Browser hijack + repeated atapi.sys file infection

[nickyr]

My IE has been hijacked, as search links go off to various places.

Also, McAfee keeps cleaning up a "PatchedSYSFile.a" trojan in atapi.sys.

I've followed the directions in other topics, results below and attached.

Please note that GMER crashes eventually while scanning files. It's crashed twice, both of the horrible "blue screen of death" variety. One was:

STOP: d0000144 Unknown Hard Error

The other, I did not fully write down, but was of the windows is shutting down to protect the hardware, and had a Driver_irql_not_less_or_equal error.

I obtained the attached ark.txt file by stopping GMER part way through the scan of Program Files.

Thanks,

Nicky Robinson

-----------------

DDS (Ver_09-12-01.01) - NTFSx86

Run by Nicky at 0:59:30.17 on Thu 01/21/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2142 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\QuickTime\QTTask.exe

D:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

C:\Program Files\adobe\acrobat 5.0\Distillr\AcroTray.exe

C:\Documents and Settings\Nicky\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\HPZinw12.exe

C:\Documents and Settings\Nicky\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sports.yahoo.com/nhl/scoreboard

uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080414

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

mWinlogon: Shell=Explorer.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File

uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [uniblue RegistryBooster 2] d:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [Google Update] "c:\documents and settings\nicky\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [ECenter] c:\dell\e-center\EULALauncher.exe

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe

mRun: [TkBellExe] c:\program files\common files\real\update_ob\evntsvc.exe -osboot

mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - d:\program files\aim95\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB

DPF: Microsoft XML Parser for Java

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {4C226336-4032-489F-9674-67E74225979B} - hxxp://otx.ifilm.com/OTXMedia/OTXMedia.dll

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxp://cs5b.instantservice.com/jars/customerxsigned33.cab

DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://zone.msn.com/binGame/ZAxRcMgr.cab

DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://portal.limelife.com/dana-cached/setup/JuniperSetupSP1.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli scecli

Hosts: 192.168.1.101 HP00163552F5FE

Hosts: 66.121.140.76 stage.sanovaden.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nicky\applic~1\mozilla\firefox\profiles\1jog43ts.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.new.facebook.com/home.php

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - component: c:\program files\mozilla firefox\components\FFHook.dll

FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll

FF - plugin: c:\documents and settings\nicky\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll

FF - plugin: c:\program files\opera\program\plugins\np_gp.dll

FF - plugin: c:\program files\opera\program\plugins\nppdf32.dll

FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 214664]

R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-11-19 58984]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-11-19 334568]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-24 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-9-24 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-9-24 144704]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-11-19 967912]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-9-24 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-9-24 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-9-24 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-9-24 40552]

S3 CpPwdSvc;CopyPwd Service;c:\program files\laplink\pcmover\cppwdsvc.exe --> c:\program files\laplink\pcmover\cppwdsvc.exe [?]

S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2005-8-3 4736]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-9-24 34248]

S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2005-8-3 8960]

=============== Created Last 30 ================

2010-01-21 08:38:29 0 ----a-w- c:\documents and settings\nicky\defogger_reenable

2010-01-18 22:38:53 0 d-----w- c:\docume~1\nicky\applic~1\Malwarebytes

2010-01-18 22:38:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-18 22:38:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-18 22:38:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-18 22:38:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-01-17 08:56:16 0 d-----w- c:\program files\Wizards of the Coast

2010-01-12 23:59:56 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-01-04 00:39:26 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-29 08:05:21 0 d-----w- c:\docume~1\nicky\applic~1\Virtual Prophecy

2009-12-29 08:04:38 0 d-----w- c:\docume~1\nicky\applic~1\Namco

2009-12-29 08:04:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Namco

2009-12-29 07:32:58 0 d-----w- c:\program files\Namco

==================== Find3M ====================

2010-01-20 18:42:49 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-01-20 18:42:49 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys

2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2008-06-19 07:17:05 0 ----a-w- c:\program files\temp01

============= FINISH: 1:01:25.78 ===============

Attach.zip

[screen317]

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
  

-screen317

[nickyr]

When I try to download ComboFix, McAfee blocks a Trojan (or so it says):

Detected: Artemis!3609DB2735BD (Trojan), Artemis!3609DB2735BD (Trojan)

Location: C:\Documents and Settings\Nicky\Local Settings\Temporary Internet Files\Content.IE5\UQRXQMZS\ComboFix[1].exe

== Nicky

[nickyr]

Figured out that this was a false positive and have done a ComboFix scan.

You asked for a new HijackThis scan... I didn't run HijackThis or provide logs from it before, since that wasn't int he instructions, although I do have it and certainly can.

Do you want logs from HijackThis, MBAM, DDS or GMER?

== Nicky

ComboFix.txt

[screen317]

Hi,

Run DDS please and post its log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

• Click Start Scanning.
  
• You should get a notification bar (on top) to install the ActiveX control.
  
• Click on it and select to install the ActiveX.
  
• Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  
• In case you are having problems with installing the ActiveX/starting the scan, please read here.
  
• Click the Full System Scan button.
  
• It will start to download scanner components and databases. This can take a while.
  
• The main scan will start.
  
• Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  
• It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  
• The cleaning can take a while, so please be patient.
  
• Then click the Show report button and Copy/Paste what is present under results in your next reply.
  

Next, download my Security Check from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

Let me know how things are running now and what issues remain.

-screen317

[nickyr]

MBAM cleaned up some issues when I ran it post-ComboFix, log data below.

DDS, F-Secure and Security Check log data below.

Hijacking of google results is repaired for the moment. I also haven't seen the atapi.sys infection lately. Since both of these keep coming back, I am not 100% certain I am clean, but I am hopeful.

Oh, and THANK YOU!!!

== Nicky

----------------

Results:

MBAM:

Files Infected:

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP644\A0101861.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP644\A0102658.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP644\A0102802.sys (Malware.Trace) -> Quarantined and deleted successfully.

DDS log:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Nicky at 3:32:24.25 on Tue 01/26/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2303 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\QuickTime\QTTask.exe

D:\Program Files\iTunes\iTunesHelper.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\adobe\acrobat 5.0\Distillr\AcroTray.exe

C:\Documents and Settings\Nicky\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\HPZinw12.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Nicky\Desktop\Malware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sports.yahoo.com/nhl/scoreboard

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [Google Update] "c:\documents and settings\nicky\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [ECenter] c:\dell\e-center\EULALauncher.exe

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe

mRun: [TkBellExe] c:\program files\common files\real\update_ob\evntsvc.exe -osboot

mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - d:\program files\aim95\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB

DPF: Microsoft XML Parser for Java

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxp://cs5b.instantservice.com/jars/customerxsigned33.cab

DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://zone.msn.com/binGame/ZAxRcMgr.cab

DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://portal.limelife.com/dana-cached/setup/JuniperSetupSP1.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nicky\applic~1\mozilla\firefox\profiles\1jog43ts.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.new.facebook.com/home.php

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - component: c:\program files\mozilla firefox\components\FFHook.dll

FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll

FF - plugin: c:\documents and settings\nicky\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll

FF - plugin: c:\program files\opera\program\plugins\nppdf32.dll

FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 214664]

R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-11-19 58984]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-11-19 334568]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-24 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-9-24 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-9-24 144704]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-11-19 967912]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-9-24 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-9-24 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-9-24 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-9-24 40552]

S3 CpPwdSvc;CopyPwd Service;c:\program files\laplink\pcmover\cppwdsvc.exe --> c:\program files\laplink\pcmover\cppwdsvc.exe [?]

S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2005-8-3 4736]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-9-24 34248]

S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2005-8-3 8960]

=============== Created Last 30 ================

2010-01-26 06:28:10 0 d-sha-r- C:\cmdcons

2010-01-26 06:26:20 98816 ----a-w- c:\windows\sed.exe

2010-01-26 06:26:20 77312 ----a-w- c:\windows\MBR.exe

2010-01-26 06:26:20 261632 ----a-w- c:\windows\PEV.exe

2010-01-26 06:26:20 161792 ----a-w- c:\windows\SWREG.exe

2010-01-21 10:53:11 0 d-----w- c:\program files\Uniblue

2010-01-21 08:38:29 0 ----a-w- c:\documents and settings\nicky\defogger_reenable

2010-01-18 22:38:53 0 d-----w- c:\docume~1\nicky\applic~1\Malwarebytes

2010-01-18 22:38:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-18 22:38:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-18 22:38:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-18 22:38:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-01-17 08:56:16 0 d-----w- c:\program files\Wizards of the Coast

2010-01-12 23:59:56 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-01-04 00:39:26 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-29 08:05:21 0 d-----w- c:\docume~1\nicky\applic~1\Virtual Prophecy

2009-12-29 08:04:38 0 d-----w- c:\docume~1\nicky\applic~1\Namco

2009-12-29 08:04:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Namco

2009-12-29 07:32:58 0 d-----w- c:\program files\Namco

==================== Find3M ====================

2010-01-25 19:17:04 96512 ----a-w- c:\windows\system32\drivers\atapi.svs

2010-01-25 19:17:04 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys

2010-01-25 19:17:04 96512 ------w- c:\windows\system32\drivers\atapi.sys

2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2008-06-19 07:17:05 0 ----a-w- c:\program files\temp01

============= FINISH: 3:33:02.87 ===============

F-Secure:

Scanning Report

Tuesday, January 26, 2010 13:43:36 - 15:41:53

Computer name: NICKY2

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\

1 malware found

DeepScan:Generic.Zlob.5C2B25B7 (virus)

* C:\MY DOWNLOAD FILES\INSTALLTRADEWINDS.EXE (Renamed & Submitted)

Statistics

Scanned:

* Files: 100259

* System: 5266

* Not scanned: 8

Actions:

* Disinfected: 0

* Renamed: 1

* Deleted: 0

* Not cleaned: 0

* Submitted: 1

Files not scanned:

* C:\HIBERFIL.SYS

* C:\PAGEFILE.SYS

* C:\WINDOWS\TEMP\MCMSC_QXXFOHTWKRTQ7Y4

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

* C:\WINDOWS\SYSTEM32\CONFIG\SAM

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options

Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

* Use advanced heuristics

Copyright

[screen317]

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterwards. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java

[screen317]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!