
Search engine redirection



Have been having this problem for a while now.

1. Default search (Google) being redirected to Yahoo search results via wwwh.web-help-service.com (DNS 8.15.228.169)

2. At first my default search engine was being redirected to myway.com through my HughesNet ISP. I removed all references to HughesNet from the system, then I was being redirected to the above-mentioned site.

3. I reset IE8 to default settings.

4. Performed a system search for the string "google" and deleted all items found.

5. Started IE8 and installed the Google search engine as my default, resulting in being redirected again.

6. Reset IE8 to default settings again and removed all instances of google again. This time I put the DNS 8.15.228.169 in IE8 as a banned IP.

7. Added google again as default search engine, tried to do a search and was redirected this time to a page error (due to the DNS being banned), so I figured I had a trojan or Google was hijacked.

8. Downloaded the Malwarebytes program and ran it in SAFE MODE. Found several adware and trojans and removed them.

9. Next I downloaded and ran CCleaner in SAFE MODE.

10. Next I downloaded and ran HijackThis and have the results, but I am not sure what is legit or not.

11. Before I reinstall my search engine I just want to be sure that the logs I have attached do not show any other problems.

Thank you for your help in this matter.

Only thing not delivered by a truck is a baby

malwaredetectlogs.zip


Hey Thundergod,

Welcome to Malwarebytes! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning-up process will be smoother and more efficient. Do not worry, the points below are not any form of rules; they are just a few pointers that can ensure that you will get the best help from me. ;)

  • To ensure that you are informed of the latest replies to your thread, you may like to right click on Options at the top right hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply is posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to; this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance; any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message on here.
  • Please do not start multiple topics (especially when you are already being assisted by an authorised staff member). All staff are volunteers on here; starting multiple topics will waste the limited manpower we have here at Malwarebytes, and this can further hinder our ability to assist other users. Please be considerate and stick to one thread.

Meanwhile, please do the following:

Please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:

  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post


Redid DDS and here are the results:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Vpr Matrix User at 8:11:56.87 on Wed 03/31/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_16

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.378 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\DAP\DAP.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\MemoKit\memokit2.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\DigiPortal Software\ChoiceMail\CMServer.exe

C:\Program Files\DigiPortal Software\ChoiceMail\CMServer.exe

C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe

C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Documents and Settings\Vpr Matrix User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar =

uSearch Page =

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://support.regcure.com/

uInternet Settings,ProxyOverride = www.direcwaysupport.com;www.systemcontrolcenter.com;192.168.0.1;127.0.0.1;localhost;<local>;*.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=&sourceid=ie8&rls=com.microsoft:en-us:&ie=&oe=

mSearchAssistant =

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

mWinlogon: Userinit=c:\windows\system32\userinit.exe

BHO: AutorunsDisabled - No File

BHO: AOL Toolbar Launcher - No File

BHO: DAPHelper Class: {0000cc75-acf3-4cac-a0a9-dd3868e06852} - c:\program files\dap\DAPBHO.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100330223328.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [DownloadAccelerator] "c:\program files\dap\DAP.EXE" /STARTUP

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

StartupFolder: c:\docume~1\vprmat~1\startm~1\programs\startup\memokit.lnk - c:\program files\memokit\mk.exe

StartupFolder: c:\docume~1\vprmat~1\startm~1\programs\startup\memokit.lnk - c:\program files\memokit\mk.exe

uPolicies-explorer: <NO NAME> =

uPolicies-explorer: EditLevel = 0 (0x0)

uPolicies-explorer: NoCommonGroups = 0 (0x0)

IE: {6224f700-cba3-4071-b251-47cb894244cd}

IE: {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - c:\program files\empirepokermaster\empirepoker\RunEPoker.exe

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}

IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\vpr matrix user\start menu\programs\ultimatebet\UltimateBet.lnk

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe

IE: {669695BC-A811-4A9D-8CDF-BA8C795F261C} - c:\progra~1\dap\DAP.EXE

IE: {725E77D3-B919-4eef-8EEE-D09DE618B6C1}

IE: {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - c:\program files\empirepokermaster\empirepoker\RunEPoker.exe

IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: bankofamerica.com

Trusted Zone: capitalone.com

Trusted Zone: custhelp.com\linksys

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: myhughesnet.com\customercare

Trusted Zone: ooida.com

Trusted Zone: swiftowner.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab

DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxp://stcooemail.swiftowner.com/iNotes6W.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}

DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab

DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}

DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - hxxp://www.2omni.com/ifw/DISK1/setup.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-3-30 82952]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-3-30 93320]

R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-3-30 170144]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-3-30 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-3-30 141792]

R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2003-9-14 2368]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-30 55456]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-30 152320]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-30 51688]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-30 312584]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-3-30 88480]

R3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [2002-4-13 217271]

R3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2009-8-23 36928]

R3 svcChoiceMail;Choice Mail;c:\program files\digiportal software\choicemail\CMServer.exe [2009-8-23 4640768]

S3 ADM8511;Belkin USB Ethernet Adapter;c:\windows\system32\drivers\NET8511.SYS [2001-4-9 24424]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-3-30 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-30 83496]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-12-24 17920]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-12-24 7680]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-12-24 42112]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-12-24 23680]

S3 NET1080;LapLink Inc. USB Cable Network Adapter;c:\windows\system32\drivers\NETTC.SYS [2003-9-25 12536]

S3 NIC2000;USB-USB Network Bridge Adapter;c:\windows\system32\drivers\NIC2000.SYS [2003-9-23 4613]

S3 S3Inc;S3Inc;c:\windows\system32\drivers\s3sav3dm.sys [2008-7-27 61504]

S3 S3SAV2K;S3SAV2K;c:\windows\system32\drivers\s3sav2km.sys [2002-3-6 85632]

S3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;c:\windows\system32\drivers\WMP11V27.sys [2003-3-19 171776]

S4 0285181250872064mcinstcleanup;0285181250872064mcinstcleanup; [x]

S4 DPCNET5U;Satellite USB Driver;c:\windows\system32\drivers\dpcnet5u.sys --> c:\windows\system32\drivers\dpcnet5u.sys [?]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-17 24652]

=============== Created Last 30 ================

2010-03-31 05:33:27 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-03-31 05:33:18 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-03-31 05:33:17 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-03-31 05:33:17 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-03-31 05:33:17 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-03-31 05:33:17 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-03-31 05:33:17 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-03-31 05:33:17 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-03-31 05:33:07 0 d-----w- c:\program files\common files\Mcafee

2010-03-31 05:33:06 0 d-----w- c:\program files\McAfee.com

2010-03-31 05:32:32 0 d-----w- c:\program files\McAfee

2010-03-30 23:31:53 0 d-----w- C:\powerpanel_setup

2010-03-28 07:00:49 9216 --sha-w- c:\windows\Thumbs.db

2010-03-27 18:53:32 8192 ----a-w- C:\s-1-5-21-1484400983-681764103-101265881-1019.rrr

2010-03-27 18:53:25 3801088 ----a-w- c:\documents and settings\vpr matrix user\s-1-5-21-1484400983-681764103-101265881-1005.rrr

2010-03-27 16:52:57 0 d-----w- C:\games

2010-03-25 18:23:53 0 d-----w- c:\program files\Trend Micro

2010-03-24 20:44:28 0 d-----w- c:\program files\CCleaner

2010-03-24 07:50:37 0 d-----w- c:\docume~1\vprmat~1\applic~1\Malwarebytes

2010-03-24 07:50:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-24 07:50:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-03-24 07:50:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-24 07:50:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-23 19:55:42 849 ----a-w- C:\Microsoft Works Calendar Reminders.lnk

2010-03-15 09:01:58 0 d-----w- c:\program files\CardPlayer

2010-03-15 09:01:58 0 d-----w- c:\docume~1\alluse~1\applic~1\CardPlayer

2010-03-11 04:33:50 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-03-31 14:23:06 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys

2010-02-25 18:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\dllcache\srv.sys

2009-10-20 08:30:11 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

2008-08-27 05:58:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 8:13:06.57 ===============

Attach.zip

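The helper's reply that follows says the logs show little, and the original poster asked which DDS entries are "legit or not". As an added example (not part of this thread, and not code from the DDS or HijackThis tools), the script below does the first pass a helper makes over the "Pseudo HJT Report" section: it un-neuters DDS's `hxxp://` URLs, flags any search-provider key whose host is not in an allow list, lists proxy settings and Trusted Zone entries for review, and marks `No File` BHO/toolbar registrations as orphans to clean up. The allow list of expected search hosts is an assumption chosen for the example. The sample lines are copied from the DDS log above, except the `mSearchAssistant` line, which is constructed to show what a search key pointing at the redirect domain the poster named would look like.

```python
"""Triage helper for DDS / HijackThis-style log lines (added example)."""
import re
from urllib.parse import urlparse

# Hosts a default IE search provider is normally expected to point at.
# Assumption for this example; extend it for the providers you expect.
EXPECTED_SEARCH_HOSTS = {
    "www.google.com", "www.bing.com", "search.live.com", "search.yahoo.com",
}

# DDS key names (prefix u = HKCU, m = HKLM) that control where IE sends a
# search typed into the address bar or search box.
SEARCH_KEYS = ("SearchURL", "SearchMigratedDefaultURL", "SearchAssistant",
               "Search Bar", "Search Page", "DefaultSearchURL")

# DDS neuters URLs as hxxp:// so they cannot be clicked in a forum post.
URL_RE = re.compile(r"h[xt]{2}ps?://\S+", re.IGNORECASE)

# Lines copied from the DDS log in this thread, plus one constructed
# mSearchAssistant line (not from the log) using the domain the poster named.
SAMPLE_LINES = r"""
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://support.regcure.com/
uInternet Settings,ProxyOverride = www.direcwaysupport.com;www.systemcontrolcenter.com;192.168.0.1;127.0.0.1;localhost;<local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=&sourceid=ie8&rls=com.microsoft:en-us:&ie=&oe=
mSearchAssistant = hxxp://wwwh.web-help-service.com/search?q={searchTerms}
BHO: AutorunsDisabled - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: DAPHelper Class: {0000cc75-acf3-4cac-a0a9-dd3868e06852} - c:\program files\dap\DAPBHO.dll
Trusted Zone: bankofamerica.com
Trusted Zone: internet
"""


def _url_host(text):
    """Return the hostname of the first (possibly hxxp-neutered) URL in text."""
    m = URL_RE.search(text)
    if not m:
        return None
    url = "http" + m.group(0)[4:]          # hxxp://... -> http://...
    return urlparse(url).hostname


def triage_line(line):
    """Classify one report line; return (severity, category, detail) or None."""
    line = line.strip()
    if not line:
        return None
    key, sep, value = line.partition(" =")
    value = value.strip()
    if sep and any(k in key for k in SEARCH_KEYS):
        host = _url_host(value)
        if host is None:
            return None                     # empty search key: nothing to do
        if host not in EXPECTED_SEARCH_HOSTS:
            return ("high", "search-hijack", f"{key} points at {host}")
        return None
    if sep and any(k in key for k in ("ProxyOverride", "ProxyServer", "AutoConfigURL")):
        # Proxy settings decide whether traffic goes direct; list them for review.
        return ("review", "proxy", f"{key}: {value}")
    if sep:
        host = _url_host(value)
        if host and host not in EXPECTED_SEARCH_HOSTS:
            return ("review", "url", f"{key} -> {host}")
        return None
    if line.startswith(("BHO:", "TB:", "EB:")) and line.endswith("- No File"):
        # Registration left behind after its DLL was removed: cleanup, not a threat.
        return ("low", "orphan", line)
    if line.startswith("Trusted Zone:"):
        # Trusted Zone sites get relaxed IE security; each entry should be recognised.
        return ("review", "trusted-zone", line.split(":", 1)[1].strip())
    return None


def triage(log_text):
    """Run triage_line over a whole report; highest severity first."""
    order = {"high": 0, "review": 1, "low": 2}
    findings = [f for f in (triage_line(l) for l in log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, category, detail in triage(SAMPLE_LINES):
        print(f"[{severity:6}] {category:14} {detail}")
```

Run against the real log above, the only search keys present point at www.google.com, so nothing is flagged as a hijack; the script surfaces the ProxyOverride list, the regcure.com ShellNext URL, the Trusted Zone sites and the orphaned BHO entries for a human to judge, which matches the helper's own "I don't see much in your logs" reading. A redirect that survives an IE reset and a search-key cleanup is usually set somewhere other than these keys (a proxy, the hosts file, DNS, or a BHO that rewrites results), which is why the helper moves on to deeper scans.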

Hey Thundergod,

I don't see much in your logs, let's run some scans. :)

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software (McAfee) as it may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/topic114351.html

1) Run ComboFix

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot: RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: whatnext.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2) Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)

  • Under custom scans copy and paste the following:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\*.*
    %ProgramFiles%\Movie Maker\*.dll
    %ALLUSERSAPPDATA%\*.dll
    %SYSTEMROOT%\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dll
    %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
    %systemroot%\system32\*.dll /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    c:\$recycle.bin\*.* /s
    CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post

Next reply (please include in your post):

OTS.txt (attached)

ComboFix.txt


ComboFix and OTS scans completed; here are the results.

ComboFix 10-03-29.04 - Vpr Matrix User 04/01/2010 8:51.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.384 [GMT -7:00]

Running from: c:\documents and settings\Vpr Matrix User\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\autorun.inf

c:\windows\Fonts\acrsec.fon

c:\windows\system\oeminfo.ini

c:\windows\system32\Cache

c:\windows\system32\gotomon.log

c:\windows\system32\images

c:\windows\system32\images\accessinghvnoprop.jpg

c:\windows\system32\images\accessingmdesk.jpg

c:\windows\system32\images\ati_logo.jpg

c:\windows\system32\images\hvdm.jpg

c:\windows\system32\images\hvhotkeys.jpg

c:\windows\system32\images\hvsystray.jpg

c:\windows\system32\images\hvsystray2.jpg

c:\windows\system32\images\Thumbs.db

c:\windows\system32\index.html

c:\windows\system32\P2P Networking

c:\windows\system32\P2P Networking\P2P Networking.eng

c:\windows\system32\ReadMe.txt

c:\windows\system32\SHELLLNK.TLB

c:\windows\system32\Thumbs.db

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FILEMON

((((((((((((((((((((((((( Files Created from 2010-03-01 to 2010-04-01 )))))))))))))))))))))))))))))))

.

2010-04-01 06:29 . 2010-04-01 06:29 103784 ----a-w- c:\documents and settings\Vpr Matrix User\GoToAssistDownloadHelper.exe

2010-04-01 00:16 . 2001-10-26 21:16 16384 ----a-w- c:\windows\system32\FileOps.exe

2010-03-31 23:37 . 2001-10-12 00:35 20588 ----a-w- c:\windows\system32\PdfPorts.dll

2010-03-31 23:37 . 2001-10-12 00:34 77824 ----a-w- c:\windows\system32\adistres.dll

2010-03-31 23:37 . 2001-04-27 21:02 101200 ------w- c:\windows\system32\pdfshell.dll

2010-03-31 23:37 . 2010-04-01 00:17 -------- d-----w- c:\windows\system32\Adobe

2010-03-31 23:37 . 2010-04-01 00:16 -------- d-----w- c:\program files\Common Files\Adobe

2010-03-31 23:33 . 2010-03-31 23:33 -------- d-----w- c:\documents and settings\Vpr Matrix User\Application Data\InterTrust

2010-03-31 23:28 . 2010-03-31 23:31 -------- d-----w- C:\Adobe Acrobat Installer

2010-03-31 05:33 . 2010-01-06 01:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-03-31 05:33 . 2010-01-06 01:04 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-03-31 05:33 . 2010-01-06 01:04 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-03-31 05:33 . 2010-01-06 01:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-03-31 05:33 . 2010-01-06 01:04 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-03-31 05:33 . 2010-01-06 01:04 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-03-31 05:33 . 2010-01-06 01:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-03-31 05:33 . 2010-01-06 01:04 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-03-31 05:33 . 2010-03-31 05:34 -------- d-----w- c:\program files\Common Files\Mcafee

2010-03-31 05:33 . 2010-03-31 05:33 -------- d-----w- c:\program files\McAfee.com

2010-03-31 05:32 . 2010-03-31 08:31 -------- d-----w- c:\program files\McAfee

2010-03-31 00:25 . 2010-03-31 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-03-30 23:54 . 2010-03-30 23:54 124088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-03-30 23:31 . 2010-03-30 23:55 -------- d-----w- C:\powerpanel_setup

2010-03-27 16:52 . 2010-03-27 17:06 -------- d-----w- C:\games

2010-03-25 18:23 . 2010-03-25 18:23 -------- d-----w- c:\program files\Trend Micro

2010-03-25 07:13 . 2010-03-25 07:13 -------- d-----w- c:\documents and settings\Vpr Matrix User\Local Settings\Application Data\Threat Expert

2010-03-24 20:44 . 2010-03-24 20:44 -------- d-----w- c:\program files\CCleaner

2010-03-24 07:50 . 2010-03-24 07:50 -------- d-----w- c:\documents and settings\Vpr Matrix User\Application Data\Malwarebytes

2010-03-24 07:50 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-24 07:50 . 2010-03-24 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-24 07:50 . 2010-03-24 07:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-24 07:50 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-15 09:01 . 2010-03-15 09:01 -------- d-----w- c:\program files\CardPlayer

2010-03-15 09:01 . 2010-03-15 09:01 -------- d-----w- c:\documents and settings\All Users\Application Data\CardPlayer

2010-03-11 04:33 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-03-10 17:46 . 2010-03-10 17:46 -------- d-----w- c:\documents and settings\Vpr Matrix User\Local Settings\Application Data\cache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-01 16:07 . 2007-08-04 08:20 1050 ----a-w- c:\windows\aclockz6.dat

2010-04-01 16:06 . 2008-11-05 00:52 -------- d--ha-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-01 06:52 . 2009-08-23 11:33 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys

2010-04-01 00:09 . 2002-02-13 19:29 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-31 19:48 . 2008-02-10 17:16 -------- d-----w- c:\program files\EmpirePokerMaster

2010-03-31 18:03 . 2007-09-21 18:02 -------- d-----w- c:\program files\PokerStars

2010-03-28 20:51 . 2007-05-09 00:36 -------- d-----w- c:\program files\Full Tilt Poker

2010-03-28 06:56 . 2010-01-20 00:26 -------- d-----w- c:\program files\CarbonPoker

2010-03-27 18:12 . 2002-04-13 19:36 -------- d-----w- c:\program files\PCFriendly

2010-03-27 06:52 . 2010-03-30 23:48 267562 ----a-w- c:\windows\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1033.dat

2010-03-24 22:04 . 2008-11-17 21:21 -------- d-----w- c:\program files\Grocery List

2010-03-24 17:32 . 2010-03-24 17:32 49152 ----a-r- c:\documents and settings\Vpr Matrix User\Application Data\Microsoft\Installer\{166E180E-9A3F-41AE-8B40-22D8FFF4AF87}\Icon49FA793C.exe

2010-03-24 07:03 . 2009-08-20 00:06 -------- d-----w- c:\program files\Windows Defender

2010-03-23 21:12 . 2007-10-04 20:17 -------- d-----w- c:\program files\HughesNet

2010-03-23 19:55 . 2002-04-18 01:56 -------- d-----w- c:\program files\Microsoft Works

2010-03-23 19:33 . 2007-09-21 14:45 -------- d-----w- c:\program files\Common Files\Motive

2010-03-20 13:33 . 2009-04-05 09:25 -------- d-----w- c:\program files\DoylesRoom

2010-03-20 13:30 . 2006-02-13 17:00 -------- d-----w- c:\program files\UltimateBet

2010-03-17 22:46 . 2009-02-19 00:31 -------- d-----w- c:\program files\ClubWPT

2010-02-27 18:04 . 2009-08-19 16:46 -------- d--h--w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-02-25 06:24 . 2004-02-07 01:05 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 17:16 . 2009-10-03 09:18 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-21 08:41 . 2008-07-28 02:51 -------- d-----w- c:\documents and settings\Vpr Matrix User\Application Data\Uniblue

2010-02-11 14:40 . 2008-11-16 06:33 -------- d-----w- c:\program files\Bodog Poker

2010-02-11 05:43 . 2010-02-11 05:43 55440 ----a-w- c:\documents and settings\Madison Nowinsky\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-09 15:37 . 2007-08-04 08:20 -------- d-----w- c:\program files\MemoKit

2010-01-06 01:04 . 2010-01-06 01:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-01-06 01:04 . 2010-01-06 01:04 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-08-19 2754048]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-04 1179952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Vpr Matrix User\Start Menu\Programs\Startup\

MemoKit.lnk - c:\program files\MemoKit\mk.exe [2010-2-2 28672]

c:\documents and settings\Madison Nowinsky\Start Menu\Programs\Startup\

MemoKit.lnk - c:\program files\MemoKit\mk.exe [2010-2-2 28672]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"EditLevel"= 0 (0x0)

"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\^cabbage casaroole.tx_]

path=\cabbage casaroole.tx_

[HKLM\~\startupfolder\^ooida.tx_]

path=\ooida.tx_

[HKLM\~\startupfolder\^PUTTY.RN_]

path=\PUTTY.RN_

[HKLM\~\startupfolder\^S-1-5-21-1484400983-681764103-101265881-1005.rrr.LO_]

path=\S-1-5-21-1484400983-681764103-101265881-1005.rrr.LO_

[HKLM\~\startupfolder\^S-1-5-21-1484400983-681764103-101265881-500.rrr.LO_]

path=\S-1-5-21-1484400983-681764103-101265881-500.rrr.LO_

[HKLM\~\startupfolder\^winzipreg.tx_]

path=\winzipreg.tx_

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"TSIRCSRV"=2 (0x2)

"Ati HotKey Poller"=2 (0x2)

"_IOMEGA_ACTIVE_DISK_SERVICE_"=2 (0x2)

"ZipToA"=2 (0x2)

"Iomega App Services"=2 (0x2)

"usnjsvc"=3 (0x3)

"gupdate1c9dee0876276ec"=2 (0x2)

"Viewpoint Manager Service"=2 (0x2)

"AOL ACS"=2 (0x2)

"0285181250872064mcinstcleanup"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\IzyMail.exe"=

"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\ChoiceMail.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\ChoiceMailAdminControlPanel.exe"=

"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/30/2010 22:33 82952]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/30/2010 22:34 93320]

R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/30/2010 22:33 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/30/2010 22:33 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [3/30/2010 22:33 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [3/30/2010 22:33 141792]

R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [9/14/2003 13:22 2368]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/30/2010 22:33 55456]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/30/2010 22:33 312584]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/30/2010 22:33 88480]

R3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [4/13/2002 08:53 217271]

S3 ADM8511;Belkin USB Ethernet Adapter;c:\windows\system32\drivers\NET8511.SYS [4/9/2001 11:11 24424]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/30/2010 22:33 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/30/2010 22:33 83496]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [12/24/2007 22:25 17920]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [12/24/2007 22:25 7680]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [12/24/2007 22:25 42112]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [12/24/2007 22:25 23680]

S3 NET1080;LapLink Inc. USB Cable Network Adapter;c:\windows\system32\drivers\NETTC.SYS [9/25/2003 13:20 12536]

S3 NIC2000;USB-USB Network Bridge Adapter;c:\windows\system32\drivers\NIC2000.SYS [9/23/2003 05:37 4613]

S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [8/23/2009 04:33 36928]

S3 S3Inc;S3Inc;c:\windows\system32\drivers\s3sav3dm.sys [7/27/2008 20:49 61504]

S3 S3SAV2K;S3SAV2K;c:\windows\system32\drivers\s3sav2km.sys [3/6/2002 17:20 85632]

S3 svcChoiceMail;Choice Mail;c:\program files\DigiPortal Software\ChoiceMail\CMServer.exe [8/23/2009 04:33 4640768]

S3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;c:\windows\system32\drivers\WMP11V27.sys [3/19/2003 19:01 171776]

S4 0285181250872064mcinstcleanup;0285181250872064mcinstcleanup; [x]

S4 DPCNET5U;Satellite USB Driver;c:\windows\system32\DRIVERS\dpcnet5u.sys --> c:\windows\system32\DRIVERS\dpcnet5u.sys [?]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/17/2008 08:35 24652]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2010-04-01 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-08-27 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 19:25]

2010-04-01 c:\windows\Tasks\User_Feed_Synchronization-{D809566E-DAFF-4061-ADE7-5B6A67C55BBD}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://support.regcure.com/

uInternet Settings,ProxyOverride = www.direcwaysupport.com;www.systemcontrolcenter.com;192.168.0.1;127.0.0.1;localhost;<local>;*.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=&sourceid=ie8&rls=com.microsoft:en-us:&ie=&oe=

IE: &Download with &DAP - c:\program files\DAP\dapextie.htm

IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm

IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Vpr Matrix User\Start Menu\Programs\UltimateBet\UltimateBet.lnk

IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}

Trusted Zone: bankofamerica.com

Trusted Zone: capitalone.com

Trusted Zone: custhelp.com\linksys

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: myhughesnet.com\customercare

Trusted Zone: ooida.com

Trusted Zone: swiftowner.com\www

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - hxxp://www.2omni.com/ifw/DISK1/setup.cab

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

Notify-AtiExtEvent - (no file)

AddRemove-Adobe Shockwave Player - c:\windows\system32\adobe\SHOCKW~1\UNWISE.EXE

AddRemove-AdobeESD - c:\program files\Common Files\Adobe\ESD\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-01 09:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1484400983-681764103-101265881-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2284)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Windows Defender\MsMpEng.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\System32\CTsvcCDA.EXE

c:\windows\System32\inetsrv\inetinfo.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

c:\windows\system32\devldr32.exe

c:\program files\MemoKit\memokit2.exe

c:\windows\system32\wscntfy.exe

c:\program files\Windows Live\Contacts\wlcomm.exe

.

**************************************************************************

.

Completion time: 2010-04-01 09:14:47 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-01 16:14

Pre-Run: 52,267,819,008 bytes free

Post-Run: 52,485,763,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 8B7773169E7B5E89CE3D850E4E916B94

OTS.Txt


Hey Thundergod,

Thank you for the logs. :)

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (McAfee) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/topic114351.html

1) Run CFScript

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
0285181250872064mcinstcleanup

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\startupfolder\^winzipreg.tx_]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt .

2) Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :Filefind
    dxtmsft.dll
    dxtrans.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

3) Optional Removal

From your log, you seem to have Viewpoint Media Player installed.

Viewpoint is not malware, but it is considered foistware that is installed without your permission. While it is not harmful in itself, it can bring about unnecessary security risks to your computer as well as collecting private information about your browsing habits. Please look at the article(s) below:

en.wikipedia.org/wiki/Viewpoint_Media_Player

Due to the dubious nature of these programs, it is highly recommended that you remove the programs via Add or Remove Programs in Control Panel and refrain from downloading these programs in the future. If you have made a decision to remove these programs, please do the following:

Please go to Add or Remove Programs and remove the following (if present):

Viewpoint Media Player

Then use Windows Explorer and remove the following (if present):

c:\program files\viewpoint

Reboot your computer.

Next reply (please include in your post):

Tell me how your computer is running

ComboFix.txt

SystemLook.txt


ComboFix and SystemLook Completed.

ComboFix 10-04-02.01 - Vpr Matrix User 04/03/2010 9:26.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.733 [GMT -7:00]

Running from: c:\documents and settings\Vpr Matrix User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Vpr Matrix User\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))

.

2010-04-01 06:29 . 2010-04-01 06:29 103784 ----a-w- c:\documents and settings\Vpr Matrix User\GoToAssistDownloadHelper.exe

2010-04-01 00:16 . 2001-10-26 21:16 16384 ----a-w- c:\windows\system32\FileOps.exe

2010-03-31 23:37 . 2001-10-12 00:35 20588 ----a-w- c:\windows\system32\PdfPorts.dll

2010-03-31 23:37 . 2001-10-12 00:34 77824 ----a-w- c:\windows\system32\adistres.dll

2010-03-31 23:37 . 2001-04-27 21:02 101200 ------w- c:\windows\system32\pdfshell.dll

2010-03-31 23:37 . 2010-04-01 00:17 -------- d-----w- c:\windows\system32\Adobe

2010-03-31 23:37 . 2010-04-01 00:16 -------- d-----w- c:\program files\Common Files\Adobe

2010-03-31 23:33 . 2010-03-31 23:33 -------- d-----w- c:\documents and settings\Vpr Matrix User\Application Data\InterTrust

2010-03-31 23:28 . 2010-03-31 23:31 -------- d-----w- C:\Adobe Acrobat Installer

2010-03-31 05:33 . 2010-01-06 01:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-03-31 05:33 . 2010-01-06 01:04 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-03-31 05:33 . 2010-01-06 01:04 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-03-31 05:33 . 2010-01-06 01:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-03-31 05:33 . 2010-01-06 01:04 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-03-31 05:33 . 2010-01-06 01:04 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-03-31 05:33 . 2010-01-06 01:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-03-31 05:33 . 2010-01-06 01:04 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-03-31 05:33 . 2010-03-31 05:34 -------- d-----w- c:\program files\Common Files\Mcafee

2010-03-31 05:33 . 2010-03-31 05:33 -------- d-----w- c:\program files\McAfee.com

2010-03-31 05:32 . 2010-03-31 08:31 -------- d-----w- c:\program files\McAfee

2010-03-31 00:25 . 2010-03-31 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-03-30 23:54 . 2010-03-30 23:54 124088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-03-30 23:31 . 2010-03-30 23:55 -------- d-----w- C:\powerpanel_setup

2010-03-27 16:52 . 2010-03-27 17:06 -------- d-----w- C:\games

2010-03-25 18:23 . 2010-03-25 18:23 -------- d-----w- c:\program files\Trend Micro

2010-03-25 07:13 . 2010-03-25 07:13 -------- d-----w- c:\documents and settings\Vpr Matrix User\Local Settings\Application Data\Threat Expert

2010-03-24 20:44 . 2010-03-24 20:44 -------- d-----w- c:\program files\CCleaner

2010-03-24 17:32 . 2010-03-24 17:32 49152 ----a-r- c:\documents and settings\Vpr Matrix User\Application Data\Microsoft\Installer\{166E180E-9A3F-41AE-8B40-22D8FFF4AF87}\Icon49FA793C.exe

2010-03-24 07:50 . 2010-03-24 07:50 -------- d-----w- c:\documents and settings\Vpr Matrix User\Application Data\Malwarebytes

2010-03-24 07:50 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-24 07:50 . 2010-03-24 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-24 07:50 . 2010-03-24 07:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-24 07:50 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-15 09:01 . 2010-03-15 09:01 -------- d-----w- c:\program files\CardPlayer

2010-03-15 09:01 . 2010-03-15 09:01 -------- d-----w- c:\documents and settings\All Users\Application Data\CardPlayer

2010-03-11 04:33 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-03-10 17:46 . 2010-03-10 17:46 -------- d-----w- c:\documents and settings\Vpr Matrix User\Local Settings\Application Data\cache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-03 16:18 . 2008-11-05 00:52 -------- d--ha-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-03 16:15 . 2009-08-23 11:33 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys

2010-04-03 16:04 . 2003-09-07 01:22 -------- d--h--w- c:\documents and settings\All Users\Application Data\Viewpoint

2010-04-03 15:59 . 2007-08-04 08:20 1050 ----a-w- c:\windows\aclockz6.dat

2010-04-02 18:41 . 2007-05-09 00:36 -------- d-----w- c:\program files\Full Tilt Poker

2010-04-02 00:08 . 2007-09-21 18:02 -------- d-----w- c:\program files\PokerStars

2010-04-02 00:08 . 2006-02-13 17:00 -------- d-----w- c:\program files\UltimateBet

2010-04-02 00:01 . 2009-04-05 09:25 -------- d-----w- c:\program files\DoylesRoom

2010-04-01 22:06 . 2010-01-20 00:26 -------- d-----w- c:\program files\CarbonPoker

2010-04-01 00:09 . 2002-02-13 19:29 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-31 19:48 . 2008-02-10 17:16 -------- d-----w- c:\program files\EmpirePokerMaster

2010-03-27 18:12 . 2002-04-13 19:36 -------- d-----w- c:\program files\PCFriendly

2010-03-27 06:52 . 2010-03-30 23:48 267562 ----a-w- c:\windows\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1033.dat

2010-03-24 22:04 . 2008-11-17 21:21 -------- d-----w- c:\program files\Grocery List

2010-03-24 07:03 . 2009-08-20 00:06 -------- d-----w- c:\program files\Windows Defender

2010-03-23 21:12 . 2007-10-04 20:17 -------- d-----w- c:\program files\HughesNet

2010-03-23 19:55 . 2002-04-18 01:56 -------- d-----w- c:\program files\Microsoft Works

2010-03-23 19:33 . 2007-09-21 14:45 -------- d-----w- c:\program files\Common Files\Motive

2010-03-17 22:46 . 2009-02-19 00:31 -------- d-----w- c:\program files\ClubWPT

2010-02-27 18:04 . 2009-08-19 16:46 -------- d--h--w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-02-25 06:24 . 2004-02-07 01:05 916480 ------w- c:\windows\system32\wininet.dll

2010-02-24 17:16 . 2009-10-03 09:18 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-21 08:41 . 2008-07-28 02:51 -------- d-----w- c:\documents and settings\Vpr Matrix User\Application Data\Uniblue

2010-02-11 14:40 . 2008-11-16 06:33 -------- d-----w- c:\program files\Bodog Poker

2010-02-11 05:43 . 2010-02-11 05:43 55440 ----a-w- c:\documents and settings\Madison Nowinsky\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-09 15:37 . 2007-08-04 08:20 -------- d-----w- c:\program files\MemoKit

2010-01-06 01:04 . 2010-01-06 01:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-01-06 01:04 . 2010-01-06 01:04 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Madison Nowinsky\Start Menu\Programs\Startup\

MemoKit.lnk - c:\program files\MemoKit\mk.exe [2010-2-2 28672]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"EditLevel"= 0 (0x0)

"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Vpr Matrix User^Start Menu^Programs^Startup^ChoiceMail One Single User 2.66.lnk]

path=c:\documents and settings\Vpr Matrix User\Start Menu\Programs\Startup\ChoiceMail One Single User 2.66.lnk

backup=c:\windows\pss\ChoiceMail One Single User 2.66.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Vpr Matrix User^Start Menu^Programs^Startup^MemoKit.lnk]

path=c:\documents and settings\Vpr Matrix User\Start Menu\Programs\Startup\MemoKit.lnk

backup=c:\windows\pss\MemoKit.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Vpr Matrix User^Start Menu^Programs^Start__^restartsvc.cmd]

path=c:\documents and settings\Vpr Matrix User\Start Menu\Programs\Start__\restartsvc.cmd

backup=c:\windows\pss\restartsvc.cmdStartup

[HKLM\~\startupfolder\^cabbage casaroole.tx_]

path=\cabbage casaroole.tx_

[HKLM\~\startupfolder\^ooida.tx_]

path=\ooida.tx_

[HKLM\~\startupfolder\^PUTTY.RN_]

path=\PUTTY.RN_

[HKLM\~\startupfolder\^S-1-5-21-1484400983-681764103-101265881-1005.rrr.LO_]

path=\S-1-5-21-1484400983-681764103-101265881-1005.rrr.LO_

[HKLM\~\startupfolder\^S-1-5-21-1484400983-681764103-101265881-500.rrr.LO_]

path=\S-1-5-21-1484400983-681764103-101265881-500.rrr.LO_

[HKLM\~\startupfolder\^winzipreg.tx_]

path=\winzipreg.tx_

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]

2009-08-19 16:25 2754048 ----a-w- c:\program files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"TSIRCSRV"=2 (0x2)

"Ati HotKey Poller"=2 (0x2)

"_IOMEGA_ACTIVE_DISK_SERVICE_"=2 (0x2)

"ZipToA"=2 (0x2)

"Iomega App Services"=2 (0x2)

"usnjsvc"=3 (0x3)

"gupdate1c9dee0876276ec"=2 (0x2)

"Viewpoint Manager Service"=2 (0x2)

"AOL ACS"=2 (0x2)

"0285181250872064mcinstcleanup"=2 (0x2)

"WinDefend"=2 (0x2)

"svcChoiceMail"=3 (0x3)

"SeaPort"=2 (0x2)

"mfevtp"=2 (0x2)

"mfefire"=2 (0x2)

"McShield"=2 (0x2)

"McProxy"=2 (0x2)

"McODS"=3 (0x3)

"McNASvc"=2 (0x2)

"McNaiAnn"=2 (0x2)

"mcmscsvc"=2 (0x2)

"McMPFSvc"=2 (0x2)

"McAfee SiteAdvisor Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\IzyMail.exe"=

"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\ChoiceMail.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\ChoiceMailAdminControlPanel.exe"=

"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/30/2010 22:33 82952]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [3/30/2010 22:33 141792]

R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [9/14/2003 13:22 2368]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/30/2010 22:33 312584]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/30/2010 22:33 88480]

R3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [4/13/2002 08:53 217271]

S3 ADM8511;Belkin USB Ethernet Adapter;c:\windows\system32\drivers\NET8511.SYS [4/9/2001 11:11 24424]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/30/2010 22:33 55456]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/30/2010 22:33 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/30/2010 22:33 83496]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [12/24/2007 22:25 17920]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [12/24/2007 22:25 7680]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [12/24/2007 22:25 42112]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [12/24/2007 22:25 23680]

S3 NET1080;LapLink Inc. USB Cable Network Adapter;c:\windows\system32\drivers\NETTC.SYS [9/25/2003 13:20 12536]

S3 NIC2000;USB-USB Network Bridge Adapter;c:\windows\system32\drivers\NIC2000.SYS [9/23/2003 05:37 4613]

S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [8/23/2009 04:33 36928]

S3 S3Inc;S3Inc;c:\windows\system32\drivers\s3sav3dm.sys [7/27/2008 20:49 61504]

S3 S3SAV2K;S3SAV2K;c:\windows\system32\drivers\s3sav2km.sys [3/6/2002 17:20 85632]

S3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;c:\windows\system32\drivers\WMP11V27.sys [3/19/2003 19:01 171776]

S4 DPCNET5U;Satellite USB Driver;c:\windows\system32\DRIVERS\dpcnet5u.sys --> c:\windows\system32\DRIVERS\dpcnet5u.sys [?]

S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/30/2010 22:34 93320]

S4 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/30/2010 22:33 271480]

S4 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/30/2010 22:33 271480]

S4 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [3/30/2010 22:33 188136]

S4 svcChoiceMail;Choice Mail;c:\program files\DigiPortal Software\ChoiceMail\CMServer.exe [8/23/2009 04:33 4640768]

S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 19:19 13592]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2010-04-03 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-08-27 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 19:25]

2010-04-03 c:\windows\Tasks\User_Feed_Synchronization-{D809566E-DAFF-4061-ADE7-5B6A67C55BBD}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://support.regcure.com/

uInternet Settings,ProxyOverride = www.direcwaysupport.com;www.systemcontrolcenter.com;192.168.0.1;127.0.0.1;localhost;<local>;*.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=&sourceid=ie8&rls=com.microsoft:en-us:&ie=&oe=

IE: &Download with &DAP - c:\program files\DAP\dapextie.htm

IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm

IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Vpr Matrix User\Start Menu\Programs\UltimateBet\UltimateBet.lnk

IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}

Trusted Zone: bankofamerica.com

Trusted Zone: capitalone.com

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: myhughesnet.com\customercare

Trusted Zone: ooida.com

Trusted Zone: swiftowner.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - hxxp://www.2omni.com/ifw/DISK1/setup.cab

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-mcui_exe - c:\program files\McAfee.com\Agent\mcagent.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-03 09:34

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1484400983-681764103-101265881-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3772)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2010-04-03 09:38:50

ComboFix-quarantined-files.txt 2010-04-03 16:38

ComboFix2.txt 2010-04-03 15:50

ComboFix3.txt 2010-04-01 16:14

Pre-Run: 52,383,907,840 bytes free

Post-Run: 52,342,599,680 bytes free

- - End Of File - - 4DD1A0F17E6FFFC3862B9E314F15FD7F

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 09:41 on 03/04/2010 by Vpr Matrix User (Administrator - Elevation successful)

========== Filefind ==========

Searching for "dxtmsft.dll"


Searching for "dxtrans.dll"


-=End Of File=-


System a little sluggish. Haven't tried to add the Google toolbar until I get the go-ahead from you. Maybe there is something else in the following apps list. System started running sluggish since I started this clean-up.

-----------------------------------------------------------------------------------------

MemoKit, Program List-Memory Usage (04-04-2010 Sun 09:09:07)

Free Ram: 455.3 MB/1023.3 MB, Trigger: 134 MB, Free Swap file: 1020.1 MB/1693.8 MB

Freeze mode: 0, Sort Mode - 1, Filter - 1, Autoscale - 0

Program Name                  App Mem   Virt Mem   Status
ChoiceMail.exe                11324k    16332k     Active
ChoiceMail.exe                11324k    5908k      Active
CMServer.exe                  7108k     4820k      Active
CMServer.exe                  7108k     40548k     Active
DAP.exe                       5032k     23620k     Active
msnmsgr.exe                   3812k     34236k     Active
msmsgs.exe                    1676k     1584k      Active
mcagent.exe                   1180k     28180k     Active
explorer.exe                  1020k     33864k     Active
MSASCui.exe                   860k      6188k      Active
iexplore.exe                  624k      31400k     Active
iexplore.exe                  624k      7760k      Active
MemoKit2.exe                  524k      9384k      Active
winlogon.exe                  516k      8072k      Active
mDNSResponder.exe             352k      1320k      Active
mdm.exe                       308k      1048k      Active
McSvHost.exe                  272k      24608k     Active
wmiprvse.exe                  232k      2428k      Active
mfefire.exe                   192k      4900k      Active
mcshield.exe                  184k      104136k    Active
mfevtps.exe                   152k      5268k      Active
AppleMobileDeviceService.exe  144k      2076k      Active
jqs.exe                       144k      2444k      Active
services.exe                  116k      1852k      Active
McSACore.exe                  100k      14212k     Active
spoolsv.exe                   64k       3572k      Active
CTSVCCDA.exe                  60k       548k       Active
smss.exe                      60k       168k       Active
alg.exe                       52k       1284k      Active
System.exe                    40k       0k         Active
devldr32.exe                  36k       2156k      Active
wlcomm.exe                    32k       18236k     Active
ctfmon.exe                    24k       1220k      Active
inetinfo.exe                  24k       5988k      Active
lsass.exe                     24k       4300k      Active
svchost.exe                   24k       1548k      Active
svchost.exe                   24k       3384k      Active
svchost.exe                   24k       3228k      Active
svchost.exe                   24k       2208k      Active
svchost.exe                   24k       15240k     Active
svchost.exe                   24k       13028k     Active
svchost.exe                   24k       1840k      Active
svchost.exe                   24k       1704k      Active
csrss.exe                     20k       2008k      Active
MsMpEng.exe                   16k       64008k     Active

MemoKit, Program List-Details (04-04-2010 Sun 09:09:07)

ChoiceMail.exe App Mem: 011324k, Virt Mem: 016332k, Status: Active

FileDescription - ChoiceMail

WindowTitle - (M)

- Path: c:\program files\digiportal software\choicemail\choicemail.exe

ChoiceMail.exe App Mem: 011324k, Virt Mem: 005908k, Status: Active

FileDescription - ChoiceMail

- Path: c:\program files\digiportal software\choicemail\choicemail.exe

CMServer.exe App Mem: 007108k, Virt Mem: 004820k, Status: Active

FileDescription - ChoiceMail Server

- Path: c:\program files\digiportal software\choicemail\cmserver.exe

CMServer.exe App Mem: 007108k, Virt Mem: 040548k, Status: Active

FileDescription - ChoiceMail Server

- Path: c:\program files\digiportal software\choicemail\cmserver.exe

DAP.exe App Mem: 005032k, Virt Mem: 023620k, Status: Active

FileDescription - Download Accelerator Plus (DAP)

WindowTitle - (M)

- Path: c:\program files\dap\dap.exe

msnmsgr.exe App Mem: 003812k, Virt Mem: 034236k, Status: Active

FileDescription - Windows Live Messenger

WindowTitle - (M)

- Path: c:\program files\windows live\messenger\msnmsgr.exe

msmsgs.exe App Mem: 001676k, Virt Mem: 001584k, Status: Active

FileDescription - Windows Messenger

- Path: c:\program files\messenger\msmsgs.exe

mcagent.exe App Mem: 001180k, Virt Mem: 028180k, Status: Active

FileDescription - McAfee Security Center

WindowTitle - (M)

- Path: c:\progra~1\mcafee.com\agent\mcagent.exe

explorer.exe App Mem: 001020k, Virt Mem: 033864k, Status: Active

FileDescription - Windows Explorer

WindowTitle - (M)

- Path: c:\windows\explorer.exe

MSASCui.exe App Mem: 000860k, Virt Mem: 006188k, Status: Active

FileDescription - Windows Defender User Interface

WindowTitle - (M)

- Path: c:\program files\windows defender\msascui.exe

iexplore.exe App Mem: 000624k, Virt Mem: 031400k, Status: Active

FileDescription - Internet Explorer

WindowTitle - (M)

- Path: c:\program files\internet explorer\iexplore.exe

iexplore.exe App Mem: 000624k, Virt Mem: 007760k, Status: Active

FileDescription - Internet Explorer

WindowTitle - (M)

- Path: c:\program files\internet explorer\iexplore.exe

MemoKit2.exe App Mem: 000524k, Virt Mem: 009384k, Status: Active

FileDescription - MemoKit (Memory & Cache Optimizer, Memory & Resources Analyzer)

WindowTitle - (M)

- Path: c:\program files\memokit\memokit2.exe

winlogon.exe App Mem: 000516k, Virt Mem: 008072k, Status: Active

- Path: \??\c:\windows\system32\winlogon.exe

mDNSResponder.exe App Mem: 000352k, Virt Mem: 001320k, Status: Active

FileDescription - Bonjour Service

- Path: c:\program files\bonjour\mdnsresponder.exe

mdm.exe App Mem: 000308k, Virt Mem: 001048k, Status: Active

FileDescription - Machine Debug Manager

- Path: c:\program files\common files\microsoft shared\vs7debug\mdm.exe

McSvHost.exe App Mem: 000272k, Virt Mem: 024608k, Status: Active

FileDescription - McAfee Service Host

- Path: c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe

wmiprvse.exe App Mem: 000232k, Virt Mem: 002428k, Status: Active

FileDescription - WMI

- Path: c:\windows\system32\wbem\wmiprvse.exe

mfefire.exe App Mem: 000192k, Virt Mem: 004900k, Status: Active

FileDescription - McAfee Core Firewall Service

- Path: c:\program files\common files\mcafee\systemcore\mfefire.exe

mcshield.exe App Mem: 000184k, Virt Mem: 104136k, Status: Active

FileDescription - McAfee On-Access Scanner service

- Path: c:\program files\common files\mcafee\systemcore\mcshield.exe

mfevtps.exe App Mem: 000152k, Virt Mem: 005268k, Status: Active

FileDescription - McAfee Process Validation Service

- Path: c:\program files\common files\mcafee\systemcore\mfevtps.exe

AppleMobileDeviceService.exe App Mem: 000144k, Virt Mem: 002076k, Status: Active

FileDescription - Apple Mobile Device Service

- Path: c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe

jqs.exe App Mem: 000144k, Virt Mem: 002444k, Status: Active

FileDescription - Java Quick Starter Service

- Path: c:\program files\java\jre6\bin\jqs.exe

services.exe App Mem: 000116k, Virt Mem: 001852k, Status: Active

FileDescription - Services and Controller app

- Path: c:\windows\system32\services.exe

McSACore.exe App Mem: 000100k, Virt Mem: 014212k, Status: Active

FileDescription - SiteAdvisor

- Path: c:\program files\mcafee\siteadvisor\mcsacore.exe

spoolsv.exe App Mem: 000064k, Virt Mem: 003572k, Status: Active

FileDescription - Spooler SubSystem App

- Path: c:\windows\system32\spoolsv.exe

CTSVCCDA.exe App Mem: 000060k, Virt Mem: 000548k, Status: Active

FileDescription - Creative Service for CDROM Access

- Path: c:\windows\system32\ctsvccda.exe

smss.exe App Mem: 000060k, Virt Mem: 000168k, Status: Active

- Path: \systemroot\system32\smss.exe

alg.exe App Mem: 000052k, Virt Mem: 001284k, Status: Active

FileDescription - Application Layer Gateway Service

- Path: c:\windows\system32\alg.exe

System.exe App Mem: 000040k, Virt Mem: 000000k, Status: Active

devldr32.exe App Mem: 000036k, Virt Mem: 002156k, Status: Active

FileDescription - DevLdr32

WindowTitle - (DEVLDR)

- Path: c:\windows\system32\devldr32.exe

wlcomm.exe App Mem: 000032k, Virt Mem: 018236k, Status: Active

FileDescription - Windows Live Communications Platform

- Path: c:\program files\windows live\contacts\wlcomm.exe

ctfmon.exe App Mem: 000024k, Virt Mem: 001220k, Status: Active

FileDescription - CTF Loader

WindowTitle - (CiceroUIWndFrame)

- Path: c:\windows\system32\ctfmon.exe

inetinfo.exe App Mem: 000024k, Virt Mem: 005988k, Status: Active

FileDescription - Internet Information Services

- Path: c:\windows\system32\inetsrv\inetinfo.exe

lsass.exe App Mem: 000024k, Virt Mem: 004300k, Status: Active

FileDescription - LSA Shell (Export Version)

- Path: c:\windows\system32\lsass.exe

svchost.exe App Mem: 000024k, Virt Mem: 001548k, Status: Active

FileDescription - Generic Host Process for Win32 Services

- Path: c:\windows\system32\svchost.exe

svchost.exe App Mem: 000024k, Virt Mem: 003384k, Status: Active

FileDescription - Generic Host Process for Win32 Services

- Path: c:\windows\system32\svchost.exe

svchost.exe App Mem: 000024k, Virt Mem: 003228k, Status: Active

FileDescription - Generic Host Process for Win32 Services

- Path: c:\windows\system32\svchost.exe

svchost.exe App Mem: 000024k, Virt Mem: 002208k, Status: Active

FileDescription - Generic Host Process for Win32 Services

- Path: c:\windows\system32\svchost.exe

svchost.exe App Mem: 000024k, Virt Mem: 015240k, Status: Active

FileDescription - Generic Host Process for Win32 Services

- Path: c:\windows\system32\svchost.exe

svchost.exe App Mem: 000024k, Virt Mem: 013028k, Status: Active

FileDescription - Generic Host Process for Win32 Services

- Path: c:\windows\system32\svchost.exe

svchost.exe App Mem: 000024k, Virt Mem: 001840k, Status: Active

FileDescription - Generic Host Process for Win32 Services

- Path: c:\windows\system32\svchost.exe

svchost.exe App Mem: 000024k, Virt Mem: 001704k, Status: Active

FileDescription - Generic Host Process for Win32 Services

- Path: c:\windows\system32\svchost.exe

csrss.exe App Mem: 000020k, Virt Mem: 002008k, Status: Active

- Path: \??\c:\windows\system32\csrss.exe

MsMpEng.exe App Mem: 000016k, Virt Mem: 064008k, Status: Active

FileDescription - Service Executable

- Path: c:\program files\windows defender\msmpeng.exe

-----------------------------------------------------------------------------------------

So please let me know when I can reload Google Toolbar, thx.


Hi,

Sincere apologies for the late reply. I will be unavailable from today and a fellow colleague will take over and help you instead. Please be patient in waiting for a reply, thank you. :)


  • Staff

Thundergod,

I will be helping you while Ltangelic is away.

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmission of personal identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.

-screen317


Have not had any identity theft problems. I have noticed however that my system is running sluggish since I started to rid the system of malware. More sluggish now after I downloaded the OTS software and McAfee quarantined the file. Plan on reinstalling the OS at a later time. I have checked all my bank accounts and nothing suspicious indicating identity theft. Plus sensitive files are encrypted using an encryption software and copied to disc. Then I run a Government-type file removal program. So let's go ahead and rid this trojan outa here.


  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=44619
Collect::
c:\windows\system32\SVKP.sys
Driver::
SVKP

Save this as CFScript.txt

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

-screen317


OK, ran the CFScript twice, once in SAFE MODE and the second in NORMAL MODE. The SAFE MODE log is first and the NORMAL MODE log is next.

SAFE MODE CFScript log

ComboFix 10-04-07.01 - Vpr Matrix User 04/07/2010 22:01:46.4.1 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.732 [GMT -7:00]

Running from: c:\documents and settings\Vpr Matrix User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Vpr Matrix User\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\windows\system32\SVKP.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\SVKP.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SVKP

-------\Service_SVKP

((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))

.

2010-04-01 06:29 . 2010-04-01 06:29 103784 ----a-w- c:\documents and settings\Vpr Matrix User\GoToAssistDownloadHelper.exe

2010-04-01 00:16 . 2001-10-26 21:16 16384 ----a-w- c:\windows\system32\FileOps.exe

2010-03-31 23:37 . 2001-10-12 00:35 20588 ----a-w- c:\windows\system32\PdfPorts.dll

2010-03-31 23:37 . 2001-10-12 00:34 77824 ----a-w- c:\windows\system32\adistres.dll

2010-03-31 23:37 . 2001-04-27 21:02 101200 ------w- c:\windows\system32\pdfshell.dll

2010-03-31 23:37 . 2010-04-01 00:17 -------- d-----w- c:\windows\system32\Adobe

2010-03-31 23:37 . 2010-04-01 00:16 -------- d-----w- c:\program files\Common Files\Adobe

2010-03-31 23:33 . 2010-03-31 23:33 -------- d-----w- c:\documents and settings\Vpr Matrix User\Application Data\InterTrust

2010-03-31 23:28 . 2010-03-31 23:31 -------- d-----w- C:\Adobe Acrobat Installer

2010-03-31 05:33 . 2010-01-06 01:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-03-31 05:33 . 2010-01-06 01:04 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-03-31 05:33 . 2010-01-06 01:04 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-03-31 05:33 . 2010-01-06 01:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-03-31 05:33 . 2010-01-06 01:04 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-03-31 05:33 . 2010-01-06 01:04 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-03-31 05:33 . 2010-01-06 01:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-03-31 05:33 . 2010-01-06 01:04 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-03-31 05:33 . 2010-03-31 05:34 -------- d-----w- c:\program files\Common Files\Mcafee

2010-03-31 05:33 . 2010-03-31 05:33 -------- d-----w- c:\program files\McAfee.com

2010-03-31 05:32 . 2010-03-31 08:31 -------- d-----w- c:\program files\McAfee

2010-03-31 00:25 . 2010-03-31 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-03-30 23:54 . 2010-03-30 23:54 124088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-03-30 23:31 . 2010-03-30 23:55 -------- d-----w- C:\powerpanel_setup

2010-03-27 16:52 . 2010-03-27 17:06 -------- d-----w- C:\games

2010-03-25 18:23 . 2010-03-25 18:23 -------- d-----w- c:\program files\Trend Micro

2010-03-25 07:13 . 2010-03-25 07:13 -------- d-----w- c:\documents and settings\Vpr Matrix User\Local Settings\Application Data\Threat Expert

2010-03-24 20:44 . 2010-03-24 20:44 -------- d-----w- c:\program files\CCleaner

2010-03-24 17:32 . 2010-03-24 17:32 49152 ----a-r- c:\documents and settings\Vpr Matrix User\Application Data\Microsoft\Installer\{166E180E-9A3F-41AE-8B40-22D8FFF4AF87}\Icon49FA793C.exe

2010-03-24 07:50 . 2010-03-24 07:50 -------- d-----w- c:\documents and settings\Vpr Matrix User\Application Data\Malwarebytes

2010-03-24 07:50 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-24 07:50 . 2010-03-24 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-24 07:50 . 2010-03-24 07:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-24 07:50 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-15 09:01 . 2010-03-15 09:01 -------- d-----w- c:\program files\CardPlayer

2010-03-15 09:01 . 2010-03-15 09:01 -------- d-----w- c:\documents and settings\All Users\Application Data\CardPlayer

2010-03-11 04:33 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-03-10 17:46 . 2010-03-10 17:46 -------- d-----w- c:\documents and settings\Vpr Matrix User\Local Settings\Application Data\cache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-08 05:14 . 2008-11-05 00:52 -------- d--ha-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-08 04:21 . 2007-08-04 08:20 1051 ----a-w- c:\windows\aclockz6.dat

2010-04-07 00:56 . 2009-08-23 11:33 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys

2010-04-06 17:09 . 2010-01-20 00:26 -------- d-----w- c:\program files\CarbonPoker

2010-04-06 06:41 . 2007-05-09 00:36 -------- d-----w- c:\program files\Full Tilt Poker

2010-04-03 16:04 . 2003-09-07 01:22 -------- d--h--w- c:\documents and settings\All Users\Application Data\Viewpoint

2010-04-02 00:08 . 2007-09-21 18:02 -------- d-----w- c:\program files\PokerStars

2010-04-02 00:08 . 2006-02-13 17:00 -------- d-----w- c:\program files\UltimateBet

2010-04-02 00:01 . 2009-04-05 09:25 -------- d-----w- c:\program files\DoylesRoom

2010-04-01 00:09 . 2002-02-13 19:29 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-31 19:48 . 2008-02-10 17:16 -------- d-----w- c:\program files\EmpirePokerMaster

2010-03-27 18:12 . 2002-04-13 19:36 -------- d-----w- c:\program files\PCFriendly

2010-03-24 22:04 . 2008-11-17 21:21 -------- d-----w- c:\program files\Grocery List

2010-03-24 07:03 . 2009-08-20 00:06 -------- d-----w- c:\program files\Windows Defender

2010-03-23 21:12 . 2007-10-04 20:17 -------- d-----w- c:\program files\HughesNet

2010-03-23 19:55 . 2002-04-18 01:56 -------- d-----w- c:\program files\Microsoft Works

2010-03-23 19:33 . 2007-09-21 14:45 -------- d-----w- c:\program files\Common Files\Motive

2010-03-17 22:46 . 2009-02-19 00:31 -------- d-----w- c:\program files\ClubWPT

2010-02-27 18:04 . 2009-08-19 16:46 -------- d--h--w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-02-25 06:24 . 2004-02-07 01:05 916480 ------w- c:\windows\system32\wininet.dll

2010-02-24 17:16 . 2009-10-03 09:18 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-21 08:41 . 2008-07-28 02:51 -------- d-----w- c:\documents and settings\Vpr Matrix User\Application Data\Uniblue

2010-02-11 14:40 . 2008-11-16 06:33 -------- d-----w- c:\program files\Bodog Poker

2010-02-11 05:43 . 2010-02-11 05:43 55440 ----a-w- c:\documents and settings\Madison Nowinsky\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-09 15:37 . 2007-08-04 08:20 -------- d-----w- c:\program files\MemoKit

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-08-19 2754048]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Vpr Matrix User\Start Menu\Programs\Startup\

restartsvc.cmd [2007-8-7 47]

c:\documents and settings\Madison Nowinsky\Start Menu\Programs\Startup\

MemoKit.lnk - c:\program files\MemoKit\mk.exe [2010-2-2 28672]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"EditLevel"= 0 (0x0)

"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\^cabbage casaroole.tx_]

path=\cabbage casaroole.tx_

[HKLM\~\startupfolder\^ooida.tx_]

path=\ooida.tx_

[HKLM\~\startupfolder\^PUTTY.RN_]

path=\PUTTY.RN_

[HKLM\~\startupfolder\^S-1-5-21-1484400983-681764103-101265881-1005.rrr.LO_]

path=\S-1-5-21-1484400983-681764103-101265881-1005.rrr.LO_

[HKLM\~\startupfolder\^S-1-5-21-1484400983-681764103-101265881-500.rrr.LO_]

path=\S-1-5-21-1484400983-681764103-101265881-500.rrr.LO_

[HKLM\~\startupfolder\^winzipreg.tx_]

path=\winzipreg.tx_

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"TSIRCSRV"=2 (0x2)

"Ati HotKey Poller"=2 (0x2)

"_IOMEGA_ACTIVE_DISK_SERVICE_"=2 (0x2)

"ZipToA"=2 (0x2)

"Iomega App Services"=2 (0x2)

"usnjsvc"=3 (0x3)

"gupdate1c9dee0876276ec"=2 (0x2)

"Viewpoint Manager Service"=2 (0x2)

"AOL ACS"=2 (0x2)

"0285181250872064mcinstcleanup"=2 (0x2)

"SeaPort"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\IzyMail.exe"=

"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\ChoiceMail.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\ChoiceMailAdminControlPanel.exe"=

"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/30/2010 22:33 82952]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/30/2010 22:33 55456]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/30/2010 22:33 312584]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/30/2010 22:33 88480]

R3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [4/13/2002 08:53 217271]

S3 ADM8511;Belkin USB Ethernet Adapter;c:\windows\system32\drivers\NET8511.SYS [4/9/2001 11:11 24424]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/30/2010 22:33 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/30/2010 22:33 83496]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [12/24/2007 22:25 17920]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [12/24/2007 22:25 7680]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [12/24/2007 22:25 42112]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [12/24/2007 22:25 23680]

S3 NET1080;LapLink Inc. USB Cable Network Adapter;c:\windows\system32\drivers\NETTC.SYS [9/25/2003 13:20 12536]

S3 NIC2000;USB-USB Network Bridge Adapter;c:\windows\system32\drivers\NIC2000.SYS [9/23/2003 05:37 4613]

S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [8/23/2009 04:33 36928]

S3 S3Inc;S3Inc;c:\windows\system32\drivers\s3sav3dm.sys [7/27/2008 20:49 61504]

S3 S3SAV2K;S3SAV2K;c:\windows\system32\drivers\s3sav2km.sys [3/6/2002 17:20 85632]

S3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;c:\windows\system32\drivers\WMP11V27.sys [3/19/2003 19:01 171776]

S4 DPCNET5U;Satellite USB Driver;c:\windows\system32\DRIVERS\dpcnet5u.sys --> c:\windows\system32\DRIVERS\dpcnet5u.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2010-04-08 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-08-27 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 19:25]

2010-04-07 c:\windows\Tasks\User_Feed_Synchronization-{D809566E-DAFF-4061-ADE7-5B6A67C55BBD}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.facebook.com/?sk=messages&tid=1101295109441#!/?ref=home

uInternet Connection Wizard,ShellNext = hxxp://support.regcure.com/

uInternet Settings,ProxyOverride = www.direcwaysupport.com;www.systemcontrolcenter.com;192.168.0.1;127.0.0.1;localhost;<local>;*.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=&sourceid=ie8&rls=com.microsoft:en-us:&ie=&oe=

IE: &Download with &DAP - c:\program files\DAP\dapextie.htm

IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm

IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Vpr Matrix User\Start Menu\Programs\UltimateBet\UltimateBet.lnk

IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}

Trusted Zone: bankofamerica.com

Trusted Zone: capitalone.com

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: myhughesnet.com\customercare

Trusted Zone: ooida.com

Trusted Zone: swiftowner.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - hxxp://www.2omni.com/ifw/DISK1/setup.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-07 22:14

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1484400983-681764103-101265881-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(740)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Windows Defender\MsMpEng.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\System32\CTsvcCDA.EXE

c:\windows\System32\inetsrv\inetinfo.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\McAfee\SiteAdvisor\McSACore.exe

c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe

c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

c:\program files\Common Files\McAfee\SystemCore\mfefire.exe

c:\windows\system32\devldr32.exe

c:\program files\Windows Live\Contacts\wlcomm.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

.

**************************************************************************

.

Completion time: 2010-04-07 22:21:50 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-08 05:21

ComboFix2.txt 2010-04-03 15:50

ComboFix3.txt 2010-04-01 16:14

Pre-Run: 52,545,064,960 bytes free

Post-Run: 52,557,467,648 bytes free

- - End Of File - - CDF6A2F086576C9399826D34588E17A9

NORMAL MODE CFScript Log

ComboFix 10-04-07.01 - Vpr Matrix User 04/07/2010 22:39:34.5.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.580 [GMT -7:00]

Running from: c:\documents and settings\Vpr Matrix User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Vpr Matrix User\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))

.

2010-04-01 06:29 . 2010-04-01 06:29 103784 ----a-w- c:\documents and settings\Vpr Matrix User\GoToAssistDownloadHelper.exe

2010-04-01 00:16 . 2001-10-26 21:16 16384 ----a-w- c:\windows\system32\FileOps.exe

2010-03-31 23:37 . 2001-10-12 00:35 20588 ----a-w- c:\windows\system32\PdfPorts.dll

2010-03-31 23:37 . 2001-10-12 00:34 77824 ----a-w- c:\windows\system32\adistres.dll

2010-03-31 23:37 . 2001-04-27 21:02 101200 ------w- c:\windows\system32\pdfshell.dll

2010-03-31 23:37 . 2010-04-01 00:17 -------- d-----w- c:\windows\system32\Adobe

2010-03-31 23:37 . 2010-04-01 00:16 -------- d-----w- c:\program files\Common Files\Adobe

2010-03-31 23:33 . 2010-03-31 23:33 -------- d-----w- c:\documents and settings\Vpr Matrix User\Application Data\InterTrust

2010-03-31 23:28 . 2010-03-31 23:31 -------- d-----w- C:\Adobe Acrobat Installer

2010-03-31 05:33 . 2010-01-06 01:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-03-31 05:33 . 2010-01-06 01:04 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-03-31 05:33 . 2010-01-06 01:04 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-03-31 05:33 . 2010-01-06 01:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-03-31 05:33 . 2010-01-06 01:04 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-03-31 05:33 . 2010-01-06 01:04 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-03-31 05:33 . 2010-01-06 01:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-03-31 05:33 . 2010-01-06 01:04 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-03-31 05:33 . 2010-03-31 05:34 -------- d-----w- c:\program files\Common Files\Mcafee

2010-03-31 05:33 . 2010-03-31 05:33 -------- d-----w- c:\program files\McAfee.com

2010-03-31 05:32 . 2010-03-31 08:31 -------- d-----w- c:\program files\McAfee

2010-03-31 00:25 . 2010-03-31 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-03-30 23:54 . 2010-03-30 23:54 124088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-03-30 23:31 . 2010-03-30 23:55 -------- d-----w- C:\powerpanel_setup

2010-03-27 16:52 . 2010-03-27 17:06 -------- d-----w- C:\games

2010-03-25 18:23 . 2010-03-25 18:23 -------- d-----w- c:\program files\Trend Micro

2010-03-25 07:13 . 2010-03-25 07:13 -------- d-----w- c:\documents and settings\Vpr Matrix User\Local Settings\Application Data\Threat Expert

2010-03-24 20:44 . 2010-03-24 20:44 -------- d-----w- c:\program files\CCleaner

2010-03-24 17:32 . 2010-03-24 17:32 49152 ----a-r- c:\documents and settings\Vpr Matrix User\Application Data\Microsoft\Installer\{166E180E-9A3F-41AE-8B40-22D8FFF4AF87}\Icon49FA793C.exe

2010-03-24 07:50 . 2010-03-24 07:50 -------- d-----w- c:\documents and settings\Vpr Matrix User\Application Data\Malwarebytes

2010-03-24 07:50 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-24 07:50 . 2010-03-24 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-24 07:50 . 2010-03-24 07:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-24 07:50 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-15 09:01 . 2010-03-15 09:01 -------- d-----w- c:\program files\CardPlayer

2010-03-15 09:01 . 2010-03-15 09:01 -------- d-----w- c:\documents and settings\All Users\Application Data\CardPlayer

2010-03-11 04:33 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-03-10 17:46 . 2010-03-10 17:46 -------- d-----w- c:\documents and settings\Vpr Matrix User\Local Settings\Application Data\cache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-08 05:14 . 2008-11-05 00:52 -------- d--ha-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-08 04:21 . 2007-08-04 08:20 1051 ----a-w- c:\windows\aclockz6.dat

2010-04-07 00:56 . 2009-08-23 11:33 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys

2010-04-06 17:09 . 2010-01-20 00:26 -------- d-----w- c:\program files\CarbonPoker

2010-04-06 06:41 . 2007-05-09 00:36 -------- d-----w- c:\program files\Full Tilt Poker

2010-04-03 16:04 . 2003-09-07 01:22 -------- d--h--w- c:\documents and settings\All Users\Application Data\Viewpoint

2010-04-02 00:08 . 2007-09-21 18:02 -------- d-----w- c:\program files\PokerStars

2010-04-02 00:08 . 2006-02-13 17:00 -------- d-----w- c:\program files\UltimateBet

2010-04-02 00:01 . 2009-04-05 09:25 -------- d-----w- c:\program files\DoylesRoom

2010-04-01 00:09 . 2002-02-13 19:29 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-31 19:48 . 2008-02-10 17:16 -------- d-----w- c:\program files\EmpirePokerMaster

2010-03-27 18:12 . 2002-04-13 19:36 -------- d-----w- c:\program files\PCFriendly

2010-03-24 22:04 . 2008-11-17 21:21 -------- d-----w- c:\program files\Grocery List

2010-03-24 07:03 . 2009-08-20 00:06 -------- d-----w- c:\program files\Windows Defender

2010-03-23 21:12 . 2007-10-04 20:17 -------- d-----w- c:\program files\HughesNet

2010-03-23 19:55 . 2002-04-18 01:56 -------- d-----w- c:\program files\Microsoft Works

2010-03-23 19:33 . 2007-09-21 14:45 -------- d-----w- c:\program files\Common Files\Motive

2010-03-17 22:46 . 2009-02-19 00:31 -------- d-----w- c:\program files\ClubWPT

2010-02-27 18:04 . 2009-08-19 16:46 -------- d--h--w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-02-25 06:24 . 2004-02-07 01:05 916480 ------w- c:\windows\system32\wininet.dll

2010-02-24 17:16 . 2009-10-03 09:18 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-21 08:41 . 2008-07-28 02:51 -------- d-----w- c:\documents and settings\Vpr Matrix User\Application Data\Uniblue

2010-02-11 14:40 . 2008-11-16 06:33 -------- d-----w- c:\program files\Bodog Poker

2010-02-11 05:43 . 2010-02-11 05:43 55440 ----a-w- c:\documents and settings\Madison Nowinsky\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-09 15:37 . 2007-08-04 08:20 -------- d-----w- c:\program files\MemoKit

.

((((((((((((((((((((((((((((( SnapShot@2010-04-03_16.34.51 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-04-08 05:12 . 2010-04-08 05:12 16384 c:\windows\temp\Perflib_Perfdata_1fc.dat

+ 2002-02-13 02:12 . 2010-04-08 02:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2002-02-13 02:12 . 2010-04-03 13:06 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-02-10 21:24 . 2010-04-08 05:12 221673 c:\windows\system32\inetsrv\MetaBase.bin

- 2010-02-10 21:24 . 2010-04-03 16:23 221673 c:\windows\system32\inetsrv\MetaBase.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-08-19 2754048]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Vpr Matrix User\Start Menu\Programs\Startup\

restartsvc.cmd [2007-8-7 47]

c:\documents and settings\Madison Nowinsky\Start Menu\Programs\Startup\

MemoKit.lnk - c:\program files\MemoKit\mk.exe [2010-2-2 28672]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"EditLevel"= 0 (0x0)

"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\^cabbage casaroole.tx_]

path=\cabbage casaroole.tx_

[HKLM\~\startupfolder\^ooida.tx_]

path=\ooida.tx_

[HKLM\~\startupfolder\^PUTTY.RN_]

path=\PUTTY.RN_

[HKLM\~\startupfolder\^S-1-5-21-1484400983-681764103-101265881-1005.rrr.LO_]

path=\S-1-5-21-1484400983-681764103-101265881-1005.rrr.LO_

[HKLM\~\startupfolder\^S-1-5-21-1484400983-681764103-101265881-500.rrr.LO_]

path=\S-1-5-21-1484400983-681764103-101265881-500.rrr.LO_

[HKLM\~\startupfolder\^winzipreg.tx_]

path=\winzipreg.tx_

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"TSIRCSRV"=2 (0x2)

"Ati HotKey Poller"=2 (0x2)

"_IOMEGA_ACTIVE_DISK_SERVICE_"=2 (0x2)

"ZipToA"=2 (0x2)

"Iomega App Services"=2 (0x2)

"usnjsvc"=3 (0x3)

"gupdate1c9dee0876276ec"=2 (0x2)

"Viewpoint Manager Service"=2 (0x2)

"AOL ACS"=2 (0x2)

"0285181250872064mcinstcleanup"=2 (0x2)

"SeaPort"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\IzyMail.exe"=

"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\ChoiceMail.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\ChoiceMailAdminControlPanel.exe"=

"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/30/2010 22:33 82952]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/30/2010 22:34 93320]

R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/30/2010 22:33 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/30/2010 22:33 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [3/30/2010 22:33 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [3/30/2010 22:33 141792]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 19:19 13592]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/30/2010 22:33 55456]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/30/2010 22:33 312584]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/30/2010 22:33 88480]

R3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [4/13/2002 08:53 217271]

S3 ADM8511;Belkin USB Ethernet Adapter;c:\windows\system32\drivers\NET8511.SYS [4/9/2001 11:11 24424]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/30/2010 22:33 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/30/2010 22:33 83496]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [12/24/2007 22:25 17920]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [12/24/2007 22:25 7680]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [12/24/2007 22:25 42112]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [12/24/2007 22:25 23680]

S3 NET1080;LapLink Inc. USB Cable Network Adapter;c:\windows\system32\drivers\NETTC.SYS [9/25/2003 13:20 12536]

S3 NIC2000;USB-USB Network Bridge Adapter;c:\windows\system32\drivers\NIC2000.SYS [9/23/2003 05:37 4613]

S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [8/23/2009 04:33 36928]

S3 S3Inc;S3Inc;c:\windows\system32\drivers\s3sav3dm.sys [7/27/2008 20:49 61504]

S3 S3SAV2K;S3SAV2K;c:\windows\system32\drivers\s3sav2km.sys [3/6/2002 17:20 85632]

S3 svcChoiceMail;Choice Mail;c:\program files\DigiPortal Software\ChoiceMail\CMServer.exe [8/23/2009 04:33 4640768]

S3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;c:\windows\system32\drivers\WMP11V27.sys [3/19/2003 19:01 171776]

S4 DPCNET5U;Satellite USB Driver;c:\windows\system32\DRIVERS\dpcnet5u.sys --> c:\windows\system32\DRIVERS\dpcnet5u.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2010-04-08 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-08-27 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 19:25]

2010-04-07 c:\windows\Tasks\User_Feed_Synchronization-{D809566E-DAFF-4061-ADE7-5B6A67C55BBD}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.facebook.com/?sk=messages&tid=1101295109441#!/?ref=home

uInternet Connection Wizard,ShellNext = hxxp://support.regcure.com/

uInternet Settings,ProxyOverride = www.direcwaysupport.com;www.systemcontrolcenter.com;192.168.0.1;127.0.0.1;localhost;<local>;*.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=&sourceid=ie8&rls=com.microsoft:en-us:&ie=&oe=

IE: &Download with &DAP - c:\program files\DAP\dapextie.htm

IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm

IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Vpr Matrix User\Start Menu\Programs\UltimateBet\UltimateBet.lnk

IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}

Trusted Zone: bankofamerica.com

Trusted Zone: capitalone.com

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: myhughesnet.com\customercare

Trusted Zone: ooida.com

Trusted Zone: swiftowner.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - hxxp://www.2omni.com/ifw/DISK1/setup.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-07 22:48

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1484400983-681764103-101265881-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1168)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2010-04-07 22:52:20

ComboFix-quarantined-files.txt 2010-04-08 05:52

ComboFix2.txt 2010-04-08 05:21

ComboFix3.txt 2010-04-03 15:50

ComboFix4.txt 2010-04-01 16:14

Pre-Run: 52,570,951,680 bytes free

Post-Run: 52,551,847,936 bytes free

- - End Of File - - AA8E42E5485AF11329EF1843FEB172BF


  • Staff

Hi,

Please only perform my instructions in Normal Mode unless otherwise stated.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

KILLALL::

Registry::

[-HKLM\~\startupfolder\^cabbage casaroole.tx_]

[-HKLM\~\startupfolder\^ooida.tx_]

[-HKLM\~\startupfolder\^PUTTY.RN_]

[-HKLM\~\startupfolder\^S-1-5-21-1484400983-681764103-101265881-1005.rrr.LO_]

[-HKLM\~\startupfolder\^S-1-5-21-1484400983-681764103-101265881-500.rrr.LO_]

[-HKLM\~\startupfolder\^winzipreg.tx_]

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

Next, navigate to this file:

c:\documents and settings\Vpr Matrix User\Start Menu\Programs\Startup\restartsvc.cmd

Right-click it and open it in Notepad; post its contents here.

-screen317

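The CFScript in the reply above targets six orphaned msconfig startupfolder entries, but the same ComboFix logs also record several weakened defences worth a second look: McAfee reports on-access scanning disabled, the Windows Firewall is off in the standard profile, Security Center is told not to monitor the McAfee AV and firewall, TCP 3389 is opened to every host, and there is a long Trusted Sites list. Some of those are expected when a third-party suite is installed and some are not. As an added example that is not part of this thread and not ComboFix's own code, here is a small Python triage script that scans a ComboFix log for those indicators and separates the ones that are expected (a third-party firewall is registered, so the Windows Firewall being off is normal) from the ones that need a decision. The SAMPLE_LOG inside it is constructed to mirror the entry formats seen above, not copied from the poster's machine; the function names and the "review"/"info" labels are my own.

```python
"""Triage a ComboFix log for weakened-defence indicators.

Added example for this thread; it is not ComboFix's own code and not
from the original poster.  SAMPLE_LOG is constructed to mirror the
entry formats seen in the posted logs, not copied from a live machine.
"""
from __future__ import annotations

import re
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed sample (hypothetical): one line of each entry type that
# the scanner understands, laid out the way ComboFix prints them.
SAMPLE_LOG = r"""
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\startupfolder\^PUTTY.RN_]
path=\PUTTY.RN_
Trusted Zone: internet
Trusted Zone: mcafee.com
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "review": needs a decision; "info": worth knowing
    what: str
    line: str


KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKLM\...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "Name"= value


def _norm_key(key: str) -> str:
    """Lower-case and abbreviate the hive so both spellings compare equal."""
    return key.lower().replace("hkey_local_machine", "hklm")


def triage(log_text: str) -> list[Finding]:
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # A header line "FW: <name> *enabled*" means a third-party firewall is
    # registered; the Windows Firewall being off is then expected.
    third_party_fw = any(l.startswith("FW:") and "*enabled*" in l for l in lines)

    findings: list[Finding] = []
    key = ""   # registry key the following value lines belong to
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = _norm_key(m.group(1))
            if "\\startupfolder\\^" in key:
                findings.append(Finding("info", "msconfig-disabled startup-folder item (the kind the CFScript removes)", line))
            continue
        if line.startswith("AV:") and "disabled" in line.lower():
            findings.append(Finding("review", "antivirus reports real-time scanning disabled", line))
            continue
        if line.startswith("Trusted Zone:"):
            findings.append(Finding("info", "site in IE Trusted Sites zone (lowered security settings)", line))
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, value = vm.group(1), vm.group(2).strip().lower()
        if "security center\\monitoring" in key and name == "DisableMonitoring" and value == "dword:00000001":
            findings.append(Finding("review", "Security Center monitoring of this product disabled (normal when a suite registers itself; confirm the product is actually running)", line))
        elif key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value.startswith("0"):
            sev = "info" if third_party_fw else "review"
            note = " (third-party firewall reports enabled)" if third_party_fw else ""
            findings.append(Finding(sev, "Windows Firewall off in standard profile" + note, line))
        elif key.endswith("globallyopenports\\list"):
            findings.append(Finding("review", f"port {name} opened to every remote host", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'review': 3, 'info': 4}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    if len(sys.argv) > 1:   # ComboFix.txt is ANSI text; don't choke on odd bytes
        with open(sys.argv[1], encoding="cp1252", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    found = triage(text)
    for f in found:
        print(f"[{f.severity:6}] {f.what}\n         {f.line}")
    print(summarize(found))
```

Run it as `python triage.py ComboFix.txt` against a saved log, or with no argument to see it work on the constructed sample. The point of the FW: cross-check is that a log line on its own is not a verdict: "EnableFirewall"= 0 is a finding on a machine with no other firewall and noise on one where McAfee's firewall is enabled, and the same reasoning applies to the Security Center DisableMonitoring values, which a registered suite sets itself. A globally open 3389:TCP has no such excuse and stays a "review" item regardless.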

ComboFix 10-04-09.03 - Vpr Matrix User 04/10/2010 0:44.6.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.577 [GMT -7:00]

Running from: c:\documents and settings\Vpr Matrix User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Vpr Matrix User\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))

.

2010-04-10 08:41 . 2010-04-10 08:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2010-04-01 06:29 . 2010-04-01 06:29 103784 ----a-w- c:\documents and settings\Vpr Matrix User\GoToAssistDownloadHelper.exe

2010-04-01 00:16 . 2001-10-26 21:16 16384 ----a-w- c:\windows\system32\FileOps.exe

2010-03-31 23:37 . 2001-10-12 00:35 20588 ----a-w- c:\windows\system32\PdfPorts.dll

2010-03-31 23:37 . 2001-10-12 00:34 77824 ----a-w- c:\windows\system32\adistres.dll

2010-03-31 23:37 . 2001-04-27 21:02 101200 ------w- c:\windows\system32\pdfshell.dll

2010-03-31 23:37 . 2010-04-01 00:17 -------- d-----w- c:\windows\system32\Adobe

2010-03-31 23:37 . 2010-04-01 00:16 -------- d-----w- c:\program files\Common Files\Adobe

2010-03-31 23:33 . 2010-03-31 23:33 -------- d-----w- c:\documents and settings\Vpr Matrix User\Application Data\InterTrust

2010-03-31 23:28 . 2010-03-31 23:31 -------- d-----w- C:\Adobe Acrobat Installer

2010-03-31 05:33 . 2010-01-06 01:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-03-31 05:33 . 2010-01-06 01:04 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-03-31 05:33 . 2010-01-06 01:04 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-03-31 05:33 . 2010-01-06 01:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-03-31 05:33 . 2010-01-06 01:04 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-03-31 05:33 . 2010-01-06 01:04 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-03-31 05:33 . 2010-01-06 01:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-03-31 05:33 . 2010-01-06 01:04 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-03-31 05:33 . 2010-03-31 05:34 -------- d-----w- c:\program files\Common Files\Mcafee

2010-03-31 05:33 . 2010-03-31 05:33 -------- d-----w- c:\program files\McAfee.com

2010-03-31 05:32 . 2010-03-31 08:31 -------- d-----w- c:\program files\McAfee

2010-03-31 00:25 . 2010-03-31 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-03-30 23:54 . 2010-03-30 23:54 124088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-03-30 23:31 . 2010-03-30 23:55 -------- d-----w- C:\powerpanel_setup

2010-03-27 16:52 . 2010-03-27 17:06 -------- d-----w- C:\games

2010-03-25 18:23 . 2010-03-25 18:23 -------- d-----w- c:\program files\Trend Micro

2010-03-25 07:13 . 2010-03-25 07:13 -------- d-----w- c:\documents and settings\Vpr Matrix User\Local Settings\Application Data\Threat Expert

2010-03-24 20:44 . 2010-03-24 20:44 -------- d-----w- c:\program files\CCleaner

2010-03-24 07:50 . 2010-03-24 07:50 -------- d-----w- c:\documents and settings\Vpr Matrix User\Application Data\Malwarebytes

2010-03-24 07:50 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-24 07:50 . 2010-03-24 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-24 07:50 . 2010-03-24 07:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-24 07:50 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-15 09:01 . 2010-03-15 09:01 -------- d-----w- c:\program files\CardPlayer

2010-03-15 09:01 . 2010-03-15 09:01 -------- d-----w- c:\documents and settings\All Users\Application Data\CardPlayer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-10 14:56 . 2008-11-05 00:52 -------- d--ha-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-09 18:25 . 2009-08-23 11:33 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys

2010-04-09 15:09 . 2007-09-21 18:02 -------- d-----w- c:\program files\PokerStars

2010-04-09 02:46 . 2007-08-04 08:20 1051 ----a-w- c:\windows\aclockz6.dat

2010-04-09 02:31 . 2008-11-08 20:25 -------- d-----w- c:\program files\Windows Media Connect 2

2010-04-06 17:09 . 2010-01-20 00:26 -------- d-----w- c:\program files\CarbonPoker

2010-04-06 06:41 . 2007-05-09 00:36 -------- d-----w- c:\program files\Full Tilt Poker

2010-04-03 16:04 . 2003-09-07 01:22 -------- d--h--w- c:\documents and settings\All Users\Application Data\Viewpoint

2010-04-02 00:08 . 2006-02-13 17:00 -------- d-----w- c:\program files\UltimateBet

2010-04-02 00:01 . 2009-04-05 09:25 -------- d-----w- c:\program files\DoylesRoom

2010-04-01 00:09 . 2002-02-13 19:29 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-31 19:48 . 2008-02-10 17:16 -------- d-----w- c:\program files\EmpirePokerMaster

2010-03-27 18:12 . 2002-04-13 19:36 -------- d-----w- c:\program files\PCFriendly

2010-03-24 22:04 . 2008-11-17 21:21 -------- d-----w- c:\program files\Grocery List

2010-03-24 17:32 . 2010-03-24 17:32 49152 ----a-r- c:\documents and settings\Vpr Matrix User\Application Data\Microsoft\Installer\{166E180E-9A3F-41AE-8B40-22D8FFF4AF87}\Icon49FA793C.exe

2010-03-24 07:03 . 2009-08-20 00:06 -------- d-----w- c:\program files\Windows Defender

2010-03-23 21:12 . 2007-10-04 20:17 -------- d-----w- c:\program files\HughesNet

2010-03-23 19:55 . 2002-04-18 01:56 -------- d-----w- c:\program files\Microsoft Works

2010-03-23 19:33 . 2007-09-21 14:45 -------- d-----w- c:\program files\Common Files\Motive

2010-03-17 22:46 . 2009-02-19 00:31 -------- d-----w- c:\program files\ClubWPT

2010-02-27 18:04 . 2009-08-19 16:46 -------- d--h--w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-02-25 06:24 . 2004-02-07 01:05 916480 ------w- c:\windows\system32\wininet.dll

2010-02-24 17:16 . 2009-10-03 09:18 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-21 08:41 . 2008-07-28 02:51 -------- d-----w- c:\documents and settings\Vpr Matrix User\Application Data\Uniblue

2010-02-11 14:40 . 2008-11-16 06:33 -------- d-----w- c:\program files\Bodog Poker

2010-02-11 05:43 . 2010-02-11 05:43 55440 ----a-w- c:\documents and settings\Madison Nowinsky\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-09 15:37 . 2007-08-04 08:20 -------- d-----w- c:\program files\MemoKit

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-08-19 2754048]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"WIAWizardMenu"="c:\windows\system32\sti_ci.dll" [2008-04-14 136704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Vpr Matrix User\Start Menu\Programs\Startup\

restartsvc.cmd [2007-8-7 47]

c:\documents and settings\Madison Nowinsky\Start Menu\Programs\Startup\

MemoKit.lnk - c:\program files\MemoKit\mk.exe [2010-2-2 28672]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"EditLevel"= 0 (0x0)

"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"TSIRCSRV"=2 (0x2)

"Ati HotKey Poller"=2 (0x2)

"_IOMEGA_ACTIVE_DISK_SERVICE_"=2 (0x2)

"ZipToA"=2 (0x2)

"Iomega App Services"=2 (0x2)

"usnjsvc"=3 (0x3)

"gupdate1c9dee0876276ec"=2 (0x2)

"Viewpoint Manager Service"=2 (0x2)

"AOL ACS"=2 (0x2)

"0285181250872064mcinstcleanup"=2 (0x2)

"SeaPort"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\IzyMail.exe"=

"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\ChoiceMail.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

"c:\\Program Files\\DigiPortal Software\\ChoiceMail\\ChoiceMailAdminControlPanel.exe"=

"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/30/2010 22:33 82952]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/30/2010 22:34 93320]

R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/30/2010 22:33 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/30/2010 22:33 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [3/30/2010 22:33 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [3/30/2010 22:33 141792]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 19:19 13592]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/30/2010 22:33 55456]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/30/2010 22:33 312584]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/30/2010 22:33 88480]

R3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [4/13/2002 08:53 217271]

S3 ADM8511;Belkin USB Ethernet Adapter;c:\windows\system32\drivers\NET8511.SYS [4/9/2001 11:11 24424]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/30/2010 22:33 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/30/2010 22:33 83496]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [12/24/2007 22:25 17920]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [12/24/2007 22:25 7680]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [12/24/2007 22:25 42112]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [12/24/2007 22:25 23680]

S3 NET1080;LapLink Inc. USB Cable Network Adapter;c:\windows\system32\drivers\NETTC.SYS [9/25/2003 13:20 12536]

S3 NIC2000;USB-USB Network Bridge Adapter;c:\windows\system32\drivers\NIC2000.SYS [9/23/2003 05:37 4613]

S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [8/23/2009 04:33 36928]

S3 S3Inc;S3Inc;c:\windows\system32\drivers\s3sav3dm.sys [7/27/2008 20:49 61504]

S3 S3SAV2K;S3SAV2K;c:\windows\system32\drivers\s3sav2km.sys [3/6/2002 17:20 85632]

S3 svcChoiceMail;Choice Mail;c:\program files\DigiPortal Software\ChoiceMail\CMServer.exe [8/23/2009 04:33 4640768]

S3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;c:\windows\system32\drivers\WMP11V27.sys [3/19/2003 19:01 171776]

S4 DPCNET5U;Satellite USB Driver;c:\windows\system32\DRIVERS\dpcnet5u.sys --> c:\windows\system32\DRIVERS\dpcnet5u.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2010-04-10 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-08-27 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 19:25]

2010-04-09 c:\windows\Tasks\User_Feed_Synchronization-{D809566E-DAFF-4061-ADE7-5B6A67C55BBD}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.facebook.com/?sk=messages&tid=1101295109441#!/?ref=home

uInternet Connection Wizard,ShellNext = hxxp://support.regcure.com/

uInternet Settings,ProxyOverride = www.direcwaysupport.com;www.systemcontrolcenter.com;192.168.0.1;127.0.0.1;localhost;<local>;*.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=&sourceid=ie8&rls=com.microsoft:en-us:&ie=&oe=

IE: &Download with &DAP - c:\program files\DAP\dapextie.htm

IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm

IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Vpr Matrix User\Start Menu\Programs\UltimateBet\UltimateBet.lnk

IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}

Trusted Zone: bankofamerica.com

Trusted Zone: capitalone.com

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: myhughesnet.com\customercare

Trusted Zone: ooida.com

Trusted Zone: swiftowner.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - hxxp://www.2omni.com/ifw/DISK1/setup.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-10 07:56

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1484400983-681764103-101265881-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3736)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WS_FTP\nsftpch.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\System32\CTsvcCDA.EXE

c:\windows\System32\inetsrv\inetinfo.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\WgaTray.exe

c:\windows\system32\devldr32.exe

c:\windows\system32\wpabaln.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\program files\Windows Live\Contacts\wlcomm.exe

.

**************************************************************************

.

Completion time: 2010-04-10 08:03:24 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-10 15:03

ComboFix2.txt 2010-04-08 05:52

ComboFix3.txt 2010-04-08 05:21

ComboFix4.txt 2010-04-03 15:50

ComboFix5.txt 2010-04-10 07:42

Pre-Run: 52,081,262,592 bytes free

Post-Run: 52,083,970,048 bytes free

- - End Of File - - 30E9BB474E775415C535277E6709C36E

DDS File

DDS (Ver_10-03-17.01) - NTFSx86

Run by Vpr Matrix User at 8:38:09.54 on Sat 04/10/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_16

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.552 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\DAP\DAP.EXE

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\system32\ctfmon.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Vpr Matrix User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.facebook.com/?sk=messages&tid=1101295109441#!/?ref=home

uInternet Connection Wizard,ShellNext = hxxp://support.regcure.com/

uInternet Settings,ProxyOverride = www.direcwaysupport.com;www.systemcontrolcenter.com;192.168.0.1;127.0.0.1;localhost;<local>;*.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=&sourceid=ie8&rls=com.microsoft:en-us:&ie=&oe=

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: AutorunsDisabled - No File

BHO: AOL Toolbar Launcher - No File

BHO: DAPHelper Class: {0000cc75-acf3-4cac-a0a9-dd3868e06852} - c:\program files\dap\DAPBHO.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\acrobat\activex\AcroIEHelper.ocx

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100330223328.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [DownloadAccelerator] "c:\program files\dap\DAP.EXE" /STARTUP

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRunOnce: [WIAWizardMenu] RUNDLL32.EXE c:\windows\system32\sti_ci.dll,WiaCreateWizardMenu

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

StartupFolder: c:\documents and settings\vpr matrix user\start menu\programs\startup\restartsvc.cmd

StartupFolder: c:\documents and settings\vpr matrix user\start menu\programs\startup\restartsvc.cmd

uPolicies-explorer: <NO NAME> =

uPolicies-explorer: EditLevel = 0 (0x0)

uPolicies-explorer: NoCommonGroups = 0 (0x0)

IE: &Download with &DAP - c:\program files\dap\dapextie.htm

IE: Download &all with DAP - c:\program files\dap\dapextie2.htm

IE: {6224f700-cba3-4071-b251-47cb894244cd}

IE: {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - c:\program files\empirepokermaster\empirepoker\RunEPoker.exe

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}

IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\vpr matrix user\start menu\programs\ultimatebet\UltimateBet.lnk

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe

IE: {669695BC-A811-4A9D-8CDF-BA8C795F261C} - c:\progra~1\dap\DAP.EXE

IE: {725E77D3-B919-4eef-8EEE-D09DE618B6C1}

IE: {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - c:\program files\empirepokermaster\empirepoker\RunEPoker.exe

IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: bankofamerica.com

Trusted Zone: capitalone.com

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: myhughesnet.com\customercare

Trusted Zone: ooida.com

Trusted Zone: swiftowner.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxp://stcooemail.swiftowner.com/iNotes6W.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}

DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab

DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}

DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - hxxp://www.2omni.com/ifw/DISK1/setup.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-3-30 82952]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-3-30 93320]

R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-30 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-3-30 170144]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-3-30 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-3-30 141792]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-30 55456]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-30 152320]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-30 51688]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-30 312584]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-3-30 88480]

R3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [2002-4-13 217271]

S3 ADM8511;Belkin USB Ethernet Adapter;c:\windows\system32\drivers\NET8511.SYS [2001-4-9 24424]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-3-30 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-30 83496]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-12-24 17920]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-12-24 7680]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-12-24 42112]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-12-24 23680]

S3 NET1080;LapLink Inc. USB Cable Network Adapter;c:\windows\system32\drivers\NETTC.SYS [2003-9-25 12536]

S3 NIC2000;USB-USB Network Bridge Adapter;c:\windows\system32\drivers\NIC2000.SYS [2003-9-23 4613]

S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2009-8-23 36928]

S3 S3Inc;S3Inc;c:\windows\system32\drivers\s3sav3dm.sys [2008-7-27 61504]

S3 S3SAV2K;S3SAV2K;c:\windows\system32\drivers\s3sav2km.sys [2002-3-6 85632]

S3 svcChoiceMail;Choice Mail;c:\program files\digiportal software\choicemail\CMServer.exe [2009-8-23 4640768]

S3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;c:\windows\system32\drivers\WMP11V27.sys [2003-3-19 171776]

S4 DPCNET5U;Satellite USB Driver;c:\windows\system32\drivers\dpcnet5u.sys --> c:\windows\system32\drivers\dpcnet5u.sys [?]

=============== Created Last 30 ================

2010-04-10 15:14:02 4444 ----a-w- c:\windows\system32\pid.PNF

2010-04-01 15:48:49 0 d-sha-r- C:\cmdcons

2010-04-01 15:46:27 98816 ----a-w- c:\windows\sed.exe

2010-04-01 15:46:27 77312 ----a-w- c:\windows\MBR.exe

2010-04-01 15:46:27 261632 ----a-w- c:\windows\PEV.exe

2010-04-01 15:46:27 161792 ----a-w- c:\windows\SWREG.exe

2010-04-01 06:29:47 103784 ----a-w- c:\documents and settings\vpr matrix user\GoToAssistDownloadHelper.exe

2010-04-01 00:16:59 16384 ----a-w- c:\windows\system32\FileOps.exe

2010-03-31 23:37:50 77824 ----a-w- c:\windows\system32\adistres.dll

2010-03-31 23:37:50 20588 ----a-w- c:\windows\system32\PdfPorts.dll

2010-03-31 23:37:38 101200 ------w- c:\windows\system32\pdfshell.dll

2010-03-31 23:37:14 0 d-----w- c:\windows\system32\Adobe

2010-03-31 23:28:45 0 d-----w- C:\Adobe Acrobat Installer

2010-03-31 05:33:27 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-03-31 05:33:18 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-03-31 05:33:17 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-03-31 05:33:17 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-03-31 05:33:17 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-03-31 05:33:17 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-03-31 05:33:17 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-03-31 05:33:17 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-03-31 05:33:07 0 d-----w- c:\program files\common files\Mcafee

2010-03-31 05:33:06 0 d-----w- c:\program files\McAfee.com

2010-03-31 05:32:32 0 d-----w- c:\program files\McAfee

2010-03-30 23:31:53 0 d-----w- C:\powerpanel_setup

2010-03-28 07:00:49 9216 --sha-w- c:\windows\Thumbs.db

2010-03-27 18:53:32 8192 ----a-w- C:\s-1-5-21-1484400983-681764103-101265881-1019.rrr

2010-03-27 18:53:25 3801088 ----a-w- c:\documents and settings\vpr matrix user\s-1-5-21-1484400983-681764103-101265881-1005.rrr

2010-03-27 16:52:57 0 d-----w- C:\games

2010-03-25 18:23:53 0 d-----w- c:\program files\Trend Micro

2010-03-24 20:44:28 0 d-----w- c:\program files\CCleaner

2010-03-24 07:50:37 0 d-----w- c:\docume~1\vprmat~1\applic~1\Malwarebytes

2010-03-24 07:50:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-24 07:50:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-03-24 07:50:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-24 07:50:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-23 19:55:42 849 ----a-w- C:\Microsoft Works Calendar Reminders.lnk

2010-03-15 09:01:58 0 d-----w- c:\program files\CardPlayer

2010-03-15 09:01:58 0 d-----w- c:\docume~1\alluse~1\applic~1\CardPlayer

==================== Find3M ====================

2010-04-09 18:25:00 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys

2010-04-01 00:29:21 81073 ----a-w- c:\windows\fonts\AdobeFnt.lst

2010-02-25 18:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-10-20 08:30:11 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

2008-08-27 05:58:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 8:38:37.73 ===============

restrartsvc.xtx

net stop svcChoiceMail

net start svcChoiceMail


  • Staff

Hi,

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


OK here are the results.

Scanning Report

Tuesday, April 13, 2010 01:03:52 - 07:14:32

Computer name: THOR

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

--------------------------------------------------------------------------------

15 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.2o7 (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

Suspicious:W32/Malware!Gemini (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Adbrite (spyware)

System (Disinfected)

TrackingCookie.Xiti (spyware)

System (Disinfected)

TrackingCookie.Webtrends (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

Suspicious:W32/Malware!Gemini (virus)

C:\WINDOWS\SYSTEM32\A FESTIVE CHRISTMAS.SCR (Not cleaned)

Trojan.Generic.IS.544439 (virus)

C:\PROGRAM FILES\MICROGAMING\POKER\DOYLESROOMMPP\LOCAL\EN\COMMON\COMMONRES.DLL (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 54866

System: 4655

Not scanned: 9

Actions:

Disinfected: 13

Renamed: 1

Deleted: 0

Not cleaned: 1

Submitted: 1

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\TEMP\MCAFEE_IVDUCXSEKMFGUDP

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\DOCUMENTS AND SETTINGS\VPR MATRIX USER\LOCAL SETTINGS\TEMP\HSPERFDATA_VPR MATRIX USER\3432

C:\DOCUMENTS AND SETTINGS\VPR MATRIX USER\LOCAL SETTINGS\TEMP\HSPERFDATA_VPR MATRIX USER\2832

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

Copyright


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


Completed the tasks that you have requested.

Removed ComboFix

Removed SecurityCheck

Removed Java as directed in your last post.

ReInstalled Java

ReInstalled Google and set it as Default search engine.

Went to do a search to test it out by clicking Start>>>>Search and entered the search string as seen below:

ExplrSrch.gif

and as you can see by the search results seen below I am still being redirected.

search_results.gif

Now when I use the Google Address Bar to the right of the address bar in IE8 I do not get redirected.

I then typed the search string in the Address Bar of IE8 and got redirected as seen earlier.

I then opened up Windows Explorer and typed in the search string in the Address Bar and was redirected to the same site.

So this leads me to believe that the Address Bar is affected. :D


  • Staff

Okay, now let's look a little deeper.

First, are you using Road Runner as your ISP?

Download this Registry Search by Bobbi Flekman, save it, and extract regsearch.exe to the Desktop. You will use it in a moment.

Doubleclick regsearch.exe to start it. In the top window, enter web-help-service as the search string on the first line. Make sure all the option boxes are checked, and click "Ok". Notepad will be opened with text in it (the file will be saved to the Desktop as well as RegSearch.txt). Post this text in your next reply.

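The registry-search step above, done by hand in PowerShell as an added example; this is not the RegSearch tool from the post nor any code from the thread. It walks HKCU, HKLM and HKEY_USERS and reports every key name, value name or value data that contains the search string (the post's web-help-service), so the artifacts a redirect would leave in browser settings show up with their full key path. It assumes PowerShell is installed (it is not part of Windows XP by default); the parameter names and the output file path are choices made for this example.

```powershell
# Added example, not the RegSearch tool from the post: walk the registry hives and report
# every key name, value name or value data containing a search string.
# Assumes PowerShell is installed (not part of Windows XP by default); the parameter
# names and the output path are choices made for this example.
param(
    [string]   $Pattern = 'web-help-service',             # string named in the post
    [string[]] $Roots   = @('HKCU:\', 'HKLM:\', 'HKU:\'),  # hives to walk
    [string]   $OutFile = "$env:USERPROFILE\Desktop\RegSearch-PS.txt"  # assumed output file
)

# PowerShell ships drives for HKCU and HKLM only; map HKEY_USERS so loaded per-user hives are covered too.
if (-not (Test-Path 'HKU:\' -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
}

$regex = [regex]::Escape($Pattern)   # -match is case-insensitive by default
$hits  = New-Object System.Collections.Generic.List[string]

function Format-Data($data) {
    # REG_BINARY comes back as byte[]; render as hex so it can still be searched and reported.
    if ($data -is [byte[]]) { return (($data | ForEach-Object { $_.ToString('x2') }) -join '') }
    # REG_MULTI_SZ comes back as string[]; join the strings so each one is searched.
    if ($data -is [array])  { return ($data -join ' | ') }
    return [string]$data
}

foreach ($root in $Roots) {
    if (-not (Test-Path $root -ErrorAction SilentlyContinue)) { continue }
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key  = $_
        $path = $key.Name                     # e.g. HKEY_CURRENT_USER\Software\...
        if ($path -match $regex) { $hits.Add("KEY   $path") }

        foreach ($name in $key.GetValueNames()) {
            # GetValueNames returns "" for the (Default) value; label it the way regedit does.
            $label = if ($name -eq '') { '(Default)' } else { $name }
            # Do not expand %vars% so the raw stored string is what gets searched.
            $data  = Format-Data ($key.GetValue($name, $null, 'DoNotExpandEnvironmentNames'))
            if ($name -match $regex) { $hits.Add("NAME  $path\$label") }
            if ($data -match $regex) { $hits.Add("DATA  $path\$label = $data") }
        }
    }
}

$hits | Set-Content -Path $OutFile
Write-Host ("{0} hit(s) for '{1}' written to {2}" -f $hits.Count, $Pattern, $OutFile)
$hits
```

Run it from an administrator prompt so HKLM and the other users' loaded hives are readable; a full walk of HKLM takes a minute or two. Only hives that are currently loaded appear under HKEY_USERS, so profiles that are not logged on are not searched. Each reported line carries the full key path, so a hit can be checked in regedit before anything is changed.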
