
I had the Antimalware Doctor but managed to get rid of it, but now I have something weird with Explorer: it redirects me when I click a link in Google. Also had Army music start when no programs were open. Having a hard time cleaning it out!

I have attached the zip of Attach.txt & ark.txt

Had to run GMER while I was in Safe mode since it kept crashing if I wasn't

Here is the latest Malwarebytes' Anti-Malware log & dds.txt:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4297

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

7/10/2010 5:26:27 PM

mbam-log-2010-07-10 (17-26-27).txt

Scan type: Quick scan

Objects scanned: 160014

Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here is the dds.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by IVitsut at 17:39:39.43 on Sat 07/10/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1254 [GMT -7:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\WINDOWS\system32\ASTSRV.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\DWRCS.EXE

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\DWRCST.exe

C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe

C:\Program Files\SMART Technologies\SMART Product Drivers\UCService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\StacSV.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\DellTPad\Apoint.exe

C:\WINDOWS\system32\KADxMain.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\DOCUME~1\IVitsut\LOCALS~1\Temp\wininst.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\WINDOWS\TEMP\a0e4452a.tmp

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe

C:\Documents and Settings\IVitsut\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Internet Explorer, optimized for Bing and MSN

uDefault_Page_URL = hxxp://www.msn.com

uInternet Settings,ProxyOverride = *.local

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [hsehf98u34i9tjioaugy987iuegdsg] c:\docume~1\ivitsut\locals~1\temp\wininst.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [KADxMain] c:\windows\system32\KADxMain.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [<NO NAME>]

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Macro Manager] c:\program files\grasssoft\macro expert\MacroManager.exe /q

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START

mRun: [bing Bar] "c:\program files\msn toolbar\platform\5.0.1449.0\mswinext.exe"

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [Vvoyida] rundll32.exe "c:\windows\eqasodamape.dll",Startup

mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe

dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartb~1.lnk - c:\program files\smart technologies\smart product drivers\SMARTBoardTools.exe

uPolicies-explorer: NoFolderOptions = 1 (0x1)

uPolicies-system: DisableRegistryTools = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

Trusted Zone: intuit.com\ttlc

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201293187000

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224188495870

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: {3AAF5171-D069-43EB-9A4C-2AF5D8F77C6E} = 10.1.2.10,10.1.2.90

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

Hosts: 84.16.244.15 www.google.com

Hosts: 84.16.244.15 us.

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-15 342128]

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2010-6-30 236928]

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2009-4-9 21256]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-4-9 144888]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-4-9 62800]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-4-15 70216]

R2 SMART Display Controller;SMART Display Controller;c:\program files\smart technologies\smart product drivers\UCService.exe [2010-1-5 779560]

R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-15 91640]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-15 43288]

S2 Macro Expert;Macro Expert;c:\program files\grasssoft\macro expert\MacroService.exe [2009-8-28 212992]

S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-4-15 65224]

S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\smart technologies\smart product drivers\SMARTSNMPAgent.exe [2010-1-5 1053992]

S3 SMART Web Server;SMART Web Server;c:\program files\smart technologies\smart product drivers\WebServer.exe [2010-1-5 1262888]

=============== Created Last 30 ================

2010-07-11 00:31:50 0 ----a-w- c:\documents and settings\ivitsut\defogger_reenable

2010-07-10 17:44:34 0 d-----w- c:\program files\Trend Micro

2010-07-09 21:45:59 0 ----a-w- c:\windows\Mmetokaxuwena.bin

2010-07-09 21:45:58 120 ----a-w- c:\windows\Dcajiyalogujage.dat

2010-07-09 20:01:55 0 d-----w- c:\docume~1\ivitsut\applic~1\Malwarebytes

2010-07-09 20:01:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-09 20:01:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-09 20:01:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-09 20:01:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-09 19:25:11 0 d-----w- C:\spoolerlogs

2010-07-09 19:24:44 0 ----a-w- c:\windows\eqawukuw.dll

2010-07-09 19:16:43 766464 ----a-w- c:\windows\system32\drivers\zllflnj.sys

2010-07-09 19:16:23 0 d-----w- c:\docume~1\ivitsut\applic~1\6A5168F5F08F134D96C3001FB26C6A55

2010-07-08 08:28:27 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll

2010-07-08 08:28:22 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

2010-07-08 08:28:15 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll

2010-07-08 08:28:08 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll

2010-07-08 08:28:00 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll

2010-07-08 08:27:49 0 d-----w- c:\windows\Logs

2010-07-08 07:50:47 0 d-----w- c:\docume~1\ivitsut\applic~1\WinAVI

2010-07-08 07:48:41 0 d-----w- c:\program files\WinAVI Video Converter

2010-07-05 23:32:25 0 d-sh--w- c:\documents and settings\ivitsut\IECompatCache

2010-07-05 23:31:42 0 d-sh--w- c:\documents and settings\ivitsut\PrivacIE

2010-07-05 23:26:43 0 d-sh--w- c:\documents and settings\ivitsut\IETldCache

2010-07-05 23:24:25 0 d-----w- c:\windows\ie8updates

2010-07-05 23:23:01 0 dc-h--w- c:\windows\ie8

2010-07-05 23:22:29 0 d-----w- c:\program files\MSN Toolbar

2010-07-05 23:19:29 0 d-----w- c:\program files\Bing Bar Installer

2010-07-05 23:13:22 0 d--h--w- c:\windows\msdownld.tmp

2010-07-05 23:10:56 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-07-05 23:10:55 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-07-05 23:10:55 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-07-05 23:09:20 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-07-01 20:32:24 0 d-----w- c:\docume~1\ivitsut\applic~1\ElevatedDiagnostics

2010-07-01 06:37:14 236928 ----a-w- c:\windows\system32\drivers\c2scsi.sys

2010-06-23 23:39:21 0 d-----w- c:\program files\Zip Password Recovery Magic

2010-06-23 23:33:15 0 d-----w- c:\program files\RAR Password Recovery Magic

2010-06-23 20:56:31 0 d-----w- c:\windows\system32\drivers\myrmbin

2010-06-23 20:56:30 0 d-----w- c:\windows\system32\drivers\mycodec

2010-06-23 20:56:29 0 d-----w- c:\program files\MyVideoConverter

2010-06-19 17:08:56 5632 ----a-w- c:\windows\system32\ptpusb.dll

2010-06-19 17:08:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

2010-06-19 17:08:56 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2010-06-19 17:08:56 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-06-17 01:51:09 0 d-----w- c:\program files\QuickPar

==================== Find3M ====================

2010-06-27 02:39:27 523259 ----a-w- c:\windows\system32\nvModes.dat

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-23 12:57:30 114688 ----a-w- c:\windows\system32\DirShowEXDD.dll

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2008-01-29 18:13:45 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2008-05-12 17:35:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat

============= FINISH: 17:41:35.60 ===============

Attach.zip

ark.zip

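As an added triage example (not part of the thread or of the DDS tool), a Python script that scans DDS-style "Pseudo HJT Report" lines like the ones quoted above for the indicators behind the reported symptoms: a Hosts entry sending www.google.com to a non-loopback address (the redirect), Explorer/System policies that lock out Folder Options and regedit, and autoruns launched from Temp or via rundll32 from a DLL dropped straight into c:\windows. The sample lines are constructed copies of entries in the log; the regexes and heuristics are this example's own assumptions, not DDS rules.

```python
"""Triage DDS 'Pseudo HJT Report' lines for the indicators seen in this thread.

Constructed example; not part of the DDS tool or of the forum thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the DDS lines quoted in the first post.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [hsehf98u34i9tjioaugy987iuegdsg] c:\docume~1\ivitsut\locals~1\temp\wininst.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Vvoyida] rundll32.exe "c:\windows\eqasodamape.dll",Startup
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 84.16.244.15 www.google.com
""".strip()

RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (?P<name>\w+) = (?P<val>\d+)")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)")
# First argument after rundll32[.exe], with surrounding quotes stripped.
RUNDLL_TARGET_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)')
# A DLL sitting directly in the Windows root (not in system32 etc.).
WINDOWS_ROOT_DLL_RE = re.compile(r"c:\\windows\\[^\\]+\.dll")

# Explorer/System policies malware sets to lock the user out of repair tools.
LOCKOUT_POLICIES = {"NoFolderOptions", "DisableRegistryTools", "DisableTaskMgr"}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def looks_machine_generated(name: str) -> bool:
    """Long alphanumeric autorun names with digits mixed in are rarely human-chosen."""
    return len(name) >= 16 and name.isalnum() and any(c.isdigit() for c in name)


def check_run(name: str, cmd: str) -> list:
    """Heuristics for a uRun/mRun/dRun autorun entry."""
    low = cmd.lower()
    reasons = []
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("autorun launches from a Temp directory")
    target = RUNDLL_TARGET_RE.search(low)
    if target and WINDOWS_ROOT_DLL_RE.fullmatch(target.group(1)):
        reasons.append("rundll32 loads a DLL sitting directly in c:\\windows")
    if looks_machine_generated(name):
        reasons.append("autorun name looks machine-generated")
    return reasons


def check_policy(name: str, val: str) -> list:
    """Flag policies that disable Folder Options, regedit or Task Manager."""
    if name in LOCKOUT_POLICIES and val == "1":
        return [f"policy {name}=1 blocks a built-in repair tool"]
    return []


def check_hosts(ip: str, host: str) -> list:
    """A Hosts entry pointing anywhere but loopback is a redirect, not a block."""
    if ip not in LOOPBACK:
        return [f"Hosts file sends {host} to {ip} instead of loopback"]
    return []


def triage(text: str) -> list:
    """Return one Finding per report line that trips at least one heuristic."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        reasons = []
        if m := RUN_RE.match(line):
            reasons = check_run(m["name"], m["cmd"])
        elif m := POLICY_RE.match(line):
            reasons = check_policy(m["name"], m["val"])
        elif m := HOSTS_RE.match(line):
            reasons = check_hosts(m["ip"], m["host"])
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

Legitimate rundll32 autoruns such as the NVIDIA entries load DLLs from system32 or by bare name, so the Windows-root check leaves them alone while still catching the eqasodamape.dll entry.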

Hello JoeIsuzu

Welcome to Malwarebytes.

=====================

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


I don't have permissions to turn off Antivirus (work laptop) and ComboFix crashed the puter, so I tried to run it in safe mode; then I got a message midway through saying it needed to reboot. But after rebooting it finished running normally. Here's the ComboFix.txt

ComboFix 10-07-11.01 - IVitsut 07/11/2010 10:58:15.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1541 [GMT -7:00]

Running from: c:\documents and settings\IVitsut\Desktop\ComboFix.exe

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk

c:\documents and settings\IVitsut\Application Data\6A5168F5F08F134D96C3001FB26C6A55

c:\documents and settings\IVitsut\Application Data\6A5168F5F08F134D96C3001FB26C6A55\enemies-names.txt

c:\documents and settings\IVitsut\Application Data\6A5168F5F08F134D96C3001FB26C6A55\local.ini

c:\documents and settings\IVitsut\Application Data\6A5168F5F08F134D96C3001FB26C6A55\lsrslt.ini

c:\documents and settings\IVitsut\Local Settings\Application Data\{CED8839E-785A-4CD4-8421-9DBD4B56D637}

c:\documents and settings\IVitsut\Local Settings\Application Data\{CED8839E-785A-4CD4-8421-9DBD4B56D637}\chrome.manifest

c:\documents and settings\IVitsut\Local Settings\Application Data\{CED8839E-785A-4CD4-8421-9DBD4B56D637}\chrome\content\_cfg.js

c:\documents and settings\IVitsut\Local Settings\Application Data\{CED8839E-785A-4CD4-8421-9DBD4B56D637}\chrome\content\overlay.xul

c:\documents and settings\IVitsut\Local Settings\Application Data\{CED8839E-785A-4CD4-8421-9DBD4B56D637}\install.rdf

c:\documents and settings\IVitsut\Start Menu\Programs\Antimalware Doctor

c:\documents and settings\IVitsut\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk

c:\documents and settings\IVitsut\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk

c:\windows\eqasodamape.dll

c:\windows\eqawukuw.dll

c:\windows\system32\st325602.dll

c:\windows\xpsp1hfm.log

Infected copy of c:\windows\system32\drivers\ohci1394.sys was found and disinfected

Restored copy from - Kitty had a snack ;)

.

((((((((((((((((((((((((( Files Created from 2010-06-11 to 2010-07-11 )))))))))))))))))))))))))))))))

.

2010-07-10 17:44 . 2010-07-10 17:44 -------- d-----w- c:\program files\Trend Micro

2010-07-09 21:45 . 2010-07-10 17:03 0 ----a-w- c:\windows\Mmetokaxuwena.bin

2010-07-09 21:45 . 2010-07-11 00:29 120 ----a-w- c:\windows\Dcajiyalogujage.dat

2010-07-09 21:11 . 2010-07-09 21:11 -------- d-----w- c:\documents and settings\IVitsut\Local Settings\Application Data\bmymucxda

2010-07-09 20:01 . 2010-07-09 20:01 -------- d-----w- c:\documents and settings\IVitsut\Application Data\Malwarebytes

2010-07-09 20:01 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-09 20:01 . 2010-07-09 20:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-09 20:01 . 2010-07-09 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-09 20:01 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-09 19:35 . 2010-07-09 19:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-07-09 19:25 . 2010-07-09 19:25 -------- d-----w- C:\spoolerlogs

2010-07-09 19:16 . 2010-07-11 18:06 766464 ----a-w- c:\windows\system32\drivers\zllflnj.sys

2010-07-09 19:16 . 2010-07-09 19:16 -------- d-----w- c:\documents and settings\IVitsut\Local Settings\Application Data\adqpnqhlt

2010-07-09 19:09 . 2010-07-09 19:09 -------- d-----w- c:\documents and settings\IVitsut\Local Settings\Application Data\wmfnyeeik

2010-07-08 08:28 . 2009-09-05 00:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll

2010-07-08 08:28 . 2009-09-05 00:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

2010-07-08 08:28 . 2008-10-15 13:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll

2010-07-08 08:28 . 2007-07-20 01:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll

2010-07-08 08:28 . 2007-05-16 23:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll

2010-07-08 08:27 . 2010-07-08 08:27 -------- d-----w- c:\windows\Logs

2010-07-08 07:50 . 2010-07-08 07:50 -------- d-----w- c:\documents and settings\IVitsut\Application Data\WinAVI

2010-07-08 07:48 . 2010-07-08 07:48 -------- d-----w- c:\program files\WinAVI Video Converter

2010-07-05 23:32 . 2010-07-05 23:32 -------- d-sh--w- c:\documents and settings\IVitsut\IECompatCache

2010-07-05 23:31 . 2010-07-05 23:31 -------- d-sh--w- c:\documents and settings\IVitsut\PrivacIE

2010-07-05 23:26 . 2010-07-05 23:26 -------- d-sh--w- c:\documents and settings\IVitsut\IETldCache

2010-07-05 23:24 . 2010-07-08 09:41 -------- d-----w- c:\windows\ie8updates

2010-07-05 23:23 . 2010-07-05 23:23 -------- dc-h--w- c:\windows\ie8

2010-07-05 23:22 . 2010-07-05 23:22 -------- d-----w- c:\program files\MSN Toolbar

2010-07-05 23:19 . 2010-07-05 23:22 -------- d-----w- c:\program files\Bing Bar Installer

2010-07-05 23:13 . 2010-07-05 23:24 -------- d--h--w- c:\windows\msdownld.tmp

2010-07-05 23:10 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-07-05 23:10 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-07-05 23:10 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-07-05 23:09 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-07-01 20:32 . 2010-07-01 20:32 -------- d-----w- c:\documents and settings\IVitsut\Application Data\ElevatedDiagnostics

2010-07-01 06:37 . 2005-05-11 12:00 236928 ----a-w- c:\windows\system32\drivers\c2scsi.sys

2010-06-23 23:39 . 2010-06-23 23:39 -------- d-----w- c:\program files\Zip Password Recovery Magic

2010-06-23 23:33 . 2010-06-23 23:33 -------- d-----w- c:\program files\RAR Password Recovery Magic

2010-06-23 20:56 . 2010-06-23 20:56 -------- d-----w- c:\windows\system32\drivers\myrmbin

2010-06-23 20:56 . 2010-06-23 20:56 -------- d-----w- c:\windows\system32\drivers\mycodec

2010-06-23 20:56 . 2010-06-23 20:56 -------- d-----w- c:\program files\MyVideoConverter

2010-06-19 17:08 . 2008-04-14 12:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

2010-06-19 17:08 . 2008-04-14 07:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2010-06-19 17:08 . 2008-04-14 07:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-06-19 17:08 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2010-06-17 02:08 . 2010-07-08 07:44 -------- d-----w- c:\documents and settings\IVitsut\Local Settings\Application Data\QuickPar

2010-06-17 01:51 . 2010-06-17 02:08 -------- d-----w- c:\program files\QuickPar

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-09 23:59 . 2009-10-28 00:01 -------- d-----w- c:\documents and settings\IVitsut\Application Data\SuperNZB

2010-07-08 07:21 . 2009-08-27 17:33 -------- d-----w- c:\documents and settings\IVitsut\Application Data\Roxio

2010-07-07 21:04 . 2010-04-03 19:21 -------- d-----w- c:\documents and settings\IVitsut\Application Data\Skype

2010-07-07 19:10 . 2010-04-03 19:23 -------- d-----w- c:\documents and settings\IVitsut\Application Data\skypePM

2010-06-27 02:39 . 2008-05-09 21:17 523259 ----a-w- c:\windows\system32\nvModes.dat

2010-06-18 02:28 . 2009-04-15 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-03 21:00 . 2008-05-20 17:22 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-23 12:57 . 2010-04-23 12:57 114688 ----a-w- c:\windows\system32\DirShowEXDD.dll

2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-30 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-30 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-30 137752]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]

"nwiz"="nwiz.exe" [2008-02-22 1626112]

"NVHotkey"="nvHotkey.dll" [2008-02-22 86016]

"NvMediaCenter"="NvMCTray.dll" [2008-02-22 86016]

"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-10-09 100888]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-10 124240]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"Macro Manager"="c:\program files\GrassSoft\Macro Expert\MacroManager.exe" [2009-10-19 2479104]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]

"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]

"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [2010-04-27 243544]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]

"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2009-02-04 78848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184]

SMART Board Tools.lnk - c:\program files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe [2010-1-5 11154728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk

backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SetPoint.lnk

backup=c:\windows\pss\SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

2008-02-22 19:43 1245184 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2004-07-28 00:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2004-07-28 00:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]

2008-03-14 11:00 136512 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-01-05 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

2006-01-19 04:47 1687552 ----a-w- c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2006-01-19 17:17 163840 ----a-w- c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-05-11 19:35 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"RoxWatch"=2 (0x2)

"RoxUpnpServer"=2 (0x2)

"RoxUPnPRenderer"=3 (0x3)

"RoxMediaDB"=3 (0x3)

"RoxLiveShare"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [6/30/2010 11:37 PM 236928]

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 2:00 AM 26624]

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 3:30 PM 79168]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [4/9/2009 8:07 PM 21256]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/15/2009 3:02 PM 70216]

R2 SMART Display Controller;SMART Display Controller;c:\program files\SMART Technologies\SMART Product Drivers\UCService.exe [1/5/2010 2:43 PM 779560]

R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 2:00 AM 3712]

S2 Macro Expert;Macro Expert;c:\program files\GrassSoft\Macro Expert\MacroService.exe [8/28/2009 7:23 AM 212992]

S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 1:32 PM 97536]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/15/2009 3:02 PM 65224]

S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe [1/5/2010 2:44 PM 1053992]

S3 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies\SMART Product Drivers\WebServer.exe [1/5/2010 2:44 PM 1262888]

--- Other Services/Drivers In Memory ---

*Deregistered* - zllflnj

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: intuit.com\ttlc

TCP: {3AAF5171-D069-43EB-9A4C-2AF5D8F77C6E} = 10.1.2.10,10.1.2.90

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Vvoyida - c:\windows\eqasodamape.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-11 11:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zllflnj]

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1252)

c:\windows\system32\netprovcredman.dll

.

Completion time: 2010-07-11 11:08:07

ComboFix-quarantined-files.txt 2010-07-11 18:08

Pre-Run: 45,956,022,272 bytes free

Post-Run: 46,305,112,064 bytes free

- - End Of File - - 74D2728835F271A4ACAE057988B00653


1. Please download The Avenger2 by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to disable:
zllflnj

Drivers to delete:
zllflnj

Files to delete:
c:\windows\Mmetokaxuwena.bin
c:\windows\Dcajiyalogujage.dat
c:\windows\system32\drivers\zllflnj.sys

Folders to delete:
c:\documents and settings\IVitsut\Local Settings\Application Data\bmymucxda
c:\documents and settings\IVitsut\Local Settings\Application Data\adqpnqhlt
c:\documents and settings\IVitsut\Local Settings\Application Data\wmfnyeeik

Registry keys to delete:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zllflnj

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger.
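The script in step 2 is a plain list of artifacts to remove, and the note under it names the real risk: an entry aimed at the wrong path deletes the wrong thing. As an added example that is not part of this thread or of The Avenger, the Python below parses that script format, flags obviously destructive entries before anything is pasted, and reads the log The Avenger writes after the reboot so that a "not found" followed by "failed" (the service key already gone once the driver was deleted, as happens later in this thread) is told apart from a real failure. The section names, the protected-root list and the outcome keywords are assumptions drawn from the script and log in this thread.

```python
import ntpath
import re
from typing import Dict, List

# Section headers of The Avenger's script format -> keys of the parsed script.
# Assumption: these five kinds are the whole grammar (this thread's script uses all five).
SECTIONS = {
    "drivers to disable": "drivers_to_disable",
    "drivers to delete": "drivers_to_delete",
    "files to delete": "files_to_delete",
    "folders to delete": "folders_to_delete",
    "registry keys to delete": "registry_keys_to_delete",
}
# Roots no cleanup script should delete wholesale: a sanity list added for this
# example, not something The Avenger itself enforces.
PROTECTED_ROOTS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers",
                   r"c:\documents and settings", r"c:\program files"}
HIVES = ("HKEY_LOCAL_MACHINE\\", "HKEY_CURRENT_USER\\", "HKEY_USERS\\", "HKLM\\", "HKCU\\")
# Script and log lines copied from this thread (lists shortened), embedded so the
# example runs offline.
SAMPLE_SCRIPT = r"""
Drivers to disable:
zllflnj

Drivers to delete:
zllflnj
Files to delete:
c:\windows\Mmetokaxuwena.bin
c:\windows\system32\drivers\zllflnj.sys
Folders to delete:
c:\documents and settings\IVitsut\Local Settings\Application Data\bmymucxda
Registry keys to delete:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zllflnj
"""
SAMPLE_LOG = r"""
Driver "zllflnj" disabled successfully.
Driver "zllflnj" deleted successfully.
File "c:\windows\system32\drivers\zllflnj.sys" deleted successfully.
Error: registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zllflnj" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zllflnj" failed!
"""


def parse_avenger_script(text: str) -> Dict[str, List[str]]:
    """Each non-blank line belongs to the latest header; an entry before any header
    means the paste was incomplete, so refuse it rather than guess."""
    script: Dict[str, List[str]] = {name: [] for name in SECTIONS.values()}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        header = line[:-1].strip().lower() if line.endswith(":") else None
        if header in SECTIONS:
            current = SECTIONS[header]
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        script[current].append(line)
    return script


def lint_script(script: Dict[str, List[str]]) -> List[str]:
    """Problems to settle before pasting; empty means nothing obviously destructive."""
    problems = []
    for path in script["files_to_delete"] + script["folders_to_delete"]:
        norm = ntpath.normpath(path).lower()        # Windows path rules on any host
        drive, tail = ntpath.splitdrive(norm)
        if not drive or not tail.startswith("\\"):
            problems.append(f"not an absolute drive path: {path}")
        elif norm.rstrip("\\") in PROTECTED_ROOTS or norm.rstrip("\\") == drive:
            problems.append(f"would delete a protected root: {path}")
    for key in script["registry_keys_to_delete"]:
        if not key.upper().startswith(HIVES):
            problems.append(f"unrecognised registry hive: {key}")
        elif key.upper().rstrip("\\").endswith("\\SERVICES"):
            problems.append(f"would delete every service, not one: {key}")
    for drv in script["drivers_to_delete"]:
        if drv not in script["drivers_to_disable"]:
            problems.append(f"driver deleted without being disabled first: {drv}")
    return problems


LOG_TARGET = re.compile(r'"(?P<target>[^"]+)" (?P<rest>.+)$')
OUTCOMES = (("disabled successfully", "disabled"), ("deleted successfully", "deleted"),
            ("not found", "not found"), ("failed", "failed"))


def summarize_avenger_log(log: str) -> Dict[str, List[str]]:
    """Map each quoted target to its outcomes in log order; lines without a target are skipped."""
    outcomes: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = LOG_TARGET.search(line)
        if m:
            rest = m.group("rest").lower()
            found = next((o for marker, o in OUTCOMES if marker in rest), None)
            if found:
                outcomes.setdefault(m.group("target"), []).append(found)
    return outcomes


def unexplained_failures(outcomes: Dict[str, List[str]]) -> List[str]:
    """'failed' after 'not found' is benign: the artifact was already gone (in this
    thread the service key went away with the driver). Anything else needs a look."""
    return [t for t, o in outcomes.items() if "failed" in o and "not found" not in o]
```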


Thank you very much for your continued help!

Here are the log files for avenger, Malwarebytes, and ESET:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Driver "zllflnj" disabled successfully.

Driver "zllflnj" deleted successfully.

File "c:\windows\Mmetokaxuwena.bin" deleted successfully.

File "c:\windows\Dcajiyalogujage.dat" deleted successfully.

File "c:\windows\system32\drivers\zllflnj.sys" deleted successfully.

Folder "c:\documents and settings\IVitsut\Local Settings\Application Data\bmymucxda" deleted successfully.

Folder "c:\documents and settings\IVitsut\Local Settings\Application Data\adqpnqhlt" deleted successfully.

Folder "c:\documents and settings\IVitsut\Local Settings\Application Data\wmfnyeeik" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zllflnj" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zllflnj" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4309

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/13/2010 9:31:35 AM

mbam-log-2010-07-13 (09-31-35).txt

Scan type: Quick scan

Objects scanned: 161963

Time elapsed: 11 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\JDK5SWFMZY (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\6ceaebec.tmp (Trojan.Ransom) -> Quarantined and deleted successfully.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=1d36f21131c3a249941d26761e5642e4

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-07-13 07:06:58

# local_time=2010-07-13 12:06:58 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 170498 170498 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=134995

# found=1

# cleaned=1

# scan_time=7245

C:\Qoobox\Quarantine\C\WINDOWS\eqasodamape.dll.vir a variant of Win32/Cimag.CK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Seems to be working fine now :)

Here's the new dds log

DDS (Ver_10-03-17.01) - NTFSx86

Run by IVitsut at 14:02:15.92 on Wed 07/14/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1303 [GMT -7:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\WINDOWS\system32\ASTSRV.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\DWRCS.EXE

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe

C:\Program Files\SMART Technologies\SMART Product Drivers\UCService.exe

C:\WINDOWS\system32\StacSV.exe

C:\WINDOWS\system32\DWRCST.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\DellTPad\Apoint.exe

C:\WINDOWS\system32\KADxMain.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Documents and Settings\IVitsut\Desktop\dds.scr

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [KADxMain] c:\windows\system32\KADxMain.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Macro Manager] c:\program files\grasssoft\macro expert\MacroManager.exe /q

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START

mRun: [bing Bar] "c:\program files\msn toolbar\platform\5.0.1449.0\mswinext.exe"

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe

dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartb~1.lnk - c:\program files\smart technologies\smart product drivers\SMARTBoardTools.exe

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

Trusted Zone: intuit.com\ttlc

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201293187000

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224188495870

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: {3AAF5171-D069-43EB-9A4C-2AF5D8F77C6E} = 10.1.2.10,10.1.2.90

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-15 342128]

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2010-6-30 236928]

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2009-4-9 21256]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-4-9 144888]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-4-9 62800]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-4-15 70216]

R2 SMART Display Controller;SMART Display Controller;c:\program files\smart technologies\smart product drivers\UCService.exe [2010-1-5 779560]

R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-15 91640]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-15 43288]

S2 Macro Expert;Macro Expert;c:\program files\grasssoft\macro expert\MacroService.exe [2009-8-28 212992]

S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-4-15 65224]

S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\smart technologies\smart product drivers\SMARTSNMPAgent.exe [2010-1-5 1053992]

S3 SMART Web Server;SMART Web Server;c:\program files\smart technologies\smart product drivers\WebServer.exe [2010-1-5 1262888]

=============== Created Last 30 ================

2010-07-14 21:02:45 0 d-----w- C:\d25d38ec1fef4371a6694f

2010-07-13 16:54:41 0 d-----w- c:\program files\ESET

2010-07-13 15:54:47 0 ----a-w- C:\backup.reg

2010-07-13 15:54:45 574 ----a-w- C:\cleanup.bat

2010-07-13 15:54:45 135168 ----a-w- C:\zip.exe

2010-07-11 17:51:51 0 d-----w- C:\ComboFix

2010-07-11 17:45:07 0 d-sha-r- C:\cmdcons

2010-07-11 17:39:34 77312 ----a-w- c:\windows\MBR.exe

2010-07-11 17:39:32 98816 ----a-w- c:\windows\sed.exe

2010-07-11 17:39:32 256512 ----a-w- c:\windows\PEV.exe

2010-07-11 17:39:32 161792 ----a-w- c:\windows\SWREG.exe

2010-07-11 00:31:50 0 ----a-w- c:\documents and settings\ivitsut\defogger_reenable

2010-07-10 17:44:34 0 d-----w- c:\program files\Trend Micro

2010-07-09 20:01:55 0 d-----w- c:\docume~1\ivitsut\applic~1\Malwarebytes

2010-07-09 20:01:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-09 20:01:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-09 20:01:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-09 20:01:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-09 19:25:11 0 d-----w- C:\spoolerlogs

2010-07-08 08:28:27 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll

2010-07-08 08:28:22 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

2010-07-08 08:28:15 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll

2010-07-08 08:28:08 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll

2010-07-08 08:28:00 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll

2010-07-08 08:27:49 0 d-----w- c:\windows\Logs

2010-07-08 07:50:47 0 d-----w- c:\docume~1\ivitsut\applic~1\WinAVI

2010-07-08 07:48:41 0 d-----w- c:\program files\WinAVI Video Converter

2010-07-05 23:32:25 0 d-sh--w- c:\documents and settings\ivitsut\IECompatCache

2010-07-05 23:31:42 0 d-sh--w- c:\documents and settings\ivitsut\PrivacIE

2010-07-05 23:26:43 0 d-sh--w- c:\documents and settings\ivitsut\IETldCache

2010-07-05 23:24:25 0 d-----w- c:\windows\ie8updates

2010-07-05 23:23:01 0 dc-h--w- c:\windows\ie8

2010-07-05 23:22:29 0 d-----w- c:\program files\MSN Toolbar

2010-07-05 23:19:29 0 d-----w- c:\program files\Bing Bar Installer

2010-07-05 23:13:22 0 d--h--w- c:\windows\msdownld.tmp

2010-07-05 23:10:56 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-07-05 23:10:55 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-07-05 23:10:55 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-07-05 23:09:20 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-07-01 20:32:24 0 d-----w- c:\docume~1\ivitsut\applic~1\ElevatedDiagnostics

2010-07-01 06:37:14 236928 ----a-w- c:\windows\system32\drivers\c2scsi.sys

2010-06-23 23:39:21 0 d-----w- c:\program files\Zip Password Recovery Magic

2010-06-23 23:33:15 0 d-----w- c:\program files\RAR Password Recovery Magic

2010-06-23 20:56:31 0 d-----w- c:\windows\system32\drivers\myrmbin

2010-06-23 20:56:30 0 d-----w- c:\windows\system32\drivers\mycodec

2010-06-23 20:56:29 0 d-----w- c:\program files\MyVideoConverter

2010-06-19 17:08:56 5632 ----a-w- c:\windows\system32\ptpusb.dll

2010-06-19 17:08:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

2010-06-19 17:08:56 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2010-06-19 17:08:56 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-06-17 01:51:09 0 d-----w- c:\program files\QuickPar

==================== Find3M ====================

2010-07-13 16:02:43 90112 ----a-w- c:\windows\DUMP5870.tmp

2010-06-27 02:39:27 523259 ----a-w- c:\windows\system32\nvModes.dat

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-23 12:57:30 114688 ----a-w- c:\windows\system32\DirShowEXDD.dll

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2008-01-29 18:13:45 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2008-05-12 17:35:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat

============= FINISH: 14:08:24.87 ===============


Although the computer is running smoothly, there does seem to be an issue. For some reason it keeps wanting to install the same Windows updates every time I reboot, even though I have installed them several times already:

Microsoft .NET Framework 2.0 Service Pack 2 Security Update for Windows 2000, Windows Server 2003, and Windows XP (KB974417)

Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Security Update for Windows 2000, Windows Server 2003, and Windows XP x86 (KB979909)

Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168)


Hi, look in your control panel for those updates and let me know if they are indeed installed.

This is an issue on about every XP machine I have worked on.

You will have to place a check mark next to the option to show updates at the top of the add\remove programs list.


KB974417 and KB982168 are not installed, KB979909 is installed.

To be sure, I checked my desktop computer and it does have the KB974417 and KB979909 updates installed, but it does not have KB982168 installed either. Can I dismiss the auto update notifications for these three somehow?


Sure, you can disable them by clicking on the Automatic Updates yellow icon near the clock.

When it opens to the choice of updates, un-check the 3 that will not install; it will ask you if you do not want to see them anymore, choose yes, and then you are all done.

You can alternatively try to download the standalone installer to try to install them.

You can google the Kb numbers to find the standalone installer.

Also try the solution posted in the following links:

http://www.edugeek.net/forums/windows/5257...e-kb974417.html

http://social.technet.microsoft.com/Forums...09-8982da25e61d

Let me know if there is anything else and we can wrap it up.


Great glad it is sorted.

Please uninstall Adobe Reader 8 and then download the newest version from here > http://get.adobe.com/reader/

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /uninstall; it needs to be there.

===============Update Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)", then click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete/uninstall anything else that we have used that is left over.

=====================================

After that you're all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, for example: BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.

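Two steps in the posts above are manual registry-backed checks: the helper's request to tick "show updates" in Add/Remove Programs and see whether KB974417, KB979909 and KB982168 are really installed, and the cleanup instruction to remove every older Java Runtime Environment (JRE or J2SE) entry. The script below is an added example, not code from this thread or from Malwarebytes; it reads the same registry data that Add/Remove Programs displays. It assumes PowerShell 2.0 or later running as an administrator, and it assumes that .NET Framework hotfixes also register themselves under HKLM\SOFTWARE\Microsoft\Updates in a <product>\<service pack>\KBnnnnnn layout, which is how the fallback lookup is written.

```powershell
# Added example (not part of the original thread).
# Reads the Add/Remove Programs registry data directly so that an analyst can
# answer "is KBxxxxxx installed?" and "which Java versions are present?" without
# clicking through the Control Panel on each machine.
#
# Assumptions: administrator shell, PowerShell 2.0+ (XP-compatible cmdlets only),
# and the HKLM\SOFTWARE\Microsoft\Updates\<product>\<SP>\KBnnnnnn layout for
# .NET Framework hotfixes (assumed, used only as a fallback lookup).

$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # Only exists on 64-bit Windows; skipped on a 32-bit XP box.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallEntries {
    # One object per Add/Remove Programs entry. Entries that carry a
    # ParentKeyName are the "updates" that stay hidden until "Show updates"
    # is ticked, which is why the thread asks for that checkbox.
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            New-Object PSObject -Property @{
                KeyName     = $_.PSChildName
                DisplayName = $p.DisplayName
                Version     = $p.DisplayVersion
                Parent      = $p.ParentKeyName
                Uninstall   = $p.UninstallString
            }
        }
    }
}

function Test-KbInstalled {
    # Returns KB / Installed pairs for each KB number given, so the result can
    # be compared against what Automatic Updates keeps offering.
    param([string[]]$Kb)
    $entries = Get-UninstallEntries
    foreach ($k in $Kb) {
        $hit = $entries | Where-Object { $_.KeyName -match $k -or $_.DisplayName -match $k }
        if (-not $hit) {
            # Fallback: .NET hotfix registration tree (assumed layout, see above).
            $hit = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Updates' -Recurse -ErrorAction SilentlyContinue |
                   Where-Object { $_.PSChildName -eq $k }
        }
        New-Object PSObject -Property @{ KB = $k; Installed = [bool]$hit }
    }
}

function Get-JavaInstalls {
    # Matches "Java(TM) 6 Update 21", "Java 2 Runtime Environment ..." and
    # "J2SE Runtime Environment 5.0 ..." style display names; anything older
    # than the newest entry is what the cleanup post says to remove.
    Get-UninstallEntries |
        Where-Object { $_.DisplayName -match '^(Java|J2SE)' } |
        Sort-Object Version
}

Test-KbInstalled -Kb 'KB974417', 'KB979909', 'KB982168' | Format-Table KB, Installed -AutoSize
Get-JavaInstalls | Format-Table DisplayName, Version, Uninstall -AutoSize
```

The Uninstall column on the Java listing is the command Add/Remove Programs runs for that entry, so the same output tells you what to run to remove each stale JRE once the newest installer has been downloaded. If a KB shows Installed = False here but Automatic Updates still reports it as installed, the standalone installer route suggested in the thread is the next step.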


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
