Computer Infected!


Help! My computer has gotten infected with malware.

Each time the infection hit, I would run Malwarebytes, delete the infections, and it would be gone for a day or so. However, last week, Malwarebytes stopped effectively killing the infection, so I wiped the C: drive. Now, just a few days after doing that, it has returned.

I ran the Malwarebytes free version and got the following log:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8377

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

12/15/2011 10:53:19 PM

mbam-log-2011-12-15 (22-53-19).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 288458

Time elapsed: 23 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> Quarantined and deleted successfully.

I came here and ran the DDS.

The DDS log:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7600.16385

Run by Kate at 22:52:04 on 2011-12-15

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3957.1831 [GMT -5:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\nvvsvc.exe

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\windows\system32\rundll32.exe

C:\windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe

C:\PROGRA~2\McAfee\MSC\mcmscsvc.exe

C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\windows\system32\LogonUI.exe

C:\windows\system32\nvvsvc.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\windows\system32\SearchIndexer.exe

c:\PROGRA~2\mcafee\msc\mcupdmgr.exe

C:\windows\system32\mfevtps.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe

C:\windows\system32\taskhost.exe

C:\windows\system32\Dwm.exe

C:\windows\system32\taskeng.exe

C:\windows\Explorer.EXE

C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe

C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe

c:\PROGRA~2\mcafee\msc\mcupdui.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe

C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\iPod\bin\iPodService.exe

C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe

c:\PROGRA~2\mcafee\SITEAD~1\saoemmgr.exe

C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe

C:\Users\Kate\AppData\Local\dns.exe

C:\Users\Kate\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Kate\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Kate\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Kate\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Users\Kate\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe

C:\Users\Kate\AppData\Local\Google\Chrome\Application\chrome.exe

C:\windows\SysWOW64\rundll32.exe

C:\Users\Kate\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Kate\AppData\Local\Google\Chrome\Application\chrome.exe

C:\windows\system32\taskhost.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files (x86)\iTunes\iTunes.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe

C:\windows\system32\conhost.exe

C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe

C:\windows\system32\conhost.exe

C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe

C:\windows\SysWOW64\ping.exe

C:\windows\system32\conhost.exe

C:\windows\system32\SearchProtocolHost.exe

C:\windows\system32\SearchFilterHost.exe

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\conhost.exe

C:\windows\SysWOW64\cscript.exe

C:\windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn

uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

mWinlogon: Userinit=userinit.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~2\mcafee\msk\mskapbho.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111215040715.dll

BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - C:\ProgramData\Partner\Partner.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [Google Update] "C:\Users\Kate\AppData\Local\Google\Update\GoogleUpdate.exe" /c

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized

uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [updateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"

mRun: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"

mRun: [updateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"

mRun: [updatePDRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"

mRun: [RemoteControl8] "C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"

mRun: [PDVD8LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe"

mRun: [updatePPShortCut] "C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0"

mRun: [updatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"

mRun: [uCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

StartupFolder: C:\Users\Kate\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\BESTBU~1.LNK - C:\Program Files (x86)\Best Buy Software Installer\Best Buy Software Installer.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

LSP: mswsock.dll

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{086461B8-159C-4B0F-BDB4-7BBE8957751E} : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{C2E12C05-8FEF-414E-9D5B-CEE9DA4C5954} : DhcpNameServer = 192.168.0.1

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\MSC\McSnIePl.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll

SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~2\mcafee\msk\mskapbho.dll

BHO-X64: McAfee Phishing Filter - No File

BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111215040715.dll

BHO-X64: scriptproxy - No File

BHO-X64: Partner BHO Class: {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll

BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll

BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [updateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"

mRun-x64: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"

mRun-x64: [updateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"

mRun-x64: [updatePDRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"

mRun-x64: [RemoteControl8] "C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"

mRun-x64: [PDVD8LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe"

mRun-x64: [updatePPShortCut] "C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0"

mRun-x64: [updatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"

mRun-x64: [uCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRunOnce-x64: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Kate\AppData\Roaming\Mozilla\Firefox\Profiles\oifow9be.default\

FF - plugin: c:\progra~2\mcafee\msc\npMcSnFFPl.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\McAfee\SiteAdvisor\NPMcFFPlg32.dll

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.0.61118.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\Kate\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: C:\Users\Kate\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

FF - plugin: C:\Users\Kate\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;C:\windows\system32\drivers\mfehidk.sys --> C:\windows\system32\drivers\mfehidk.sys [?]

R1 mfenlfk;McAfee NDIS Light Filter;C:\windows\system32\DRIVERS\mfenlfk.sys --> C:\windows\system32\DRIVERS\mfenlfk.sys [?]

R1 mfewfpk;McAfee Inc. mfewfpk;C:\windows\system32\drivers\mfewfpk.sys --> C:\windows\system32\drivers\mfewfpk.sys [?]

R1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\windows\system32\Drivers\SABI.sys --> C:\windows\system32\Drivers\SABI.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-15 366152]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe [2011-12-13 101048]

R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2011-12-15 208536]

R2 mfevtp;McAfee Validation Trust Protection Service;"C:\windows\system32\mfevtps.exe" --> C:\windows\system32\mfevtps.exe [?]

R2 TurboB;Turbo Boost UI Monitor driver;C:\windows\system32\DRIVERS\TurboB.sys --> C:\windows\system32\DRIVERS\TurboB.sys [?]

R3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\windows\system32\drivers\mbam.sys --> C:\windows\system32\drivers\mbam.sys [?]

R3 mfeavfk;McAfee Inc. mfeavfk;C:\windows\system32\drivers\mfeavfk.sys --> C:\windows\system32\drivers\mfeavfk.sys [?]

R3 mfefirek;McAfee Inc. mfefirek;C:\windows\system32\drivers\mfefirek.sys --> C:\windows\system32\drivers\mfefirek.sys [?]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]

S2 0102751323806246mcinstcleanup;McAfee Application Installer Cleanup (0102751323806246);C:\windows\TEMP\010275~1.EXE C:\PROGRA~2\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> C:\windows\TEMP\010275~1.EXE C:\PROGRA~2\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-12-13 135664]

S2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-12-15 249936]

S2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-12-15 249936]

S2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-12-15 249936]

S3 cfwids;McAfee Inc. cfwids;C:\windows\system32\drivers\cfwids.sys --> C:\windows\system32\drivers\cfwids.sys [?]

S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-4-28 704872]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-12-13 135664]

S3 mferkdet;McAfee Inc. mferkdet;C:\windows\system32\drivers\mferkdet.sys --> C:\windows\system32\drivers\mferkdet.sys [?]

S3 Partner Service;Partner Service;C:\ProgramData\Partner\Partner.exe [2010-5-17 332272]

S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]

S4 McShield;McAfee Real-time Scanner;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2011-12-15 199272]

.

=============== File Associations ===============

.

.exe=3p

.

=============== Created Last 30 ================

.

2011-12-15 19:53:34 41272 ----a-w- C:\windows\SysWow64\drivers\mbamswissarmy.sys

2011-12-15 19:53:29 -------- d-----w- C:\Users\Kate\AppData\Roaming\Malwarebytes

2011-12-15 19:53:23 -------- d-----w- C:\ProgramData\Malwarebytes

2011-12-15 19:53:20 25416 ----a-w- C:\windows\System32\drivers\mbam.sys

2011-12-15 19:53:20 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-12-15 19:47:36 -------- d-----we C:\windows\system64

2011-12-15 19:47:24 314880 ----a-w- C:\Users\Kate\AppData\Local\dns.exe

2011-12-15 09:07:26 -------- d-----w- C:\Program Files\McAfee.com

2011-12-15 09:07:16 28760 ----a-w- C:\Program Files (x86)\Mozilla Firefox\ScriptFF.dll

2011-12-15 09:07:14 10248 ----a-w- C:\windows\System32\drivers\mfeclnk.sys

2011-12-15 09:07:09 161168 ----a-w- C:\windows\System32\mfevtps.exe

2011-12-15 09:07:07 75808 ----a-w- C:\windows\System32\drivers\mfenlfk.sys

2011-12-15 09:07:07 65264 ----a-w- C:\windows\System32\drivers\cfwids.sys

2011-12-15 09:07:07 647080 ----a-w- C:\windows\System32\drivers\mfehidk.sys

2011-12-15 09:07:07 481768 ----a-w- C:\windows\System32\drivers\mfefirek.sys

2011-12-15 09:07:07 284648 ----a-w- C:\windows\System32\drivers\mfewfpk.sys

2011-12-15 09:07:07 229528 ----a-w- C:\windows\System32\drivers\mfeavfk.sys

2011-12-15 09:07:07 160280 ----a-w- C:\windows\System32\drivers\mfeapfk.sys

2011-12-15 09:07:07 100912 ----a-w- C:\windows\System32\drivers\mferkdet.sys

2011-12-15 08:08:57 99176 ----a-w- C:\windows\SysWow64\PresentationHostProxy.dll

2011-12-15 08:08:57 49472 ----a-w- C:\windows\SysWow64\netfxperf.dll

2011-12-15 08:08:57 48960 ----a-w- C:\windows\System32\netfxperf.dll

2011-12-15 08:08:57 444752 ----a-w- C:\windows\System32\mscoree.dll

2011-12-15 08:08:57 320352 ----a-w- C:\windows\System32\PresentationHost.exe

2011-12-15 08:08:57 297808 ----a-w- C:\windows\SysWow64\mscoree.dll

2011-12-15 08:08:57 295264 ----a-w- C:\windows\SysWow64\PresentationHost.exe

2011-12-15 08:08:57 1942856 ----a-w- C:\windows\System32\dfshim.dll

2011-12-15 08:08:57 1130824 ----a-w- C:\windows\SysWow64\dfshim.dll

2011-12-15 08:08:57 109912 ----a-w- C:\windows\System32\PresentationHostProxy.dll

2011-12-14 08:15:58 759296 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll

2011-12-14 08:14:59 75776 ----a-w- C:\windows\SysWow64\psisrndr.ax

2011-12-14 08:13:58 404992 ----a-w- C:\windows\System32\umpnpmgr.dll

2011-12-14 08:12:58 720896 ----a-w- C:\windows\System32\odbc32.dll

2011-12-14 07:00:00 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-12-14 04:27:54 -------- d-----w- C:\Users\Kate\AppData\Local\Adobe

2011-12-13 21:31:33 230400 ----a-w- C:\windows\System32\Spool\prtprocs\x64\hpzppw71.dll

2011-12-13 20:52:16 -------- d-----w- C:\Users\Kate\AppData\Local\Apple Computer

2011-12-13 20:52:11 34152 ----a-w- C:\windows\System32\drivers\GEARAspiWDM.sys

2011-12-13 20:52:11 126312 ----a-w- C:\windows\System32\GEARAspi64.dll

2011-12-13 20:52:11 107368 ----a-w- C:\windows\SysWow64\GEARAspi.dll

2011-12-13 20:51:29 -------- d-----w- C:\Program Files\iPod

2011-12-13 20:51:28 -------- d-----w- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}

2011-12-13 20:51:28 -------- d-----w- C:\Program Files (x86)\iTunes

2011-12-13 20:51:27 -------- d-----w- C:\Program Files\iTunes

2011-12-13 20:51:01 -------- d-----w- C:\Users\Kate\AppData\Local\Apple

2011-12-13 20:50:33 -------- d-----w- C:\Program Files\Bonjour

2011-12-13 20:50:33 -------- d-----w- C:\Program Files (x86)\Bonjour

2011-12-13 20:36:49 4398360 ----a-w- C:\windows\System32\d3dx9_32.dll

2011-12-13 20:36:49 3426072 ----a-w- C:\windows\SysWow64\d3dx9_32.dll

2011-12-13 20:33:58 83249512 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\wlc9F1E.tmp

2011-12-13 20:32:14 14744 ----a-w- C:\Users\Kate\AppData\Roaming\Microsoft\IdentityCRL\Production\ppcrlconfig.dll

2011-12-13 20:31:58 -------- d-----w- C:\Users\Kate\Tracing

2011-12-13 20:31:30 -------- d-----w- C:\Users\Kate\AppData\Local\{80C7C428-E568-4152-B6F9-C0FAD8361B20}

2011-12-13 20:22:55 -------- d-----w- C:\Users\Kate\AppData\Local\{A2BC5384-025A-4C71-BCAC-4329744EA224}

2011-12-13 20:17:27 -------- d-----w- C:\Users\Kate\AppData\Local\{1859A292-B4E7-4354-85C0-E3A90A3AA0A4}

2011-12-13 20:12:50 -------- d-----r- C:\Program Files (x86)\Skype

2011-12-13 19:26:56 -------- d-----w- C:\Program Files (x86)\PhanTim3

2011-12-13 19:19:40 -------- d-----w- C:\Users\Kate\AppData\Local\Deployment

2011-12-13 19:19:40 -------- d-----w- C:\Users\Kate\AppData\Local\Apps

2011-12-13 19:18:23 -------- d-----w- C:\Users\Kate\AppData\Local\Google

2011-12-13 19:17:26 -------- d-----w- C:\Users\Kate\AppData\Local\Power2Go

2011-12-13 19:17:04 220672 ----a-w- C:\windows\System32\wintrust.dll

2011-12-13 19:17:04 172032 ----a-w- C:\windows\SysWow64\wintrust.dll

2011-12-13 19:17:00 139264 ----a-w- C:\windows\System32\cabview.dll

2011-12-13 19:17:00 132608 ----a-w- C:\windows\SysWow64\cabview.dll

2011-12-13 19:16:10 -------- d-----w- C:\Users\Kate\AppData\Local\VirtualStore

.

==================== Find3M ====================

.

2011-11-24 05:00:47 3141632 ----a-w- C:\windows\System32\win32k.sys

2011-11-05 05:26:29 1197568 ----a-w- C:\windows\System32\wininet.dll

2011-11-05 05:23:10 57856 ----a-w- C:\windows\System32\licmgr10.dll

2011-11-05 05:17:42 2048 ----a-w- C:\windows\System32\tzres.dll

2011-11-05 04:35:50 981504 ----a-w- C:\windows\SysWow64\wininet.dll

2011-11-05 04:34:15 44544 ----a-w- C:\windows\SysWow64\licmgr10.dll

2011-11-05 04:30:11 2048 ----a-w- C:\windows\SysWow64\tzres.dll

2011-11-05 04:07:32 482816 ----a-w- C:\windows\System32\html.iec

2011-11-05 03:28:41 386048 ----a-w- C:\windows\SysWow64\html.iec

2011-11-05 03:25:44 1638912 ----a-w- C:\windows\System32\mshtml.tlb

2011-11-05 02:55:38 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb

2011-10-26 05:19:07 43520 ----a-w- C:\windows\System32\csrsrv.dll

2011-10-15 06:25:12 723456 ----a-w- C:\windows\System32\EncDec.dll

2011-10-15 05:48:52 534528 ----a-w- C:\windows\SysWow64\EncDec.dll

2011-09-29 16:24:44 1897328 ----a-w- C:\windows\System32\drivers\tcpip.sys

.

============= FINISH: 22:52:34.17 ===============

And the other "Attach" log from the DDS:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 12/13/2011 2:13:17 PM

System Uptime: 12/15/2011 3:38:53 AM (19 hours ago)

.

Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | Q430/Q530

Processor: Intel® Core i5 CPU M 450 @ 2.40GHz | CPU 1 | 2400/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 100 GiB total, 69.508 GiB free.

D: is FIXED (NTFS) - 351 GiB total, 135.026 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP20: 12/13/2011 2:14:09 PM - Installed YouCam

RP21: 12/13/2011 2:17:37 PM - Windows Update

RP22: 12/13/2011 2:48:54 PM - Installed Intel® Turbo Boost Technology Monitor

RP23: 12/13/2011 3:17:19 PM - CheckIfInstallerIsBusy

RP24: 12/13/2011 3:22:47 PM - CheckIfInstallerIsBusy

RP25: 12/13/2011 3:31:21 PM - CheckIfInstallerIsBusy

RP26: 12/13/2011 3:36:40 PM - Installed DirectX

RP27: 12/13/2011 3:51:01 PM - Installed iTunes

RP28: 12/15/2011 3:00:13 AM - Windows Update

RP29: 12/15/2011 7:34:00 AM - Installed Intel® Turbo Boost Technology Monitor

.

==== Installed Programs ======================

.

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Reader 9.1

Apple Application Support

Apple Software Update

Atheros Client Installation Program

BatteryLifeExtender

Best Buy Software Installer

ChargeableUSB

CyberLink DVD Suite

CyberLink LabelPrint

CyberLink Power2Go

CyberLink PowerDirector

CyberLink PowerDVD 8

CyberLink PowerProducer

CyberLink YouCam

Easy Content Share

Easy Display Manager

Easy Network Manager

Easy SpeedUp Manager

EasyBatteryManager

EasyFileShare

Google Chrome

Google Talk Plugin

Google Toolbar for Internet Explorer

Google Update Helper

Intel® Rapid Storage Technology

Intel® Turbo Boost Technology Driver

Junk Mail filter update

Malwarebytes' Anti-Malware version 1.51.2.1300

Marvell Miniport Driver

McAfee SecurityCenter

Microsoft Choice Guard

Microsoft Office 2010

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Mozilla Firefox 8.0.1 (x86 en-US)

MSVCRT

MultimediaPOP

PhanTim3

Realtek High Definition Audio Driver

Samsung Recovery Solution 4

Samsung Support Center

Samsung Update Plus

Skype™ 5.5

User Guide

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Mail

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

.

==== Event Viewer Messages From Past Week ========

.

12/15/2011 8:10:36 PM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.

12/15/2011 3:40:56 AM, Error: Service Control Manager [7023] -

12/15/2011 3:38:18 AM, Error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

12/15/2011 3:38:07 AM, Error: Service Control Manager [7034] - The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly. It has done this 1 time(s).

12/15/2011 3:37:53 AM, Error: Service Control Manager [7034] - The McAfee Anti-Spam Service service terminated unexpectedly. It has done this 1 time(s).

12/15/2011 3:37:47 AM, Error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.

12/15/2011 3:37:44 AM, Error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

12/14/2011 2:56:59 PM, Error: cdrom [11] - The driver detected a controller error on \Device\CdRom0.

.

==== End Of File ===========================

Thank you for your help!

-Kate


  • 2 weeks later...
  • Staff

Hi and welcome to Malwarebytes.

Don't use quote or code tags please.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


  • 1 month later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
