
Redirects, svchost crashes, no detection



I hope you can help me.

This morning, I was reading a website, a legitimate blog that I've read before, when I suddenly got the message Generic Host Process for Win 32 services needed to close. I sent the error report to Microsoft, reopened Firefox, and suddenly got a redirect to another website. At that point, I ran MBAM, SuperAntispyware and Avira. Nothing was detected. I shut down the computer, reopened in safe mode and ran all the same scans again. No detection.

I restarted the computer regularly, got the Generic Host Process crash again, and more redirects on the browser. At that point, McAfee told me that a Trojan tried to load.

I'm running fully patched Microsoft XP, SP 3, Zone Alarm firewall, McAfee antivirus, and I run MBAM and SAS scans regularly. I generally use Firefox, the most recent version, and occasionally IE8. Not sure what is going on here, but there is clearly a problem and I'm not sure how it started or how to get rid of it. I don't use file sharing sites, etc.; don't open links in emails, so I'm confused, but seemingly infected.

Thanks for any insight or help you might be able to give me.


I'm sorry. Here are my logs:

Defogger ran ok and I got the finish button and clicked ok. But it didn't request a reboot, so I manually rebooted. Here is that log.

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 21:17 on 03/07/2010 (Owner)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

(It wouldn't let me upload the file. I'm not sure why).


I am having trouble with GMER, and I'm a bit confused by the instructions posted. It started to run a scan of its own. It didn't say anything about rootkit activity, so I told it to scan as it appeared, and the system rebooted. The one thing I was able to discern from it was that atapi.sys showed suspicious modification.

I'll try to run it again.


  • Root Admin

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


Thank you so much for your help.

ComboFix 10-07-14.01 - Owner 07/14/2010 16:47:22.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2045.1402 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Internet Explorer\SET1C8.tmp

c:\windows\xpsp1hfm.log

D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((( Files Created from 2010-06-14 to 2010-07-14 )))))))))))))))))))))))))))))))

.

2010-07-03 20:07 . 2010-07-03 20:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira

2010-07-03 20:03 . 2010-03-01 17:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-07-03 20:03 . 2009-05-11 19:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-07-03 20:03 . 2009-05-11 19:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-07-03 20:03 . 2010-07-03 20:03 -------- d-----w- c:\program files\Avira

2010-07-03 20:03 . 2010-07-03 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-14 23:28 . 2006-11-23 01:11 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-07-14 15:10 . 2008-04-23 21:42 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-04 03:18 . 2010-07-14 15:11 142760 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat

2010-07-03 20:35 . 2010-07-04 02:46 1904640 ----a-w- c:\windows\Internet Logs\xDB1A.tmp

2010-07-03 20:35 . 2010-07-04 02:46 2753536 ----a-w- c:\windows\Internet Logs\xDB19.tmp

2010-07-03 16:48 . 2010-04-30 17:34 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-07-03 16:48 . 2009-03-21 00:25 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-07-03 02:01 . 2006-09-28 03:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Image Zone Express

2010-07-02 23:11 . 2008-12-24 15:42 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-28 14:01 . 2008-07-06 16:10 5109507 ----a-w- c:\windows\Internet Logs\tvDebug.Zip

2010-06-22 22:25 . 2010-04-07 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-06-21 05:25 . 2010-06-21 14:46 1806336 ----a-w- c:\windows\Internet Logs\xDB18.tmp

2010-06-21 05:25 . 2010-06-21 14:46 2722304 ----a-w- c:\windows\Internet Logs\xDB17.tmp

2010-06-14 16:49 . 2008-12-21 01:46 -------- d-----w- c:\program files\Windows Live Safety Center

2010-06-13 16:38 . 2010-04-03 22:58 -------- d-----w- c:\program files\RealArcade

2010-06-08 05:38 . 2010-06-08 13:18 2501120 ----a-w- c:\windows\Internet Logs\xDB47.tmp

2010-06-05 16:01 . 2008-02-10 21:13 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-04 21:10 . 2010-06-14 03:42 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2010-06-04 21:10 . 2010-06-14 03:42 69120 ----a-w- c:\windows\system32\zlcomm.dll

2010-06-04 21:10 . 2010-06-14 03:42 103936 ----a-w- c:\windows\system32\zlcommdb.dll

2010-05-18 19:56 . 2010-05-18 19:56 -------- d-----w- c:\documents and settings\Owner\Application Data\YoudaGames

2010-05-06 10:41 . 2006-05-07 00:24 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2006-05-07 00:24 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 22:39 . 2010-03-18 03:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2010-03-18 03:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2006-05-07 00:24 285696 ----a-w- c:\windows\system32\atmfd.dll

2007-09-30 07:43 . 2007-09-30 07:43 3655488 ----a-w- c:\program files\FLV PlayerRCATSetup.exe

2007-09-30 07:42 . 2007-09-30 07:42 411248 ----a-w- c:\program files\FLV PlayerRCSetup.exe

2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Index Washer"="c:\program files\Webroot\Washer\WashIdx.exe" [2007-11-26 55624]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"CTHelper"="c:\windows\system32\CTHELPER.EXE" [2007-04-09 19456]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-22 451896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-04 1038848]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]

NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-1-10 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-01-13 16:01 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Discovery Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/20/2009 9:12 AM 28552]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 2:50 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 2:50 PM 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/3/2010 1:03 PM 135336]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/12/2008 6:47 PM 93320]

R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [5/15/2008 2:20 PM 598856]

S2 0164531276556333mcinstcleanup;McAfee Application Installer Cleanup (0164531276556333);c:\windows\TEMP\016453~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\016453~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/30/2006 9:44 PM 69692]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 2:50 PM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2010-04-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-13 19:22]

2009-07-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-13 19:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &AOL Toolbar search

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ukdj1d23.default\

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071705000014.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ukdj1d23.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

BHO-{49e31514-7044-43c1-a708-5a0a7bd99aba} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-14 16:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2010-07-14 16:58:55

ComboFix-quarantined-files.txt 2010-07-14 23:58

Pre-Run: 202,492,461,056 bytes free

Post-Run: 202,419,814,400 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=3 Default=3 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5

- - End Of File - - 662F43404C8CBADDDB84160B989C6000


  • Root Admin

You're quite welcome.

STEP 01

The current CF log looks pretty good, however it shows that you have 3 Anti-Virus products installed at the same time and that creates conflicts.

You need to choose one of them to use and then FULLY remove the other one.

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

You also show that you have a piece of Panda Anti-Virus still running on the system as well.

You should be able to uninstall it now too.

Panda ActiveScan 2.0

This old Microsoft scanner is way outdated too and should not be needed. Microsoft now uses MSE but since you already have an AV solution (too many actually) you should be able to remove this one.

Windows Live OneCare safety scanner

You should remove this version of Java unless it is business critical for some legacy work application.

J2SE Runtime Environment 5.0 Update 11

Also clear out all the old cache from Java.

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log on your next reply.

STEP 03

Please visit this site and restore Firefox back to the factory default settings.

Restore Firefox Default Settings Without Uninstalling It

STEP 04

Please run a new DDS scan once you've fully completed steps 1, 2, and 3 above.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

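Added example, not part of this thread or of ComboFix itself: a small Python triage script for the ComboFix log format posted above. It parses the AV:/FW: header lines the Root Admin quotes in STEP 01, the "Infected copy ... was found and disinfected" line, and the Security Center DisableMonitoring keys, and flags the multiple-AV conflict; the sample log is a constructed excerpt whose values are copied from the log in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in ComboFix log format; the values are copied from the log
# posted in this thread, trimmed to the lines this script looks at.
SAMPLE_LOG = r"""ComboFix 10-07-14.01 - Owner 07/14/2010 16:47:22.1.2 - x86
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
"""

# "AV: <name> *<state>* (Updated) {<GUID>}"; the "(Updated)" part is optional.
PRODUCT_RE = re.compile(r"^(?P<kind>AV|FW): (?P<name>.+?) \*(?P<state>[^*]+)\*"
                        r"(?: \((?P<upd>\w+)\))? \{(?P<guid>[0-9A-Fa-f-]+)\}$")
DISINFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
MONITOR_KEY_RE = re.compile(r"^\[.*\\security center\\Monitoring\\(?P<product>[^\]\\]+)\]$",
                            re.IGNORECASE)


@dataclass
class SecurityProduct:
    kind: str                # "AV" or "FW"
    name: str
    state: str               # text between the asterisks
    updated: Optional[bool]  # None when ComboFix gives no signature status
    guid: str


def parse_products(log: str) -> List[SecurityProduct]:
    """Every AV:/FW: line from the log header, in order of appearance."""
    products = []
    for m in filter(None, (PRODUCT_RE.match(ln.strip()) for ln in log.splitlines())):
        upd = m.group("upd")
        products.append(SecurityProduct(m.group("kind"), m.group("name"), m.group("state"),
                                        None if upd is None else upd.lower() == "updated",
                                        m.group("guid")))
    return products


def parse_disinfected(log: str) -> List[str]:
    """Paths of system files ComboFix reported as infected and replaced."""
    return [m.group("path") for m in
            filter(None, (DISINFECTED_RE.match(ln.strip()) for ln in log.splitlines()))]


def parse_monitoring_overrides(log: str) -> List[str]:
    """Products whose Security Center monitoring the registry dump turns off.
    The value line follows its key header, so remember the last key seen."""
    overrides, current = [], None
    for line in (ln.strip() for ln in log.splitlines()):
        m = MONITOR_KEY_RE.match(line)
        if m:
            current = m.group("product")
        elif line.startswith("["):
            current = None
        elif current and line == '"DisableMonitoring"=dword:00000001':
            overrides.append(current)
    return overrides


def triage(log: str) -> List[str]:
    """One human-readable finding per issue, for a helper reviewing the log."""
    findings = []
    products = parse_products(log)
    avs = [p for p in products if p.kind == "AV"]
    if len(avs) > 1:
        findings.append("conflict: %d real-time AV products installed (%s); keep one "
                        "and fully uninstall the others" % (len(avs), ", ".join(p.name for p in avs)))
    for p in products:
        if "disabled" in p.state.lower():
            findings.append("disabled: %s %s is %s (expected while ComboFix runs; confirm "
                            "it is re-enabled afterwards)" % (p.kind, p.name, p.state))
        if p.updated is False:
            findings.append("outdated: %s signatures are not current" % p.name)
    for path in parse_disinfected(log):
        findings.append("disinfected: %s was patched on disk; a modified core driver is a "
                        "rootkit indicator, so rescan after the reboot" % path)
    for product in parse_monitoring_overrides(log):
        findings.append("info: Security Center monitoring disabled for %s; third-party suites "
                        "set this themselves, but check it matches an installed product" % product)
    return findings


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```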

When you say clear out all the old cache from Java, I take it you mean the browser cache? I did this, but I don't know if there's another cache particular to Java.

When I began the MBAM scan, I suddenly got a message from McAfee saying it had detected and removed a Trojan. Its log read the following:

One or more items were detected on your computer.

Detection name: Artemis!C982532DAB0C (Trojan), Artemis!C982532DAB0C (Trojan)

File: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

Process: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Process description: Malwarebytes' Anti-Malware

If this is too much information, I'm sorry. It seemed worth reporting.

Here is the MBAM scan log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4315

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/14/2010 7:59:44 PM

mbam-log-2010-07-14 (19-59-44).txt

Scan type: Quick scan

Objects scanned: 149559

Time elapsed: 8 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 20:30:55.82 on Wed 07/14/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2045.1323 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Webroot\Washer\WasherSvc.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files\Digital Media Reader\readericon45G.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Webroot\Washer\wwDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

C:\WINDOWS\system32\wscntfy.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

uRun: [Window Washer] "c:\program files\webroot\washer\wwDisp.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRunOnce: [index Washer] c:\program files\webroot\washer\WashIdx.exe "Owner"

mRun: [readericon] "c:\program files\digital media reader\readericon45G.exe"

mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"

mRun: [Recguard] "c:\windows\sminst\RECGUARD.EXE"

mRun: [CTHelper] "c:\windows\system32\CTHELPER.EXE"

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"

mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"

mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe

IE: &AOL Toolbar search

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD}

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213849096792

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://www.vcrlter.virginia.edu/AxisCamControl.ocx

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5318/mcfscan.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ukdj1d23.default\

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071705000014.dll

FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\ukdj1d23.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-19 214664]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 67656]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-10 528128]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-11-12 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-11-12 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-11-12 144704]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2008-5-15 598856]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-11-12 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-11-12 35272]

S2 0164531276556333mcinstcleanup;McAfee Application Installer Cleanup (0164531276556333);c:\windows\temp\016453~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\016453~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-6-30 69692]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-11-12 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-11-12 40552]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 12872]

S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-11-12 606736]

=============== Created Last 30 ================

2010-07-14 23:37:52 0 d-sha-r- C:\cmdcons

2010-07-14 23:33:51 98816 ----a-w- c:\windows\sed.exe

2010-07-14 23:33:51 77312 ----a-w- c:\windows\MBR.exe

2010-07-14 23:33:51 256512 ----a-w- c:\windows\PEV.exe

2010-07-14 23:33:51 161792 ----a-w- c:\windows\SWREG.exe

2010-07-04 04:17:49 0 ----a-w- c:\documents and settings\owner\defogger_reenable

==================== Find3M ====================

2010-07-15 03:04:05 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-06-04 21:10:24 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2007-09-30 07:43:36 3655488 ----a-w- c:\program files\FLV PlayerRCATSetup.exe

2007-09-30 07:42:37 411248 ----a-w- c:\program files\FLV PlayerRCSetup.exe

2007-03-09 07:12:32 27648 --sha-w- c:\windows\system32\AVSredirect.dll

2009-10-14 16:20:10 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 20:31:58.26 ===============

Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 8/23/2006 10:43:45 AM

System Uptime: 7/14/2010 7:46:35 PM (1 hours ago)

Motherboard: Intel Corporation | | OEMD975XWT2G1

Processor: Intel® Pentium® D CPU 3.40GHz | J3E1 | 3400/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 293 GiB total, 188.771 GiB free.

D: is FIXED (FAT32) - 5 GiB total, 1.421 GiB free.

E: is CDROM ()

F: is CDROM (CDFS)

G: is Removable

H: is Removable

I: is Removable

J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP520: 4/4/2010 4:44:37 PM - System Checkpoint

RP521: 4/6/2010 5:09:30 PM - System Checkpoint

RP522: 4/7/2010 9:17:54 AM - Avira AntiVir Personal - 4/7/2010 9:17

RP523: 4/7/2010 11:57:58 AM - Avira AntiVir Personal - 4/7/2010 11:57

RP524: 4/7/2010 12:48:56 PM - Removed Java 6 Update 12

RP525: 4/7/2010 12:49:49 PM - Installed Java 6 Update 19

RP526: 4/7/2010 1:13:00 PM - Cleaned registry with Windows Live OneCare safety scanner

RP527: 4/8/2010 1:37:05 PM - System Checkpoint

RP528: 4/9/2010 4:26:17 PM - System Checkpoint

RP529: 4/10/2010 5:36:07 PM - System Checkpoint

RP530: 4/11/2010 7:37:33 PM - System Checkpoint

RP531: 4/13/2010 2:34:44 PM - Software Distribution Service 3.0

RP532: 4/14/2010 10:46:08 PM - System Checkpoint

RP533: 4/16/2010 7:10:50 AM - System Checkpoint

RP534: 4/17/2010 10:15:52 AM - System Checkpoint

RP535: 4/18/2010 1:31:22 PM - System Checkpoint

RP536: 4/19/2010 5:34:57 PM - System Checkpoint

RP537: 4/21/2010 7:02:12 AM - System Checkpoint

RP538: 4/22/2010 11:27:00 AM - Installed Java 6 Update 20

RP539: 4/23/2010 12:26:24 PM - System Checkpoint

RP540: 4/24/2010 2:04:41 PM - System Checkpoint

RP541: 4/25/2010 4:47:27 PM - System Checkpoint

RP542: 4/26/2010 5:28:00 PM - System Checkpoint

RP543: 4/27/2010 6:12:14 PM - System Checkpoint

RP544: 4/28/2010 8:32:02 PM - System Checkpoint

RP545: 4/30/2010 8:58:51 AM - System Checkpoint

RP546: 5/1/2010 12:54:33 PM - System Checkpoint

RP547: 5/2/2010 4:53:08 PM - System Checkpoint

RP548: 5/3/2010 5:44:39 PM - System Checkpoint

RP549: 5/4/2010 9:11:40 PM - System Checkpoint

RP550: 5/6/2010 5:36:49 PM - System Checkpoint

RP551: 5/7/2010 6:18:43 PM - System Checkpoint

RP552: 5/8/2010 6:27:08 PM - System Checkpoint

RP553: 5/9/2010 7:11:47 PM - System Checkpoint

RP554: 5/11/2010 8:59:59 AM - System Checkpoint

RP555: 5/12/2010 7:35:03 AM - Software Distribution Service 3.0

RP556: 5/13/2010 3:59:17 PM - System Checkpoint

RP557: 5/14/2010 4:32:50 PM - System Checkpoint

RP558: 5/16/2010 4:06:16 PM - System Checkpoint

RP559: 5/17/2010 6:40:06 PM - System Checkpoint

RP560: 5/18/2010 6:55:42 PM - System Checkpoint

RP561: 5/20/2010 6:01:13 PM - System Checkpoint

RP562: 5/21/2010 7:48:05 PM - System Checkpoint

RP563: 5/22/2010 8:11:03 PM - System Checkpoint

RP564: 5/23/2010 8:21:41 PM - System Checkpoint

RP565: 5/25/2010 8:04:59 PM - System Checkpoint

RP566: 5/26/2010 8:56:53 AM - Software Distribution Service 3.0

RP567: 5/27/2010 6:18:26 PM - System Checkpoint

RP568: 5/28/2010 10:11:46 PM - System Checkpoint

RP569: 5/30/2010 12:19:45 PM - System Checkpoint

RP570: 5/31/2010 2:08:17 PM - System Checkpoint

RP571: 6/1/2010 7:47:58 PM - System Checkpoint

RP572: 6/3/2010 2:35:50 PM - System Checkpoint

RP573: 6/4/2010 10:43:06 AM - Software Distribution Service 3.0

RP574: 6/5/2010 1:23:13 PM - System Checkpoint

RP575: 6/6/2010 7:44:24 PM - System Checkpoint

RP576: 6/8/2010 8:29:39 AM - System Checkpoint

RP577: 6/8/2010 5:19:53 PM - Software Distribution Service 3.0

RP578: 6/9/2010 6:16:27 PM - System Checkpoint

RP579: 6/10/2010 6:32:10 PM - System Checkpoint

RP580: 6/11/2010 6:38:34 PM - System Checkpoint

RP581: 6/12/2010 7:15:08 PM - System Checkpoint

RP582: 6/13/2010 7:38:30 PM - System Checkpoint

RP583: 6/14/2010 10:29:49 AM - Cleaned registry with Windows Live OneCare safety scanner

RP584: 6/15/2010 10:34:20 AM - System Checkpoint

RP585: 6/16/2010 12:01:49 PM - System Checkpoint

RP586: 6/17/2010 3:08:20 PM - System Checkpoint

RP587: 6/18/2010 3:29:00 PM - System Checkpoint

RP588: 6/19/2010 3:35:38 PM - System Checkpoint

RP589: 6/20/2010 3:59:28 PM - System Checkpoint

RP590: 6/21/2010 4:19:04 PM - System Checkpoint

RP591: 6/22/2010 7:05:43 PM - System Checkpoint

RP592: 6/23/2010 8:02:52 AM - Software Distribution Service 3.0

RP593: 6/24/2010 8:56:46 AM - System Checkpoint

RP594: 6/25/2010 10:07:17 AM - System Checkpoint

RP595: 6/26/2010 4:48:25 PM - System Checkpoint

RP596: 6/27/2010 5:32:33 PM - System Checkpoint

RP597: 6/30/2010 2:41:16 PM - System Checkpoint

RP598: 7/2/2010 11:32:30 AM - System Checkpoint

RP599: 7/14/2010 4:34:06 PM - ComboFix created restore point

RP600: 7/14/2010 7:43:53 PM - Removed J2SE Runtime Environment 5.0 Update 11

==== Installed Programs ======================

ABBYY FineReader 5.0 Sprint Plus

Adobe Download Manager

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 8.1.0

Adobe Shockwave Player 11

AiO_Scan_CDA

AiOSoftwareNPI

AnswerWorks 4.0 Runtime - English

AnswerWorks 5.0 English Runtime

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ArcSoft PhotoImpression

ATI - Software Uninstall Utility

ATI Display Driver

ATI Parental Control & Encoder

Audacity 1.2.4

Bonjour

Browser Address Error Redirector

BufferChm

Compatibility Pack for the 2007 Office system

CP_Package_Variety1

CP_Package_Variety2

CP_Package_Variety3

Critical Update for Windows Media Player 11 (KB959772)

Destinations

DeviceManagementQFolder

Digital Media Reader

DivX Content Uploader

DivX Web Player

DocProc

Drive Manager

DVD Solution

eSupportQFolder

F300

F300_Help

F300Trb

Fax_CDA

FLV Player

High Definition Audio Driver Package - KB835221

Hotfix for Microsoft .NET Framework 3.0 (KB932471)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP Imaging Device Functions 6.1

HP Photosmart Essential

HP PSC & OfficeJet 6.1.A

HP Solution Center and Imaging Support Tools 6.1

HP Update

HPProductAssistant

Intel® PRO Network Connections Drivers

Intel® Quick Resume Technology Drivers

iPod Updater 2004-11-15

iTunes

Java Auto Updater

Java 6 Update 20

Jewel Quest

Learn2 Player (Uninstall Only)

Lemonade Tycoon

Malwarebytes' Anti-Malware

McAfee SecurityCenter

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Digital Image Library 9 - Blocker

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Money 2005

Microsoft National Language Support Downlevel APIs

Microsoft Office Basic Edition 2003

Microsoft Picture It! Library 10

Microsoft Picture It! Premium 10

Microsoft Silverlight

Microsoft Streets and Trips 2005

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Miriel's Enchanted Mystery

MobileMe Control Panel

Move Media Player

Mozilla Firefox (3.6.6)

MSXML 4.0 SP2 (KB925672)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 and SOAP Toolkit 3.0

MSXML 4.0 SP2 Parser and SDK

MSXML 6.0 Parser (KB933579)

Network Magic

NewCopy_CDA

Nikon Message Center

Picket Fences

PictureProject

PictureProject In Touch Downloader 1.0

Plant Tycoon

Posh Boutique

Power2Go 4.0

PowerDVD

ProductContextNPI

Pure Networks Platform

QuickTime

Readme

Recovery Software Suite Gateway

Replay Converter 2.8

Replay Media Catcher

Scan

ScannerCopy

Security Update for CAPICOM (KB931906)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

SigmaTel Audio

SKIP-BO Castaway Caper

Soft Data Fax Modem with SmartCP

SolutionCenter

Status

StumbleUpon IE Toolbar

Super Mah Jong from GameHouse

SUPERAntiSpyware Free Edition

The Sims 2

The Sims 2 Nightlife

The Sims 2 Open For Business

The Sims 2 University

The Sims


McAfee full scan came back with zero detections.

Is it ok for me to remove the diagnostic and fix programs now (GMER, Combofix) and logs, and reenable CD emulation?

Also, since I'm not entirely sure what this infection was, are there any other security issues I need to be aware of?

Finally, this computer is part of a wireless home network. None of the other computers (Vista and Windows 7 OS) have shown any signs of issues--no redirects, no unusual behavior. Is there reason to be concerned that they also might be infected? Each has its own AV and firewall, of course.

Again, thank you so much for your help. My family also extends their thanks as my fingernails are finally loosening from the ceiling. :)


  • Root Admin

You're quite welcome for the assistance. The other systems should be ok.

We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.

Disable your AntiVirus temporarily so that it does not block removal of Combofix.

Press the Windows key + R -> in the Run box which opens -> copy/paste in the following single line command & click OK

ComboFix /Uninstall


This will uninstall ComboFix. It will also implement some cleanup procedures.

Re-enable your AntiVirus now.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

Re-enable your virtual CDROM if needed.

I'll close your post soon so that others don't post into it, and leave you with this information and suggestions.

So how did I get infected in the first place?


I followed your ComboFix removal instructions to the letter, and got the message that Windows could not find ComboFix. Sure enough, the red icon was gone from my desktop. Could McAfee have removed it when it was "cleaning" the infection it thought it saw? It said it "repaired" the problem.

Otherwise, everything else went as expected.

Thank you also for the link. I've got almost all of those suggestions implemented, but will look into the ones I haven't got.


  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
