --- . *Deregistered* - mfeavfk01 . Contents of the 'Scheduled Tasks' folder . 2011-07-26 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34] . 2011-07-01 c:\windows\Tasks\diff.job - c:\windows\system32\ntbackup.exe [2006-02-28 00:12] . 2011-07-23 c:\windows\Tasks\Full.job - c:\windows\system32\ntbackup.exe [2006-02-28 00:12] . 2011-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 22:26] . 2011-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 22:26] . 2011-08-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1089530128-397176591-3299723014-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-08-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1911278139-1797553926-3513879574-1155.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-08-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-1138.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-08-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-1142.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-08-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-1144.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-08-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1089530128-397176591-3299723014-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1911278139-1797553926-3513879574-1155.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-1138.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-08-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-1142.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-1144.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-08-01 c:\windows\Tasks\User_Feed_Synchronization-{F2DD748F-06C7-49A3-898B-EE25583F45AF}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ uInternet Connection Wizard,ShellNext = ftp://ftp.homewatchcaregivers.com/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html TCP: DhcpNameServer = 192.168.1.250 24.205.192.61 FF - ProfilePath - . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-08-01 11:10 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher] "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService" . Completion time: 2011-08-01 11:13:57 ComboFix-quarantined-files.txt 2011-08-01 18:13 ComboFix2.txt 2011-07-23 23:57 ComboFix3.txt 2011-07-19 22:33 ComboFix4.txt 2011-07-19 21:21 ComboFix5.txt 2011-08-01 17:51 . Pre-Run: 22,859,255,808 bytes free Post-Run: 23,904,595,968 bytes free . - - End Of File - - 6F4E616DBFE212F9B60809C4A60D996E Last dss log: DDS (Ver_2011-06-23.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26 Run by TracieN at 11:22:36 on 2011-08-01 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2265 [GMT -7:00] . AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe C:\WINDOWS\system32\mfevtps.exe C:\Program Files\PDF Complete\pdfsvc.exe c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe C:\Program Files\Microsoft\BingBar\SeaPort.EXE C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\SearchProtocolHost.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.yahoo.com/ uInternet Connection Wizard,ShellNext = ftp://ftp.homewatchcaregivers.com/ uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110510115829.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll" BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll" TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mPolicies-explorer: NoWelcomeScreen = 1 (0x1) IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://hwcserver/connectcomputer/nshelp.dll DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199410328133 DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - hxxps://reports2.paychoiceonline.com/pcoreports/arview2.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://homewatchcaregivers.webex.com/client/T27L/nbr/ieatgpc.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 192.168.1.250 24.205.192.61 TCP: Interfaces\{1310A1C8-B84C-4950-8AF2-D34B47D7F11C} : DhcpNameServer = 192.168.1.250 24.205.192.61 TCP: Interfaces\{C0BF6E7B-4FA8-47FB-BD90-1BFBE01C189D} : DhcpNameServer = 192.168.1.15 24.205.192.61 24.205.224.36 Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Notify: AtiExtEvent - Ati2evxx.dll Notify: LMIinit - LMIinit.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll . ================= FIREFOX =================== . FF - ProfilePath - . ============= SERVICES / DRIVERS =============== . R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2006-9-13 3840] R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-1 387480] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-1 84200] R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-3-10 47640] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-29 93320] R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480] R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480] R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480] R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-3-1 171168] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-1 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-1 141792] R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2007-7-2 534040] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-1 153280] R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-1 52320] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-1 314088] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88736] S2 gupdate1c9e3d12c9c5c2d;Google Update Service (gupdate1c9e3d12c9c5c2d);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104] S2 LMIGuardianSvc;LMIGuardianSvc;"c:\program files\logmein\x86\lmiguardiansvc.exe" --> c:\program files\logmein\x86\LMIGuardianSvc.exe [?] S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?] S2 TelevisionFanaticService;TelevisionFanaticService;c:\progra~1\televi~2\bar\1.bin\64barsvc.exe [2011-6-27 42504] S2 Zimbra Desktop Service;Zimbra Desktop Service;c:\documents and settings\tnelson\local settings\application data\zimbra\zdesktop\zdesktop.exe [2010-7-6 139264] S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560] S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-1 56064] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104] S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88736] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-1 84488] S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb20 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB20 [?] S3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TSUSB2.sys [2009-4-13 54016] S4 LMIRfsClientNP;LMIRfsClientNP; [x] . =============== Created Last 30 ================ . 2011-08-01 17:48:42 -------- d-----w- C:\ComboFix 2011-08-01 17:38:20 -------- d-----w- C:\ComboFix124530C 2011-08-01 17:29:22 73728 ----a-w- c:\windows\system32\javacpl.cpl 2011-07-24 00:22:17 -------- d-----w- C:\ComboFix18028C 2011-07-23 23:39:15 208896 ----a-w- c:\windows\MBR.exe 2011-07-23 23:39:11 98816 ----a-w- c:\windows\sed.exe 2011-07-23 23:39:11 518144 ----a-w- c:\windows\SWREG.exe 2011-07-23 23:39:11 256000 ----a-w- c:\windows\PEV.exe 2011-07-23 23:38:53 -------- d-----w- C:\ComboFix1 2011-07-19 15:05:48 -------- d-----w- C:\02e068d404290831023535 2011-07-18 18:38:10 -------- d-----w- C:\aa034c97014b6ae55c708d 2011-07-18 17:56:03 -------- d-sha-r- C:\cmdcons 2011-07-15 22:46:25 -------- d-----w- C:\a32b7b54ccd144f5ef4f3e10 2011-07-14 15:04:28 -------- d-----w- C:\514dabeb394370549631 2011-07-13 15:04:29 -------- d-----w- C:\16bd3373b7daba1cb67e09ec130953 2011-07-11 22:37:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-07-11 20:59:35 -------- d-----w- C:\bb90d90176c79febb773643a 2011-07-05 19:06:55 -------- d-----w- c:\documents and settings\tracien\application data\Malwarebytes . ==================== Find3M ==================== . 2011-08-01 17:29:03 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-06-27 19:25:20 18944 ----a-w- c:\windows\system32\version.dll 2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys 2003-06-20 22:05:44 2368613 ----a-w- c:\program files\common files\QBFC2.1Installer.exe . ============= FINISH: 11:23:44.03 =============== last attempt log to unistall MacAfee: MCAFEE CLEANUP August 01, 2011 10:36:51 INFO Silent mode activated. INFO Cleanup will be scheduled and run. INFO Product Auth to be removed from system. INFO Product EMproxy to be removed from system. INFO Product FWdiver to be removed from system. INFO Product McSvcHost to be removed from system. INFO Product HW to be removed from system. INFO Product MAS to be removed from system. INFO Product MAT to be removed from system. INFO Product MBK to be removed from system. INFO Product MCPR to be removed from system. INFO Product McProxy to be removed from system. INFO Product MHN to be removed from system. INFO Product MNA to be removed from system. INFO Product MOBK to be removed from system. INFO Product MPFP to be removed from system. INFO Product MPFPCU to be removed from system. INFO Product MPS to be removed from system. INFO Product SHRED to be removed from system. INFO Product MPSCU to be removed from system. INFO Product MQC to be removed from system. INFO Product MQCCU to be removed from system. INFO Product MSAD to be removed from system. INFO Product MSHR to be removed from system. INFO Product MSK to be removed from system. INFO Product MSKCU to be removed from system. INFO Product MWL to be removed from system. INFO Product NMC to be removed from system. INFO Product RedirSvc to be removed from system. INFO Product VS to be removed from system. INFO Product MSC to be removed from system. INFO Start trust. INFO MfeApTrustLegacyProcessStart return FALSE. INFO Disable AP and wait for 5 seconds. INFO Task Scheduler service started. WINERR IPersistFile::Save() failed. Error: 0x8007007a FAIL Error while running cleanup using Task Scheduler. INFO End trust. Hope we can get this fixed soon! Tahnks.
- August 29, 2011
- 3 replies
Virus hit; lost programs and files

EdOr replied to EdOr's topic in Resolved Malware Removal Logs

Ok, finally got it to produce a log file after the added in Windows utility you instructe to add to Combofix. If it helps; In "Add and Remove Programs" I was able to remove AVG, and it no longer shows up in the list of programs after reboot, but I see in the log it says it is still installed and active. I tried to remove MacAfee too, but it pops up a window that says:"Navigation to webpage was canceled" and does nothing else but allow to "x" out of the window. What next? Here it is the combofix log: ComboFix 11-07-18.01 - TracieN 07/19/2011 13:23:20.4.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2382 [GMT -7:00] Running from: c:\documents and settings\TracieN\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\TracieN\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} * Resident AV is active . . . ((((((((((((((((((((((((( Files Created from 2011-06-19 to 2011-07-19 ))))))))))))))))))))))))))))))) . . 2011-07-19 15:05 . 2011-07-19 15:05 -------- d-----w- C:\02e068d404290831023535 2011-07-18 18:38 . 2011-07-18 18:38 -------- d-----w- C:\aa034c97014b6ae55c708d 2011-07-15 22:46 . 2011-07-15 22:46 -------- d-----w- C:\a32b7b54ccd144f5ef4f3e10 2011-07-14 15:04 . 2011-07-15 21:48 -------- d-----w- C:\514dabeb394370549631 2011-07-13 15:04 . 2011-07-13 15:04 -------- d-----w- C:\16bd3373b7daba1cb67e09ec130953 2011-07-11 22:37 . 2011-07-12 15:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-07-11 20:59 . 2011-07-11 20:59 -------- d-----w- C:\bb90d90176c79febb773643a 2011-07-05 19:06 . 2011-07-05 19:06 -------- d-----w- c:\documents and settings\TracieN\Application Data\Malwarebytes 2011-07-01 05:03 . 2011-07-01 05:03 -------- d-----w- c:\program files\7-Zip 2011-07-01 04:03 . 2011-07-01 04:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Intuit 2011-07-01 02:39 . 2011-07-01 02:39 -------- d-----w- C:\8e229b368aea56275bbfc5681ec25e 2011-06-30 22:49 . 2011-06-30 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-06-30 22:49 . 2011-07-18 18:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-06-30 22:00 . 2011-07-11 22:06 -------- d-----w- c:\documents and settings\Administrator.HOMEWATCH 2011-06-30 19:37 . 2011-07-11 22:31 -------- d-----w- c:\program files\Spybot - Search & Destroy 2011-06-30 19:37 . 2011-07-11 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2011-06-30 16:25 . 2011-06-30 16:26 -------- d-----w- c:\documents and settings\TracieN\Application Data\IObit 2011-06-30 16:25 . 2011-06-30 16:26 -------- d-----w- c:\program files\IObit 2011-06-30 15:49 . 2011-06-30 15:49 -------- d-----w- c:\documents and settings\TracieN\Application Data\AVG10 2011-06-30 15:42 . 2011-07-11 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10 2011-06-30 15:42 . 2011-06-30 15:42 -------- d-----w- c:\program files\AVG 2011-06-30 15:37 . 2011-07-11 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData 2011-06-27 19:16 . 2011-06-27 19:16 -------- d-----w- c:\program files\TelevisionFanatic 2011-06-27 19:14 . 2011-03-21 13:58 152064 ----a-w- c:\windows\system32\xvid.ax 2011-06-27 19:14 . 2011-03-19 15:06 240640 ----a-w- c:\windows\system32\xvidvfw.dll 2011-06-27 19:14 . 2011-03-19 15:04 650752 ----a-w- c:\windows\system32\xvidcore.dll 2011-06-27 19:14 . 2011-06-27 19:14 -------- d-----w- c:\program files\Xvid 2011-06-21 19:01 . 2011-06-21 19:07 -------- d-----w- c:\documents and settings\coordinator 2011-06-21 18:49 . 2011-07-01 15:11 -------- d-----w- c:\documents and settings\scheduler . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-06-27 19:25 . 2006-02-28 02:00 18944 ----a-w- c:\windows\system32\version.dll 2011-06-27 19:25 . 2006-02-28 02:00 110080 ----a-w- c:\windows\system32\imm32.dll 2011-06-02 14:02 . 2006-02-28 02:00 1858944 ----a-w- c:\windows\system32\win32k.sys 2011-05-02 15:31 . 2006-02-28 02:00 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-04-29 17:25 . 2006-02-28 02:00 151552 ----a-w- c:\windows\system32\schannel.dll 2011-04-29 16:19 . 2006-02-28 02:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-04-26 11:07 . 2006-02-28 02:00 33280 ----a-w- c:\windows\system32\csrsrv.dll 2011-04-26 11:07 . 2006-02-28 02:00 293376 ----a-w- c:\windows\system32\winsrv.dll 2011-04-25 16:11 . 2006-02-28 02:00 916480 ----a-w- c:\windows\system32\wininet.dll 2011-04-25 16:11 . 2006-02-28 02:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-04-25 16:11 . 2006-02-28 02:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2011-04-25 12:01 . 2006-02-28 02:00 385024 ----a-w- c:\windows\system32\html.iec 2011-04-21 13:37 . 2006-02-28 02:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys 2003-06-20 22:05 . 2007-07-19 17:45 2368613 ----a-w- c:\program files\Common Files\QBFC2.1Installer.exe 2010-01-29 18:37 . 2010-01-29 18:37 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll 2011-04-14 21:01 . 2011-03-01 22:16 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll . . ------- Sigcheck ------- Note: Unsigned files aren't necessarily malware. . [-] 2011-06-27 . 06F64F27A3D4E24D7152F8515CF635EC . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll [7] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\imm32.dll [7] 2006-02-28 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\imm32.dll . [-] 2011-06-27 . C7307DF49D6C9A9C6E1A995F515A419A . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll [7] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\version.dll [7] 2006-02-28 . D38408967BE738D0C1B47005BCE8CEEB . 18944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\version.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-13 68856] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096] . c:\documents and settings\tnelson\Start Menu\Programs\Startup\ Yammer.lnk - c:\program files\Yammer\Yammer.exe [2010-4-1 95232] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoWelcomeScreen"= 1 (0x1) . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2010-10-05 15:36 87424 ----a-w- c:\windows\system32\LMIinit.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer] @="Service" . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "IMFservice"=2 (0x2) . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\SMINST\\Scheduler.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\CounterPath\\Bria\\bria.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 . R2 gupdate1c9e3d12c9c5c2d;Google Update Service (gupdate1c9e3d12c9c5c2d);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 133104] R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-08 93320] R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480] R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480] R2 TelevisionFanaticService;TelevisionFanaticService;c:\progra~1\TELEVI~2\bar\1.bin\64barsvc.exe [2011-06-27 42504] R2 Zimbra Desktop Service;Zimbra Desktop Service;c:\documents and settings\tnelson\Local Settings\Application Data\Zimbra\zdesktop\zdesktop.exe [2010-01-27 139264] R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-04-14 56064] R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 133104] R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x] R3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\DRIVERS\mfendisk.sys [2011-04-14 88736] R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-04-14 84488] R3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe [2009-08-18 678912] R3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\DRIVERS\TSUSB2.sys [2008-08-04 54016] S0 atiide;atiide;c:\windows\system32\DRIVERS\atiide.sys [2006-09-13 3840] S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-04-14 84200] S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-04-14 188136] S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-04-14 141792] S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2006-07-14 534040] S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-04-14 314088] S3 mfendiskmp;mfendiskmp;c:\windows\system32\DRIVERS\mfendisk.sys [2011-04-14 88736] . . --- Other Services/Drivers In Memory --- . *Deregistered* - mfeavfk01 . Contents of the 'Scheduled Tasks' folder . 2011-07-19 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34] . 2011-07-01 c:\windows\Tasks\diff.job - c:\windows\system32\ntbackup.exe [2006-02-28 00:12] . 2011-07-16 c:\windows\Tasks\Full.job - c:\windows\system32\ntbackup.exe [2006-02-28 00:12] . 2011-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 22:26] . 2011-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 22:26] . 2011-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1089530128-397176591-3299723014-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1911278139-1797553926-3513879574-1155.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-1138.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-1142.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-1144.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1089530128-397176591-3299723014-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1911278139-1797553926-3513879574-1155.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-1138.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-1142.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-1144.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-19 c:\windows\Tasks\User_Feed_Synchronization-{F2DD748F-06C7-49A3-898B-EE25583F45AF}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=XPxdm002YYus&ptb=86F8072E-3F6B-4371-98E9-DBEC706A17DB uInternet Connection Wizard,ShellNext = ftp://ftp.homewatchcaregivers.com/ IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html TCP: DhcpNameServer = 192.168.1.250 24.205.192.61 Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll FF - ProfilePath - . - - - - ORPHANS REMOVED - - - - . URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file) . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-07-19 14:12 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . ************************************************************************** . Completion time: 2011-07-19 14:21:16 ComboFix-quarantined-files.txt 2011-07-19 21:21 ComboFix2.txt 2011-07-13 17:18 ComboFix3.txt 2011-07-12 01:21 . Pre-Run: 24,801,918,976 bytes free Post-Run: 25,410,613,248 bytes free . - - End Of File - - 7A69F60153800248E71C03AB4381F44D
- July 19, 2011
- 7 replies
Virus hit; lost programs and files

EdOr replied to EdOr's topic in Resolved Malware Removal Logs

Ok, Here is the new logs created today 7/13/11. I did remove AVG antivirus and only have MaCafee on the PC. However MaCafe is one of several apps not working, or at least not accessible via the icon, start menu or All Programs. CombFix: ComboFix 11-07-11.02 - administrator 07/13/2011 10:03:03.3.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2269 [GMT -7:00] Running from: c:\documents and settings\Administrator.HOMEWATCH\Desktop\ComboFix.exe AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} * Resident AV is active . . WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . . ((((((((((((((((((((((((( Files Created from 2011-06-13 to 2011-07-13 ))))))))))))))))))))))))))))))) . . 2011-07-13 15:13 . 2011-07-13 15:13 -------- d-----w- c:\windows\LastGood 2011-07-13 15:04 . 2011-07-13 15:04 -------- d-----w- C:\16bd3373b7daba1cb67e09ec130953 2011-07-12 15:50 . 2011-07-12 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan 2011-07-12 15:50 . 2011-07-12 15:50 -------- d-----w- c:\program files\McAfee Security Scan 2011-07-11 22:37 . 2011-07-12 15:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-07-11 20:59 . 2011-07-11 20:59 -------- d-----w- C:\bb90d90176c79febb773643a 2011-07-05 19:06 . 2011-07-05 19:06 -------- d-----w- c:\documents and settings\TracieN\Application Data\Malwarebytes 2011-07-01 05:03 . 2011-07-01 05:03 -------- d-----w- c:\program files\7-Zip 2011-07-01 04:03 . 2011-07-01 04:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Intuit 2011-07-01 02:39 . 2011-07-01 02:39 -------- d-----w- C:\8e229b368aea56275bbfc5681ec25e 2011-06-30 22:49 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-06-30 22:49 . 2011-06-30 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-06-30 22:49 . 2011-06-30 22:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-06-30 22:49 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-06-30 22:00 . 2011-07-11 22:06 -------- d-----w- c:\documents and settings\Administrator.HOMEWATCH 2011-06-30 19:37 . 2011-07-11 22:31 -------- d-----w- c:\program files\Spybot - Search & Destroy 2011-06-30 19:37 . 2011-07-11 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2011-06-30 16:25 . 2011-06-30 16:26 -------- d-----w- c:\documents and settings\TracieN\Application Data\IObit 2011-06-30 16:25 . 2011-06-30 16:26 -------- d-----w- c:\program files\IObit 2011-06-30 15:49 . 2011-06-30 15:49 -------- d-----w- c:\documents and settings\TracieN\Application Data\AVG10 2011-06-30 15:42 . 2011-07-11 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10 2011-06-30 15:42 . 2011-06-30 15:42 -------- d-----w- c:\program files\AVG 2011-06-30 15:37 . 2011-07-11 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData 2011-06-27 19:16 . 2011-06-27 19:16 -------- d-----w- c:\program files\TelevisionFanatic 2011-06-27 19:14 . 2011-03-21 13:58 152064 ----a-w- c:\windows\system32\xvid.ax 2011-06-27 19:14 . 2011-03-19 15:06 240640 ----a-w- c:\windows\system32\xvidvfw.dll 2011-06-27 19:14 . 2011-03-19 15:04 650752 ----a-w- c:\windows\system32\xvidcore.dll 2011-06-27 19:14 . 2011-06-27 19:14 -------- d-----w- c:\program files\Xvid 2011-06-21 19:01 . 2011-06-21 19:07 -------- d-----w- c:\documents and settings\coordinator 2011-06-21 18:49 . 2011-07-01 15:11 -------- d-----w- c:\documents and settings\scheduler 2011-06-17 10:02 . 2011-06-17 10:25 -------- d-----w- c:\windows\SxsCaPendDel 2011-06-16 14:20 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-06-27 19:25 . 2006-02-28 02:00 18944 ----a-w- c:\windows\system32\version.dll 2011-06-27 19:25 . 2006-02-28 02:00 110080 ----a-w- c:\windows\system32\imm32.dll 2011-05-02 15:31 . 2006-02-28 02:00 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-04-29 17:25 . 2006-02-28 02:00 151552 ----a-w- c:\windows\system32\schannel.dll 2011-04-29 16:19 . 2006-02-28 02:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-04-25 16:11 . 2006-02-28 02:00 916480 ----a-w- c:\windows\system32\wininet.dll 2011-04-25 16:11 . 2006-02-28 02:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-04-25 16:11 . 2006-02-28 02:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2011-04-25 12:01 . 2006-02-28 02:00 385024 ----a-w- c:\windows\system32\html.iec 2011-04-21 13:37 . 2006-02-28 02:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys 2011-04-14 21:01 . 2011-03-01 22:16 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys 2011-04-14 21:01 . 2011-03-01 22:16 141792 ----a-w- c:\windows\system32\mfevtps.exe 2011-04-14 21:01 . 2011-03-01 22:16 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys 2011-04-14 21:01 . 2011-03-01 22:16 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys 2011-04-14 21:01 . 2011-03-01 22:16 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys 2011-04-14 21:01 . 2011-03-01 22:16 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys 2011-04-14 21:01 . 2011-03-01 22:16 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys 2011-04-14 21:01 . 2011-03-01 22:16 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2011-04-14 21:01 . 2011-03-01 22:16 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2011-04-14 21:01 . 2011-03-01 22:16 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys 2011-04-14 21:01 . 2011-03-01 22:16 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2003-06-20 22:05 . 2007-07-19 17:45 2368613 ----a-w- c:\program files\Common Files\QBFC2.1Installer.exe 2010-01-29 18:37 . 2010-01-29 18:37 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll 2011-04-14 21:01 . 2011-03-01 22:16 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll . . ------- Sigcheck ------- Note: Unsigned files aren't necessarily malware. . [-] 2011-06-27 . 06F64F27A3D4E24D7152F8515CF635EC . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll [7] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\imm32.dll [7] 2006-02-28 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\imm32.dll . [-] 2011-06-27 . C7307DF49D6C9A9C6E1A995F515A419A . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll [7] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\version.dll [7] 2006-02-28 . D38408967BE738D0C1B47005BCE8CEEB . 18944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\version.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5d79f641-c168-40df-a32f-bacea7509e75}] 2011-06-27 19:16 62864 ----a-w- c:\program files\TelevisionFanatic\bar\1.bin\64SrcAs.dll . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cb41fc95-f1b3-4797-8bb6-1012ff62abba}] 2011-06-27 19:16 669072 ----a-w- c:\progra~1\TELEVI~2\bar\1.bin\64bar.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{c98d5b61-b0ea-4d48-9839-1079d352d880}"= "c:\program files\TelevisionFanatic\bar\1.bin\64bar.dll" [2011-06-27 669072] . [HKEY_CLASSES_ROOT\clsid\{c98d5b61-b0ea-4d48-9839-1079d352d880}] . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-13 68856] "Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192] "Bria"="c:\program files\CounterPath\Bria\bria.exe" [2009-06-26 17907712] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096] . c:\documents and settings\tnelson\Start Menu\Programs\Startup\ Yammer.lnk - c:\program files\Yammer\Yammer.exe [2010-4-1 95232] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoWelcomeScreen"= 1 (0x1) . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2010-10-05 15:36 87424 ----a-w- c:\windows\system32\LMIinit.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer] @="Service" . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "IMFservice"=2 (0x2) . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\SMINST\\Scheduler.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\CounterPath\\Bria\\bria.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 . R2 gupdate1c9e3d12c9c5c2d;Google Update Service (gupdate1c9e3d12c9c5c2d);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 133104] R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-08 93320] R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480] R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480] R2 TelevisionFanaticService;TelevisionFanaticService;c:\progra~1\TELEVI~2\bar\1.bin\64barsvc.exe [2011-06-27 42504] R2 Zimbra Desktop Service;Zimbra Desktop Service;c:\documents and settings\tnelson\Local Settings\Application Data\Zimbra\zdesktop\zdesktop.exe [2010-01-27 139264] R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-04-14 56064] R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 133104] R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-29 39984] R3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\DRIVERS\mfendisk.sys [2011-04-14 88736] R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-04-14 84488] R3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe [2009-08-18 678912] R3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\DRIVERS\TSUSB2.sys [2008-08-04 54016] S0 atiide;atiide;c:\windows\system32\DRIVERS\atiide.sys [2006-09-13 3840] S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-04-14 84200] S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-04-14 188136] S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-04-14 141792] S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2006-07-14 534040] S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-04-14 314088] S3 mfendiskmp;mfendiskmp;c:\windows\system32\DRIVERS\mfendisk.sys [2011-04-14 88736] . . --- Other Services/Drivers In Memory --- . *Deregistered* - mfeavfk01 . Contents of the 'Scheduled Tasks' folder . 2011-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34] . 2011-07-01 c:\windows\Tasks\diff.job - c:\windows\system32\ntbackup.exe [2006-02-28 00:12] . 2011-05-28 c:\windows\Tasks\Full.job - c:\windows\system32\ntbackup.exe [2006-02-28 00:12] . 2011-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 22:26] . 2011-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 22:26] . 2011-07-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1089530128-397176591-3299723014-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1911278139-1797553926-3513879574-1155.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-1138.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-1142.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-1144.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-06-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1089530128-397176591-3299723014-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-06-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1911278139-1797553926-3513879574-1155.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-1138.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-1142.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-1144.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-13 c:\windows\Tasks\User_Feed_Synchronization-{F2DD748F-06C7-49A3-898B-EE25583F45AF}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.hp.com IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html TCP: DhcpNameServer = 192.168.1.250 24.205.192.61 Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll FF - ProfilePath - . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-07-13 10:15 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . ************************************************************************** . Completion time: 2011-07-13 10:18:46 ComboFix-quarantined-files.txt 2011-07-13 17:18 ComboFix2.txt 2011-07-12 01:21 . Pre-Run: 26,173,247,488 bytes free Post-Run: 26,360,266,752 bytes free . - - End Of File - - 02839834C23976749F670AB6C5184F09 DDS . DDS (Ver_2011-06-23.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21 Run by administrator at 10:19:14 on 2011-07-13 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2309 [GMT -7:00] . AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\mfevtps.exe C:\Program Files\PDF Complete\pdfsvc.exe c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe C:\Program Files\Microsoft\BingBar\SeaPort.EXE C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Program Files\Google\Google Toolbar\Component\SearchWithGoogleUpdate_86D23231A3A85F4A.exe C:\Program Files\Google\Google Toolbar\Component\SearchWithGoogleUpdate_86D23231A3A85F4A.exe C:\WINDOWS\SoftwareDistribution\Download\Install\vcredist_x86.exe c:\16bd3373b7daba1cb67e09ec130953\install.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.hp.com BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll BHO: Search Assistant BHO: {5d79f641-c168-40df-a32f-bacea7509e75} - c:\program files\televisionfanatic\bar\1.bin\64SrcAs.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110510115829.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: Toolbar BHO: {cb41fc95-f1b3-4797-8bb6-1012ff62abba} - c:\progra~1\televi~2\bar\1.bin\64bar.dll BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll" BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll" TB: TelevisionFanatic: {c98d5b61-b0ea-4d48-9839-1079d352d880} - c:\program files\televisionfanatic\bar\1.bin\64bar.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe uRun: [bria] "c:\program files\counterpath\bria\bria.exe" mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe mPolicies-explorer: NoWelcomeScreen = 1 (0x1) IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://hwcserver/connectcomputer/nshelp.dll DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199410328133 DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - hxxps://reports2.paychoiceonline.com/pcoreports/arview2.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://homewatchcaregivers.webex.com/client/T27L/nbr/ieatgpc.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 192.168.1.250 24.205.192.61 TCP: Interfaces\{1310A1C8-B84C-4950-8AF2-D34B47D7F11C} : DhcpNameServer = 192.168.1.250 24.205.192.61 TCP: Interfaces\{C0BF6E7B-4FA8-47FB-BD90-1BFBE01C189D} : DhcpNameServer = 192.168.1.15 24.205.192.61 24.205.224.36 Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Notify: AtiExtEvent - Ati2evxx.dll Notify: LMIinit - LMIinit.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll . ================= FIREFOX =================== . FF - ProfilePath - . ============= SERVICES / DRIVERS =============== . R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2006-9-13 3840] R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-1 387480] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-1 84200] R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-3-10 47640] R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-3-1 171168] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-1 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-1 141792] R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2007-7-2 534040] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-1 153280] R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-1 52320] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-1 314088] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88736] S2 gupdate1c9e3d12c9c5c2d;Google Update Service (gupdate1c9e3d12c9c5c2d);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104] S2 LMIGuardianSvc;LMIGuardianSvc;"c:\program files\logmein\x86\lmiguardiansvc.exe" --> c:\program files\logmein\x86\LMIGuardianSvc.exe [?] S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?] S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-29 93320] S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480] S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480] S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480] S2 TelevisionFanaticService;TelevisionFanaticService;c:\progra~1\televi~2\bar\1.bin\64barsvc.exe [2011-6-27 42504] S2 Zimbra Desktop Service;Zimbra Desktop Service;c:\documents and settings\tnelson\local settings\application data\zimbra\zdesktop\zdesktop.exe [2010-7-6 139264] S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560] S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-1 56064] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-30 39984] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88736] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-1 84488] S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb20 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB20 [?] S3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TSUSB2.sys [2009-4-13 54016] S4 LMIRfsClientNP;LMIRfsClientNP; [x] . =============== Created Last 30 ================ . 2011-07-13 16:59:24 -------- d-----w- C:\ComboFix 2011-07-13 15:04:29 -------- d-----w- C:\16bd3373b7daba1cb67e09ec130953 2011-07-12 15:50:37 -------- d-----w- c:\documents and settings\all users\application data\McAfee Security Scan 2011-07-12 15:50:35 -------- d-----w- c:\program files\McAfee Security Scan 2011-07-11 23:00:21 208896 ----a-w- c:\windows\MBR.exe 2011-07-11 23:00:18 256000 ----a-w- c:\windows\PEV.exe 2011-07-11 23:00:17 98816 ----a-w- c:\windows\sed.exe 2011-07-11 23:00:17 518144 ----a-w- c:\windows\SWREG.exe 2011-07-11 22:37:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-07-11 22:06:16 -------- d-sh--w- c:\documents and settings\administrator.homewatch\IECompatCache 2011-07-11 22:02:53 -------- d-----w- c:\documents and settings\administrator.homewatch\application data\AVG10 2011-07-11 20:59:35 -------- d-----w- C:\bb90d90176c79febb773643a 2011-07-01 04:09:37 -------- d-----w- c:\documents and settings\administrator.homewatch\application data\Skinux 2011-07-01 04:09:35 -------- d-----w- c:\documents and settings\administrator.homewatch\local settings\application data\CounterPath Corporation 2011-07-01 04:09:35 -------- d-----w- c:\documents and settings\administrator.homewatch\application data\CounterPath Corporation 2011-07-01 02:39:25 -------- d-----w- C:\8e229b368aea56275bbfc5681ec25e 2011-06-30 22:50:29 -------- d-----w- c:\documents and settings\administrator.homewatch\application data\IObit 2011-06-30 22:49:46 -------- d-----w- c:\documents and settings\administrator.homewatch\application data\Malwarebytes 2011-06-30 22:49:38 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-06-30 22:49:37 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes 2011-06-30 22:49:33 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-06-30 22:49:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-06-30 22:06:43 -------- d-sh--w- c:\documents and settings\administrator.homewatch\PrivacIE 2011-06-30 19:37:27 -------- d-----w- c:\program files\Spybot - Search & Destroy 2011-06-30 19:37:27 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy 2011-06-30 16:25:20 -------- d-----w- c:\program files\IObit 2011-06-30 15:42:46 -------- d-----w- c:\documents and settings\all users\application data\AVG10 2011-06-30 15:42:08 -------- d-----w- c:\program files\AVG 2011-06-30 15:37:42 -------- d-----w- c:\documents and settings\all users\application data\MFAData 2011-06-27 19:16:38 -------- d-----w- c:\program files\TelevisionFanatic 2011-06-27 19:16:26 -------- d-----w- c:\program files\TelevisionFanaticEI 2011-06-27 19:14:44 650752 ----a-w- c:\windows\system32\xvidcore.dll 2011-06-27 19:14:44 240640 ----a-w- c:\windows\system32\xvidvfw.dll 2011-06-27 19:14:44 152064 ----a-w- c:\windows\system32\xvid.ax 2011-06-27 19:14:41 -------- d-----w- c:\program files\Xvid 2011-06-17 10:02:52 -------- d-----w- c:\windows\SxsCaPendDel 2011-06-16 14:20:23 105472 ------w- c:\windows\system32\dllcache\mup.sys . ==================== Find3M ==================== . 2011-06-27 19:25:20 18944 ----a-w- c:\windows\system32\version.dll 2011-06-27 19:25:19 110080 ----a-w- c:\windows\system32\imm32.dll 2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll 2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll 2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec 2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys 2011-04-14 21:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys 2011-04-14 21:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys 2011-04-14 21:01:38 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys 2011-04-14 21:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys 2011-04-14 21:01:38 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys 2011-04-14 21:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys 2011-04-14 21:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2011-04-14 21:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2011-04-14 21:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys 2011-04-14 21:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2011-04-14 21:01:38 141792 ----a-w- c:\windows\system32\mfevtps.exe 2003-06-20 22:05:44 2368613 ----a-w- c:\program files\common files\QBFC2.1Installer.exe . ============= FINISH: 10:20:21.46 ===============
- July 13, 2011
- 7 replies
Virus hit; lost programs and files

EdOr replied to EdOr's topic in Resolved Malware Removal Logs

Hi, Thanks for getting back. But, something went wrong Monday (7/11) when I completed your instructions and attempted to send the logs. I don't see my reply here with the attached logs. I will repeat the combofix and DDS scans and again attach the logs by endo of day (7/13). Sorr, my time demands make it tough to get on thjis daily. Thanks for your patients and help.
- July 13, 2011
- 7 replies
all programs in Start Menu and "All Programs" are missing

EdOr replied to EdOr's topic in Resolved Malware Removal Logs

OK, here are the logs requested. FYI -- I had to 'nurse' thru the CombFix scan by cliking off a repeating error message; "The System cannot find the file NIRCMD". this one came up at every stage of the scan. There were other error messages too, but this was the dominate meeage in frequency. Still seeing the LOADER ERROR: previously mentioned. ComboFix 11-07-11.02 - administrator 07/11/2011 17:44:45.2.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2360 [GMT -7:00] Running from: c:\documents and settings\Administrator.HOMEWATCH\Desktop\ComboFix.exe AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} * Resident AV is active . . WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\tnelson\WINDOWS . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_MYWEBSEARCHSERVICE . . ((((((((((((((((((((((((( Files Created from 2011-06-12 to 2011-07-12 ))))))))))))))))))))))))))))))) . . 2011-07-11 22:37 . 2011-07-11 22:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-07-11 20:59 . 2011-07-11 20:59 -------- d-----w- C:\bb90d90176c79febb773643a 2011-07-05 19:06 . 2011-07-05 19:06 -------- d-----w- c:\documents and settings\TracieN\Application Data\Malwarebytes 2011-07-01 05:03 . 2011-07-01 05:03 -------- d-----w- c:\program files\7-Zip 2011-07-01 04:03 . 2011-07-01 04:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Intuit 2011-07-01 02:39 . 2011-07-01 02:39 -------- d-----w- C:\8e229b368aea56275bbfc5681ec25e 2011-06-30 22:49 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-06-30 22:49 . 2011-06-30 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-06-30 22:49 . 2011-06-30 22:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-06-30 22:49 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-06-30 22:00 . 2011-07-11 22:06 -------- d-----w- c:\documents and settings\Administrator.HOMEWATCH 2011-06-30 19:37 . 2011-07-11 22:31 -------- d-----w- c:\program files\Spybot - Search & Destroy 2011-06-30 19:37 . 2011-07-11 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2011-06-30 16:25 . 2011-06-30 16:26 -------- d-----w- c:\documents and settings\TracieN\Application Data\IObit 2011-06-30 16:25 . 2011-06-30 16:26 -------- d-----w- c:\program files\IObit 2011-06-30 15:49 . 2011-06-30 15:49 -------- d-----w- c:\documents and settings\TracieN\Application Data\AVG10 2011-06-30 15:42 . 2011-07-11 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10 2011-06-30 15:42 . 2011-06-30 15:42 -------- d-----w- c:\program files\AVG 2011-06-30 15:37 . 2011-07-11 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData 2011-06-27 19:16 . 2011-06-27 19:16 -------- d-----w- c:\program files\TelevisionFanatic 2011-06-27 19:14 . 2011-03-21 13:58 152064 ----a-w- c:\windows\system32\xvid.ax 2011-06-27 19:14 . 2011-03-19 15:06 240640 ----a-w- c:\windows\system32\xvidvfw.dll 2011-06-27 19:14 . 2011-03-19 15:04 650752 ----a-w- c:\windows\system32\xvidcore.dll 2011-06-27 19:14 . 2011-06-27 19:14 -------- d-----w- c:\program files\Xvid 2011-06-21 19:01 . 2011-06-21 19:07 -------- d--h--w- c:\documents and settings\coordinator 2011-06-21 18:49 . 2011-07-01 15:11 -------- d--h--w- c:\documents and settings\scheduler 2011-06-17 10:02 . 2011-06-17 10:25 -------- d-----w- c:\windows\SxsCaPendDel 2011-06-16 14:20 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-06-27 19:25 . 2006-02-28 02:00 18944 ----a-w- c:\windows\system32\version.dll 2011-06-27 19:25 . 2006-02-28 02:00 110080 ----a-w- c:\windows\system32\imm32.dll 2011-05-02 15:31 . 2006-02-28 02:00 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-04-29 17:25 . 2006-02-28 02:00 151552 ----a-w- c:\windows\system32\schannel.dll 2011-04-29 16:19 . 2006-02-28 02:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-04-25 16:11 . 2006-02-28 02:00 916480 ----a-w- c:\windows\system32\wininet.dll 2011-04-25 16:11 . 2006-02-28 02:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-04-25 16:11 . 2006-02-28 02:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2011-04-25 12:01 . 2006-02-28 02:00 385024 ----a-w- c:\windows\system32\html.iec 2011-04-21 13:37 . 2006-02-28 02:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys 2011-04-14 21:01 . 2011-03-01 22:16 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys 2011-04-14 21:01 . 2011-03-01 22:16 141792 ----a-w- c:\windows\system32\mfevtps.exe 2011-04-14 21:01 . 2011-03-01 22:16 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys 2011-04-14 21:01 . 2011-03-01 22:16 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys 2011-04-14 21:01 . 2011-03-01 22:16 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys 2011-04-14 21:01 . 2011-03-01 22:16 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys 2011-04-14 21:01 . 2011-03-01 22:16 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys 2011-04-14 21:01 . 2011-03-01 22:16 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2011-04-14 21:01 . 2011-03-01 22:16 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2011-04-14 21:01 . 2011-03-01 22:16 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys 2011-04-14 21:01 . 2011-03-01 22:16 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2003-06-20 22:05 . 2007-07-19 17:45 2368613 ---ha-w- c:\program files\Common Files\QBFC2.1Installer.exe 2010-01-29 18:37 . 2010-01-29 18:37 135680 ---ha-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll 2011-04-14 21:01 . 2011-03-01 22:16 24376 ---ha-w- c:\program files\mozilla firefox\components\Scriptff.dll . . ------- Sigcheck ------- Note: Unsigned files aren't necessarily malware. . [-] 2011-06-27 . 06F64F27A3D4E24D7152F8515CF635EC . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll [7] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\imm32.dll [7] 2006-02-28 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\imm32.dll . [-] 2011-06-27 . C7307DF49D6C9A9C6E1A995F515A419A . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll [7] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\version.dll [7] 2006-02-28 . D38408967BE738D0C1B47005BCE8CEEB . 18944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\version.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5d79f641-c168-40df-a32f-bacea7509e75}] 2011-06-27 19:16 62864 ----a-w- c:\program files\TelevisionFanatic\bar\1.bin\64SrcAs.dll . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cb41fc95-f1b3-4797-8bb6-1012ff62abba}] 2011-06-27 19:16 669072 ----a-w- c:\progra~1\TELEVI~2\bar\1.bin\64bar.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{c98d5b61-b0ea-4d48-9839-1079d352d880}"= "c:\program files\TelevisionFanatic\bar\1.bin\64bar.dll" [2011-06-27 669072] . [HKEY_CLASSES_ROOT\clsid\{c98d5b61-b0ea-4d48-9839-1079d352d880}] . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-13 68856] "Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192] "Bria"="c:\program files\CounterPath\Bria\bria.exe" [2009-06-26 17907712] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096] . c:\documents and settings\tnelson\Start Menu\Programs\Startup\ Yammer.lnk - c:\program files\Yammer\Yammer.exe [2010-4-1 95232] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoWelcomeScreen"= 1 (0x1) . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2010-10-05 15:36 87424 ----a-w- c:\windows\system32\LMIinit.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer] @="Service" . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "IMFservice"=2 (0x2) . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\SMINST\\Scheduler.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\CounterPath\\Bria\\bria.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 . R2 gupdate1c9e3d12c9c5c2d;Google Update Service (gupdate1c9e3d12c9c5c2d);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 133104] R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-12-08 93320] R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480] R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480] R2 TelevisionFanaticService;TelevisionFanaticService;c:\progra~1\TELEVI~2\bar\1.bin\64barsvc.exe [2011-06-27 42504] R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-04-14 56064] R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 133104] R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-29 39984] R3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\DRIVERS\mfendisk.sys [2011-04-14 88736] R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-04-14 84488] R3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe [2009-08-18 678912] R3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\DRIVERS\TSUSB2.sys [2008-08-04 54016] S0 atiide;atiide;c:\windows\system32\DRIVERS\atiide.sys [2006-09-13 3840] S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-04-14 84200] S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-04-14 188136] S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-04-14 141792] S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2006-07-14 534040] S2 Zimbra Desktop Service;Zimbra Desktop Service;c:\documents and settings\tnelson\Local Settings\Application Data\Zimbra\zdesktop\zdesktop.exe [2010-01-27 139264] S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-04-14 314088] S3 mfendiskmp;mfendiskmp;c:\windows\system32\DRIVERS\mfendisk.sys [2011-04-14 88736] . . --- Other Services/Drivers In Memory --- . *Deregistered* - mfeavfk01 . Contents of the 'Scheduled Tasks' folder . 2011-06-14 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34] . 2011-07-01 c:\windows\Tasks\diff.job - c:\windows\system32\ntbackup.exe [2006-02-28 00:12] . 2011-05-28 c:\windows\Tasks\Full.job - c:\windows\system32\ntbackup.exe [2006-02-28 00:12] . 2011-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 22:26] . 2011-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-02 22:26] . 2011-07-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1089530128-397176591-3299723014-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1911278139-1797553926-3513879574-1155.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-1138.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-1142.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-1144.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-961117031-1944572115-1770970122-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-06-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1089530128-397176591-3299723014-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-06-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1911278139-1797553926-3513879574-1155.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-06-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-1138.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-06-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-1142.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-1144.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-961117031-1944572115-1770970122-500.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09] . 2011-07-12 c:\windows\Tasks\User_Feed_Synchronization-{F2DD748F-06C7-49A3-898B-EE25583F45AF}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.hp.com IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html TCP: DhcpNameServer = 192.168.1.250 24.205.192.61 Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll FF - ProfilePath - . - - - - ORPHANS REMOVED - - - - . URLSearchHooks-{0696f815-a3a9-490a-bb14-9ec3350b1276} - (no file) Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) HKCU-Run-rBdBVPVSFJr - c:\documents and settings\All Users\Application Data\rBdBVPVSFJr.exe Notify-NavLogon - (no file) . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-07-11 18:06 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . ************************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe c:\program files\Microsoft\BingBar\SeaPort.EXE c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE c:\windows\system32\SearchIndexer.exe c:\program files\Common Files\McAfee\SystemCore\mcshield.exe c:\program files\Common Files\McAfee\SystemCore\mfefire.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe c:\windows\system32\SearchProtocolHost.exe c:\windows\system32\Ati2evxx.exe c:\program files\Microsoft\BingBar\BingBar.exe c:\program files\Microsoft\BingBar\BingApp.exe c:\windows\system32\NOTEPAD.EXE c:\program files\internet explorer\iexplore.exe c:\program files\internet explorer\iexplore.exe c:\windows\system32\SearchFilterHost.exe c:\windows\system32\SearchProtocolHost.exe . ************************************************************************** . Completion time: 2011-07-11 18:21:32 - machine was rebooted ComboFix-quarantined-files.txt 2011-07-12 01:21 . Pre-Run: 25,682,128,896 bytes free Post-Run: 26,334,752,768 bytes free . - - End Of File - - CCC26700E27EDA004D9EFEE27B5E09CD . DDS (Ver_2011-06-23.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21 Run by administrator at 18:27:11 on 2011-07-11 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2250 [GMT -7:00] . AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\mfevtps.exe C:\Program Files\PDF Complete\pdfsvc.exe c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe C:\Program Files\Microsoft\BingBar\SeaPort.EXE C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\WINDOWS\system32\SearchIndexer.exe C:\Documents and Settings\tnelson\Local Settings\Application Data\Zimbra\zdesktop\zdesktop.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft\BingBar\BingBar.exe C:\Program Files\Microsoft\BingBar\BingApp.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\internet explorer\iexplore.exe C:\Program Files\internet explorer\iexplore.exe C:\WINDOWS\system32\notepad.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.hp.com BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll BHO: Search Assistant BHO: {5d79f641-c168-40df-a32f-bacea7509e75} - c:\program files\televisionfanatic\bar\1.bin\64SrcAs.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110510115829.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: Toolbar BHO: {cb41fc95-f1b3-4797-8bb6-1012ff62abba} - c:\progra~1\televi~2\bar\1.bin\64bar.dll BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll" BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll" TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll TB: TelevisionFanatic: {c98d5b61-b0ea-4d48-9839-1079d352d880} - c:\program files\televisionfanatic\bar\1.bin\64bar.dll uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe uRun: [bria] "c:\program files\counterpath\bria\bria.exe" mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t mPolicies-explorer: NoWelcomeScreen = 1 (0x1) IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://hwcserver/connectcomputer/nshelp.dll DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199410328133 DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - hxxps://reports2.paychoiceonline.com/pcoreports/arview2.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://homewatchcaregivers.webex.com/client/T27L/nbr/ieatgpc.cab TCP: DhcpNameServer = 192.168.1.250 24.205.192.61 TCP: Interfaces\{1310A1C8-B84C-4950-8AF2-D34B47D7F11C} : DhcpNameServer = 192.168.1.250 24.205.192.61 TCP: Interfaces\{C0BF6E7B-4FA8-47FB-BD90-1BFBE01C189D} : DhcpNameServer = 192.168.1.15 24.205.192.61 24.205.224.36 Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Notify: AtiExtEvent - Ati2evxx.dll Notify: LMIinit - LMIinit.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll . ================= FIREFOX =================== . FF - ProfilePath - . ============= SERVICES / DRIVERS =============== . R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2006-9-13 3840] R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-1 387480] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-1 84200] R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-3-10 47640] R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-3-1 171168] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-1 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-1 141792] R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2007-7-2 534040] R2 Zimbra Desktop Service;Zimbra Desktop Service;c:\documents and settings\tnelson\local settings\application data\zimbra\zdesktop\zdesktop.exe [2010-7-6 139264] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-1 153280] R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-1 52320] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-1 314088] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88736] S2 gupdate1c9e3d12c9c5c2d;Google Update Service (gupdate1c9e3d12c9c5c2d);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104] S2 LMIGuardianSvc;LMIGuardianSvc;"c:\program files\logmein\x86\lmiguardiansvc.exe" --> c:\program files\logmein\x86\LMIGuardianSvc.exe [?] S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?] S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-29 93320] S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480] S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480] S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480] S2 TelevisionFanaticService;TelevisionFanaticService;c:\progra~1\televi~2\bar\1.bin\64barsvc.exe [2011-6-27 42504] S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560] S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-1 56064] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-30 39984] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88736] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-1 84488] S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb20 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB20 [?] S3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TSUSB2.sys [2009-4-13 54016] S4 LMIRfsClientNP;LMIRfsClientNP; [x] . =============== Created Last 30 ================ . 2011-07-12 00:43:07 -------- d-----w- C:\ComboFix 2011-07-11 23:00:21 208896 ----a-w- c:\windows\MBR.exe 2011-07-11 23:00:18 256000 ----a-w- c:\windows\PEV.exe 2011-07-11 23:00:17 98816 ----a-w- c:\windows\sed.exe 2011-07-11 23:00:17 518144 ----a-w- c:\windows\SWREG.exe 2011-07-11 22:37:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-07-11 22:06:16 -------- d-sh--w- c:\documents and settings\administrator.homewatch\IECompatCache 2011-07-11 22:02:53 -------- d-----w- c:\documents and settings\administrator.homewatch\application data\AVG10 2011-07-11 20:59:35 -------- d-----w- C:\bb90d90176c79febb773643a 2011-07-01 04:09:37 -------- d-----w- c:\documents and settings\administrator.homewatch\application data\Skinux 2011-07-01 04:09:35 -------- d-----w- c:\documents and settings\administrator.homewatch\local settings\application data\CounterPath Corporation 2011-07-01 04:09:35 -------- d-----w- c:\documents and settings\administrator.homewatch\application data\CounterPath Corporation 2011-07-01 02:39:25 -------- d-----w- C:\8e229b368aea56275bbfc5681ec25e 2011-06-30 22:50:29 -------- d-----w- c:\documents and settings\administrator.homewatch\application data\IObit 2011-06-30 22:49:46 -------- d-----w- c:\documents and settings\administrator.homewatch\application data\Malwarebytes 2011-06-30 22:49:38 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-06-30 22:49:37 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes 2011-06-30 22:49:33 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-06-30 22:49:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-06-30 22:06:43 -------- d-sh--w- c:\documents and settings\administrator.homewatch\PrivacIE 2011-06-30 19:37:27 -------- d-----w- c:\program files\Spybot - Search & Destroy 2011-06-30 19:37:27 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy 2011-06-30 16:25:20 -------- d-----w- c:\program files\IObit 2011-06-30 15:42:46 -------- d-----w- c:\documents and settings\all users\application data\AVG10 2011-06-30 15:42:08 -------- d-----w- c:\program files\AVG 2011-06-30 15:37:42 -------- d-----w- c:\documents and settings\all users\application data\MFAData 2011-06-27 19:16:38 -------- d-----w- c:\program files\TelevisionFanatic 2011-06-27 19:16:26 -------- d-----w- c:\program files\TelevisionFanaticEI 2011-06-27 19:14:44 650752 ----a-w- c:\windows\system32\xvidcore.dll 2011-06-27 19:14:44 240640 ----a-w- c:\windows\system32\xvidvfw.dll 2011-06-27 19:14:44 152064 ----a-w- c:\windows\system32\xvid.ax 2011-06-27 19:14:41 -------- d-----w- c:\program files\Xvid 2011-06-17 10:02:52 -------- d-----w- c:\windows\SxsCaPendDel 2011-06-16 14:20:23 105472 ------w- c:\windows\system32\dllcache\mup.sys . ==================== Find3M ==================== . 2011-06-27 19:25:20 18944 ----a-w- c:\windows\system32\version.dll 2011-06-27 19:25:19 110080 ----a-w- c:\windows\system32\imm32.dll 2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll 2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll 2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec 2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys 2011-04-14 21:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys 2011-04-14 21:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys 2011-04-14 21:01:38 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys 2011-04-14 21:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys 2011-04-14 21:01:38 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys 2011-04-14 21:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys 2011-04-14 21:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2011-04-14 21:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2011-04-14 21:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys 2011-04-14 21:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2011-04-14 21:01:38 141792 ----a-w- c:\windows\system32\mfevtps.exe 2003-06-20 22:05:44 2368613 ----a-w- c:\program files\common files\QBFC2.1Installer.exe . ============= FINISH: 18:28:17.14 ===============
- July 12, 2011
- 7 replies
all programs in Start Menu and "All Programs" are missing

EdOr replied to EdOr's topic in Resolved Malware Removal Logs

Ok, Interesting and maybe worth noting: 1) I could ot get the boot up to complete. It would loop and not bring up the login dialog. I had to boot up in "Safe Mode". 2) ONce Sae Mode boot up was complete all the desktop icons were back in view and I randomly seleted a few MS Word docs and they did come up. Previously no icons appeared, nor any applications on Desktop, Start Menu and "All Programs", except for the IE icon in start menu. 3) A "Loader Error: The procedure entry point HTTPQueryInfoA could not be located in the dynamic link library WININRT.dll" keeps popping up and not going away when cliking "OK" repeatedly, unlike last week it would good away for stretches of time. Here is the MBAM log after cleaning the bad objects: Malwarebytes' Anti-Malware 1.51.0.1200 www.malwarebytes.org Database version: 6989 Windows 5.1.2600 Service Pack 3 (Safe Mode) Internet Explorer 8.0.6001.18702 7/5/2011 12:21:07 PM mbam-log-2011-07-05 (12-21-07).txt Scan type: Quick scan Objects scanned: 316383 Time elapsed: 11 minute(s), 49 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 13 Registry Values Infected: 4 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} (Adware.ShoppingReport2) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} (Adware.ShoppingReport2) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Mp3Tube (Adware.Mp3Tube) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Value: {07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Value: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Value: {07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Value: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) DDS.txt file: . DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21 Run by TracieN at 13:50:55 on 2011-07-05 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2370 [GMT -7:00] . AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs C:\WINDOWS\system32\mfevtps.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\NOTEPAD.EXE . ============== Pseudo HJT Report =============== . uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=XPxdm002YYus&ptb=86F8072E-3F6B-4371-98E9-DBEC706A17DB uInternet Connection Wizard,ShellNext = ftp://ftp.homewatchcaregivers.com/ mSearchAssistant = hxxp://www.google.com/ie uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll uURLSearchHooks: N/A: {0696f815-a3a9-490a-bb14-9ec3350b1276} - c:\program files\televisionfanatic\bar\1.bin\64SrcAs.dll mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll BHO: Search Assistant BHO: {5d79f641-c168-40df-a32f-bacea7509e75} - c:\program files\televisionfanatic\bar\1.bin\64SrcAs.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110510115829.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: Toolbar BHO: {cb41fc95-f1b3-4797-8bb6-1012ff62abba} - c:\progra~1\televi~2\bar\1.bin\64bar.dll BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll" BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll" TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll TB: TelevisionFanatic: {c98d5b61-b0ea-4d48-9839-1079d352d880} - c:\program files\televisionfanatic\bar\1.bin\64bar.dll TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t mPolicies-explorer: NoWelcomeScreen = 1 (0x1) IE: &Search - ?s=100000337&p=ZUzeb0044AUS_ZLman000&si=&a=mgBoHR9KP_H3PN2UBZF.VQ&n=2010092211 IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://hwcserver/connectcomputer/nshelp.dll DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199410328133 DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - hxxps://reports2.paychoiceonline.com/pcoreports/arview2.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://homewatchcaregivers.webex.com/client/T27L/nbr/ieatgpc.cab TCP: DhcpNameServer = 192.168.1.250 24.205.192.61 TCP: Interfaces\{1310A1C8-B84C-4950-8AF2-D34B47D7F11C} : DhcpNameServer = 192.168.1.250 24.205.192.61 TCP: Interfaces\{C0BF6E7B-4FA8-47FB-BD90-1BFBE01C189D} : DhcpNameServer = 192.168.1.15 24.205.192.61 24.205.224.36 Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Notify: AtiExtEvent - Ati2evxx.dll Notify: LMIinit - LMIinit.dll AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll . ================= FIREFOX =================== . FF - ProfilePath - . ============= SERVICES / DRIVERS =============== . R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2006-9-13 3840] R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992] R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592] R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-1 387480] R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-1 84200] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-1 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-1 141792] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-1 314088] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88736] S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656] S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896] S2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-6-30 353168] S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752] S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520] S2 gupdate1c9e3d12c9c5c2d;Google Update Service (gupdate1c9e3d12c9c5c2d);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104] S2 LMIGuardianSvc;LMIGuardianSvc;"c:\program files\logmein\x86\lmiguardiansvc.exe" --> c:\program files\logmein\x86\LMIGuardianSvc.exe [?] S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?] S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-3-10 47640] S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-29 93320] S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480] S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480] S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480] S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-3-1 171168] S2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2007-7-2 534040] S2 TelevisionFanaticService;TelevisionFanaticService;c:\progra~1\televi~2\bar\1.bin\64barsvc.exe [2011-6-27 42504] S2 Zimbra Desktop Service;Zimbra Desktop Service;c:\documents and settings\tnelson\local settings\application data\zimbra\zdesktop\zdesktop.exe [2010-7-6 139264] S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-6-30 1025352] S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480] S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144] S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216] S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560] S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-1 56064] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-30 39984] S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-1 153280] S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-1 52320] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88736] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-1 84488] S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb20 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB20 [?] S3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TSUSB2.sys [2009-4-13 54016] S4 LMIRfsClientNP;LMIRfsClientNP; [x] . =============== Created Last 30 ================ . 2011-07-05 19:06:55 -------- d-----w- c:\documents and settings\tracien\application data\Malwarebytes 2011-07-01 02:39:25 -------- d-----w- C:\8e229b368aea56275bbfc5681ec25e 2011-06-30 22:49:38 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-06-30 22:49:37 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes 2011-06-30 22:49:33 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-06-30 22:49:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-06-30 19:37:27 -------- d-----w- c:\program files\Spybot - Search & Destroy 2011-06-30 19:37:27 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy 2011-06-30 18:37:21 -------- d-----w- c:\program files\CCleaner 2011-06-30 16:25:22 -------- d-----w- c:\documents and settings\tracien\application data\IObit 2011-06-30 16:25:20 -------- d-----w- c:\program files\IObit 2011-06-30 15:49:27 -------- d-----w- c:\documents and settings\tracien\application data\AVG10 2011-06-30 15:43:42 -------- d-----w- c:\documents and settings\all users\application data\AVG Security Toolbar 2011-06-30 15:42:46 -------- d-----w- c:\windows\system32\drivers\AVG 2011-06-30 15:42:46 -------- d-----w- c:\documents and settings\all users\application data\AVG10 2011-06-30 15:42:08 -------- d-----w- c:\program files\AVG 2011-06-30 15:37:42 -------- d-----w- c:\documents and settings\all users\application data\MFAData 2011-06-27 19:16:38 -------- d-----w- c:\program files\TelevisionFanatic 2011-06-27 19:16:26 -------- d-----w- c:\program files\TelevisionFanaticEI 2011-06-27 19:14:44 650752 ----a-w- c:\windows\system32\xvidcore.dll 2011-06-27 19:14:44 240640 ----a-w- c:\windows\system32\xvidvfw.dll 2011-06-27 19:14:44 152064 ----a-w- c:\windows\system32\xvid.ax 2011-06-27 19:14:41 -------- d-----w- c:\program files\Xvid 2011-06-17 10:02:52 -------- d-----w- c:\windows\SxsCaPendDel 2011-06-16 14:20:23 105472 ------w- c:\windows\system32\dllcache\mup.sys . ==================== Find3M ==================== . 2011-06-27 19:25:20 18944 ----a-w- c:\windows\system32\version.dll 2011-06-27 19:25:19 110080 ----a-w- c:\windows\system32\imm32.dll 2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll 2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll 2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec 2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys 2011-04-15 04:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys 2011-04-14 21:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys 2011-04-14 21:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys 2011-04-14 21:01:38 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys 2011-04-14 21:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys 2011-04-14 21:01:38 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys 2011-04-14 21:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys 2011-04-14 21:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2011-04-14 21:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2011-04-14 21:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys 2011-04-14 21:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2011-04-14 21:01:38 141792 ----a-w- c:\windows\system32\mfevtps.exe 2003-06-20 22:05:44 2368613 ---ha-w- c:\program files\common files\QBFC2.1Installer.exe . ============= FINISH: 13:52:05.89 ===============
- July 5, 2011
- 7 replies
all programs in Start Menu and "All Programs" are missing

EdOr replied to EdOr's topic in Resolved Malware Removal Logs

OK, but I will not be at infected computer till Tuesday afternoon. I'll update and follow your instructions then. Thx.
- July 4, 2011
- 7 replies
Virus hit; lost programs and files

EdOr posted a topic in Resolved Malware Removal Logs

attach.zipark.zipI hope someone can help me. By downloading from Cnet antivirus, antispyware and antimalware apps, I was able to get back IE only which works and a couple other icons that do not work to launch the application. only new downloaded programs show up in Start Menu and All Programs. I followed the instructions for a newbie ("I'm Infected - ...") and here are the attached files: . DDS (Ver_2011-06-23.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21 Run by Administrator at 21:13:20 on 2011-06-30 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.1924 [GMT -7:00] . AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* . ============== Running Processes =============== . C:\PROGRA~1\AVG\AVG10\avgchsvx.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\spoolsv.exe C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\AVG\AVG10\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\AVG\AVG10\avgnsx.exe C:\WINDOWS\system32\mfevtps.exe C:\Program Files\PDF Complete\pdfsvc.exe c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe C:\Program Files\Microsoft\BingBar\SeaPort.EXE C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\WINDOWS\system32\SearchIndexer.exe C:\Documents and Settings\tnelson\Local Settings\Application Data\Zimbra\zdesktop\zdesktop.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\PROGRA~1\AVG\AVG10\avgrsx.exe C:\Program Files\AVG\AVG10\avgcsrvx.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\CounterPath\Bria\bria.exe C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Microsoft\BingBar\BingBar.exe C:\Program Files\Microsoft\BingBar\BingApp.exe C:\WINDOWS\system32\SearchProtocolHost.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.hp.com mSearchAssistant = hxxp://www.google.com/ie uURLSearchHooks: H - No File mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll BHO: Search Assistant BHO: {5d79f641-c168-40df-a32f-bacea7509e75} - c:\program files\televisionfanatic\bar\1.bin\64SrcAs.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110510115829.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: Toolbar BHO: {cb41fc95-f1b3-4797-8bb6-1012ff62abba} - c:\progra~1\televi~2\bar\1.bin\64bar.dll BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll" BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll" TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll TB: TelevisionFanatic: {c98d5b61-b0ea-4d48-9839-1079d352d880} - c:\program files\televisionfanatic\bar\1.bin\64bar.dll TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRun: [rBdBVPVSFJr] c:\documents and settings\all users\application data\rBdBVPVSFJr.exe uRun: [bria] "c:\program files\counterpath\bria\bria.exe" uRun: [Advanced SystemCare 4] "c:\program files\iobit\advanced systemcare 4\ASCTray.exe" mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t mPolicies-explorer: NoWelcomeScreen = 1 (0x1) IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://hwcserver/connectcomputer/nshelp.dll DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199410328133 DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - hxxps://reports2.paychoiceonline.com/pcoreports/arview2.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://homewatchcaregivers.webex.com/client/T27L/nbr/ieatgpc.cab TCP: DhcpNameServer = 192.168.1.250 24.205.192.61 TCP: Interfaces\{1310A1C8-B84C-4950-8AF2-D34B47D7F11C} : DhcpNameServer = 192.168.1.250 24.205.192.61 TCP: Interfaces\{C0BF6E7B-4FA8-47FB-BD90-1BFBE01C189D} : DhcpNameServer = 192.168.1.15 24.205.192.61 24.205.224.36 Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Notify: AtiExtEvent - Ati2evxx.dll Notify: LMIinit - LMIinit.dll AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll . ================= FIREFOX =================== . FF - ProfilePath - . ============= SERVICES / DRIVERS =============== . R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2006-9-13 3840] R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992] R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592] R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-1 387480] R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656] R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896] R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-1 84200] R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-6-30 353168] R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520] R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-3-10 47640] R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-3-1 171168] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-1 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-1 141792] R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2007-7-2 534040] R2 Zimbra Desktop Service;Zimbra Desktop Service;c:\documents and settings\tnelson\local settings\application data\zimbra\zdesktop\zdesktop.exe [2010-7-6 139264] R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480] R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144] R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-1 153280] R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-1 52320] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-1 314088] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88736] S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752] S2 gupdate1c9e3d12c9c5c2d;Google Update Service (gupdate1c9e3d12c9c5c2d);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104] S2 LMIGuardianSvc;LMIGuardianSvc;"c:\program files\logmein\x86\lmiguardiansvc.exe" --> c:\program files\logmein\x86\LMIGuardianSvc.exe [?] S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?] S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-29 93320] S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480] S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480] S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-1 271480] S2 TelevisionFanaticService;TelevisionFanaticService;c:\progra~1\televi~2\bar\1.bin\64barsvc.exe [2011-6-27 42504] S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-6-30 1025352] S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560] S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-1 56064] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-30 39984] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-1 88736] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-1 84488] S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb20 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB20 [?] S3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TSUSB2.sys [2009-4-13 54016] S4 LMIRfsClientNP;LMIRfsClientNP; [x] . =============== Created Last 30 ================ . 2011-07-01 04:09:37 -------- d-----w- c:\documents and settings\administrator.homewatch\application data\Skinux 2011-07-01 04:09:35 -------- d-----w- c:\documents and settings\administrator.homewatch\local settings\application data\CounterPath Corporation 2011-07-01 04:09:35 -------- d-----w- c:\documents and settings\administrator.homewatch\application data\CounterPath Corporation 2011-07-01 02:39:25 -------- d-----w- C:\8e229b368aea56275bbfc5681ec25e 2011-06-30 22:50:29 -------- d-----w- c:\documents and settings\administrator.homewatch\application data\IObit 2011-06-30 22:49:46 -------- d-----w- c:\documents and settings\administrator.homewatch\application data\Malwarebytes 2011-06-30 22:49:38 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-06-30 22:49:37 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes 2011-06-30 22:49:33 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-06-30 22:49:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-06-30 22:06:43 -------- d-sh--w- c:\documents and settings\administrator.homewatch\PrivacIE 2011-06-30 19:37:27 -------- d-----w- c:\program files\Spybot - Search & Destroy 2011-06-30 19:37:27 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy 2011-06-30 18:37:21 -------- d-----w- c:\program files\CCleaner 2011-06-30 16:25:20 -------- d-----w- c:\program files\IObit 2011-06-30 15:43:42 -------- d-----w- c:\documents and settings\all users\application data\AVG Security Toolbar 2011-06-30 15:42:46 -------- d-----w- c:\windows\system32\drivers\AVG 2011-06-30 15:42:46 -------- d-----w- c:\documents and settings\all users\application data\AVG10 2011-06-30 15:42:08 -------- d-----w- c:\program files\AVG 2011-06-30 15:37:42 -------- d-----w- c:\documents and settings\all users\application data\MFAData 2011-06-27 19:16:38 -------- d-----w- c:\program files\TelevisionFanatic 2011-06-27 19:16:26 -------- d-----w- c:\program files\TelevisionFanaticEI 2011-06-27 19:14:44 650752 ----a-w- c:\windows\system32\xvidcore.dll 2011-06-27 19:14:44 240640 ----a-w- c:\windows\system32\xvidvfw.dll 2011-06-27 19:14:44 152064 ----a-w- c:\windows\system32\xvid.ax 2011-06-27 19:14:41 -------- d-----w- c:\program files\Xvid 2011-06-17 10:02:52 -------- d-----w- c:\windows\SxsCaPendDel 2011-06-16 14:20:23 105472 ------w- c:\windows\system32\dllcache\mup.sys . ==================== Find3M ==================== . 2011-06-27 19:25:20 18944 ----a-w- c:\windows\system32\version.dll 2011-06-27 19:25:19 110080 ----a-w- c:\windows\system32\imm32.dll 2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll 2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll 2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec 2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys 2011-04-15 04:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys 2011-04-14 21:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys 2011-04-14 21:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys 2011-04-14 21:01:38 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys 2011-04-14 21:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys 2011-04-14 21:01:38 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys 2011-04-14 21:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys 2011-04-14 21:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2011-04-14 21:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2011-04-14 21:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys 2011-04-14 21:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2011-04-14 21:01:38 141792 ----a-w- c:\windows\system32\mfevtps.exe 2011-04-05 07:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2003-06-20 22:05:44 2368613 ---ha-w- c:\program files\common files\QBFC2.1Installer.exe . ============= FINISH: 21:15:43.37 =============== Malware Log fiile: Malwarebytes' Anti-Malware 1.51.0.1200 www.malwarebytes.org Database version: 6989 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 6/30/2011 6:54:17 PM mbam-log-2011-06-30 (18-54-17).txt Scan type: Full scan (C:\|D:\|) Objects scanned: 416203 Time elapsed: 3 hour(s), 2 minute(s), 4 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 4 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 3 Files Infected: 18 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} (Adware.ShoppingReport2) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: c:\program files\mp3tube toolbar (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images (Adware.Mp3Tube) -> Quarantined and deleted successfully. Files Infected: c:\documents and settings\all users\application data\rbdbvpvsfjr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. c:\system volume information\_restore{8d290bb5-e59c-462b-a0ee-e8949a1e4344}\RP3\A0000204.exe (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\system volume information\_restore{8d290bb5-e59c-462b-a0ee-e8949a1e4344}\RP3\A0000205.exe (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\system volume information\_restore{8d290bb5-e59c-462b-a0ee-e8949a1e4344}\RP3\A0000206.dll (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\system volume information\_restore{8d290bb5-e59c-462b-a0ee-e8949a1e4344}\RP3\A0000207.exe (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\program files\mozilla firefox\searchplugins\Mp3Tube.xml (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\pref.xml (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\tbconfig.xml (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\dailyhotdeals.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\divider.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\feeditem.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\games.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\savemp3.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\savemp3_disabled.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\screensaver.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\shopping.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\watermark.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\weatherbug.png (Adware.Mp3Tube) -> Quarantined and deleted successfully.
- July 1, 2011
- 7 replies
all programs in Start Menu and "All Programs" are missing

EdOr posted a topic in Resolved Malware Removal Logs

I tried the suggested http://download.blee...beta/unhide.exe, it starte but I got a small dialog box that said "Check Fail" and then several repeating "Loader Error" messages": " the procedure entry poin Http QUERYINFOA could not be located in the dynamic link library WININET>dll". Clicking off the repet message about a 6 times and the program stiops running and goes away leaving the little "Check Fail" dialog box. Also, after tying a third time with same reults, one new event happended; I got a notepad window that said, "Volume in drive C has no label. Volume Serial Number is 62C6-4C16". Any ideas what this is about? I should mention I'm on this forum due to this PC (XP) has been hit with a virus. In safe mode with networking I was able to get 'finagle" an IE window to go to Cnet for Malwarebytes and others to scan and fix this PC. I got this PC to the point where I have the IE icon in the Start Menu which works, and the Outlook Icon in Start Menue which does not work. Nor other programs in Start Menu and only the new downloaded applications via Cnet in "All Programs". The Malwarebytes log after scanning and fixing is: Malwarebytes' Anti-Malware 1.51.0.1200 www.malwarebytes.org Database version: 6989 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 6/30/2011 6:54:17 PM mbam-log-2011-06-30 (18-54-17).txt Scan type: Full scan (C:\|D:\|) Objects scanned: 416203 Time elapsed: 3 hour(s), 2 minute(s), 4 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 4 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 3 Files Infected: 18 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} (Adware.ShoppingReport2) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: c:\program files\mp3tube toolbar (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images (Adware.Mp3Tube) -> Quarantined and deleted successfully. Files Infected: c:\documents and settings\all users\application data\rbdbvpvsfjr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. c:\system volume information\_restore{8d290bb5-e59c-462b-a0ee-e8949a1e4344}\RP3\A0000204.exe (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\system volume information\_restore{8d290bb5-e59c-462b-a0ee-e8949a1e4344}\RP3\A0000205.exe (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\system volume information\_restore{8d290bb5-e59c-462b-a0ee-e8949a1e4344}\RP3\A0000206.dll (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\system volume information\_restore{8d290bb5-e59c-462b-a0ee-e8949a1e4344}\RP3\A0000207.exe (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\program files\mozilla firefox\searchplugins\Mp3Tube.xml (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\pref.xml (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\tbconfig.xml (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\dailyhotdeals.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\divider.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\feeditem.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\games.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\savemp3.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\savemp3_disabled.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\screensaver.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\shopping.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\watermark.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. c:\documents and settings\TracieN\application data\mp3tube toolbar\images\weatherbug.png (Adware.Mp3Tube) -> Quarantined and deleted successfully. I'm restarting the this PC as recommended after this log was displayed. HELP is GREATLY appreciated!
- July 1, 2011
- 7 replies

Sign In

EdOr

Posts

Joined

Last visited

Reputation

Still messed up

Virus hit; lost programs and files

Virus hit; lost programs and files

Virus hit; lost programs and files

all programs in Start Menu and "All Programs" are missing

all programs in Start Menu and "All Programs" are missing

all programs in Start Menu and "All Programs" are missing

Virus hit; lost programs and files

all programs in Start Menu and "All Programs" are missing

Browse

Activity

Personal

Business

Business Modules

Partners

Learn

Start here

Type of malware/attacks

How does it get on my computer?

Scams and grifts

Support

Important Information