Jimcat
Posts: 109
Posts posted by Jimcat
-
This ESET scan must be very thorough. Running for over an hour and just under 50% complete. But it has reported about 20 threats so far.
-
I used Revo Uninstaller to uninstall all of the programs that you listed except for the last one. The Revo program did not show anything named "Yontoo". I did a search using the start menu, and the only files it found containing that string were the log files from the scan programs that I've already run.
So far everything is performing beautifully - able to run programs and connect to the Internet without any annoying add-ons or redirects. The MBAM scan reported no malicious items. I am attaching the outputs from MBAM and HijackThis.
-
Since you bring up Java and say that we should see if there is anything else to be addressed, here is a question.
I keep getting a pop-up from "jucheck.exe" saying that there is an upgrade of Java that needs to be run. I have heard that Java carries some security risks these days, so I have just been cancelling and declining to run it. What is the best choice for me? Should I disable Java completely? If so, can you point me to good instructions for doing so? Or is it safe to just let the upgrade go through?
I also wanted to come back to the question I asked at the beginning of the thread. If I have the MBAM PRO version on one of my computers, does that license apply to any computers in my house? Or do I have to buy a separate license for each computer?
Also find below the output from the latest combofix run.
Also, in case I haven't mentioned it, thanks for being available this morning and for your quick and helpful instructions.
-
Combofix ran to completion, and I rebooted and reactivated Windows Firewall and Defender.
So far things seem to be behaving properly. Combofix log is attached.
-
Looks like we are getting good results.
When I downloaded AdwCleaner, I got a system error and had to reboot, so I restarted in safe mode. I was able to run AdwCleaner without any issues in safe mode, then rebooted. At that point Google Chrome was behaving better - no Miniclip toolbar and it didn't direct me to a Conduit default page.
RogueKiller found a couple of registry items and I deleted them as per instructions.
Attached are the output files from both.
-
Thank you for the quick response. I ran the programs you listed and here are the three report files. No troubles with downloading or running them.
-
I have an older machine in my house that I primarily use to let my kids play games, and it's worked well until just recently. It looks like they managed to get some adware from Miniclip on there, and now it redirects the home pages of the browsers (IE and Google Chrome) and there's a toolbar on both browsers that I can't get rid of.
I have the free download of MBAM on the infected machine, and I updated the database and ran a full scan, but it reported no infections. Maybe this isn't considered malware, but it certainly is something that I want to remove, and I hope that the experts here have reliable tools and instructions.
On a related issue: I have the Pro version of MBAM on my main home machine. Does that cover any machine in my house? If so, how can I upgrade the program on the infected computer?
-
Back online, will resume troubleshooting in the morning.
-
Sorry that I haven't replied in a few days but my home is still without power or Internet access due to Snowtoberfest 2011.
I will get back to this as soon as I can.
-
Willing to give it a try but I need a little more clarity on the instructions.
Do I need to boot from the CD before running this? Or do I boot normally and run the command? If the latter, at what point does the OS CD come into the picture?
-
Same issue as I reported in post #114:
Computer Browser : Started, Automatic
DHCP Client : not started, Automatic
DNS Client : not started, Automatic
Network Connections : Started, Manual
Network Location Awareness : Started, Automatic
Remote Procedure Call (RPC) : Started, Automatic
Server : Started, Automatic
TCP/IP Netbios helper : Started, Automatic
WLAN AutoConfig (Vista wireless configurations only) : not applicable, no wireless card
Workstation : Started, Automatic
So it looks as though the DHCP and DNS clients are stopped.
Dependencies for DHCP client:
Ancillary Function Driver for Winsock
Network Store Interface Service
Dependencies for DNS client:
No dependencies listed.
I tried clicking "Start" for the DNS client and got the following message:
Windows could not start the DNS Client service on Local Computer.
Error 1075: The dependency service does not exist or has been marked for deletion.
That is baffling: the error message mentions a dependency but the dependencies tab says "no dependencies"!
I got the same message trying to start the DHCP client, but at least some dependencies are listed.
-
No. The same thing happens when the computer boots up: it has local access only, and continually says "identifying" for the network connection.
-
I got a copy of ipsec.sys into the C:\Windows\System32\drivers\ directory, rebooted and confirmed that it is there. What's the next step?
-
I'll check on microsoft.com for guidance - one way or another I'll restore the driver and let you know when it's accomplished.
-
I do have the Windows DVD and would prefer to load it from there than from another computer.
-
SystemLook 30.07.11 by jpshortstuff
Log created at 13:38 on 29/10/2011 by Jim Kasprzak 4
Administrator - Elevation successful
========== filefind ==========
Searching for "ipsec.sys"
No files found.
-= EOF =-
-
Gotta love this:
SystemLook 30.07.11 by jpshortstuff
Log created at 10:38 on 29/10/2011 by Jim Kasprzak 4
Administrator - Elevation successful
========== filefind ==========
Searching for "ipsec.sy_"
No files found.
-= EOF =-
-
Computer Browser : Started, Automatic
DHCP Client : not started, Automatic
DNS Client : not started, Automatic
Network Connections : Started, Manual
Network Location Awareness : Started, Automatic
Remote Procedure Call (RPC) : Started, Automatic
Server : Started, Automatic
TCP/IP Netbios helper : Started, Automatic
WLAN AutoConfig (Vista wireless configurations only) : not applicable, no wireless card
Workstation : Started, Automatic
So it looks as though the DHCP and DNS clients are stopped.
Dependencies for DHCP client:
Ancillary Function Driver for Winsock
Network Store Interface Service
Dependencies for DNS client:
No dependencies listed.
I tried clicking "Start" for the DNS client and got the following message:
Windows could not start the DNS Client service on Local Computer.
Error 1075: The dependency service does not exist or has been marked for deletion.
That is baffling: the error message mentions a dependency but the dependencies tab says "no dependencies"!
I got the same message trying to start the DHCP client, but at least some dependencies are listed.
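The two posts above (the first at "Same issue as I reported in post #114" and this repeat of it) describe error 1075 when starting the DHCP Client and DNS Client, while the Dependencies tab in the Services snap-in shows either a partial list or nothing. The snap-in only renders the names it can resolve; the authoritative list is the REG_MULTI_SZ value `DependOnService` under each service's key in `HKLM\SYSTEM\CurrentControlSet\Services`, and error 1075 (ERROR_SERVICE_DEPENDENCY_DELETED) is what the Service Control Manager returns when a name in that list has no service key. The script below is an added example, not code from the thread or from any of the tools used in it: it reads that value directly and flags any dependency whose key is missing. It assumes an elevated PowerShell session; the service names `Dhcp` and `Dnscache` are the standard internal names of the two services and are passed here only as illustrative input, and the output of the function on the machine in the thread is not known.

```powershell
# Added example (not from the original thread): list each service's declared
# dependencies from the registry and report any that no longer exist as a
# service key, which is the condition behind "Error 1075".
# Assumes an elevated PowerShell session.
function Test-ServiceDependencies {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $Name
    )

    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    foreach ($svc in $Name) {
        $key = Join-Path $root $svc
        if (-not (Test-Path $key)) {
            # The service itself has no registry key; nothing further to check.
            New-Object PSObject -Property @{
                Service = $svc; Dependency = ''; Status = 'service key missing'
            }
            continue
        }

        $props = Get-ItemProperty -Path $key
        # DependOnService is absent (or empty) when a service has no dependencies.
        $deps = @($props.DependOnService | Where-Object { $_ })

        if ($deps.Count -eq 0) {
            New-Object PSObject -Property @{
                Service = $svc; Dependency = ''; Status = 'no DependOnService value'
            }
            continue
        }

        foreach ($dep in $deps) {
            $depKey = Join-Path $root $dep
            if (Test-Path $depKey) {
                # Kernel drivers (e.g. afd, nsi) are not returned by Get-Service,
                # so fall back to reading their Start value instead of a status.
                $state = (Get-Service -Name $dep -ErrorAction SilentlyContinue).Status
                if (-not $state) {
                    $start = (Get-ItemProperty -Path $depKey).Start
                    $state = "driver key present (Start=$start)"
                }
                New-Object PSObject -Property @{
                    Service = $svc; Dependency = $dep; Status = "present: $state"
                }
            } else {
                # A listed dependency with no key is exactly what yields error 1075.
                New-Object PSObject -Property @{
                    Service = $svc; Dependency = $dep; Status = 'MISSING (would cause error 1075)'
                }
            }
        }
    }
}

# Illustrative input: the internal names of the DHCP Client and DNS Client services.
Test-ServiceDependencies -Name 'Dhcp', 'Dnscache' | Format-Table Service, Dependency, Status -AutoSize
```

If a dependency is reported as MISSING, the fix is to restore that service or driver (its registry key and, for a driver, the file under `System32\drivers`) rather than to keep retrying Start on the dependent service; the snap-in will show a full dependency list again once the missing key exists.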
-
Oh, never mind, I am a bozo... checking under Services... stand by
-
Well, there is my problem. None of those services are even listed under System and Maintenance>Administrative Tools.
What I see in that menu is the following:
Computer Management
Data Sources (ODBC)
Event Viewer
iSCSI Initiator
Memory Diagnostics Tool
Reliability and Performance Monitor
Services
System Configuration
Task Scheduler
Windows Firewall with Advanced Security
Windows PowerShell Modules
That is all I see.
-
Hm. The command ran successfully, and I exited and rebooted, but I can't find a file c:\resetlog.txt.
-
When I entered the netsh command, I got the following messages:
Resetting Echo Request, failed.
The requested operation requires elevation.
Resetting Global, failed.
The requested operation requires elevation.
Resetting Interface, failed.
The requested operation requires elevation.
There's no user specified settings to be reset.
-
After reboot, I don't get the error message and the system seems stable, but I still don't have network connectivity.
-
Combofix ran, rebooted a couple of times, and produced a log. After the log was generated, I noticed an error message onscreen saying the following:
c:\windows\sminst\dslauncher.exe
Illegal operation attempted on a registry key that has been marked for deletion.
I clicked "OK" to this and am now rebooting to be safe.
Below are the Combofix log contents:
ComboFix 11-10-28.04 - Jim Kasprzak 4 10/28/2011 20:58:30.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2036.1289 [GMT -4:00]
Running from: c:\users\Jim Kasprzak 4\Desktop\ComboFix.exe
Command switches used :: c:\users\Jim Kasprzak 4\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\c_15244.nl_"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB36618$
c:\windows\$NtUninstallKB36618$\194543853
c:\windows\$NtUninstallKB36618$\3945307101\@
c:\windows\$NtUninstallKB36618$\3945307101\L\qnbwvoto
c:\windows\system32\c_15244.nl_
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-29 )))))))))))))))))))))))))))))))
.
.
2011-10-29 01:16 . 2011-10-29 01:16 -------- d-----w- c:\users\RA Media Server\AppData\Local\temp
2011-10-29 01:16 . 2011-10-29 01:16 -------- d-----w- c:\users\Jim\AppData\Local\temp
2011-10-29 01:16 . 2011-10-29 01:16 -------- d-----w- c:\users\Jim Kasprzak\AppData\Local\temp
2011-10-29 01:16 . 2011-10-29 01:16 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Local\temp
2011-10-29 01:16 . 2011-10-29 01:16 -------- d-----w- c:\users\Jim Kasprzak 2\AppData\Local\temp
2011-10-29 01:16 . 2011-10-29 01:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-21 14:44 . 2011-10-21 14:44 -------- d-----w- c:\windows\system32\vmm32
2011-10-20 01:20 . 2007-12-05 11:17 77824 ----a-w- c:\windows\system32\AERTSrv.exe
2011-10-15 11:08 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-15 10:28 . 2011-10-15 10:28 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-10-14 10:24 . 2011-10-14 10:24 -------- d-----w- c:\programdata\Malwarebytes
2011-10-12 23:08 . 2011-09-06 13:30 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-12 23:08 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 23:08 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 23:08 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-12 23:08 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-12 23:08 . 2011-09-14 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-10-12 23:08 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-12 23:08 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-12 23:08 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-12 23:08 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-11 09:59 . 2011-10-24 09:34 -------- d-----w- c:\users\Jim Kasprzak 4
2011-10-11 09:34 . 2011-10-11 09:34 -------- d--h--w- c:\users\Jim Kasprzak 3\Tracing
2011-10-11 09:34 . 2011-10-11 09:34 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\Unity
2011-10-11 09:34 . 2010-10-20 23:36 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\Windows Live Writer
2011-10-11 09:34 . 2011-10-11 09:34 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\TaxCut
2011-10-11 09:34 . 2011-10-11 09:34 -------- d--h--w- c:\users\Jim Kasprzak 3\AppData\Roaming\Oberon Media
2011-10-11 09:34 . 2011-10-11 09:34 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\PCDr
2011-10-11 09:34 . 2011-10-11 09:34 -------- d-----r- c:\users\Jim Kasprzak 3\AppData\Roaming\SecuROM
2011-10-11 09:31 . 2011-10-11 09:31 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\Merscom
2011-10-11 09:30 . 2011-10-11 09:30 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\IGN_DLM
2011-10-11 09:30 . 2011-10-11 09:30 -------- d--h--w- c:\users\Jim Kasprzak 3\AppData\Roaming\funkitron
2011-10-11 09:30 . 2011-10-11 09:30 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\Facebook
2011-10-11 09:30 . 2011-10-11 09:30 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\eMusic
2011-10-11 09:30 . 2011-10-11 09:30 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\CyberLink
2011-10-11 09:30 . 2011-10-11 09:30 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\Amazon
2011-10-11 09:30 . 2009-12-01 02:33 8653312 ----a-w- c:\users\Jim Kasprzak 3\AppData\Roaming\DataSafeDotNet.exe
2011-10-09 17:52 . 2011-10-09 17:52 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\Malwarebytes
2011-10-09 09:35 . 2011-10-09 09:35 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\McAfee
2011-10-08 19:29 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-10-05 00:06 . 2011-10-05 00:06 -------- d-----w- c:\users\Jim Kasprzak 3\AppData\Roaming\PlayFirst
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-29 01:17 . 2011-10-29 01:17 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8BA0802C-633C-40DC-B3AA-103B3FE4444C}\offreg.dll
2011-10-28 09:23 . 2009-09-11 10:59 35328 ----a-w- c:\windows\system32\drivers\npfs.sys
2011-10-19 02:35 . 2009-09-11 10:59 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-10-19 01:34 . 2011-06-15 19:07 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-28 01:59 . 2011-05-14 09:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-23 11:08 . 2011-09-23 11:08 161792 ----a-w- c:\windows\system32\msls31.dll
2011-09-23 11:07 . 2011-09-23 11:07 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-23 11:07 . 2011-09-23 11:07 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-09-23 11:07 . 2011-09-23 11:07 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-09-23 11:07 . 2011-09-23 11:07 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-09-23 11:07 . 2011-09-23 11:07 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-09-23 11:07 . 2011-09-23 11:07 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-09-23 11:07 . 2011-09-23 11:07 367104 ----a-w- c:\windows\system32\html.iec
2011-09-23 11:07 . 2011-09-23 11:07 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-23 11:07 . 2011-09-23 11:07 152064 ----a-w- c:\windows\system32\wextract.exe
2011-09-23 11:07 . 2011-09-23 11:07 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-09-23 11:07 . 2011-09-23 11:07 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-23 11:07 . 2011-09-23 11:07 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-09-23 11:07 . 2011-09-23 11:07 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-23 11:07 . 2011-09-23 11:07 11776 ----a-w- c:\windows\system32\mshta.exe
2011-09-23 11:07 . 2011-09-23 11:07 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-09-23 11:07 . 2011-09-23 11:07 101888 ----a-w- c:\windows\system32\admparse.dll
2011-09-23 11:07 . 2011-09-23 11:07 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-09-21 13:00 . 2011-10-19 01:42 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8BA0802C-633C-40DC-B3AA-103B3FE4444C}\mpengine.dll
2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-22 10:40 . 2011-08-22 10:40 0 ---ha-w- c:\users\Jim Kasprzak 2\AppData\Local\Spituj.bin
2011-08-15 14:00 . 2010-08-25 07:51 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-08-15 14:00 . 2010-08-25 07:50 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-08-15 14:00 . 2010-08-25 07:50 64712 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-08-15 14:00 . 2010-08-25 07:50 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-08-15 14:00 . 2010-08-25 07:50 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-08-15 14:00 . 2010-08-25 07:50 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-08-15 14:00 . 2010-08-25 07:50 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-08-15 14:00 . 2010-08-25 07:50 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-08-15 14:00 . 2010-08-25 07:50 164776 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-08-15 14:00 . 2010-08-25 07:50 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-07-08 07:16 . 2011-08-14 18:18 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 18:01 . 2011-08-14 19:44 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-02 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-10 1317016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\Components\scheduler\Launcher.exe" [2009-02-23 165104]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10x_ActiveX.exe" [2011-09-28 243360]
.
c:\users\Jim Kasprzak 4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Remote Access.lnk - c:\windows\Installer\{F66A31D9-7831-4FBA-BA02-C411C0047CC5}\NewShortcut4_F66A31D978314FBABA02C411C0047CC5.exe [2009-5-13 53248]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-05-13 07:48 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2009-03-30 66368]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [x]
R2 dsl-db;Remote Access DB;c:\program files\Common Files\Dell\MySQL\bin\mysqld.exe [x]
R2 dsl-fs-sync;Remote Access File Sync Service;c:\program files\Common Files\Dell\Remote Access File Sync Service\dsl_fs_sync.exe [2009-01-05 173296]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [x]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [x]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-08-15 57432]
R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-08-15 87808]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-08-15 64712]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-08-15 164776]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
S2 Apache2.2;Remote Access Media Server;c:\program files\Common Files\Dell\apache\bin\httpd.exe [2007-09-21 15872]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-08-19 160344]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-08-19 148520]
S2 SftService;SoftThinks Agent Service;c:\windows\sminst\sftservice.EXE [2009-02-23 632048]
S2 uvnc_service;UltraVNC Server;c:\programdata\UltraVNC\winvnc.exe [2008-08-31 1519168]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-08-15 338040]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-29 c:\windows\Tasks\Norton Security Scan for Jim Kasprzak.job
- c:\program files\Norton Security Scan\Engine\3.0.0.103\Nss.exe [2011-03-13 07:25]
.
2011-10-29 c:\windows\Tasks\User_Feed_Synchronization-{E31C1D6B-950E-489A-A927-F01A5C3A2B23}.job
- c:\windows\system32\msfeedssync.exe [2011-09-23 11:07]
.
2011-10-28 c:\windows\Tasks\vtscheduletask.job
- c:\program files\McAfee\Supportability\MVT\MvtApp.exe [2011-10-09 18:25]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 24.229.54.212 207.44.96.129 24.229.54.220
FF - ProfilePath -
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:a6,91,65,95,bf,8c,cc,01
.
[HKEY_USERS\S-1-5-21-1864603776-3726979079-2286760248-1004\Software\SecuROM\License information*]
"datasecu"=hex:4e,d0,83,87,bd,d3,ac,d5,96,65,00,ed,3c,f2,c2,3f,4b,bb,d2,4d,f3,
11,0a,d3,1f,f1,b7,c3,4b,bd,93,e7,79,80,7e,ec,4a,98,9b,0a,6f,d6,69,99,51,3d,\
"rkeysecu"=hex:93,1e,31,ce,a9,72,b7,fb,23,42,ca,73,e8,ac,a8,cb
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\SMINST\Components\scheduler\STService.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
.
**************************************************************************
.
Completion time: 2011-10-28 21:29:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-29 01:29
ComboFix2.txt 2011-10-28 09:40
ComboFix3.txt 2011-10-21 22:05
ComboFix4.txt 2011-10-21 01:48
ComboFix5.txt 2011-10-29 00:43
.
Pre-Run: 57,442,185,216 bytes free
Post-Run: 57,317,199,872 bytes free
.
- - End Of File - - 264EADDC5460F860547F4EEB59A3D0CE
Miniclip Adware infection
in Resolved Malware Removal Logs
Holy moly. Two hours and still at 49%.