Hello:

When I type a search word or phrase in Google and then get a list of proposed websites, and then when I click on one of the listed websites, instead of going to that website, I am sent to a similar website that offers additional search services for the same word or phrase. This is also happening with Yahoo and Bing searches.

I ran Malwarebytes but it did not find a virus.

I ran Hijackthis, and the log is below. I would appreciate any advice anyone has for me to remove this program. I have a Dell Inspiron 6000 laptop running Windows XP.

Thank you

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:14:18 AM, on 7/16/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bible.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100712084745.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKUS\S-1-5-18\..\Run: [joewvbsy] C:\Documents and Settings\NetworkService\Local Settings\Application Data\cdhggcuvl\luhmecttssd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [joewvbsy] C:\Documents and Settings\NetworkService\Local Settings\Application Data\cdhggcuvl\luhmecttssd.exe (User 'Default user')

O4 - Global Startup: McAfee Security Scan Plus.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Update Service (gupdate1ca2da78770ed56) (gupdate1ca2da78770ed56) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe

O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe

O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe

O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe

O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

--

End of file - 8164 bytes


Hi pbtay, and welcome to the Malwarebytes Forum!

I see you ran HijackThis in Safe mode?

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your thread.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.

After downloading the tool, disconnect from the internet and disable all antivirus protection.

Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE. Then post your DDS logs (DDS.txt and Attach.txt).


Hello again:

I ran the DDS program. Here is the log and the zipped attach file. Thanks for any further advice anyone can give me.

pbtay

DDS (Ver_10-03-17.01) - NTFSx86

Run by Paul at 13:59:13.14 on Sat 07/17/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1128 [GMT -4:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k Akamai

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\windows\eHome\ehRecvr.exe

C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe

C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\windows\eHome\ehmsas.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Paul\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =

uStart Page = hxxp://www.bible.com/

uSearch Bar =

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

mSearchAssistant =

uURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100712084745.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

dRun: [joewvbsy] c:\documents and settings\networkservice\local settings\application data\cdhggcuvl\luhmecttssd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 385880]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-12 82952]

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-10 14336]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-12 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-12 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-12 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-12 170144]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-12 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-12 141792]

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]

R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-12 55456]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-14 152320]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-12 312616]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-7-12 88480]

S2 gupdate1ca2da78770ed56;Google Update Service (gupdate1ca2da78770ed56);c:\program files\google\update\GoogleUpdate.exe [2009-9-4 133104]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2009-9-14 203280]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S2 mrtRate;mrtRate; [x]

S3 jatmlano;jatmlano;c:\docume~1\paul\locals~1\temp\jatmlano.sys [2004-8-5 15872]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-14 51688]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-12 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-12 83496]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-14 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-14 40552]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-5-8 11520]

=============== Created Last 30 ================

2010-07-16 14:07:03 0 d-----w- c:\program files\Trend Micro

2010-07-12 12:47:44 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-07-12 12:47:29 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-07-12 12:47:29 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-07-12 12:47:29 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-07-12 12:47:29 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-07-12 12:47:29 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-07-12 12:47:29 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-07-10 01:51:59 0 d-----w- c:\program files\Counter-Strike Online

2010-07-09 17:54:59 20480 ----a-w- C:\t20k.1

2010-07-09 17:13:08 0 d-----w- c:\documents and settings\paul\HShield

2010-07-05 12:48:17 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-04 02:40:07 0 d-----w- C:\Fraps

2010-07-03 01:24:18 0 d-----w- c:\program files\iPod

2010-07-03 01:24:10 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-07-03 01:24:09 0 d-----w- c:\program files\iTunes

2010-07-03 01:18:31 0 d-----w- c:\program files\Bonjour

2010-07-01 21:57:55 0 d-----w- c:\program files\CSO-NST

2010-07-01 15:05:17 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf

2010-06-28 18:24:30 0 d-----w- c:\program files\Vivendi Universal Games

==================== Find3M ====================

2010-07-06 22:06:16 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-07-03 02:03:16 81216 ---ha-w- c:\windows\system32\mlfcache.dat

2010-06-15 01:47:24 86016 ----a-w- c:\windows\system32\frapsvid.dll

2010-06-11 12:37:46 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2010-06-01 00:32:58 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-06-01 00:32:58 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2010-06-01 00:32:58 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 20:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-17 14:21:06 1325618 ----a-w- c:\windows\Condition Zero Uninstaller.exe

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-01-11 12:48:27 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

2009-08-27 18:48:28 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082720090828\index.dat

2010-02-13 22:58:41 16384 --sha-w- c:\windows\temp\cookies\index.dat

2010-02-13 22:58:41 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat

2010-02-13 22:58:41 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 14:00:29.46 ===============

zipped file:

Attach.zip

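The HijackThis and DDS logs above carry the actual evidence for the redirect: an Internet Explorer proxy pointed at 127.0.0.1:5555 (so a local process sits between the browser and every search-result click), a Run entry under the NetworkService profile's Local Settings\Application Data folder with a random folder and file name, and a few orphaned "(no file)" registrations left behind by removed software. The TDSSKiller output later in the thread adds a "Suspicious file (Forged)" line for disk.sys, which is how that tool reports a driver whose hash as read through the kernel differs from the file's real hash. The script below is an added example, not part of this thread and not code from HijackThis, DDS, TDSSKiller or Malwarebytes; it applies those four checks to log lines in the formats seen here. The sample lines are constructed from the thread's own log formats, and the rule names, the Finding class and the path heuristic are this example's own assumptions.

```python
"""Triage checks for HijackThis / DDS / TDSSKiller log lines (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: one line per log format, values as they appear in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [joewvbsy] C:\Documents and Settings\NetworkService\Local Settings\Application Data\cdhggcuvl\luhmecttssd.exe (User 'SYSTEM')
uInternet Settings,ProxyServer = http=127.0.0.1:5555
dRun: [joewvbsy] c:\documents and settings\networkservice\local settings\application data\cdhggcuvl\luhmecttssd.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
15:14:42:312 5832 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\disk.sys. Real md5: 9c4cd1e2fbb6d2e6146732b2e00e9d11, Fake md5: 044452051f3e02e7963599fc8f4f3e25
"""

# A proxy on the loopback interface means some process on this machine rewrites
# browser traffic; with no local proxy product installed that is the redirect itself.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost):(\d+)", re.I)
# Autostart entries: HJT "O4 - ...\Run: [name] target" and DDS "uRun/mRun/dRun: [name] target".
AUTORUN = re.compile(r"(?:O4 - .*?Run: |[umd]Run: )\[(?P<name>[^\]]+)\]\s*(?P<rest>.*)$", re.I)
# Heuristic (this example's assumption): legitimate software rarely autostarts from a
# profile's Local Settings\Application Data, and a random subfolder there is a dropper pattern.
PROFILE_APPDATA = re.compile(r"\\(?:Local Settings\\Application Data|AppData\\Local)\\", re.I)
ORPHAN = re.compile(r"\(no file\)|- No File$", re.I)
FORGED = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), "
    r"Fake md5: (?P<fake>[0-9a-f]{32})", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line: str


def autorun_target(line):
    """Return (name, path) for an HJT O4 or DDS u/m/dRun entry, else None."""
    m = AUTORUN.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith('"'):
        path = rest[1:].split('"', 1)[0]                   # quoted path, arguments may follow
    else:
        path = re.split(r"\s+\(User ", rest, maxsplit=1)[0]  # HJT appends "(User '...')"
    return m.group("name"), path.strip()


def analyze(text):
    """Run the four checks over every line; returns a list of Finding."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = LOOPBACK_PROXY.search(line)
        if m:
            findings.append(Finding("loopback-proxy",
                                    f"browser traffic routed via {m.group(1)}:{m.group(2)}", line))
            continue
        m = FORGED.search(line)
        if m:
            findings.append(Finding("forged-driver",
                                    f"{m.group('path')}: real md5 {m.group('real')} differs from "
                                    f"reported {m.group('fake')}", line))
            continue
        target = autorun_target(line)
        if target:
            name, path = target
            if PROFILE_APPDATA.search(path):
                findings.append(Finding("autorun-from-profile-appdata", f"[{name}] -> {path}", line))
            continue
        if ORPHAN.search(line):
            findings.append(Finding("orphaned-entry", "registered component whose file is missing", line))
    return findings


def rules_hit(text):
    """Rule name -> number of lines that triggered it, for a quick summary."""
    counts = {}
    for f in analyze(text):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.rule:30} {f.detail}")
```

Run it as a script to print the findings, or import it and call analyze() on a pasted log. The autorun rule deliberately passes the vendor entries (iTunesHelper, QuickTime Task, ehTray) and keys on where the executable lives rather than on its name, because names such as joewvbsy and luhmecttssd.exe are generated per infection and carry no signal; the loopback proxy, by contrast, is worth a finding on its own even when nothing else on the machine looks wrong.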

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Download TDSSKiller and save it to your Desktop.

  • Right click on the file and choose Extract All, extract the file to your desktop, then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log

========

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Please include the TDSSKiller log and C:\ComboFix.txt in your next reply.
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

Here are the logs:

15:14:39:593 5832 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49

15:14:39:593 5832 ================================================================================

15:14:39:593 5832 SystemInfo:

15:14:39:593 5832 OS Version: 5.1.2600 ServicePack: 3.0

15:14:39:593 5832 Product type: Workstation

15:14:39:593 5832 ComputerName: LAPTOP1

15:14:39:593 5832 UserName: Paul

15:14:39:593 5832 Windows directory: C:\WINDOWS

15:14:39:593 5832 System windows directory: C:\WINDOWS

15:14:39:593 5832 Processor architecture: Intel x86

15:14:39:593 5832 Number of processors: 1

15:14:39:593 5832 Page size: 0x1000

15:14:39:593 5832 Boot type: Normal boot

15:14:39:593 5832 ================================================================================

15:14:39:765 5832 Initialize success

15:14:39:765 5832

15:14:39:765 5832 Scanning Services ...

15:14:40:281 5832 Raw services enum returned 375 services

15:14:40:312 5832

15:14:40:312 5832 Scanning Drivers ...

15:14:41:218 5832 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

15:14:41:265 5832 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

15:14:41:343 5832 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

15:14:41:390 5832 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

15:14:41:468 5832 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

15:14:41:546 5832 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

15:14:41:562 5832 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

15:14:41:703 5832 ati2mtag (ec2743bf722d4356375a0a01b69a81e0) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

15:14:41:812 5832 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

15:14:41:875 5832 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

15:14:41:890 5832 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys

15:14:41:937 5832 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

15:14:41:984 5832 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

15:14:42:046 5832 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

15:14:42:093 5832 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

15:14:42:125 5832 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

15:14:42:156 5832 cfwids (44e4a7dded054dd55ae995c3aed719ae) C:\WINDOWS\system32\drivers\cfwids.sys

15:14:42:234 5832 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

15:14:42:250 5832 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

15:14:42:312 5832 Disk (9c4cd1e2fbb6d2e6146732b2e00e9d11) C:\WINDOWS\system32\DRIVERS\disk.sys

15:14:42:312 5832 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\disk.sys. Real md5: 9c4cd1e2fbb6d2e6146732b2e00e9d11, Fake md5: 044452051f3e02e7963599fc8f4f3e25

15:14:42:312 5832 File "C:\WINDOWS\system32\DRIVERS\disk.sys" infected by TDSS rootkit ... 15:14:42:781 5832 Backup copy found, using it..

15:14:42:781 5832 will be cured on next reboot

15:14:42:875 5832 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

15:14:42:890 5832 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

15:14:42:937 5832 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

15:14:42:968 5832 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

15:14:43:015 5832 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

15:14:43:031 5832 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

15:14:43:078 5832 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

15:14:43:109 5832 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

15:14:43:125 5832 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

15:14:43:171 5832 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

15:14:43:187 5832 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

15:14:43:203 5832 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

15:14:43:234 5832 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

15:14:43:265 5832 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

15:14:43:281 5832 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

15:14:43:328 5832 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

15:14:43:359 5832 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

15:14:43:406 5832 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

15:14:43:453 5832 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

15:14:43:515 5832 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

15:14:43:546 5832 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

15:14:43:593 5832 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

15:14:43:625 5832 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

15:14:43:656 5832 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

15:14:43:703 5832 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

15:14:43:734 5832 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

15:14:43:765 5832 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

15:14:43:796 5832 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

15:14:43:828 5832 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

15:14:43:859 5832 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

15:14:44:000 5832 jatmlano (5012f080fccf701e2cd6b045ac7814d9) C:\DOCUME~1\Paul\LOCALS~1\Temp\jatmlano.sys

15:14:44:046 5832 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

15:14:44:093 5832 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys

15:14:44:140 5832 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

15:14:44:156 5832 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

15:14:44:187 5832 L8042Kbd (d88846f9f4f27ae9be584a6e5b6b8753) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys

15:14:44:234 5832 L8042mou (bea61fda2103f6f51b14eb0872e8a050) C:\WINDOWS\system32\DRIVERS\L8042mou.Sys

15:14:44:265 5832 LHidFilt (3fa98339e8d9e007726be62f231e2015) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys

15:14:44:296 5832 LMouFilt (f259f758e04d8fb8d48c6cdbe45223e8) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys

15:14:44:312 5832 LMouKE (cab504e38fced9a56d87d838e9ba13e9) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys

15:14:44:359 5832 LUsbFilt (ca26e46ec8891058c9e10363df4e4650) C:\WINDOWS\system32\Drivers\LUsbFilt.Sys

15:14:44:390 5832 mfeapfk (b77e959e1c50d3e3a9d9ef423be62e09) C:\WINDOWS\system32\drivers\mfeapfk.sys

15:14:44:437 5832 mfeavfk (e84596fcb591117f5597498a5f82ad97) C:\WINDOWS\system32\drivers\mfeavfk.sys

15:14:44:500 5832 mfebopk (d40ce01e2d3fe0c079cd2d6b3e4b823b) C:\WINDOWS\system32\drivers\mfebopk.sys

15:14:44:531 5832 mfefirek (3962c6a9e35c4319dcdab0497614fd69) C:\WINDOWS\system32\drivers\mfefirek.sys

15:14:44:578 5832 mfehidk (e7ecf7872bf8f2897ae5a696d908c2f7) C:\WINDOWS\system32\drivers\mfehidk.sys

15:14:44:625 5832 mfendisk (554dbbdc8c3b4f380b21269239bd29bb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys

15:14:44:640 5832 mfendiskmp (554dbbdc8c3b4f380b21269239bd29bb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys

15:14:44:671 5832 mferkdet (e411594ac94baef7f8ea991cc8f47fd1) C:\WINDOWS\system32\drivers\mferkdet.sys

15:14:44:718 5832 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys

15:14:44:750 5832 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys

15:14:44:796 5832 mfetdi2k (1bfe4c4ccf8cd2d7deaffb424e691196) C:\WINDOWS\system32\drivers\mfetdi2k.sys

15:14:44:812 5832 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys

15:14:44:859 5832 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

15:14:44:921 5832 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

15:14:44:937 5832 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

15:14:44:968 5832 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

15:14:44:984 5832 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

15:14:45:031 5832 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

15:14:45:078 5832 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

15:14:45:109 5832 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

15:14:45:125 5832 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

15:14:45:156 5832 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

15:14:45:171 5832 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

15:14:45:203 5832 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

15:14:45:218 5832 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

15:14:45:234 5832 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

15:14:45:265 5832 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

15:14:45:296 5832 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

15:14:45:312 5832 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

15:14:45:328 5832 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

15:14:45:359 5832 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

15:14:45:390 5832 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

15:14:45:406 5832 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

15:14:45:437 5832 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

15:14:45:484 5832 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

15:14:45:515 5832 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys

15:14:45:546 5832 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

15:14:45:593 5832 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

15:14:45:609 5832 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

15:14:45:625 5832 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

15:14:45:656 5832 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

15:14:45:671 5832 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

15:14:45:703 5832 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

15:14:45:734 5832 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

15:14:45:765 5832 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys

15:14:45:781 5832 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

15:14:45:890 5832 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

15:14:45:906 5832 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

15:14:45:953 5832 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

15:14:46:046 5832 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

15:14:46:062 5832 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

15:14:46:093 5832 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

15:14:46:109 5832 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

15:14:46:125 5832 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

15:14:46:140 5832 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

15:14:46:156 5832 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

15:14:46:187 5832 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

15:14:46:203 5832 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

15:14:46:250 5832 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

15:14:46:281 5832 Secdrv (07f7f501ad50de2ba2d5842d9b6d6155) C:\WINDOWS\system32\DRIVERS\secdrv.sys

15:14:46:296 5832 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

15:14:46:328 5832 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys

15:14:46:390 5832 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys

15:14:46:390 5832 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

15:14:46:453 5832 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

15:14:46:468 5832 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

15:14:46:500 5832 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

15:14:46:562 5832 STAC97 (305cc42945a713347f978d78566113f3) C:\WINDOWS\system32\drivers\STAC97.sys

15:14:46:578 5832 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

15:14:46:609 5832 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

15:14:46:687 5832 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

15:14:46:734 5832 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

15:14:46:765 5832 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

15:14:46:781 5832 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

15:14:46:796 5832 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

15:14:46:843 5832 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

15:14:46:921 5832 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

15:14:46:968 5832 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

15:14:47:015 5832 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

15:14:47:031 5832 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

15:14:47:046 5832 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

15:14:47:093 5832 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

15:14:47:125 5832 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

15:14:47:140 5832 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

15:14:47:156 5832 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

15:14:47:203 5832 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

15:14:47:328 5832 w29n51 (a22abd73e0d6ba666cba4e86eeb001b3) C:\WINDOWS\system32\DRIVERS\w29n51.sys

15:14:47:375 5832 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

15:14:47:421 5832 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys

15:14:47:484 5832 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

15:14:47:515 5832 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

15:14:47:515 5832 Reboot required for cure complete..

15:14:48:062 5832 Cure on reboot scheduled successfully

15:14:48:062 5832

15:14:48:062 5832 Completed

15:14:48:062 5832

15:14:48:062 5832 Results:

15:14:48:062 5832 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

15:14:48:062 5832 File objects infected / cured / cured on reboot: 1 / 0 / 1

15:14:48:062 5832

15:14:48:078 5832 KLMD(ARK) unloaded successfully

next log:

ComboFix 10-07-16.01 - Paul 07/17/2010 15:33:29.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1592 [GMT -4:00]

Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Games\Local Settings\Application Data\{9271B7B5-E547-4FA3-BC24-EC29CBEC005F}

c:\documents and settings\Games\Local Settings\Application Data\{9271B7B5-E547-4FA3-BC24-EC29CBEC005F}\chrome.manifest

c:\documents and settings\Games\Local Settings\Application Data\{9271B7B5-E547-4FA3-BC24-EC29CBEC005F}\chrome\content\_cfg.js

c:\documents and settings\Games\Local Settings\Application Data\{9271B7B5-E547-4FA3-BC24-EC29CBEC005F}\chrome\content\overlay.xul

c:\documents and settings\Games\Local Settings\Application Data\{9271B7B5-E547-4FA3-BC24-EC29CBEC005F}\install.rdf

c:\documents and settings\Paul\GoToAssistDownloadHelper.exe

c:\documents and settings\Paul\Local Settings\Application Data\{1E818B60-EA2C-4DA9-907A-1C5BC022C21F}

c:\documents and settings\Paul\Local Settings\Application Data\{1E818B60-EA2C-4DA9-907A-1C5BC022C21F}\chrome.manifest

c:\documents and settings\Paul\Local Settings\Application Data\{1E818B60-EA2C-4DA9-907A-1C5BC022C21F}\chrome\content\_cfg.js

c:\documents and settings\Paul\Local Settings\Application Data\{1E818B60-EA2C-4DA9-907A-1C5BC022C21F}\chrome\content\overlay.xul

c:\documents and settings\Paul\Local Settings\Application Data\{1E818B60-EA2C-4DA9-907A-1C5BC022C21F}\install.rdf

c:\program files\Internet Explorer\SET1A4.tmp

c:\program files\Internet Explorer\SET1A9.tmp

c:\windows\xpsp1hfm.log

.

((((((((((((((((((((((((( Files Created from 2010-06-17 to 2010-07-17 )))))))))))))))))))))))))))))))

.

2010-07-17 18:36 . 2010-07-17 18:36 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Citrix

2010-07-16 14:07 . 2010-07-16 14:07 -------- d-----w- c:\program files\Trend Micro

2010-07-12 12:47 . 2010-06-01 00:32 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-07-12 12:47 . 2010-06-01 00:32 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-07-12 12:47 . 2010-06-01 00:32 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-07-12 12:47 . 2010-06-01 00:32 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-07-12 12:47 . 2010-06-01 00:32 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-07-12 12:47 . 2010-06-01 00:32 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-07-12 12:47 . 2010-06-01 00:32 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-07-10 01:51 . 2010-07-10 02:00 -------- d-----w- c:\program files\Counter-Strike Online

2010-07-09 17:13 . 2010-07-10 02:08 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\CSO

2010-07-09 17:13 . 2010-07-09 17:13 -------- d-----w- c:\documents and settings\Paul\HShield

2010-07-09 17:13 . 2010-07-09 17:13 -------- d-----w- c:\documents and settings\Data

2010-07-09 16:31 . 2010-07-09 16:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\cdhggcuvl

2010-07-05 12:48 . 2010-07-05 12:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-07-05 12:48 . 2010-07-17 19:10 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-04 22:33 . 2010-07-04 22:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-07-04 22:19 . 2010-07-04 22:19 -------- d-----w- c:\documents and settings\Games\Local Settings\Application Data\iilypdeiw

2010-07-04 02:40 . 2010-07-04 02:41 -------- d-----w- C:\Fraps

2010-07-03 01:24 . 2010-07-03 01:24 -------- d-----w- c:\program files\iPod

2010-07-03 01:24 . 2010-07-03 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-07-03 01:24 . 2010-07-03 01:25 -------- d-----w- c:\program files\iTunes

2010-07-03 01:18 . 2010-07-03 01:18 -------- d-----w- c:\program files\Bonjour

2010-07-03 01:14 . 2010-07-03 01:14 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

2010-07-01 21:57 . 2010-07-12 01:01 -------- d-----w- c:\program files\CSO-NST

2010-07-01 21:57 . 2010-07-01 21:57 -------- d-----w- c:\documents and settings\Games\Application Data\FFSJ

2010-06-28 18:24 . 2010-06-28 18:24 -------- d-----w- c:\program files\Vivendi Universal Games

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-17 19:42 . 2010-04-24 20:49 -------- d-----w- c:\program files\Common Files\Akamai

2010-07-17 19:16 . 2004-08-10 12:00 36352 ----a-w- c:\windows\system32\drivers\disk.sys

2010-07-17 12:13 . 2009-11-05 23:00 -------- d-----w- c:\program files\Steam

2010-07-13 17:20 . 2009-09-28 13:48 -------- d-----w- c:\program files\McAfee.com

2010-07-12 22:30 . 2009-09-14 19:11 -------- d-----w- c:\program files\McAfee

2010-07-12 22:29 . 2009-09-14 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-07-12 22:28 . 2009-09-28 13:48 -------- d-----w- c:\program files\Common Files\McAfee

2010-07-10 00:36 . 2009-11-23 21:13 -------- d-----w- c:\program files\Jed's Half-Life Model Viewer 1.3.6

2010-07-06 22:06 . 2009-08-27 16:34 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-07-06 14:02 . 2009-07-16 00:07 -------- d-----w- c:\documents and settings\Games\Application Data\Apple Computer

2010-07-05 15:58 . 2010-03-14 14:30 -------- d-----w- c:\program files\Uru Live

2010-07-03 02:03 . 2010-03-14 19:12 81216 ---ha-w- c:\windows\system32\mlfcache.dat

2010-07-03 01:26 . 2009-01-23 00:44 -------- d-----w- c:\documents and settings\Paul\Application Data\Apple Computer

2010-07-03 01:24 . 2009-08-27 16:08 -------- d-----w- c:\program files\Common Files\Apple

2010-07-01 15:05 . 2010-07-01 15:05 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf

2010-06-28 20:30 . 2010-05-30 15:40 120 ----a-w- c:\windows\Nxedid.dat

2010-06-28 18:24 . 2009-08-27 15:57 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-28 11:03 . 2010-05-30 15:40 0 ----a-w- c:\windows\Yfofehocozisij.bin

2010-06-15 01:47 . 2010-06-15 01:47 86016 ----a-w- c:\windows\system32\frapsvid.dll

2010-06-11 12:37 . 2010-06-11 12:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\27996\AdobeARM.exe

2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\27996\AdobeExtractFiles.dll

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\27996\ReaderUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\27996\AcrobatUpdater.exe

2010-06-01 00:32 . 2009-09-14 20:55 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-06-01 00:32 . 2009-09-14 20:55 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-06-01 00:32 . 2009-07-08 17:44 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2010-05-31 22:20 . 2010-05-31 22:20 -------- d-----w- c:\documents and settings\Paul\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2010-05-26 22:57 . 2010-05-26 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\HP

2010-05-19 07:54 . 2010-05-19 07:54 1824136 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\Common\NMService.exe

2010-05-19 07:54 . 2010-05-19 07:54 1734032 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\Common\nmconew.dll

2010-05-18 21:19 . 2010-05-18 21:17 -------- d-----w- c:\documents and settings\Games\Application Data\IGN_DLM

2010-05-18 21:17 . 2010-05-18 21:17 -------- d-----w- c:\program files\Download Manager

2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-17 21:08 . 2009-12-18 01:07 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

2010-05-17 21:08 . 2009-12-18 01:06 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll

2010-05-17 21:08 . 2009-12-18 01:06 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll

2010-05-17 21:08 . 2009-12-18 01:06 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll

2010-05-17 21:08 . 2009-12-18 01:06 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe

2010-05-17 14:21 . 2009-11-07 00:01 1325618 ----a-w- c:\windows\Condition Zero Uninstaller.exe

2010-05-13 20:31 . 2009-12-05 15:18 791272 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\NGM\NGMDll.dll

2010-05-08 18:51 . 2009-02-28 23:13 100192 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-06 22:55 . 2009-12-05 15:18 475888 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\NGM\NGMResource.dll

2010-05-06 22:55 . 2009-12-13 15:16 103136 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\NGM\npNxGame.dll

2010-05-06 22:55 . 2009-12-05 15:18 307944 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\Common\nmcogame.dll

2010-05-06 22:55 . 2009-12-05 15:18 131808 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\NGM\nxgame.dll

2010-05-06 22:55 . 2009-12-05 15:18 176864 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\NGM\NGM.exe

2010-05-06 10:41 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-03 19:46 . 2009-12-02 12:25 100192 ----a-w- c:\documents and settings\Games\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-02 05:22 . 2004-08-10 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 19:39 . 2009-10-01 14:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-10-01 14:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2004-08-10 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-04 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]

c:\documents and settings\Games\Start Menu\Programs\Startup\

PowerReg Scheduler.exe [2010-1-24 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk

backup=c:\windows\pss\WDDMStatus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk

backup=c:\windows\pss\WDSmartWare.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Paul^Start Menu^Programs^Startup^Product Registration.lnk]

path=c:\documents and settings\Paul\Start Menu\Programs\Startup\Product Registration.lnk

backup=c:\windows\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

2006-02-22 01:05 344064 ----a-w- c:\windows\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

2006-06-29 17:13 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-10-15 01:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]

2007-08-22 20:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]

2001-08-23 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

2008-04-14 02:13 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2004-07-27 20:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2004-07-27 20:50 81920 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]

2007-04-11 20:32 56080 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

2008-04-14 02:13 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

2008-04-14 02:13 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

2008-04-14 02:13 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qcoguxoxotumud]

2008-04-14 09:42 186880 ----a-w- c:\windows\iwolupufax.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-05-16 17:51 1238352 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-09-04 21:33 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Gamania\\Counter-Strike Online\\Bin\\cstrike-online.exe"=

"c:\\Program Files\\Gamania\\Counter-Strike Online\\Bin\\NMService.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonJP\\503\\NMService.exe"=

"c:\\Program Files\\Uru Live\\UruExplorer.exe"=

"c:\\Program Files\\Blockland\\Blockland.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\CSO-BR\\cstrike.exe"=

"c:\\AeriaGames\\WolfTeam\\Wolfteam.bin"=

"c:\\Documents and Settings\\All Users\\Application Data\\Nexon\\NGM\\NGM.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Nexon\\Common\\NMService.exe"=

"c:\\cso japan\\Counter-Strike Online\\Bin\\cstrike-online.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\TianCity\\Counter-Strike Online\\Bin\\cstrike-online.exe"=

"c:\\Program Files\\TianCity\\Counter-Strike Online\\Bin\\NMService.exe"=

"c:\\Program Files\\Steam\\steamapps\\pbtay\\half-life\\hl.exe"=

"c:\\SIERRA\\Half-Life\\hl.exe"=

"c:\\SIERRA\\Half-Life\\hlds.exe"=

"c:\\Program Files\\Infogrames\\Steel Tide\\SteelTide.exe"=

"c:\\Program Files\\Steam\\steamapps\\pbtay\\counter-strike\\hl.exe"=

"c:\\Valve\\Condition Zero\\cstrike.exe"=

"c:\\Valve\\Condition Zero\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\pbtay\\opposing force\\hl.exe"=

"c:\\Program Files\\CSO-NST\\hl.exe"=

"c:\\Documents and Settings\\Games\\Desktop\\counter-strike online in cs 1.6\\cstrike.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Games\\My Documents\\Cso pack part 1\\CS-?????V1.0\\CS-?????V1.0\\cstrike.exe"=

"c:\\Program Files\\Counter-Strike Online\\Bin\\cstrike-online.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

"c:\\Program Files\\Steam\\steamapps\\pbtaylor747\\garrysmod\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"57901:TCP"= 57901:TCP:Pando

"57901:UDP"= 57901:UDP:Pando

"1143:TCP"= 1143:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [7/12/2010 8:47 AM 82952]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 8:00 AM 14336]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/12/2010 8:47 AM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [7/12/2010 8:47 AM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [7/12/2010 8:47 AM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [7/12/2010 8:47 AM 141792]

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [11/13/2009 11:28 AM 110592]

R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [7/12/2010 8:47 AM 55456]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [7/12/2010 8:47 AM 312616]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [7/12/2010 8:47 AM 88480]

S2 gupdate1ca2da78770ed56;Google Update Service (gupdate1ca2da78770ed56);c:\program files\Google\Update\GoogleUpdate.exe [9/4/2009 5:34 PM 133104]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [9/14/2009 4:59 PM 203280]

S2 mrtRate;mrtRate; [x]

S3 jatmlano;jatmlano;\??\c:\docume~1\Paul\LOCALS~1\Temp\jatmlano.sys --> c:\docume~1\Paul\LOCALS~1\Temp\jatmlano.sys [?]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [7/12/2010 8:47 AM 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [7/12/2010 8:47 AM 83496]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/8/2010 2:51 PM 11520]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB

*Deregistered* - klmdb

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

2010-07-17 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-04 21:33]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 21:34]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 21:34]

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1563985344-839522115-1006Core.job

- c:\documents and settings\Games\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-06 20:09]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1563985344-839522115-1006UA.job

- c:\documents and settings\Games\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-06 20:09]

2010-07-17 c:\windows\Tasks\User_Feed_Synchronization-{BFF7BB6D-8AD2-4B60-B79B-C8A5B131AEFA}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bible.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

SafeBoot-klmdb.sys

MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

AddRemove-2kv4.8.442 - c:\windows\Radeon Omega Drivers v4.8.442

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-17 15:41

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2025429265-1563985344-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"??"=hex:aa,af,97,f3,0a,df,a6,2a,7e,89,68,f0,a5,2b,da,9b,51,65,b2,61,82,61,e3,

a6,8f,4a,29,10,bd,bb,d1,64,43,9d,0d,f0,4c,cd,4c,1a,c3,61,cd,60,4a,ea,e0,f2,\

"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-2025429265-1563985344-839522115-1004\Software\SecuROM\License information*]

"datasecu"=hex:be,15,c7,46,7d,ad,95,f9,02,d5,2a,c7,65,7f,89,1d,f6,71,c3,ce,94,

c3,12,36,df,e5,bb,e4,0d,22,94,c4,bc,b8,07,c5,aa,4c,9a,75,5d,d8,0f,e2,53,af,\

"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1372)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2010-07-17 15:45:08

ComboFix-quarantined-files.txt 2010-07-17 19:45

Pre-Run: 34,195,337,216 bytes free

Post-Run: 34,515,820,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 2FB5993437CF851F87F93CD109EA759B


The search redirections should have stopped now.

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and paste everything from the Code box into Notepad:

KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57901:TCP"=
"57901:UDP"=
"1143:TCP"=
"5000:UDP"=

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local

Driver::
jatmlano

Save the file to your desktop and name it CFScript.txt

Then drag CFScript.txt onto ComboFix.exe as shown in the screenshot below.

(screenshot: cfscriptb4.gif)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


----------------------------

YES!! Google and Bing searches work properly now without redirections. I will perform your next step. Thank you!


------------------------------------

Here is the log file text:

ComboFix 10-07-16.01 - Paul 07/17/2010 18:12:02.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1580 [GMT -4:00]

Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Paul\Desktop\CFScript.txt

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_JATMLANO

-------\Service_jatmlano

((((((((((((((((((((((((( Files Created from 2010-06-17 to 2010-07-17 )))))))))))))))))))))))))))))))

.

2010-07-17 18:36 . 2010-07-17 18:36 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Citrix

2010-07-16 14:07 . 2010-07-16 14:07 -------- d-----w- c:\program files\Trend Micro

2010-07-12 12:47 . 2010-06-01 00:32 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-07-12 12:47 . 2010-06-01 00:32 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-07-12 12:47 . 2010-06-01 00:32 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-07-12 12:47 . 2010-06-01 00:32 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-07-12 12:47 . 2010-06-01 00:32 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-07-12 12:47 . 2010-06-01 00:32 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-07-12 12:47 . 2010-06-01 00:32 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-07-10 01:51 . 2010-07-10 02:00 -------- d-----w- c:\program files\Counter-Strike Online

2010-07-09 17:13 . 2010-07-10 02:08 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\CSO

2010-07-09 17:13 . 2010-07-09 17:13 -------- d-----w- c:\documents and settings\Paul\HShield

2010-07-09 17:13 . 2010-07-09 17:13 -------- d-----w- c:\documents and settings\Data

2010-07-09 16:31 . 2010-07-09 16:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\cdhggcuvl

2010-07-05 12:48 . 2010-07-05 12:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-07-05 12:48 . 2010-07-17 19:10 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-04 22:33 . 2010-07-04 22:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-07-04 22:19 . 2010-07-04 22:19 -------- d-----w- c:\documents and settings\Games\Local Settings\Application Data\iilypdeiw

2010-07-04 02:40 . 2010-07-04 02:41 -------- d-----w- C:\Fraps

2010-07-03 01:24 . 2010-07-03 01:24 -------- d-----w- c:\program files\iPod

2010-07-03 01:24 . 2010-07-03 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-07-03 01:24 . 2010-07-03 01:25 -------- d-----w- c:\program files\iTunes

2010-07-03 01:18 . 2010-07-03 01:18 -------- d-----w- c:\program files\Bonjour

2010-07-01 21:57 . 2010-07-12 01:01 -------- d-----w- c:\program files\CSO-NST

2010-07-01 21:57 . 2010-07-01 21:57 -------- d-----w- c:\documents and settings\Games\Application Data\FFSJ

2010-06-28 18:24 . 2010-06-28 18:24 -------- d-----w- c:\program files\Vivendi Universal Games

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-17 22:31 . 2010-04-24 20:49 -------- d-----w- c:\program files\Common Files\Akamai

2010-07-17 19:16 . 2004-08-10 12:00 36352 ----a-w- c:\windows\system32\drivers\disk.sys

2010-07-17 12:13 . 2009-11-05 23:00 -------- d-----w- c:\program files\Steam

2010-07-13 17:20 . 2009-09-28 13:48 -------- d-----w- c:\program files\McAfee.com

2010-07-12 22:30 . 2009-09-14 19:11 -------- d-----w- c:\program files\McAfee

2010-07-12 22:29 . 2009-09-14 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-07-12 22:28 . 2009-09-28 13:48 -------- d-----w- c:\program files\Common Files\McAfee

2010-07-10 00:36 . 2009-11-23 21:13 -------- d-----w- c:\program files\Jed's Half-Life Model Viewer 1.3.6

2010-07-06 22:06 . 2009-08-27 16:34 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-07-06 14:02 . 2009-07-16 00:07 -------- d-----w- c:\documents and settings\Games\Application Data\Apple Computer

2010-07-05 15:58 . 2010-03-14 14:30 -------- d-----w- c:\program files\Uru Live

2010-07-03 02:03 . 2010-03-14 19:12 81216 ---ha-w- c:\windows\system32\mlfcache.dat

2010-07-03 01:26 . 2009-01-23 00:44 -------- d-----w- c:\documents and settings\Paul\Application Data\Apple Computer

2010-07-03 01:24 . 2009-08-27 16:08 -------- d-----w- c:\program files\Common Files\Apple

2010-07-03 01:14 . 2010-07-03 01:14 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

2010-07-01 15:05 . 2010-07-01 15:05 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf

2010-06-28 20:30 . 2010-05-30 15:40 120 ----a-w- c:\windows\Nxedid.dat

2010-06-28 18:24 . 2009-08-27 15:57 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-28 11:03 . 2010-05-30 15:40 0 ----a-w- c:\windows\Yfofehocozisij.bin

2010-06-15 01:47 . 2010-06-15 01:47 86016 ----a-w- c:\windows\system32\frapsvid.dll

2010-06-11 12:37 . 2010-06-11 12:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\27996\AdobeARM.exe

2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\27996\AdobeExtractFiles.dll

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\27996\ReaderUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\27996\AcrobatUpdater.exe

2010-06-01 00:32 . 2009-09-14 20:55 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-06-01 00:32 . 2009-09-14 20:55 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-06-01 00:32 . 2009-07-08 17:44 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2010-05-31 22:20 . 2010-05-31 22:20 -------- d-----w- c:\documents and settings\Paul\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2010-05-26 22:57 . 2010-05-26 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\HP

2010-05-19 07:54 . 2010-05-19 07:54 1824136 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\Common\NMService.exe

2010-05-19 07:54 . 2010-05-19 07:54 1734032 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\Common\nmconew.dll

2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-17 21:08 . 2009-12-18 01:07 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

2010-05-17 21:08 . 2009-12-18 01:06 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll

2010-05-17 21:08 . 2009-12-18 01:06 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll

2010-05-17 21:08 . 2009-12-18 01:06 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll

2010-05-17 21:08 . 2009-12-18 01:06 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe

2010-05-17 14:21 . 2009-11-07 00:01 1325618 ----a-w- c:\windows\Condition Zero Uninstaller.exe

2010-05-13 20:31 . 2009-12-05 15:18 791272 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\NGM\NGMDll.dll

2010-05-08 18:51 . 2009-02-28 23:13 100192 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-06 22:55 . 2009-12-05 15:18 475888 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\NGM\NGMResource.dll

2010-05-06 22:55 . 2009-12-13 15:16 103136 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\NGM\npNxGame.dll

2010-05-06 22:55 . 2009-12-05 15:18 307944 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\Common\nmcogame.dll

2010-05-06 22:55 . 2009-12-05 15:18 131808 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\NGM\nxgame.dll

2010-05-06 22:55 . 2009-12-05 15:18 176864 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\NGM\NGM.exe

2010-05-06 10:41 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-03 19:46 . 2009-12-02 12:25 100192 ----a-w- c:\documents and settings\Games\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-02 05:22 . 2004-08-10 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 19:39 . 2009-10-01 14:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-10-01 14:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2004-08-10 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-07-17_19.41.39 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-07-17 22:30 . 2010-07-17 22:30 16384 c:\windows\Temp\Perflib_Perfdata_564.dat

+ 2010-07-17 22:30 . 2010-07-17 22:30 16384 c:\windows\Temp\Perflib_Perfdata_330.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-04 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]

c:\documents and settings\Games\Start Menu\Programs\Startup\

PowerReg Scheduler.exe [2010-1-24 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk

backup=c:\windows\pss\WDDMStatus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk

backup=c:\windows\pss\WDSmartWare.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Paul^Start Menu^Programs^Startup^Product Registration.lnk]

path=c:\documents and settings\Paul\Start Menu\Programs\Startup\Product Registration.lnk

backup=c:\windows\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]

2001-08-23 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

2008-04-14 02:13 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2004-07-27 20:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2004-07-27 20:50 81920 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]

2007-04-11 20:32 56080 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

2008-04-14 02:13 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

2008-04-14 02:13 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

2008-04-14 02:13 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qcoguxoxotumud]

2008-04-14 09:42 186880 ----a-w- c:\windows\iwolupufax.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-05-16 17:51 1238352 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-09-04 21:33 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Gamania\\Counter-Strike Online\\Bin\\cstrike-online.exe"=

"c:\\Program Files\\Gamania\\Counter-Strike Online\\Bin\\NMService.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonJP\\503\\NMService.exe"=

"c:\\Program Files\\Uru Live\\UruExplorer.exe"=

"c:\\Program Files\\Blockland\\Blockland.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\CSO-BR\\cstrike.exe"=

"c:\\AeriaGames\\WolfTeam\\Wolfteam.bin"=

"c:\\Documents and Settings\\All Users\\Application Data\\Nexon\\NGM\\NGM.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Nexon\\Common\\NMService.exe"=

"c:\\cso japan\\Counter-Strike Online\\Bin\\cstrike-online.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\TianCity\\Counter-Strike Online\\Bin\\cstrike-online.exe"=

"c:\\Program Files\\TianCity\\Counter-Strike Online\\Bin\\NMService.exe"=

"c:\\Program Files\\Steam\\steamapps\\pbtay\\half-life\\hl.exe"=

"c:\\SIERRA\\Half-Life\\hl.exe"=

"c:\\SIERRA\\Half-Life\\hlds.exe"=

"c:\\Program Files\\Infogrames\\Steel Tide\\SteelTide.exe"=

"c:\\Program Files\\Steam\\steamapps\\pbtay\\counter-strike\\hl.exe"=

"c:\\Valve\\Condition Zero\\cstrike.exe"=

"c:\\Valve\\Condition Zero\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\pbtay\\opposing force\\hl.exe"=

"c:\\Program Files\\CSO-NST\\hl.exe"=

"c:\\Documents and Settings\\Games\\Desktop\\counter-strike online in cs 1.6\\cstrike.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Games\\My Documents\\Cso pack part 1\\CS-?????V1.0\\CS-?????V1.0\\cstrike.exe"=

"c:\\Program Files\\Counter-Strike Online\\Bin\\cstrike-online.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

"c:\\Program Files\\Steam\\steamapps\\pbtaylor747\\garrysmod\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"57901:TCP"= 57901:TCP:Pando

"57901:UDP"= 57901:UDP:Pando

"1038:TCP"= 1038:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [7/12/2010 8:47 AM 82952]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 8:00 AM 14336]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/12/2010 8:47 AM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [7/12/2010 8:47 AM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [7/12/2010 8:47 AM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [7/12/2010 8:47 AM 141792]

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [11/13/2009 11:28 AM 110592]

R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [7/12/2010 8:47 AM 55456]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [7/12/2010 8:47 AM 312616]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [7/12/2010 8:47 AM 88480]

S2 gupdate1ca2da78770ed56;Google Update Service (gupdate1ca2da78770ed56);c:\program files\Google\Update\GoogleUpdate.exe [9/4/2009 5:34 PM 133104]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [9/14/2009 4:59 PM 203280]

S2 mrtRate;mrtRate; [x]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [7/12/2010 8:47 AM 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [7/12/2010 8:47 AM 83496]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/8/2010 2:51 PM 11520]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

2010-07-17 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-04 21:33]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 21:34]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 21:34]

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1563985344-839522115-1006Core.job

- c:\documents and settings\Games\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-06 20:09]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1563985344-839522115-1006UA.job

- c:\documents and settings\Games\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-06 20:09]

2010-07-17 c:\windows\Tasks\User_Feed_Synchronization-{BFF7BB6D-8AD2-4B60-B79B-C8A5B131AEFA}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bible.com/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-17 18:32

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2025429265-1563985344-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"??"=hex:aa,af,97,f3,0a,df,a6,2a,7e,89,68,f0,a5,2b,da,9b,51,65,b2,61,82,61,e3,

a6,8f,4a,29,10,bd,bb,d1,64,43,9d,0d,f0,4c,cd,4c,1a,c3,61,cd,60,4a,ea,e0,f2,\

"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-2025429265-1563985344-839522115-1004\Software\SecuROM\License information*]

"datasecu"=hex:be,15,c7,46,7d,ad,95,f9,02,d5,2a,c7,65,7f,89,1d,f6,71,c3,ce,94,

c3,12,36,df,e5,bb,e4,0d,22,94,c4,bc,b8,07,c5,aa,4c,9a,75,5d,d8,0f,e2,53,af,\

"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1108)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1952)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\program files\Google\Update\1.2.183.29\GoogleCrashHandler.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

c:\windows\eHome\ehmsas.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-07-17 18:39:08 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-17 22:39

ComboFix2.txt 2010-07-17 19:45

Pre-Run: 34,541,051,904 bytes free

Post-Run: 34,435,035,136 bytes free

- - End Of File - - 8D887536A81AD432B9FA5235A54C6FB3


We are almost done here..... :) How is your computer doing now?

There are some older versions of Java on your computer. These can be a source of infection.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 20 -
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_20 from Sun Microsystems Inc.

-------------------------------------------------------------------

Update and Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Google and Bing searches working without redirection. Computer seems to run a little faster as well. I will proceed to your next set of instructions and will update when I am done. Thank you for helping me through this process. I could never have figured any of this out.

-------------------------------------

Here is the Malwarebytes scan log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4319

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/18/2010 9:57:55 AM

mbam-log-2010-07-18 (09-57-55).txt

Scan type: Quick scan

Objects scanned: 149242

Time elapsed: 12 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Your Computer is Clean


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything associated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it. There are other free alternatives, FIREFOX and OPERA; both are free to use and are more secure than IE.

If you are using Firefox, you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from starting on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact, it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Visit My Blog for Malware and Spyware Tips


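The Internet Explorer zone settings listed in the post above, as an added PowerShell audit script that is not part of the thread or of any tool mentioned in it: it reads the six values from the current user's Internet zone, reports which ones are weaker than recommended, and can set them. Assumptions: zone 3 is the Internet zone and the numeric action IDs with their values (0 = Enable, 1 = Prompt, 3 = Disable) follow Microsoft's documented zone registry layout (KB 182569); the function and variable names are my own.

```powershell
# Added example, not from the thread: audit (and optionally apply) the Internet
# Explorer "Internet" zone settings recommended in the post above.
# Zone 3 is the Internet zone; the action IDs and the meaning of their values
# (0 = Enable, 1 = Prompt, 3 = Disable) follow Microsoft's documented zone
# registry layout (KB 182569). Function and variable names are my own.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Desired state, one entry per bullet in the post (1 = Prompt, 3 = Disable).
$Desired = @(
    @{ Id = '1001'; Want = 1; Name = 'Download signed ActiveX controls' },
    @{ Id = '1004'; Want = 3; Name = 'Download unsigned ActiveX controls' },
    @{ Id = '1201'; Want = 3; Name = 'Initialize and script ActiveX controls not marked as safe' },
    @{ Id = '1800'; Want = 1; Name = 'Installation of desktop items' },
    @{ Id = '1804'; Want = 1; Name = 'Launching programs and files in an IFRAME' },
    @{ Id = '1607'; Want = 1; Name = 'Navigate sub-frames across different domains' }
)
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IeInternetZone {
    param(
        [string]$Path = $ZonePath,
        [switch]$Apply   # rewrite non-compliant values to the recommended state
    )
    $key = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($d in $Desired) {
        $current = $key.($d.Id)   # $null when unset: IE then uses the zone template default
        $ok = ($current -ne $null) -and ([int]$current -eq $d.Want)
        if (-not $ok -and $Apply) {
            # Close Internet Explorer first; it rewrites the zone key when it exits.
            Set-ItemProperty -Path $Path -Name $d.Id -Value $d.Want -Type DWord
        }
        # Human-readable form of the current value (unknown numbers shown as-is)
        $shown = '(unset)'
        if ($current -ne $null) {
            $shown = $Label[[int]$current]
            if (-not $shown) { $shown = "$current" }
        }
        New-Object PSObject -Property @{
            Id = $d.Id; Setting = $d.Name; Current = $shown
            Wanted = $Label[$d.Want]; Compliant = $ok
        }
    }
}

# Report only; add -Apply to enforce the recommended values.
Test-IeInternetZone | Format-Table Id, Setting, Current, Wanted, Compliant -AutoSize
```

Rows with Compliant = False are the settings still at a weaker level than the post recommends; the GUI steps above and the -Apply switch change the same registry values.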

Thank you Kenny. I deleted Combofix and ran through the IE security updates.

Thank you for helping me. By the way, is there a name for the virus that was in my computer and redirecting Google searches? Any info on where it came from? My 12-year-old son uses my laptop sometimes and my guess is one of his online games got us infected.

Thanks.

Pbtay
