Jump to content

H8SRT Rootkit & krl32mainweq Trojan


Recommended Posts

I've seen a few posts lately with roughly the same issue, so I can take solace in the fact that I am not the only one beating my head on the desk trying to get rid of these two items. The short and dirty:

> Fought the Malware Defense issue.. won (I think)

> Now trying to get rid of the H8SRT rootkit and the krl32mainweq.dll Trojan.DNSChanger.. after numerous attempts unable to get rid of them

> I found these two items while ridding myself of the Malware Defense pop-up virus and redirect issue

> McAfee doesn't show up in the system tray

> Firefox keeps asking me if I want it to be my default browser (I do, but never had to keep verifying this option before)

> All windows and McAfee programs are up to date

Any help would be greatly appreciated.

============================

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.43

Database version: 3486

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/3/2010 11:40:06 AM

mbam-log-2010-01-03 (11-40-06).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 193255

Time elapsed: 27 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

===========================

DDS Log:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Owner at 15:10:25.60 on Sun 01/03/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.925 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Digital Media Reader\shwicon2k.exe

C:\Program Files\Common Files\AOL\1235253170\ee\AOLSoftware.exe

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\program files\aol toolbar\AolTbServer.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX7533

uStart Page = hxxp://www.aol.com

uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/eol_pre_falcon.asp?src=RegWiz&affid=370&langid=1&cid=54002

mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX7533

uURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [Power2GoExpress] NA

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERe.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [<NO NAME>]

mRun: [sunKist] c:\program files\digital media reader\shwicon2k.exe

mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe

mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide

mRun: [HostManager] c:\program files\common files\aol\1235253170\ee\AOLSoftware.exe

mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe

IE: &AOL Toolbar Search - c:\documents and settings\all users\application data\aol\ietoolbar\resources\en-us\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\2urf5qar.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214664]

R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-21 93320]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2009-2-21 200192]

R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]

R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-2 38224]

S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-21 359952]

S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-21 144704]

S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\owner\locals~1\temp\safe to delete 3_0_4_8\amdmsrio.sys --> c:\docume~1\owner\locals~1\temp\safe to delete 3_0_4_8\AMDMSRIO.sys [?]

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2009-2-21 69692]

S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-21 606736]

S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-21 79816]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-21 35272]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-21 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-21 40552]

=============== Created Last 30 ================

2010-01-03 20:09:24 0 ----a-w- c:\documents and settings\owner\defogger_reenable

2010-01-03 19:06:04 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-01-03 19:02:52 0 d-----w- c:\windows\pss

2010-01-03 18:59:28 0 d-----w- c:\program files\SUPERAntiSpyware

2010-01-03 18:59:28 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com

2010-01-03 16:49:57 8212 ----a-w- c:\windows\mfebcdata

2010-01-03 16:43:19 860 ----a-w- c:\windows\system32\krl32mainweq.dll

2010-01-03 15:04:54 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-01-03 14:58:19 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-01-03 14:58:19 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-01-03 02:26:34 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes

2010-01-03 02:21:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-03 02:21:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-03 02:21:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-03 02:21:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-12-07 15:45:50 54156 ---ha-w- c:\windows\QTFont.qfn

2009-12-07 15:45:50 1409 ----a-w- c:\windows\QTFont.for

==================== Find3M ====================

2009-11-22 12:59:25 386 ----a-w- c:\docume~1\owner\applic~1\wklnhst.dat

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2009-03-07 19:20:33 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021620090223\index.dat

2009-03-07 19:20:33 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030720090308\index.dat

============= FINISH: 15:10:46.62 ===============

Thanks again for your time,

-PR

Attach.zip

Link to post
Share on other sites

Hello PRyder

Welcome to Malwarebytes.

=====================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Link to post
Share on other sites

Thank you for the quick response. The laptop which houses this problem is strictly for the wife's email and websurfing. No online banking or other online transactions are ever processed through that machine, and I have terminated the online accessibility (once the troubleshooting scripts were run) until these programs are a distant memory. The laptop was a gift from a relative, and the original OS discs were never provided. I'd like to try and disinfect the laptop first and if that is unsuccessful, then pursue the OS reinstall route.

-PR

Link to post
Share on other sites

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Link to post
Share on other sites

I was unable to completely terminate the McAfee process prior to running Combofix for some reason.. and another AV program decided to stick around (SAVS) as well.. I hope this doesn't skew the logs (if so, I'll run again, now that I've deleted SAVS. Also FYI, after running combofix I actually have the McAfee icon back in the system tray and Firefox did not ask me to confirm the default browser.

ComboFix 10-01-03.03 - Owner 01/03/2010 20:18:55.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1070 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\CFix.exe

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\S-1-5-21-1191394680-952741264-1035232705-1003

c:\windows\system32\drivers\H8SRTwbxxnbmuvw.sys

c:\windows\system32\H8SRTejwndpbiva.dat

c:\windows\system32\H8SRTgvpxeoascn.dll

c:\windows\system32\H8SRTqxsiuthxrb.dll

c:\windows\system32\H8SRTthelwkltbe.dll

c:\windows\system32\srcr.dat

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_H8SRTd.sys

-------\Legacy_H8SRTd.sys

((((((((((((((((((((((((( Files Created from 2009-12-04 to 2010-01-04 )))))))))))))))))))))))))))))))

.

2010-01-03 19:06 . 2010-01-03 19:06 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-01-03 19:06 . 2010-01-03 19:06 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-01-03 19:06 . 2010-01-03 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-01-03 18:59 . 2010-01-03 20:06 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-01-03 18:59 . 2010-01-03 18:59 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com

2010-01-03 16:43 . 2010-01-04 01:03 860 ----a-w- c:\windows\system32\krl32mainweq.dll

2010-01-03 15:04 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-01-03 14:58 . 2010-01-03 14:58 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-01-03 14:57 . 2010-01-03 14:57 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2010-01-03 14:56 . 2010-01-03 14:56 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-01-03 02:26 . 2010-01-03 02:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-01-03 02:21 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-03 02:21 . 2010-01-03 20:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-03 02:21 . 2010-01-03 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-01-03 02:21 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-03 01:26 . 2010-01-03 01:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-03 23:16 . 2009-02-21 21:59 386 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat

2010-01-03 15:03 . 2009-05-03 09:47 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM

2010-01-03 14:57 . 2009-02-21 20:51 -------- d-----w- c:\program files\Java

2009-12-18 10:43 . 2009-02-21 21:02 -------- d-----w- c:\program files\McAfee

2009-12-01 23:05 . 2009-12-01 23:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

2009-12-01 19:22 . 2009-02-21 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-11-21 15:51 . 2009-02-21 20:21 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-16 14:05 . 2009-02-21 21:01 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-10-29 07:45 . 2006-05-07 00:24 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 05:38 . 2009-02-21 20:27 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2009-02-21 20:23 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2009-02-21 20:23 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2009-02-21 20:26 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2009-02-21 20:27 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2009-02-21 20:27 79872 ----a-w- c:\windows\system32\raschap.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERe.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 344064]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]

"SunKist"="c:\program files\Digital Media Reader\shwicon2k.exe" [2004-05-27 139264]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

"HostManager"="c:\program files\Common Files\AOL\1235253170\ee\AOLSoftware.exe" [2008-11-06 41264]

"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-19 591696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-03 149280]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\Common Files\\AOL\\1235253170\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.5\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/21/2009 3:54 PM 93320]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2/21/2009 3:40 PM 200192]

S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys --> c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys [?]

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2/21/2009 3:37 PM 69692]

S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]

.

Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2009-02-21 00:12]

2009-02-21 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2009-02-21 00:12]

2009-02-21 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-21 16:22]

2009-02-21 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-21 16:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.aol.com

uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/eol_pre_falcon.asp?src=RegWiz&affid=370&langid=1&cid=54002

IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2urf5qar.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-03 20:29

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2052)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe

c:\program files\Common Files\AOL\ACS\AOLAcsd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\windows\system32\Ati2evxx.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\McAfee\MSK\MskSrver.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\system32\wdfmgr.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

.

**************************************************************************

.

Completion time: 2010-01-03 20:33:55 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-04 01:33

Pre-Run: 41,255,989,248 bytes free

Post-Run: 41,441,640,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 50F7AFCD9E40AC96EF87D945EBC8ACCC

Link to post
Share on other sites

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

=====

* Go here to run an online scannner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Link to post
Share on other sites

Latest MBAM scan/log:

Malwarebytes' Anti-Malware 1.43

Database version: 3494

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/4/2010 6:37:31 PM

mbam-log-2010-01-04 (18-37-31).txt

Scan type: Quick Scan

Objects scanned: 105036

Time elapsed: 6 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

..............

ESET Scan/Log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=a805b45dc3f36c4b8bd43ae06c8731cb

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-01-05 12:49:40

# local_time=2010-01-04 07:49:40 (-0500, Eastern Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=5121 16776533 100 96 3102466 14657741 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=61368

# found=1

# cleaned=1

# scan_time=3566

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\H8SRTwbxxnbmuvw.sys.vir a variant of Win32/Rootkit.Kryptik.AG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Link to post
Share on other sites

From what I can tell, things seem to be back to normal (knock on wood). Firefox doesn't give me the nag screen anymore, McAfee is back in the system tray where it should, etc. Here is the DDS log:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Owner at 22:51:15.14 on Mon 01/04/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1051 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Digital Media Reader\shwicon2k.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Common Files\AOL\1235253170\ee\AOLSoftware.exe

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com

uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/eol_pre_falcon.asp?src=RegWiz&affid=370&langid=1&cid=54002

uURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll

uRun: [Power2GoExpress] NA

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [sunKist] c:\program files\digital media reader\shwicon2k.exe

mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe

mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide

mRun: [HostManager] c:\program files\common files\aol\1235253170\ee\AOLSoftware.exe

mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe

IE: &AOL Toolbar Search - c:\documents and settings\all users\application data\aol\ietoolbar\resources\en-us\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\2urf5qar.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214664]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-21 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-21 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-21 144704]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2009-2-21 200192]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-21 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-21 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-21 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-21 40552]

S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\owner\locals~1\temp\safe to delete 3_0_4_8\amdmsrio.sys --> c:\docume~1\owner\locals~1\temp\safe to delete 3_0_4_8\AMDMSRIO.sys [?]

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2009-2-21 69692]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-21 34248]

=============== Created Last 30 ================

2010-01-04 23:43:34 0 d-----w- c:\program files\ESET

2010-01-04 01:10:45 0 d-sha-r- C:\cmdcons

2010-01-04 01:09:15 98816 ----a-w- c:\windows\sed.exe

2010-01-04 01:09:15 77312 ----a-w- c:\windows\MBR.exe

2010-01-04 01:09:15 261632 ----a-w- c:\windows\PEV.exe

2010-01-04 01:09:15 161792 ----a-w- c:\windows\SWREG.exe

2010-01-03 20:09:24 0 ----a-w- c:\documents and settings\owner\defogger_reenable

2010-01-03 19:02:52 0 d-----w- c:\windows\pss

2010-01-03 15:04:54 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-01-03 14:58:19 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-01-03 14:58:19 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-01-03 02:26:34 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes

2010-01-03 02:21:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-03 02:21:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-03 02:21:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-03 02:21:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-12-07 15:45:50 54156 ---ha-w- c:\windows\QTFont.qfn

2009-12-07 15:45:50 1409 ----a-w- c:\windows\QTFont.for

==================== Find3M ====================

2010-01-03 23:16:05 386 ----a-w- c:\docume~1\owner\applic~1\wklnhst.dat

2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2009-03-07 19:20:33 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021620090223\index.dat

2009-03-07 19:20:33 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030720090308\index.dat

============= FINISH: 22:51:58.15 ===============

Thank you very much for your time and expertise, Kahdah. This is very much appreciated. Donation will definitely be forthcoming.

-PR

Link to post
Share on other sites

You are welcome :D

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

======Next======

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Delete\uninstall anything else that we have used that is leftover.

=====================================

After that your all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent,Limewire etc...

Link to post
Share on other sites

You are welcome :D

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :P

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.