
browser redirect problem


Rhiana


I used Malware Bytes to remove a virus, which it did, but I am still having a problem with browser redirects.

DDS log file:

DDS (Ver_09-12-01.01) - NTFSx86

Run by HP_Owner at 7:58:47.73 on 2010/02/25

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.387 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Creative\Shared Files\CTDevSrv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\LxrSII1s.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\wuauclt.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\hphmon06.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Micro Innovations Internet Access Pro\PS2USBKbdDrv.exe

C:\Program Files\Browser Mouse\MOffice.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Windows Live\Device Manager\msgrdvmn.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

J:\steam\steam.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

C:\Program Files\Browser Mouse\MOUSE32A.EXE

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - No File

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {35065594-9169-4A34-B167-FC4865038E53} - No File

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll

uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R

uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [steam] "j:\steam\steam.exe" -silent

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [WindowsLivePhone] "c:\program files\windows live\device manager\msgrdvmn.exe" /AutoRun

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe

mRun: [HPHmon06] c:\windows\system32\hphmon06.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [WireLessKeyboard] c:\program files\micro innovations internet access pro\PS2USBKbdDrv.exe

mRun: [FLMOFFICE4DMOUSE] c:\program files\browser mouse\MOffice.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [WindowsLivePhone] c:\program files\windows live\device manager\msgrdvmn.exe /AutoRun

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61}

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

Trusted Zone: addictinggames.com\www

Trusted Zone: af.mil\guest.my

Trusted Zone: hotmail.com

Trusted Zone: internet

Trusted Zone: live.com

Trusted Zone: live.com\*.mail

Trusted Zone: live.com\account

Trusted Zone: mcafee.com

Trusted Zone: msn.com

Trusted Zone: passport.com

Trusted Zone: yahoo.com\mail

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131850425687

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.15.44/ttinst.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {9449D774-7A5F-455B-BC2A-E32EB90D8C4B} = 68.94.156.1,68.94.157.1

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\gt3xjy5e.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\hp_owner\application data\real\rhapsodyplayerengine\nprhapengine.dll

FF - plugin: c:\documents and settings\hp_owner\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

FF - plugin: j:\itunes\mozilla plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2005-9-25 4064]

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-17 214664]

R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007-3-1 72672]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-29 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-17 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-12-17 144704]

R2 tmpreflt;tmpreflt;c:\progra~1\vcom\fix-it\tmpreflt.sys [2006-9-7 31248]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2006-11-26 113896]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-17 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-17 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-17 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-17 40552]

S2 mrtRate;mrtRate; [x]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-17 34248]

=============== Created Last 30 ================

2010-02-25 12:50:36 0 ----a-w- c:\documents and settings\hp_owner\defogger_reenable

2010-02-25 12:44:14 1374 ----a-w- c:\windows\imsins.BAK

2010-02-24 21:27:33 0 d-----w- c:\docume~1\hp_owner\applic~1\Malwarebytes

2010-02-24 21:27:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-24 21:27:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-02-24 21:27:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-24 21:27:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-15 19:51:01 28 ----a-w- c:\windows\pdf995.ini

2010-02-11 03:16:10 41872 ----a-w- c:\windows\system32\xfcodec.dll

2010-02-09 03:40:14 58516 ----a-w- c:\documents and settings\hp_owner\.recently-used.xbel

2010-02-02 01:50:51 0 d-----w- c:\program files\LEGO Media

2010-01-26 21:48:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Knowledge Adventure

2010-01-26 21:46:34 75 ----a-w- c:\windows\ka.ini

2010-01-26 21:46:11 0 d-----w- c:\program files\common files\Knowledge Adventure

2010-01-26 21:45:24 0 d-----w- c:\program files\Unity

2010-01-26 13:09:58 0 d-----w- c:\program files\JRE

2010-01-26 13:09:12 0 d-----w- c:\program files\OpenOffice.org 3

==================== Find3M ====================

2010-02-25 06:04:19 69 ----a-w- c:\documents and settings\hp_owner\jagex_runescape_preferences.dat

2010-02-25 05:51:32 69 ----a-w- c:\documents and settings\hp_owner\jagex_runescape_preferences2.dat

2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

2005-07-25 19:13:23 32 --sha-w- c:\windows\{0309650E-08EA-4D5B-8401-DF876D54B70C}.dat

2005-07-25 19:13:55 32 --sha-w- c:\windows\{AEA72173-69E5-43DA-AE45-087143DE4F05}.dat

2005-07-25 19:14:18 32 --sha-w- c:\windows\{F6CB59D7-6D67-46C2-9175-DE347E6BD838}.dat

2006-08-10 16:06:35 80 --sh--r- c:\windows\system32\8652B6C478.dll

2008-09-14 12:35:24 872506 --sha-w- c:\windows\system32\fPVCJRqr.ini2

2008-12-10 12:52:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121020081211\index.dat

============= FINISH: 8:01:48.51 ===============

Thank you for your help.

attach.zip

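The DDS log above (and the ComboFix log posted later in the thread) lists files one per line: a timestamp, a size, an eight-character attribute mask and a path. When reading such a log, two cues are worth pulling out before anything else: plain files under the Windows folder that carry both the Hidden and System attributes, and files directly under c:\windows or system32 whose name is a bare run of hex digits. The script below is an added example written for this thread; it is not part of DDS, ComboFix or Malwarebytes. It parses both the single-timestamp DDS form and the two-timestamp ComboFix form, applies those two cues, and runs over sample lines copied from the logs posted here. The function names, the watched folders and the five-digit threshold are the example's own choices.

```python
r"""Triage helper for the file-listing lines of DDS and ComboFix logs.

Added example for this thread, not part of either tool. It understands the two
line shapes seen in the logs posted here:

  DDS:      2010-02-24 21:27:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
  ComboFix: 2010-02-25 05:49 . 2005-12-02 22:14 1324 ----a-w- c:\windows\system32\d3d9caps.dat

The 8-character mask uses 'd' for directory, 's' for System, 'h' for Hidden,
'a' for Archive and 'w'/'r' for writable/read-only.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Timestamp, optional ComboFix " . <created timestamp>", size (or dashes for a
# directory), attribute mask, then the path to end of line.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r" (?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>\S.*)$"
)

# Stems made only of hex digits, e.g. 8652B6C478.dll. Heuristic: a cue to verify
# the file (publisher signature, known-good hash), not a verdict on its own.
HEX_STEM_RE = re.compile(r"^[0-9a-f]{5,}$")

# Folders where a bare hex-digit file name deserves a second look (example's choice).
WATCHED_DIRS = ("c:\\windows", "c:\\windows\\system32")


@dataclass
class FileEntry:
    timestamp: str
    size: Optional[int]  # None when the tool printed dashes (directories)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        """A plain file with both Hidden and System set."""
        return "s" in self.attrs and "h" in self.attrs and not self.is_dir


def parse_entry(line: str) -> Optional[FileEntry]:
    """Parse one DDS/ComboFix file line; return None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return FileEntry(f"{m['date']} {m['time']}", size, m["attrs"], m["path"])


def odd_system_name(path: str) -> bool:
    """True for a file directly in a watched folder whose stem is only hex digits."""
    folder, _, name = path.lower().rpartition("\\")
    if folder not in WATCHED_DIRS:
        return False
    stem = name.rsplit(".", 1)[0]
    return bool(HEX_STEM_RE.match(stem))


def triage(log_text: str) -> List[str]:
    """Return one finding per suspicious line: '<path>  <- reason, reason'."""
    findings: List[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_entry(line)
        # Bare path lines (ComboFix's "Other Deletions" section) still get the name check.
        path = entry.path if entry else line
        reasons = []
        if entry and entry.hidden_system:
            reasons.append("hidden+system file")
        if odd_system_name(path):
            reasons.append("hex-digit name under %windir%")
        if reasons:
            findings.append(f"{path}  <- {', '.join(reasons)}")
    return findings


# Sample input: lines copied from the DDS and ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
2010-02-24 21:27:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2006-08-10 16:06:35 80 --sh--r- c:\windows\system32\8652B6C478.dll
2008-09-14 12:35:24 872506 --sha-w- c:\windows\system32\fPVCJRqr.ini2
2005-07-25 19:13:23 32 --sha-w- c:\windows\{0309650E-08EA-4D5B-8401-DF876D54B70C}.dat
2010-02-24 21:27 . 2010-02-24 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-25 05:49 . 2005-12-02 22:14 1324 ----a-w- c:\windows\system32\d3d9caps.dat
c:\windows\system32\12245200.dll
c:\windows\system32\xfcodec.dll
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample above the script reports four lines: the two hidden+system files in system32, the hidden+system .dat under c:\windows, and the bare numeric-named DLL. Both cues are starting points for a helper, not verdicts: Windows XP ships legitimate hex-named files in system32 (the code-page files 12520437.cpx and 12520850.cpx match the name heuristic), so anything flagged is checked against its digital signature or a known-good hash before it goes on a removal list.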

Hi Rhiana,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Run Combofix:

Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix.

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

Double click combofix.exe and follow the prompts.

If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it


Thank you for helping me.

I downloaded ComboFix, disabled the firewall etc., and ran it.

The first time I was bluescreened: Bad_Pool_Caller.

Tried again and here is the log:

ComboFix 10-02-25.02 - HP_Owner 2010/02/26 8:54.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.500 [GMT -5:00]

Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\mspaint.exe

C:\Thumbs.db

c:\windows\COUPON~1.OCX

c:\windows\CouponPrinter.ocx

c:\windows\dat.txt

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\srchasst\nls302en.lex

c:\windows\system32\12245200.dll

c:\windows\system32\1347323.dll

c:\windows\system32\17473000.dll

c:\windows\system32\18768232.dll

c:\windows\system32\26230872.dll

c:\windows\system32\308007.dll

c:\windows\system32\31666386.dll

c:\windows\system32\3187332.dll

c:\windows\system32\32664135.dll

c:\windows\system32\37722.dll

c:\windows\system32\3925409.dll

c:\windows\system32\4401450.dll

c:\windows\system32\7184900.dll

c:\windows\system32\7469280.dll

c:\windows\system32\8111400.dll

c:\windows\system32\8276754.dll

c:\windows\system32\927160.dll

c:\windows\system32\fPVCJRqr.ini2

c:\windows\system32\ps2.bat

c:\windows\system32\reg.dll

c:\windows\system32\sys.dll

c:\windows\viassary-hp.reg

D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - Kitty ate it :)

.

((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))

.

2010-02-24 21:27 . 2010-02-24 21:27 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes

2010-02-24 21:27 . 2010-02-24 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-15 19:51 . 2010-02-15 19:51 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\pdf995

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-26 06:00 . 2009-09-03 00:33 69 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences2.dat

2010-02-26 05:08 . 2008-09-13 04:09 69 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat

2010-02-25 06:05 . 2007-10-02 00:55 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Xfire

2010-02-25 05:49 . 2005-12-02 22:14 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-02-25 04:04 . 2009-09-05 05:20 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\uTorrent

2010-02-25 02:58 . 2007-10-02 00:55 -------- d-s---w- c:\program files\Xfire

2010-02-25 02:31 . 2010-01-26 21:45 -------- d-----w- c:\program files\Unity

2010-02-25 02:20 . 2010-02-24 21:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-24 14:16 . 2009-10-03 01:11 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-20 15:37 . 2008-12-18 02:24 -------- d-----w- c:\program files\McAfee

2010-02-15 19:51 . 2007-02-02 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995

2010-02-15 15:38 . 2008-02-11 17:36 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\TaxCut

2010-02-15 15:22 . 2008-02-11 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut

2010-02-11 03:16 . 2010-02-11 03:16 41872 ----a-w- c:\windows\system32\xfcodec.dll

2010-02-09 03:40 . 2009-10-13 17:34 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\gtk-2.0

2010-02-02 16:28 . 2010-02-02 01:50 -------- d-----w- c:\program files\LEGO Media

2010-02-02 04:29 . 2005-06-07 07:18 46632 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-02 01:50 . 2004-08-07 21:08 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-26 21:48 . 2010-01-26 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Knowledge Adventure

2010-01-26 21:46 . 2010-01-26 21:46 -------- d-----w- c:\program files\Common Files\Knowledge Adventure

2010-01-26 21:45 . 2010-01-26 21:45 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\InstallShield

2010-01-26 13:09 . 2010-01-26 13:09 -------- d-----w- c:\program files\JRE

2010-01-26 13:09 . 2010-01-26 13:09 -------- d-----w- c:\program files\OpenOffice.org 3

2010-01-26 13:07 . 2004-08-07 19:36 -------- d-----w- c:\program files\Java

2010-01-07 21:07 . 2010-02-24 21:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07 . 2010-02-24 21:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-06 01:17 . 2010-01-06 01:17 -------- d-----w- c:\program files\SMART Technologies Inc

2010-01-02 23:13 . 2005-08-07 22:28 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Apple Computer

2010-01-02 22:32 . 2010-01-02 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2010-01-02 22:31 . 2010-01-02 22:31 -------- d-----w- c:\program files\iPod

2010-01-02 22:31 . 2010-01-02 22:24 -------- d-----w- c:\program files\Common Files\Apple

2010-01-02 22:30 . 2006-04-12 14:38 -------- d-----w- c:\program files\QuickTime

2010-01-02 22:28 . 2004-08-07 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-01-02 22:26 . 2010-01-02 22:26 -------- d-----w- c:\program files\Apple Software Update

2009-12-31 16:50 . 2004-08-07 18:47 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-30 20:55 . 2008-06-18 17:14 -------- d-----w- c:\program files\Electronic Arts

2009-12-21 19:14 . 2004-08-07 18:47 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-17 21:46 . 2009-12-17 21:46 106016 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-12-14 07:08 . 2004-08-07 18:46 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:27 . 2004-08-07 18:47 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-04 05:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2004-08-07 18:47 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2005-07-25 19:13 . 2005-07-25 19:13 32 --sha-w- c:\windows\{0309650E-08EA-4D5B-8401-DF876D54B70C}.dat

2005-07-25 19:13 . 2005-07-25 19:13 32 --sha-w- c:\windows\{AEA72173-69E5-43DA-AE45-087143DE4F05}.dat

2005-07-25 19:14 . 2005-07-25 19:14 32 --sha-w- c:\windows\{F6CB59D7-6D67-46C2-9175-DE347E6BD838}.dat

2006-08-10 16:06 . 2006-08-10 15:25 80 --sh--r- c:\windows\system32\8652B6C478.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"Steam"="j:\steam\steam.exe" [2010-02-20 1217872]

"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]

"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 180269]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"WireLessKeyboard"="c:\program files\Micro Innovations Internet Access Pro\PS2USBKbdDrv.exe" [2005-09-12 528384]

"FLMOFFICE4DMOUSE"="c:\program files\Browser Mouse\MOffice.exe" [2007-06-24 958464]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"nwiz"="nwiz.exe" [2007-12-05 1626112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-8-7 16423]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]

2009-09-03 21:17 3342336 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2009-09-13 09:09 133104 ----atw- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-11-12 21:33 141600 ----a-w- j:\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]

2008-08-21 15:16 267296 ----a-w- c:\program files\Microsoft LifeChat\LifeChat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickenScheduledUpdates]

2008-01-04 21:39 87328 ----a-w- c:\program files\Quicken\bagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScannerPro]

2006-09-07 23:28 57344 ----a-w- c:\progra~1\VCOM\Fix-It\MemCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsLivePhone]

2008-12-22 18:59 787816 ----a-w- c:\program files\Windows Live\Device Manager\msgrdvmn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"Bonjour Service"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"usnjsvc"=3 (0x3)

"Pml Driver HPZ12"=2 (0x2)

"MDM"=2 (0x2)

"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Morpheus\\Morpheus.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Blockland\\Blockland.exe"=

"c:\\Program Files\\Xfire\\Xfire.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=

"c:\\Program Files\\Infogrames\\Robot Arena 2\\Robot Arena 2.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"j:\\Steam\\Steam.exe"=

"j:\\Steam\\steamapps\\common\\oblivion\\OblivionLauncher.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"j:\\iTunes\\iTunes.exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2005/09/25 10:42 PM 4064]

R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007/03/01 2:27 PM 72672]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009/07/29 8:14 AM 93320]

R2 tmpreflt;tmpreflt;c:\progra~1\VCOM\Fix-It\tmpreflt.sys [2006/09/07 6:06 PM 31248]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006/11/03 6:19 PM 13592]

R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2006/11/26 9:49 PM 113896]

S2 mrtRate;mrtRate; [x]

.

Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904473242-2361271913-296778801-501Core.job

- c:\documents and settings\Guest\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-11 06:41]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904473242-2361271913-296778801-501UA.job

- c:\documents and settings\Guest\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-11 06:41]

2010-02-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-18 16:22]

2010-02-22 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-18 16:22]

2010-02-26 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: addictinggames.com\www

Trusted Zone: af.mil\guest.my

Trusted Zone: hotmail.com

Trusted Zone: internet

Trusted Zone: live.com

Trusted Zone: live.com\*.mail

Trusted Zone: live.com\account

Trusted Zone: mcafee.com

Trusted Zone: msn.com

Trusted Zone: passport.com

Trusted Zone: yahoo.com\mail

TCP: {9449D774-7A5F-455B-BC2A-E32EB90D8C4B} = 68.94.156.1,68.94.157.1

FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\gt3xjy5e.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\HP_Owner\Application Data\Real\RhapsodyPlayerEngine\nprhapengine.dll

FF - plugin: c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: j:\itunes\Mozilla Plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-GSC - c:\program files\GSC 2.00\GSClient.exe

MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe

MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe

AddRemove-LEGO Racers - c:\program files\LEGO Media\Games\LEGO Racers\Uninst.isu

AddRemove-LEGO Rock Raiders - c:\program files\LEGO Media\Games\Rock Raiders\Uninst.isu

AddRemove-LEGO Stunt Rally - c:\program files\LEGO Media\LEGO Stunt Rally\Uninst.isu

AddRemove-LegoChessDeInstKey - c:\program files\LEGO Media\Games\LEGO Chess\DeIsL1.isu

AddRemove-SimTunesv1.0 - c:\maxis\SimTunes\DeIsL3.isu

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-26 09:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-904473242-2361271913-296778801-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B7384B4F-B6B5-96EE-7F73-99D99A9A8E7F}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"ialimhekbefhekjclh"=hex:69,61,63,6d,6c,67,6b,65,67,61,63,6e,64,6a,6a,69,6a,69,

00,00

"habjkjbhglfehdcb"=hex:69,61,63,6d,6c,67,6b,65,67,61,63,6e,64,6a,6a,69,6a,69,

00,00

[HKEY_USERS\S-1-5-21-904473242-2361271913-296778801-1009\Software\SecuROM\License information*]

"datasecu"=hex:80,39,34,fb,1f,84,b3,f7,17,32,82,3e,62,2e,5b,50,f4,ff,85,1a,02,

5b,e7,4a,24,5b,1c,0f,76,e3,bb,1a,e7,55,c0,b5,b5,bc,d2,a5,f8,48,73,bd,a1,82,\

"rkeysecu"=hex:e2,26,6d,94,9c,ba,ad,1d,64,79,70,1b,d8,19,de,23

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3076)

c:\windows\system32\WININET.dll

c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll

c:\progra~1\mcafee\SITEAD~1\saHook.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\program files\Browser Mouse\MOUDL32A.DLL

c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Creative\Shared Files\CTDevSrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\LxrSII1s.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\windows\AGRSMMSG.exe

c:\windows\ALCXMNTR.EXE

c:\windows\system32\RUNDLL32.EXE

c:\program files\Browser Mouse\MOUSE32A.EXE

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

.

**************************************************************************

.

Completion time: 2010-02-26 09:22:40 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-26 14:22

Pre-Run: 18,115,997,696 bytes free

Post-Run: 24,863,395,840 bytes free

- - End Of File - - CC7B0BCF70CE618FAE823ED77E54D028

Wow the bytes free size changed a lot!

What's next?

Hi Rhiana,

You should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.

All versions numbered lower than 9.3 are vulnerable.

  • Go HERE, UNCHECK any Free Add-Ons, and click Download to install the latest version of Adobe Acrobat Reader.
  • After it completes the Installation, close the Download Manager.

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 18.

  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "JDK 6 Update 18 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version

Now please run another Malwarebytes scan then a DDS scan and post the Malwarebytes log and dds.txt (not attach.txt) into your next reply. Please let me know if the browser redirects have now stopped.

Adobe and Java updated.

scans:

Malwarebytes' Anti-Malware 1.44

Database version: 3786

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2010/02/26 4:21:37 PM

mbam-log-2010-02-26 (16-21-37).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 356218

Time elapsed: 2 hour(s), 48 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_09-12-01.01) - NTFSx86

Run by HP_Owner at 16:22:55.20 on 2010/02/26

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.503 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Creative\Shared Files\CTDevSrv.exe

C:\WINDOWS\system32\LxrSII1s.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\hphmon06.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Micro Innovations Internet Access Pro\PS2USBKbdDrv.exe

C:\Program Files\Browser Mouse\MOffice.exe

C:\Program Files\Browser Mouse\MOUSE32A.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Windows Live\Device Manager\msgrdvmn.exe

C:\Program Files\QuickTime\QTTask.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

J:\steam\steam.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

J:\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\HP_Owner\Desktop\-virus\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - No File

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - j:\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - j:\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {35065594-9169-4A34-B167-FC4865038E53} - No File

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll

uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R

uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [steam] "j:\steam\steam.exe" -silent

uRun: [WindowsLivePhone] "c:\program files\windows live\device manager\msgrdvmn.exe" /AutoRun

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe

mRun: [HPHmon06] c:\windows\system32\hphmon06.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [WireLessKeyboard] c:\program files\micro innovations internet access pro\PS2USBKbdDrv.exe

mRun: [FLMOFFICE4DMOUSE] c:\program files\browser mouse\MOffice.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [WindowsLivePhone] c:\program files\windows live\device manager\msgrdvmn.exe /AutoRun

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61}

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

Trusted Zone: addictinggames.com\www

Trusted Zone: af.mil\guest.my

Trusted Zone: hotmail.com

Trusted Zone: internet

Trusted Zone: live.com

Trusted Zone: live.com\*.mail

Trusted Zone: live.com\account

Trusted Zone: mcafee.com

Trusted Zone: msn.com

Trusted Zone: passport.com

Trusted Zone: yahoo.com\mail

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131850425687

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.15.44/ttinst.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {9449D774-7A5F-455B-BC2A-E32EB90D8C4B} = 68.94.156.1,68.94.157.1

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\gt3xjy5e.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\hp_owner\application data\real\rhapsodyplayerengine\nprhapengine.dll

FF - plugin: c:\documents and settings\hp_owner\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

FF - plugin: j:\itunes\mozilla plugins\npitunes.dll

FF - plugin: j:\java\jre6\bin\new_plugin\npdeploytk.dll

FF - plugin: j:\java\jre6\bin\new_plugin\npjp2.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2005-9-25 4064]

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-17 214664]

R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007-3-1 72672]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-29 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-17 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-12-17 144704]

R2 tmpreflt;tmpreflt;c:\progra~1\vcom\fix-it\tmpreflt.sys [2006-9-7 31248]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2006-11-26 113896]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-17 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-17 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-17 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-17 40552]

S2 mrtRate;mrtRate; [x]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-17 34248]

=============== Created Last 30 ================

2010-02-26 16:17:04 0 d-----w- c:\program files\Sun

2010-02-26 16:16:50 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-02-26 14:24:17 10240 --sha-w- C:\Thumbs.db

2010-02-26 13:44:32 98816 ----a-w- c:\windows\sed.exe

2010-02-26 13:44:32 77312 ----a-w- c:\windows\MBR.exe

2010-02-26 13:44:32 261632 ----a-w- c:\windows\PEV.exe

2010-02-26 13:44:32 161792 ----a-w- c:\windows\SWREG.exe

2010-02-25 12:50:36 0 ----a-w- c:\documents and settings\hp_owner\defogger_reenable

2010-02-25 12:44:14 1374 ----a-w- c:\windows\imsins.BAK

2010-02-24 21:27:33 0 d-----w- c:\docume~1\hp_owner\applic~1\Malwarebytes

2010-02-24 21:27:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-24 21:27:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-02-24 21:27:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-24 21:27:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-15 19:51:01 28 ----a-w- c:\windows\pdf995.ini

2010-02-11 03:16:10 41872 ----a-w- c:\windows\system32\xfcodec.dll

2010-02-09 03:40:14 58516 ----a-w- c:\documents and settings\hp_owner\.recently-used.xbel

2010-02-02 01:50:51 0 d-----w- c:\program files\LEGO Media

==================== Find3M ====================

2010-02-26 16:16:29 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-02-26 06:00:20 69 ----a-w- c:\documents and settings\hp_owner\jagex_runescape_preferences2.dat

2010-02-26 05:08:18 69 ----a-w- c:\documents and settings\hp_owner\jagex_runescape_preferences.dat

2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

2005-07-25 19:13:23 32 --sha-w- c:\windows\{0309650E-08EA-4D5B-8401-DF876D54B70C}.dat

2005-07-25 19:13:55 32 --sha-w- c:\windows\{AEA72173-69E5-43DA-AE45-087143DE4F05}.dat

2005-07-25 19:14:18 32 --sha-w- c:\windows\{F6CB59D7-6D67-46C2-9175-DE347E6BD838}.dat

2006-08-10 16:06:35 80 --sh--r- c:\windows\system32\8652B6C478.dll

2008-12-10 12:52:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121020081211\index.dat

============= FINISH: 16:24:16.68 ===============

I haven't done much online, so I am not sure if the redirects are still occurring. I will post back on that after I go hop around a bit.

Are there any other changes I should make? I'm not sure I am happy that these things happened while my McAfee was supposedly up and running fine. And that it didn't find any of this. It came free from my ISP, I think I should probably switch to something else. 2 of our other computers use AVAST. Recommendations for any anti-virus/malware/firewall programs would be greatly appreciated.

You have been great, and I am grateful for the help.


Hi Rhiana,

Are there any other changes I should make?

I will give some recommendations once everything is clean.

I'm not sure I am happy that these things happened while my mcafee was supposedly up and running fine.

No antivirus software can be perfect; new viruses are being created all the time, and the antivirus software cannot detect the new infections until it has been updated to do so.

2 of our other computers use AVAST.

Avast is a very popular choice.

ComboFix - CFScript

WARNING !

This script is for THIS user and computer ONLY!

Using this tool incorrectly could damage your Operating System... preventing it from starting again!

You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

  1. Please open Notepad and copy/paste all the text below... into the window:
    DDS::
    BHO: {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - No File
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File


  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    ComboFixScriptDrag.gif
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
    When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
  5. Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with the contents of log.txt and also let me know how your computer is running now.


I ran the combofix again.

I am trying to run the Kaspersky, it had to download some update, and that took an hour. (I'm not sure why it was so slow, I supposedly have a fast connection. Or at least that is what AT&T claims.) Then it finally started scanning, but 1300 files in it had a script error. It seems to be back scanning now.

Here is the Combofix log.

ComboFix 10-02-25.02 - HP_Owner 2010/02/26 17:49:56.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.586 [GMT -5:00]

Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\HP_Owner\Desktop\cfscript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Thumbs.db

.

((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))

.

2010-02-26 16:17 . 2010-02-26 16:17 -------- d-----w- c:\program files\Sun

2010-02-26 15:27 . 2010-02-26 15:20 38784 ----a-w- c:\documents and settings\HP_Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-02-26 15:21 . 2010-02-26 15:21 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-02-26 15:19 . 2010-02-26 15:19 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-02-25 05:50 . 2010-02-25 05:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-02-24 21:27 . 2010-02-24 21:27 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-02-24 21:27 . 2010-02-24 21:27 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes

2010-02-24 21:27 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-24 21:27 . 2010-02-24 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-24 21:27 . 2010-02-25 02:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-24 21:27 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-24 02:52 . 2010-02-24 02:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2010-02-15 19:51 . 2010-02-15 19:51 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\pdf995

2010-02-15 19:09 . 2010-02-15 19:09 3087272 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockMI.exe

2010-02-15 15:40 . 2010-02-15 15:40 18205544 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026401xupd.exe

2010-02-11 03:16 . 2010-02-11 03:16 41872 ----a-w- c:\windows\system32\xfcodec.dll

2010-02-02 01:50 . 2010-02-02 16:28 -------- d-----w- c:\program files\LEGO Media

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-26 22:44 . 2007-10-02 00:55 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Xfire

2010-02-26 16:19 . 2004-08-07 19:36 -------- d-----w- c:\program files\Common Files\Java

2010-02-26 16:16 . 2009-02-03 01:36 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-02-26 16:12 . 2004-08-07 19:36 -------- d-----w- c:\program files\Java

2010-02-26 16:05 . 2009-07-17 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-02-26 15:25 . 2005-06-08 20:49 -------- d-----w- c:\program files\Common Files\Adobe

2010-02-26 06:00 . 2009-09-03 00:33 69 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences2.dat

2010-02-26 05:08 . 2008-09-13 04:09 69 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat

2010-02-25 05:49 . 2005-12-02 22:14 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-02-25 04:04 . 2009-09-05 05:20 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\uTorrent

2010-02-25 02:58 . 2007-10-02 00:55 -------- d-s---w- c:\program files\Xfire

2010-02-25 02:31 . 2010-01-26 21:45 -------- d-----w- c:\program files\Unity

2010-02-24 14:16 . 2009-10-03 01:11 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-20 15:37 . 2008-12-18 02:24 -------- d-----w- c:\program files\McAfee

2010-02-15 19:51 . 2007-02-02 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995

2010-02-15 15:38 . 2008-02-11 17:36 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\TaxCut

2010-02-15 15:22 . 2008-02-11 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut

2010-02-09 03:40 . 2009-10-13 17:34 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\gtk-2.0

2010-02-02 04:29 . 2005-06-07 07:18 46632 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-02 01:50 . 2004-08-07 21:08 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-26 21:48 . 2010-01-26 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Knowledge Adventure

2010-01-26 21:46 . 2010-01-26 21:46 -------- d-----w- c:\program files\Common Files\Knowledge Adventure

2010-01-26 21:45 . 2010-01-26 21:45 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\InstallShield

2010-01-26 13:09 . 2010-01-26 13:09 -------- d-----w- c:\program files\JRE

2010-01-26 13:09 . 2010-01-26 13:09 -------- d-----w- c:\program files\OpenOffice.org 3

2010-01-06 01:17 . 2010-01-06 01:17 409600 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{24BA79B5-53F9-475C-9D49-EC4BDE8B09CF}\NewShortcut3_6D20AC6FF7844F04BE4C6D94A1805157.exe

2010-01-06 01:17 . 2010-01-06 01:17 409600 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{24BA79B5-53F9-475C-9D49-EC4BDE8B09CF}\NewShortcut2_6D20AC6FF7844F04BE4C6D94A1805157.exe

2010-01-06 01:17 . 2010-01-06 01:17 409600 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{24BA79B5-53F9-475C-9D49-EC4BDE8B09CF}\ARPPRODUCTICON.exe

2010-01-06 01:17 . 2010-01-06 01:17 -------- d-----w- c:\program files\SMART Technologies Inc

2010-01-02 23:13 . 2005-08-07 22:28 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Apple Computer

2010-01-02 22:32 . 2010-01-02 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2010-01-02 22:31 . 2010-01-02 22:31 -------- d-----w- c:\program files\iPod

2010-01-02 22:31 . 2010-01-02 22:24 -------- d-----w- c:\program files\Common Files\Apple

2010-01-02 22:30 . 2006-04-12 14:38 -------- d-----w- c:\program files\QuickTime

2010-01-02 22:28 . 2004-08-07 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-01-02 22:26 . 2010-01-02 22:26 -------- d-----w- c:\program files\Apple Software Update

2009-12-31 16:50 . 2004-08-07 18:47 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-30 20:55 . 2008-06-18 17:14 -------- d-----w- c:\program files\Electronic Arts

2009-12-21 19:14 . 2004-08-07 18:47 916480 ------w- c:\windows\system32\wininet.dll

2009-12-17 21:46 . 2009-12-17 21:46 106016 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-12-14 17:37 . 2009-12-14 17:37 152576 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-12-14 17:37 . 2009-12-14 17:37 79488 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-14 07:08 . 2004-08-07 18:46 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:27 . 2004-08-07 18:47 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-04 05:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2004-08-07 18:47 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2005-07-25 19:13 . 2005-07-25 19:13 32 --sha-w- c:\windows\{0309650E-08EA-4D5B-8401-DF876D54B70C}.dat

2005-07-25 19:13 . 2005-07-25 19:13 32 --sha-w- c:\windows\{AEA72173-69E5-43DA-AE45-087143DE4F05}.dat

2005-07-25 19:14 . 2005-07-25 19:14 32 --sha-w- c:\windows\{F6CB59D7-6D67-46C2-9175-DE347E6BD838}.dat

2006-08-10 16:06 . 2006-08-10 15:25 80 --sh--r- c:\windows\system32\8652B6C478.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"Steam"="j:\steam\steam.exe" [2010-02-20 1217872]

"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]

"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 180269]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"WireLessKeyboard"="c:\program files\Micro Innovations Internet Access Pro\PS2USBKbdDrv.exe" [2005-09-12 528384]

"FLMOFFICE4DMOUSE"="c:\program files\Browser Mouse\MOffice.exe" [2007-06-24 958464]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"nwiz"="nwiz.exe" [2007-12-05 1626112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-8-7 16423]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]

2009-09-03 21:17 3342336 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2009-09-13 09:09 133104 ----atw- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-11-12 21:33 141600 ----a-w- j:\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]

2008-08-21 15:16 267296 ----a-w- c:\program files\Microsoft LifeChat\LifeChat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickenScheduledUpdates]

2008-01-04 21:39 87328 ----a-w- c:\program files\Quicken\bagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScannerPro]

2006-09-07 23:28 57344 ----a-w- c:\progra~1\VCOM\Fix-It\MemCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsLivePhone]

2008-12-22 18:59 787816 ----a-w- c:\program files\Windows Live\Device Manager\msgrdvmn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"Bonjour Service"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"usnjsvc"=3 (0x3)

"Pml Driver HPZ12"=2 (0x2)

"MDM"=2 (0x2)

"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Morpheus\\Morpheus.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Blockland\\Blockland.exe"=

"c:\\Program Files\\Xfire\\Xfire.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=

"c:\\Program Files\\Infogrames\\Robot Arena 2\\Robot Arena 2.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"j:\\Steam\\Steam.exe"=

"j:\\Steam\\steamapps\\common\\oblivion\\OblivionLauncher.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"j:\\iTunes\\iTunes.exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2005/09/25 10:42 PM 4064]

R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007/03/01 2:27 PM 72672]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009/07/29 8:14 AM 93320]

R2 tmpreflt;tmpreflt;c:\progra~1\VCOM\Fix-It\tmpreflt.sys [2006/09/07 6:06 PM 31248]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006/11/03 6:19 PM 13592]

R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2006/11/26 9:49 PM 113896]

S2 mrtRate;mrtRate; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE

.

Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904473242-2361271913-296778801-501Core.job

- c:\documents and settings\Guest\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-11 06:41]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904473242-2361271913-296778801-501UA.job

- c:\documents and settings\Guest\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-11 06:41]

2010-02-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-18 16:22]

2010-02-22 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-18 16:22]

2010-02-26 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: addictinggames.com\www

Trusted Zone: af.mil\guest.my

Trusted Zone: hotmail.com

Trusted Zone: internet

Trusted Zone: live.com

Trusted Zone: live.com\*.mail

Trusted Zone: live.com\account

Trusted Zone: mcafee.com

Trusted Zone: msn.com

Trusted Zone: passport.com

Trusted Zone: yahoo.com\mail

TCP: {9449D774-7A5F-455B-BC2A-E32EB90D8C4B} = 68.94.156.1,68.94.157.1

FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\gt3xjy5e.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\HP_Owner\Application Data\Real\RhapsodyPlayerEngine\nprhapengine.dll

FF - plugin: c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: j:\itunes\Mozilla Plugins\npitunes.dll

FF - plugin: j:\java\jre6\bin\new_plugin\npdeploytk.dll

FF - plugin: j:\java\jre6\bin\new_plugin\npjp2.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-26 17:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-904473242-2361271913-296778801-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B7384B4F-B6B5-96EE-7F73-99D99A9A8E7F}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"ialimhekbefhekjclh"=hex:69,61,63,6d,6c,67,6b,65,67,61,63,6e,64,6a,6a,69,6a,69,

00,00

"habjkjbhglfehdcb"=hex:69,61,63,6d,6c,67,6b,65,67,61,63,6e,64,6a,6a,69,6a,69,

00,00

[HKEY_USERS\S-1-5-21-904473242-2361271913-296778801-1009\Software\SecuROM\License information*]

"datasecu"=hex:80,39,34,fb,1f,84,b3,f7,17,32,82,3e,62,2e,5b,50,f4,ff,85,1a,02,

5b,e7,4a,24,5b,1c,0f,76,e3,bb,1a,e7,55,c0,b5,b5,bc,d2,a5,f8,48,73,bd,a1,82,\

"rkeysecu"=hex:e2,26,6d,94,9c,ba,ad,1d,64,79,70,1b,d8,19,de,23

.

Completion time: 2010-02-26 18:03:31

ComboFix-quarantined-files.txt 2010-02-26 23:03

ComboFix2.txt 2010-02-26 14:22

Pre-Run: 25,084,334,080 bytes free

Post-Run: 25,046,024,192 bytes free

- - End Of File - - 354C05DF9CEA5F26BC45457F74005F95

I'll post the Kaspersky when that finishes.

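Reading logs like the DDS and ComboFix output posted above is most of the helper's work in this thread: the things worth a second look are orphaned BHO entries ("No File"), files carrying both the system and hidden attributes, firewall and Security Center flags, the DNS servers the adapter is using (a replaced resolver is a classic cause of browser redirects), and locked registry values with random-looking names. The Python below is an added example, not part of this thread and not something DDS, ComboFix or the helper ran; it does that first triage pass over log lines of this shape. The EXPECTED_DNS list (taken to be what this owner's ISP should assign), the 12-letter threshold for a "random-looking" value name, and the 192.0.2.53 resolver line at the end of the sample are assumptions; the other sample lines are excerpts from the logs above.

```python
"""Triage pass over DDS / ComboFix style log lines.

Added example for this thread (not part of DDS, ComboFix or the helper's
procedure). Flags the indicators a malware-removal volunteer reads first:
orphaned BHOs, hidden+system files, firewall / Security Center flags,
DNS servers outside an expected list, and random-looking locked values.

Assumptions: EXPECTED_DNS is what this owner's ISP should hand out, and a
value name of RANDOM_NAME_MIN_LEN+ lowercase letters is "random-looking".
"""
import re

EXPECTED_DNS = {"68.94.156.1", "68.94.157.1"}   # assumption (see docstring)
RANDOM_NAME_MIN_LEN = 12                        # assumption (see docstring)

_RE_BHO_NOFILE = re.compile(r"^BHO: (\{[0-9A-Fa-f-]{36}\}) - No File\s*$")
# 8-char attribute token as DDS/ComboFix print it, e.g. "--sha-w-":
# 's' = system, 'h' = hidden; the token is followed by a drive-letter path.
_RE_FILE_ATTR = re.compile(r"\s([-dshartw]{8})\s+([A-Za-z]:\\.+?)\s*$")
_RE_FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
_RE_MONITOR_OFF = re.compile(r'^"DisableMonitoring"=dword:0*1\s*$')
_RE_DNS = re.compile(r"^TCP: \{[0-9A-Fa-f-]{36}\} = ([0-9.,\s]+)$")
_RE_LOCKED_VALUE = re.compile(r'^"([a-z]+)"=hex:')


def triage(lines):
    """Return (category, detail) findings, in log order."""
    findings = []
    in_locked = False                # inside the LOCKED REGISTRY KEYS section
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if "LOCKED REGISTRY KEYS" in line:
            in_locked = True
            continue
        if line.startswith("Completion time:"):
            in_locked = False

        m = _RE_BHO_NOFILE.match(line)
        if m:
            findings.append(("orphaned_bho", m.group(1)))
            continue

        m = _RE_FILE_ATTR.search(line)
        if m and "s" in m.group(1) and "h" in m.group(1):
            findings.append(("hidden_system_file", m.group(2)))
            continue

        if _RE_FIREWALL_OFF.match(line):
            findings.append(("windows_firewall_off", line))
            continue
        if _RE_MONITOR_OFF.match(line):
            findings.append(("security_center_monitoring_off", line))
            continue

        m = _RE_DNS.match(line)
        if m:
            servers = {s.strip() for s in m.group(1).split(",") if s.strip()}
            for server in sorted(servers - EXPECTED_DNS):
                findings.append(("unexpected_dns", server))
            continue

        m = _RE_LOCKED_VALUE.match(line)
        if in_locked and m and len(m.group(1)) >= RANDOM_NAME_MIN_LEN:
            findings.append(("random_locked_value_name", m.group(1)))
    return findings


def triage_text(text):
    """Convenience wrapper: triage a whole log pasted as one string."""
    return triage(text.splitlines())


# Sample input. All lines except the last TCP line are excerpts from the
# DDS and ComboFix logs in this thread; the 192.0.2.53 resolver line is
# constructed (RFC 5737 documentation address) to exercise the DNS check.
SAMPLE_LOG = r"""
BHO: {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - No File
2010-02-26 14:24:17 10240 --sha-w- C:\Thumbs.db
2010-02-26 16:16:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2006-08-10 16:06 . 2006-08-10 15:25 80 --sh--r- c:\windows\system32\8652B6C478.dll
2010-02-02 01:50 . 2004-08-07 21:08 -------- d--h--w- c:\program files\InstallShield Installation Information
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
TCP: {9449D774-7A5F-455B-BC2A-E32EB90D8C4B} = 68.94.156.1,68.94.157.1
TCP: {00000000-0000-0000-0000-000000000000} = 192.0.2.53
--------------------- LOCKED REGISTRY KEYS ---------------------
"ialimhekbefhekjclh"=hex:69,61,63,6d,6c,67,6b,65,67,61,63,6e,64,6a,6a,69,6a,69,
"datasecu"=hex:80,39,34,fb,1f,84,b3,f7,17,32,82,3e,62,2e,5b,50,f4,ff,85,1a,02,
Completion time: 2010-02-26 18:03:31
"""

if __name__ == "__main__":
    for category, detail in triage_text(SAMPLE_LOG):
        print(f"{category:32} {detail}")
```

A finding is a prompt to look, not a verdict. The DisableMonitoring values, for instance, are routinely written by third-party suites such as McAfee to tell Security Center that they own antivirus and firewall monitoring, and the EnableFirewall=0 line in this log reflects the Windows Firewall being off while a third-party firewall is installed; both are things to confirm against the machine rather than remove blindly. The same goes for hidden system files: the point of the pass is to produce a short list to check by hand, not to delete anything.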

I tried running the Kaspersky overnight, but after 3 1/2 hours it hit another script error and locked up. At that point it said it had found 1 bad file.

I started it again this morning. It has been running for 40 minutes and says it is 1% done, 20k files scanned.

Should I just let this keep running?


Hi Rhiana,

At just over an hour running it hit another script error

OK, let's try another scan.

ESET online scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go Here then click on: EOLS1.gif
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Sometime last night, McAfee was turned off. This has happened before, where it just turns itself off, or something turns it off.

I ran the ESET scan (it took almost 8 hours):

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{222CB5CF-99AF-4C22-8C88-B99EE7AE7FE5} Win32/Qhost trojan

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{325A4894-F495-4063-A211-01A4754ACA81} Win32/Qhost trojan

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{3F327AE4-D7AF-4BD9-ABD9-A8AC911D0283} Win32/Qhost trojan

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{59C64D3C-2C36-4150-A167-908E4A94D2A0} Win32/Qhost trojan

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{6D63A93A-455B-47D7-B20A-FCC3879C2C15} Win32/Qhost trojan

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{B6DE8F81-7CA1-4E62-AA00-FA9B8A8702D1} Win32/Qhost trojan

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{FAACB0CE-8568-43CC-A31C-6D3C7CCBEF40} Win32/Qhost trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\fPVCJRqr.ini2.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.UI trojan

J:\Downloads\bigvine.exe probably a variant of Win32/TrojanDropper.Agent trojan

J:\downloads2\bigvine.exe probably a variant of Win32/TrojanDropper.Agent trojan

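The ESET results above mix three kinds of hits: files still live on disk (the two bigvine.exe copies on J:\), copies already sitting in ComboFix's own Qoobox quarantine, and entries under Windows Defender's FileTracker folder; the CFScript posted in the following reply acts only on the first kind. As an added example, not code from this thread, from ESET or from ComboFix, here is a small Python triage script that parses lines in the shape of that log, separates those three classes (FileTracker is treated here as Defender's own bookkeeping copies, which is an assumption), flags a quarantined .sys driver as something to replace with a clean copy rather than simply delete, and emits a ComboFix File:: section for the live files only. The sample lines are copied from the log above; the regex and the folder heuristics are mine.

```python
"""Triage ESET Online Scanner log lines (added example, not ESET's or ComboFix's code)."""
import re
from dataclasses import dataclass

# Sample input copied from the ESET log posted above, so the result can be
# checked against the CFScript the helper actually wrote.
SAMPLE_LOG = r"""
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{222CB5CF-99AF-4C22-8C88-B99EE7AE7FE5} Win32/Qhost trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\fPVCJRqr.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.UI trojan
J:\Downloads\bigvine.exe probably a variant of Win32/TrojanDropper.Agent trojan
J:\downloads2\bigvine.exe probably a variant of Win32/TrojanDropper.Agent trojan
"""

# One log line is "<path> <detection>". The path may contain spaces, so the
# split is anchored on the first "Family/Name" token (Win32/..., JS/...),
# optionally prefixed by ESET's heuristic wording "probably a variant of".
_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+(?: [a-z]+)?)$"
)

LIVE, QUARANTINED, CACHE_RECORD = "live", "quarantined", "cache-record"


@dataclass
class Detection:
    path: str
    name: str
    location: str    # LIVE, QUARANTINED or CACHE_RECORD
    is_driver: bool  # a .sys file: replace with a clean copy, never just delete


def classify_path(path: str) -> str:
    """Heuristic (my assumption, not ESET's): where does this hit actually live?"""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:              # ComboFix's quarantine folder
        return QUARANTINED
    if "\\windows defender\\filetracker\\" in p:   # Defender's own file records
        return CACHE_RECORD
    return LIVE


def parse_eset_log(text: str) -> list[Detection]:
    """Parse detection lines; header/summary lines without a Family/Name token are skipped."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _LINE_RE.match(line) if line else None
        if not m:
            continue
        path, name = m.group("path"), m.group("detection")
        base = path.rsplit("\\", 1)[-1].lower().removesuffix(".vir")
        found.append(Detection(path, name, classify_path(path), base.endswith(".sys")))
    return found


def live_paths(dets: list[Detection]) -> list[str]:
    return [d.path for d in dets if d.location == LIVE]


def build_cfscript(dets: list[Detection]) -> str:
    """ComboFix 'File::' section listing only files still live on disk ("" if none)."""
    paths = live_paths(dets)
    return "File::\n" + "".join(p + "\n" for p in paths) if paths else ""


if __name__ == "__main__":
    results = parse_eset_log(SAMPLE_LOG)
    for d in results:
        flag = "  [system driver: replace, do not just delete]" if d.is_driver else ""
        print(f"{d.location:12} {d.name:55} {d.path}{flag}")
    print(build_cfscript(results), end="")
```

Run on the sample, the File:: section it produces is exactly the one the helper posted, and the Olmarik hit on atapi.sys.vir is singled out as a quarantined boot driver rather than a file to delete.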

Hi Rhiana,

ComboFix - CFScript

WARNING !

This script is for THIS user and computer ONLY!

Using this tool incorrectly could damage your Operating System... preventing it from starting again!

You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

  1. Please open Notepad and copy/paste all the text below... into the window:
    File::
    J:\Downloads\bigvine.exe
    J:\downloads2\bigvine.exe


  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    ComboFixScriptDrag.gif
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
    When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
  5. Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **

Well, I ran the ComboFix. During the scan I got a popup to update my Adobe Flash Player.

After the scan I restarted my antivirus and firewall, and now I can't get online. Using Firefox, it says "server not found" for Google. I am using another computer to post here.

Here is the ComboFix log:

ComboFix 10-02-27.04 - HP_Owner 2010/02/28 11:03:15.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.610 [GMT -5:00]

Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFscript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::

"j:\downloads\bigvine.exe"

"j:\downloads2\bigvine.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

j:\downloads\bigvine.exe

j:\downloads2\bigvine.exe

.

((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))

.

2010-02-28 00:05 . 2010-02-28 00:05 -------- d-----w- c:\program files\ESET

2010-02-26 16:17 . 2010-02-26 16:17 -------- d-----w- c:\program files\Sun

2010-02-26 15:27 . 2010-02-26 15:20 38784 ----a-w- c:\documents and settings\HP_Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-02-26 15:21 . 2010-02-26 15:21 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-02-26 15:19 . 2010-02-26 15:19 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-02-25 05:50 . 2010-02-25 05:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-02-24 21:27 . 2010-02-24 21:27 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-02-24 21:27 . 2010-02-24 21:27 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes

2010-02-24 21:27 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-24 21:27 . 2010-02-24 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-24 21:27 . 2010-02-25 02:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-24 21:27 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-24 02:52 . 2010-02-24 02:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2010-02-15 19:51 . 2010-02-15 19:51 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\pdf995

2010-02-15 19:09 . 2010-02-15 19:09 3087272 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockMI.exe

2010-02-15 15:40 . 2010-02-15 15:40 18205544 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026401xupd.exe

2010-02-11 03:16 . 2010-02-11 03:16 41872 ----a-w- c:\windows\system32\xfcodec.dll

2010-02-02 01:50 . 2010-02-02 16:28 -------- d-----w- c:\program files\LEGO Media

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-28 16:00 . 2008-09-13 04:09 69 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat

2010-02-27 22:50 . 2009-09-03 00:33 69 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences2.dat

2010-02-26 22:44 . 2007-10-02 00:55 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Xfire

2010-02-26 16:19 . 2004-08-07 19:36 -------- d-----w- c:\program files\Common Files\Java

2010-02-26 16:16 . 2009-02-03 01:36 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-02-26 16:12 . 2004-08-07 19:36 -------- d-----w- c:\program files\Java

2010-02-26 16:05 . 2009-07-17 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-02-26 15:25 . 2005-06-08 20:49 -------- d-----w- c:\program files\Common Files\Adobe

2010-02-25 05:49 . 2005-12-02 22:14 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-02-25 04:04 . 2009-09-05 05:20 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\uTorrent

2010-02-25 02:58 . 2007-10-02 00:55 -------- d-s---w- c:\program files\Xfire

2010-02-25 02:31 . 2010-01-26 21:45 -------- d-----w- c:\program files\Unity

2010-02-24 14:16 . 2009-10-03 01:11 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-20 15:37 . 2008-12-18 02:24 -------- d-----w- c:\program files\McAfee

2010-02-15 19:51 . 2007-02-02 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995

2010-02-15 15:38 . 2008-02-11 17:36 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\TaxCut

2010-02-15 15:22 . 2008-02-11 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut

2010-02-09 03:40 . 2009-10-13 17:34 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\gtk-2.0

2010-02-02 04:29 . 2005-06-07 07:18 46632 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-02 01:50 . 2004-08-07 21:08 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-26 21:48 . 2010-01-26 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Knowledge Adventure

2010-01-26 21:46 . 2010-01-26 21:46 -------- d-----w- c:\program files\Common Files\Knowledge Adventure

2010-01-26 21:45 . 2010-01-26 21:45 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\InstallShield

2010-01-26 13:09 . 2010-01-26 13:09 -------- d-----w- c:\program files\JRE

2010-01-26 13:09 . 2010-01-26 13:09 -------- d-----w- c:\program files\OpenOffice.org 3

2010-01-06 01:17 . 2010-01-06 01:17 409600 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{24BA79B5-53F9-475C-9D49-EC4BDE8B09CF}\NewShortcut3_6D20AC6FF7844F04BE4C6D94A1805157.exe

2010-01-06 01:17 . 2010-01-06 01:17 409600 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{24BA79B5-53F9-475C-9D49-EC4BDE8B09CF}\NewShortcut2_6D20AC6FF7844F04BE4C6D94A1805157.exe

2010-01-06 01:17 . 2010-01-06 01:17 409600 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{24BA79B5-53F9-475C-9D49-EC4BDE8B09CF}\ARPPRODUCTICON.exe

2010-01-06 01:17 . 2010-01-06 01:17 -------- d-----w- c:\program files\SMART Technologies Inc

2010-01-02 23:13 . 2005-08-07 22:28 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Apple Computer

2010-01-02 22:32 . 2010-01-02 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2010-01-02 22:31 . 2010-01-02 22:31 -------- d-----w- c:\program files\iPod

2010-01-02 22:31 . 2010-01-02 22:24 -------- d-----w- c:\program files\Common Files\Apple

2010-01-02 22:30 . 2006-04-12 14:38 -------- d-----w- c:\program files\QuickTime

2010-01-02 22:28 . 2004-08-07 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-01-02 22:26 . 2010-01-02 22:26 -------- d-----w- c:\program files\Apple Software Update

2009-12-31 16:50 . 2004-08-07 18:47 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-30 20:55 . 2008-06-18 17:14 -------- d-----w- c:\program files\Electronic Arts

2009-12-21 19:14 . 2004-08-07 18:47 916480 ------w- c:\windows\system32\wininet.dll

2009-12-17 21:46 . 2009-12-17 21:46 106016 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-12-14 17:37 . 2009-12-14 17:37 152576 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-12-14 17:37 . 2009-12-14 17:37 79488 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-14 07:08 . 2004-08-07 18:46 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:27 . 2004-08-07 18:47 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-04 05:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2004-08-07 18:47 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2005-07-25 19:13 . 2005-07-25 19:13 32 --sha-w- c:\windows\{0309650E-08EA-4D5B-8401-DF876D54B70C}.dat

2005-07-25 19:13 . 2005-07-25 19:13 32 --sha-w- c:\windows\{AEA72173-69E5-43DA-AE45-087143DE4F05}.dat

2005-07-25 19:14 . 2005-07-25 19:14 32 --sha-w- c:\windows\{F6CB59D7-6D67-46C2-9175-DE347E6BD838}.dat

2006-08-10 16:06 . 2006-08-10 15:25 80 --sh--r- c:\windows\system32\8652B6C478.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-02-26_22.59.33 )))))))))))))))))))))))))))))))))))))))))

.

- 2004-08-07 19:05 . 2010-02-26 20:07 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2004-08-07 19:05 . 2010-02-28 13:07 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2004-08-07 19:05 . 2010-02-26 20:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2004-08-07 19:05 . 2010-02-28 13:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-07-29 13:49 . 2010-02-26 20:07 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2009-07-29 13:49 . 2010-02-28 13:07 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

- 2010-02-26 16:01 . 2010-02-26 20:07 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2010-02-27 00:13 . 2010-02-28 13:07 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-06-20 20:23 . 2010-02-28 16:00 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll

- 2009-06-20 20:23 . 2010-02-26 05:07 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll

+ 2009-06-20 20:23 . 2010-02-28 16:00 94208 c:\windows\.jagex_cache_32\runescape\jaggl.dll

- 2009-06-20 20:23 . 2010-02-26 05:07 94208 c:\windows\.jagex_cache_32\runescape\jaggl.dll

+ 2010-02-09 05:29 . 2010-02-28 16:00 824832 c:\windows\.jagex_cache_32\runescape\sw3d.dll

- 2010-02-09 05:29 . 2010-02-26 05:07 824832 c:\windows\.jagex_cache_32\runescape\sw3d.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"Steam"="j:\steam\steam.exe" [2010-02-20 1217872]

"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]

"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 180269]

"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"WireLessKeyboard"="c:\program files\Micro Innovations Internet Access Pro\PS2USBKbdDrv.exe" [2005-09-12 528384]

"FLMOFFICE4DMOUSE"="c:\program files\Browser Mouse\MOffice.exe" [2007-06-24 958464]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"nwiz"="nwiz.exe" [2007-12-05 1626112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-8-7 16423]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]

2009-09-03 21:17 3342336 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2009-09-13 09:09 133104 ----atw- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-11-12 21:33 141600 ----a-w- j:\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]

2008-08-21 15:16 267296 ----a-w- c:\program files\Microsoft LifeChat\LifeChat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickenScheduledUpdates]

2008-01-04 21:39 87328 ----a-w- c:\program files\Quicken\bagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScannerPro]

2006-09-07 23:28 57344 ----a-w- c:\progra~1\VCOM\Fix-It\MemCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsLivePhone]

2008-12-22 18:59 787816 ----a-w- c:\program files\Windows Live\Device Manager\msgrdvmn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"Bonjour Service"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"usnjsvc"=3 (0x3)

"Pml Driver HPZ12"=2 (0x2)

"MDM"=2 (0x2)

"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Morpheus\\Morpheus.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Blockland\\Blockland.exe"=

"c:\\Program Files\\Xfire\\Xfire.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=

"c:\\Program Files\\Infogrames\\Robot Arena 2\\Robot Arena 2.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"j:\\Steam\\Steam.exe"=

"j:\\Steam\\steamapps\\common\\oblivion\\OblivionLauncher.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"j:\\iTunes\\iTunes.exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2005/09/25 10:42 PM 4064]

R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007/03/01 2:27 PM 72672]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009/07/29 8:14 AM 93320]

R2 tmpreflt;tmpreflt;c:\progra~1\VCOM\Fix-It\tmpreflt.sys [2006/09/07 6:06 PM 31248]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006/11/03 6:19 PM 13592]

R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2006/11/26 9:49 PM 113896]

S2 mrtRate;mrtRate; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE

.

Contents of the 'Scheduled Tasks' folder

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904473242-2361271913-296778801-501Core.job

- c:\documents and settings\Guest\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-11 06:41]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904473242-2361271913-296778801-501UA.job

- c:\documents and settings\Guest\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-11 06:41]

2010-02-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-18 16:22]

2010-02-22 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-18 16:22]

2010-02-28 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: addictinggames.com\www

Trusted Zone: af.mil\guest.my

Trusted Zone: hotmail.com

Trusted Zone: internet

Trusted Zone: live.com

Trusted Zone: live.com\*.mail

Trusted Zone: live.com\account

Trusted Zone: mcafee.com

Trusted Zone: msn.com

Trusted Zone: passport.com

Trusted Zone: yahoo.com\mail

TCP: {9449D774-7A5F-455B-BC2A-E32EB90D8C4B} = 68.94.156.1,68.94.157.1

FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\gt3xjy5e.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\HP_Owner\Application Data\Real\RhapsodyPlayerEngine\nprhapengine.dll

FF - plugin: c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: j:\itunes\Mozilla Plugins\npitunes.dll

FF - plugin: j:\java\jre6\bin\new_plugin\npdeploytk.dll

FF - plugin: j:\java\jre6\bin\new_plugin\npjp2.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-28 11:15

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-904473242-2361271913-296778801-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B7384B4F-B6B5-96EE-7F73-99D99A9A8E7F}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"ialimhekbefhekjclh"=hex:69,61,63,6d,6c,67,6b,65,67,61,63,6e,64,6a,6a,69,6a,69,

00,00

"habjkjbhglfehdcb"=hex:69,61,63,6d,6c,67,6b,65,67,61,63,6e,64,6a,6a,69,6a,69,

00,00

[HKEY_USERS\S-1-5-21-904473242-2361271913-296778801-1009\Software\SecuROM\License information*]

"datasecu"=hex:80,39,34,fb,1f,84,b3,f7,17,32,82,3e,62,2e,5b,50,f4,ff,85,1a,02,

5b,e7,4a,24,5b,1c,0f,76,e3,bb,1a,e7,55,c0,b5,b5,bc,d2,a5,f8,48,73,bd,a1,82,\

"rkeysecu"=hex:e2,26,6d,94,9c,ba,ad,1d,64,79,70,1b,d8,19,de,23

.

Completion time: 2010-02-28 11:20:39

ComboFix-quarantined-files.txt 2010-02-28 16:20

ComboFix2.txt 2010-02-26 23:03

ComboFix3.txt 2010-02-26 14:22

Pre-Run: 24,812,576,768 bytes free

Post-Run: 24,895,709,184 bytes free

- - End Of File - - 8AD62A97D527CABA5DAB2728404B90B6

Thanks

Hi Rhiana,

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Uninstall ComboFix

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK

Remove all used tools

Please download OTC and save it to desktop.

  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Create a new, clean System Restore point which you can use in case of future system problems:

  • Press Start >> All Programs >> Accessories >>System Tools >> System Restore
  • Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
  • Now remove old, infected System Restore points:
  • Next click Start >> Run and type cleanmgr in the box and press OK
  • Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
  • Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
  • Press OK and Yes to confirm

Update your AntiVirus Software and keep your other programs up-to-date

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Security Updates for Windows, Internet Explorer & Microsoft Office

Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

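The restore-point and Windows Update steps in the post above can also be checked from a script. The block below is an added example, not part of the helper's instructions or any tool they recommend; it assumes an elevated PowerShell 2.0 or later on a Windows client edition (the restore-point cmdlets are not present on Windows Server), and the restore-point name "All Clean" is just the one the post suggests.

```powershell
# Added example (not from the forum post): script the "create a clean restore
# point" and "are security updates pending?" checks described above.
# Assumes an elevated PowerShell 2.0+ on a Windows client edition.

$description = 'All Clean'   # assumed name, taken from the post's suggestion

# 1. Create a fresh restore point. Note: Windows 8 and later silently skip a
#    second point within 24 hours unless the registry value
#    SystemRestorePointCreationFrequency (under ...\Windows NT\CurrentVersion\SystemRestore)
#    is set to 0.
Checkpoint-Computer -Description $description -RestorePointType 'MODIFY_SETTINGS'

# 2. Confirm the new point exists and is the most recent one.
#    SequenceNumber increases with each point; CreationTime is a WMI datetime string.
$points = Get-ComputerRestorePoint | Sort-Object SequenceNumber
$newest = $points | Select-Object -Last 1
if ($newest -eq $null -or $newest.Description -ne $description) {
    Write-Warning "Newest restore point is not '$description'; System Restore may be disabled or the point was not created."
}
$points | Format-Table SequenceNumber, Description, CreationTime -AutoSize

# 3. Check that Automatic Updates is switched on. NotificationLevel values:
#    0 = not configured, 1 = disabled, 2 = notify before download,
#    3 = notify before install, 4 = scheduled install (what the post asks for).
$au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
$level = $au.Settings.NotificationLevel
if ($level -lt 4) {
    Write-Warning "Automatic Updates NotificationLevel is $level; set it to 4 (automatic, scheduled install) in the Automatic Updates tab."
}

# 4. List software updates that are not yet installed. This is the same query
#    the Windows Update Agent runs for the Microsoft Update site, so it needs
#    network access to Microsoft Update (or the configured WSUS server).
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
foreach ($update in $result.Updates) {
    $kbs = @($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    "{0}  [{1}]" -f $update.Title, $kbs
}
"{0} update(s) pending" -f $result.Updates.Count
```

Step 2 only verifies the point is there; deleting the older, pre-cleanup points is still done with the Disk Cleanup "More Options" tab as the post describes, which keeps the most recent point and removes the rest. Step 4 takes a while on a machine that has never run Windows Update, because the agent first downloads the current update catalogue.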

Thanks!

I am doing the steps in your last post. In the meantime, I do have a couple of questions.

I am not happy with the McAfee. Comcast gave it to me, but it keeps turning itself off, or being turned off (long before this problem). I want a new better anti-virus. Can you make recommendations?

Also, all of these scans seemed to take a really really long time, over 8 hours for many of them, is this normal? Besides cleaning up files I don't really need, is there any way to speed this up? The McAfee had been set to scan overnight, and sometimes would still be running well into the next day.

You have been a great help.


Hi Rhiana,

I am not happy with the McAfee. Comcast gave it to me, but it keeps turning itself off, or being turned off (long before this problem). I want a new better anti-virus. Can you make recommendations?

You mentioned that you use Avast on other computers in an earlier post. I would say that this is as good as any other, and so I would use that on this computer. Ensure that you fully remove McAfee and reboot before you install any other antivirus program.

Also, all of these scans seemed to take a really really long time, over 8 hours for many of them, is this normal? Besides cleaning up files I don't really need, is there any way to speed this up? The McAfee had been set to scan overnight, and sometimes would still be running well into the next day.

That is quite normal. You have 2 main disks with approx. 50G and 100G of data; to check each file for one of many hundreds of thousands of viruses takes a very long time. The tools are very thorough.
