Unable to Remove Malware


----- Malwarebytes' Anti-Malware log file -----

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4517

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/31/2010 4:30:50 PM

mbam-log-2010-08-31 (16-30-50).txt

Scan type: Full scan (C:\|)

Objects scanned: 206957

Time elapsed: 1 hour(s), 13 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

----- DDS Log File -----

DDS (Ver_10-03-17.01) - NTFSx86

Run by George at 19:40:10.82 on Tue 08/31/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.76 [GMT -4:00]

AV: Antivirus Suite *On-access scanning enabled* (Updated) {AE716D16-40FE-4cb9-8FD2-2975088F55B2}

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

C:\Program Files\CompuServe 7.0c\cstray.exe

svchost.exe

C:\Documents and Settings\George\Local Settings\Application Data\CrossLoop\CrossLoopService.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

G:\dds.com

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://ie.search.msn.com

mSearch Bar =

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uURLSearchHooks: MapNeto 1 Toolbar: {1e7e4de1-5ef4-4baa-9250-c26258dc499a} - c:\program files\mapneto_1\tbMapN.dll

BHO: MapNeto 1 Toolbar: {1e7e4de1-5ef4-4baa-9250-c26258dc499a} - c:\program files\mapneto_1\tbMapN.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100831174155.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Dictionary.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Dictionary.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: MapNeto 1 Toolbar: {1e7e4de1-5ef4-4baa-9250-c26258dc499a} - c:\program files\mapneto_1\tbMapN.dll

TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [QuickenScheduledUpdates] c:\program files\quicken\bagent.exe

mRun: [VTTimer] VTTimer.exe

mRun: [<NO NAME>]

mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe

mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"

mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compus~1.lnk - c:\program files\compuserve 7.0c\cstray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotusq~1.lnk - c:\lotus\wordpro\ltsstart.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - hxxp://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab

DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\george\applic~1\mozilla\firefox\profiles\mjpkxhg3.default\

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll

FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

FF - plugin: c:\program files\quicktime\plugins\npqtplugin9.dll

FF - plugin: c:\program files\verizon\vsp\nprpspa.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-31 385880]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-15 82952]

R2 CrossLoopService;CrossLoop Service;c:\documents and settings\george\local settings\application data\crossloop\CrossLoopService.exe [2010-8-24 560848]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-31 88176]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-15 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-15 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-15 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-15 170144]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-15 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-15 141792]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-15 55456]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-31 152320]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-31 51688]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-15 312616]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-15 88480]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\26.tmp --> c:\windows\system32\26.tmp [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-15 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-15 83496]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-31 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-31 40552]

S3 uvnc_service;uvnc_service;c:\documents and settings\george\local settings\application data\crossloop\winvnc.exe [2010-8-24 1587352]

=============== Created Last 30 ================

2010-08-31 23:39:05 0 ----a-w- c:\documents and settings\george\defogger_reenable

2010-08-31 18:38:09 0 d-----w- c:\program files\Sophos

2010-08-31 17:33:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-31 17:33:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-31 17:33:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-31 17:06:12 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-08-31 17:06:12 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-08-31 17:06:04 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-08-31 17:06:04 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-08-31 17:05:48 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2010-08-31 17:05:48 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2010-08-30 12:30:24 0 d-----w- c:\docume~1\george\applic~1\McAfee

2010-08-25 01:09:10 0 d-----w- c:\docume~1\george\applic~1\PriceGong

2010-08-24 15:23:15 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-08-24 15:04:10 0 d-----w- c:\docume~1\george\applic~1\Malwarebytes

2010-08-24 15:03:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-08-24 14:31:58 0 d-----w- c:\program files\CompuServe 7.0c

2010-08-24 14:28:22 403 ---ha-w- C:\IPH.PH

2010-08-21 14:22:02 1409 ----a-w- c:\windows\QTFont.for

2010-08-21 14:22:01 54156 ---ha-w- c:\windows\QTFont.qfn

2010-08-18 22:11:35 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!

2010-08-03 12:42:46 0 d-----w- c:\program files\Conduit

2010-08-03 12:42:45 0 d-----w- c:\program files\MapNeto_1

==================== Find3M ====================

2010-08-24 14:37:47 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-03-31 13:58:59 62976 --sha-r- c:\windows\system32\spoolss0.dll

2008-09-20 13:28:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

2010-02-20 22:42:20 29844000 --sha-w- c:\windows\system32\drivers\fidbox.dat

2010-02-20 22:42:21 2456096 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2009-11-11 15:25:20 16384 --sha-w- c:\windows\temp\cookies\index.dat

2009-11-11 15:25:20 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat

2009-11-11 15:25:20 16384 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 19:42:01.18 ===============

Attach.zip

  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Thanks, I appreciate the help.

I am following the instructions provided for running ComboFix. I have disabled the McAfee AntiVirus Plus Real-Time Scanning. When I run ComboFix I receive the following message:

Warning!!

ComboFix has detected the following real time scanner(s) to be active:

antivirus: Antivirus Suite

McAfee assures me that the real-time scanner is disabled, but given the dire warning from ComboFix I wanted to check with you before proceeding.

Thanks.

----- ComboFix Log -----

ComboFix 10-09-02.03 - George 09/03/2010 9:38.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.242 [GMT -4:00]

Running from: G:\ComboFix.exe

Command switches used :: /killall

AV: Antivirus Suite *On-access scanning enabled* (Updated) {AE716D16-40FE-4cb9-8FD2-2975088F55B2}

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\George\Application Data\PriceGong

c:\documents and settings\George\Application Data\PriceGong\Data\1.xml

c:\documents and settings\George\Application Data\PriceGong\Data\a.xml

c:\documents and settings\George\Application Data\PriceGong\Data\b.xml

c:\documents and settings\George\Application Data\PriceGong\Data\c.xml

c:\documents and settings\George\Application Data\PriceGong\Data\d.xml

c:\documents and settings\George\Application Data\PriceGong\Data\e.xml

c:\documents and settings\George\Application Data\PriceGong\Data\f.xml

c:\documents and settings\George\Application Data\PriceGong\Data\g.xml

c:\documents and settings\George\Application Data\PriceGong\Data\h.xml

c:\documents and settings\George\Application Data\PriceGong\Data\i.xml

c:\documents and settings\George\Application Data\PriceGong\Data\J.xml

c:\documents and settings\George\Application Data\PriceGong\Data\k.xml

c:\documents and settings\George\Application Data\PriceGong\Data\l.xml

c:\documents and settings\George\Application Data\PriceGong\Data\m.xml

c:\documents and settings\George\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\George\Application Data\PriceGong\Data\n.xml

c:\documents and settings\George\Application Data\PriceGong\Data\o.xml

c:\documents and settings\George\Application Data\PriceGong\Data\p.xml

c:\documents and settings\George\Application Data\PriceGong\Data\q.xml

c:\documents and settings\George\Application Data\PriceGong\Data\r.xml

c:\documents and settings\George\Application Data\PriceGong\Data\s.xml

c:\documents and settings\George\Application Data\PriceGong\Data\t.xml

c:\documents and settings\George\Application Data\PriceGong\Data\u.xml

c:\documents and settings\George\Application Data\PriceGong\Data\v.xml

c:\documents and settings\George\Application Data\PriceGong\Data\w.xml

c:\documents and settings\George\Application Data\PriceGong\Data\x.xml

c:\documents and settings\George\Application Data\PriceGong\Data\y.xml

c:\documents and settings\George\Application Data\PriceGong\Data\z.xml

c:\documents and settings\George\Recent\WEBBER.PED.lnk.ADD

c:\documents and settings\George\Recent\WEBBER.PED.lnk.ADR

c:\documents and settings\George\Recent\WEBBER.PED.lnk.CMT

c:\documents and settings\George\Recent\WEBBER.PED.lnk.EDU

c:\documents and settings\George\Recent\WEBBER.PED.lnk.EMP

c:\documents and settings\George\Recent\WEBBER.PED.lnk.GRP

c:\documents and settings\George\Recent\WEBBER.PED.lnk.LDS

c:\documents and settings\George\Recent\WEBBER.PED.lnk.MED

c:\documents and settings\George\Recent\WEBBER.PED.lnk.NTE

c:\documents and settings\George\Recent\WEBBER.PED.lnk.PBY

c:\documents and settings\George\Recent\WEBBER.PED.lnk.PED

c:\documents and settings\George\Recent\WEBBER.PED.lnk.PHO

c:\documents and settings\George\Recent\WEBBER.PED.lnk.RES

c:\documents and settings\George\Recent\WEBBER.PED.lnk.RXT

c:\documents and settings\George\Recent\WEBBER.PED.XML

c:\program files\Common Files\csshare\plugins0942\npqtplugin2.dll

c:\program files\Common Files\csshare\plugins0942\npqtplugin3.dll

c:\program files\Common Files\csshare\plugins0942\npqtplugin4.dll

c:\program files\Common Files\csshare\plugins0942\npqtplugin5.dll

c:\program files\Common Files\csshare\plugins0942\npqtplugin6.dll

c:\program files\Common Files\csshare\plugins0942\npqtplugin7.dll

c:\program files\Common Files\csshare\plugins0942\npqtplugin8.dll

c:\program files\Internet Explorer\Plugins\npqtplugin2.dll

c:\program files\Internet Explorer\Plugins\npqtplugin3.dll

c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll

c:\program files\Internet Explorer\Plugins\npqtplugin5.dll

c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll

c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll

c:\program files\Internet Explorer\PLUGINS\npqtplugin8.dll

c:\program files\Internet Explorer\Plugins\npqtplugin9.dll

c:\program files\QuickTime\Plugins\npqtplugin2.dll

c:\program files\QuickTime\Plugins\npqtplugin3.dll

c:\program files\QuickTime\Plugins\npqtplugin4.dll

c:\program files\QuickTime\Plugins\npqtplugin5.dll

c:\program files\QuickTime\Plugins\npqtplugin6.dll

c:\program files\QuickTime\Plugins\npqtplugin7.dll

c:\program files\QuickTime\Plugins\npqtplugin8.dll

c:\program files\QuickTime\Plugins\npqtplugin9.dll

c:\windows\system32\download

c:\windows\system32\download\ispinfo.csv

c:\windows\system32\system

c:\windows\system32\Thumbs.db

.

((((((((((((((((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))))))))))))))))))))))

.

2010-08-31 19:14 . 2010-08-31 19:14 0 ----a-w- c:\windows\nsreg.dat

2010-08-31 19:14 . 2010-08-31 19:14 -------- d-----w- c:\documents and settings\George\Local Settings\Application Data\Mozilla

2010-08-31 18:38 . 2010-08-31 18:38 -------- d-----w- c:\program files\Sophos

2010-08-31 17:33 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-31 17:33 . 2010-08-31 17:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-31 17:33 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-31 17:06 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-08-31 17:06 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-08-31 17:06 . 2008-04-13 18:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-08-31 17:06 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-08-31 17:05 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2010-08-31 17:05 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2010-08-30 12:30 . 2010-08-30 12:30 -------- d-----w- c:\documents and settings\George\Application Data\McAfee

2010-08-24 15:40 . 2010-08-25 01:06 -------- d-----w- c:\documents and settings\George\Local Settings\Application Data\CrossLoop

2010-08-24 15:04 . 2010-08-24 15:04 -------- d-----w- c:\documents and settings\George\Application Data\Malwarebytes

2010-08-24 15:03 . 2010-08-24 15:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-08-24 14:31 . 2010-08-26 14:16 -------- d-----w- c:\program files\CompuServe 7.0c

2010-08-18 22:11 . 2010-08-24 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2010-08-11 19:31 . 2010-08-11 19:31 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-02 19:06 . 2008-12-27 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-08-30 12:30 . 2010-08-30 12:31 300384 ----a-w- c:\documents and settings\George\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll

2010-08-30 12:30 . 2010-08-30 12:30 300384 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Supportability\Content\MVT\XMLFiles\detect.dll

2010-08-30 12:29 . 2009-01-31 21:14 -------- d-----w- c:\program files\McAfee

2010-08-30 12:29 . 2009-01-31 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-08-29 20:47 . 2004-11-16 01:30 -------- d-----w- c:\program files\Quicken

2010-08-24 15:24 . 2010-08-24 15:23 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-08-24 14:37 . 2004-11-16 00:34 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys

2010-08-24 14:37 . 2004-11-16 00:34 -------- d-----w- c:\program files\Common Files\Real

2010-08-24 14:32 . 2005-11-08 00:19 -------- d-----w- c:\program files\Common Files\csshare

2010-08-24 14:16 . 2010-02-24 01:29 -------- d-----w- c:\program files\CompuServe 7.0b

2010-08-18 22:17 . 2010-08-18 22:24 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll

2010-08-03 12:50 . 2010-08-03 12:42 -------- d-----w- c:\program files\MapNeto_1

2010-08-03 12:42 . 2010-08-03 12:42 -------- d-----w- c:\program files\Conduit

2010-08-02 12:42 . 2004-08-23 19:49 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-06-30 12:31 . 2004-08-23 19:32 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2004-08-23 19:33 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2004-08-23 19:33 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2004-08-23 19:33 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2004-08-23 19:32 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2004-08-23 19:48 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-23 19:32 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-04-27 21:16 . 2010-08-31 21:41 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

2010-03-31 13:58 . 2010-03-31 13:58 62976 --sha-r- c:\windows\system32\spoolss0.dll

2010-02-20 22:42 . 2008-12-15 15:18 29844000 --sha-w- c:\windows\system32\drivers\fidbox.dat

2010-02-20 22:42 . 2008-12-15 15:18 2456096 --sha-w- c:\windows\system32\drivers\fidbox2.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

"{1e7e4de1-5ef4-4baa-9250-c26258dc499a}"= "c:\program files\MapNeto_1\tbMapN.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_CLASSES_ROOT\clsid\{1e7e4de1-5ef4-4baa-9250-c26258dc499a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1e7e4de1-5ef4-4baa-9250-c26258dc499a}]

2010-06-13 23:10 2734688 ----a-w- c:\program files\MapNeto_1\tbMapN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2010-05-26 19:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

"{1e7e4de1-5ef4-4baa-9250-c26258dc499a}"= "c:\program files\MapNeto_1\tbMapN.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{1e7e4de1-5ef4-4baa-9250-c26258dc499a}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

"{1E7E4DE1-5EF4-4BAA-9250-C26258DC499A}"= "c:\program files\MapNeto_1\tbMapN.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{1e7e4de1-5ef4-4baa-9250-c26258dc499a}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2008-10-27 87328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [2004-01-07 36864]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-04 98304]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2010-08-24 26112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

CompuServe 7.0 Tray Icon.lnk - c:\program files\CompuServe 7.0c\cstray.exe [2010-8-24 32840]

Lotus QuickStart.lnk - c:\lotus\wordpro\ltsstart.exe [2001-8-14 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Quicken WillMaker Plus 2004\\qlp.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\CompuServe 7.0\\cs.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

"c:\\Documents and Settings\\George\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5910:TCP"= 5910:TCP:vnc5910

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/15/2010 8:03 AM 82952]

R2 CrossLoopService;CrossLoop Service;c:\documents and settings\George\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [8/24/2010 11:40 AM 560848]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/31/2009 5:20 PM 88176]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/15/2010 8:02 AM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/15/2010 8:02 AM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/15/2010 8:03 AM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/15/2010 8:03 AM 141792]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/15/2010 8:03 AM 55456]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/15/2010 8:03 AM 312616]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/15/2010 8:03 AM 88480]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\26.tmp --> c:\windows\system32\26.tmp [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/15/2010 8:03 AM 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/15/2010 8:03 AM 83496]

S3 uvnc_service;uvnc_service;c:\documents and settings\George\Local Settings\Application Data\CrossLoop\winvnc.exe [8/24/2010 11:40 AM 1587352]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2010-09-03 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-24 14:43]

2010-09-03 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 19:23]

2010-09-03 c:\windows\Tasks\User_Feed_Synchronization-{C8E9351C-3871-4F74-98E0-0068A7FBBEF6}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

.

.

------- Supplementary Scan -------

.

mSearch Bar =

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\George\Application Data\Mozilla\Firefox\Profiles\mjpkxhg3.default\

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll

FF - plugin: c:\program files\Verizon\VSP\nprpspa.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-03 09:47

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\26.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3988)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\rundll32.exe

c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\wanmpsvc.exe

c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

.

**************************************************************************

.

Completion time: 2010-09-03 09:55:57 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-03 13:55

Pre-Run: 61,310,341,120 bytes free

Post-Run: 61,419,077,632 bytes free

- - End Of File - - 234D6B98D5323914827D96F43169DCC8

----- DDS Log -----

DDS (Ver_10-03-17.01) - NTFSx86

Run by George at 10:06:58.89 on Fri 09/03/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.199 [GMT -4:00]

AV: Antivirus Suite *On-access scanning enabled* (Updated) {AE716D16-40FE-4cb9-8FD2-2975088F55B2}

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

svchost.exe

C:\Documents and Settings\George\Local Settings\Application Data\CrossLoop\CrossLoopService.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

C:\Program Files\CompuServe 7.0c\cstray.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\explorer.exe

G:\dds.com

============== Pseudo HJT Report ===============

mSearch Bar =

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uURLSearchHooks: MapNeto 1 Toolbar: {1e7e4de1-5ef4-4baa-9250-c26258dc499a} - c:\program files\mapneto_1\tbMapN.dll

BHO: MapNeto 1 Toolbar: {1e7e4de1-5ef4-4baa-9250-c26258dc499a} - c:\program files\mapneto_1\tbMapN.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100831174155.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Dictionary.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Dictionary.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: MapNeto 1 Toolbar: {1e7e4de1-5ef4-4baa-9250-c26258dc499a} - c:\program files\mapneto_1\tbMapN.dll

TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File

uRun: [QuickenScheduledUpdates] c:\program files\quicken\bagent.exe

mRun: [VTTimer] VTTimer.exe

mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe

mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"

mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compus~1.lnk - c:\program files\compuserve 7.0c\cstray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotusq~1.lnk - c:\lotus\wordpro\ltsstart.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - hxxp://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab

DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\george\applic~1\mozilla\firefox\profiles\mjpkxhg3.default\

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-31 385880]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-15 82952]

R2 CrossLoopService;CrossLoop Service;c:\documents and settings\george\local settings\application data\crossloop\CrossLoopService.exe [2010-8-24 560848]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-31 88176]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-15 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-15 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-15 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-15 170144]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-15 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-15 141792]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-15 55456]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-31 152320]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-15 312616]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-15 88480]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\26.tmp --> c:\windows\system32\26.tmp [?]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-31 51688]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-15 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-15 83496]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-31 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-31 40552]

S3 uvnc_service;uvnc_service;c:\documents and settings\george\local settings\application data\crossloop\winvnc.exe [2010-8-24 1587352]

=============== Created Last 30 ================

2010-09-03 13:17:31 98816 ----a-w- c:\windows\sed.exe

2010-09-03 13:17:31 77312 ----a-w- c:\windows\MBR.exe

2010-09-03 13:17:31 256512 ----a-w- c:\windows\PEV.exe

2010-09-03 13:17:31 161792 ----a-w- c:\windows\SWREG.exe

2010-08-31 23:39:05 0 ----a-w- c:\documents and settings\george\defogger_reenable

2010-08-31 18:38:09 0 d-----w- c:\program files\Sophos

2010-08-31 17:33:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-31 17:33:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-31 17:33:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-31 17:06:12 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-08-31 17:06:12 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-08-31 17:06:04 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-08-31 17:06:04 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-08-31 17:05:48 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2010-08-31 17:05:48 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2010-08-30 12:30:24 0 d-----w- c:\docume~1\george\applic~1\McAfee

2010-08-24 15:23:15 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-08-24 15:04:10 0 d-----w- c:\docume~1\george\applic~1\Malwarebytes

2010-08-24 15:03:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-08-24 14:31:58 0 d-----w- c:\program files\CompuServe 7.0c

2010-08-24 14:28:22 403 ---ha-w- C:\IPH.PH

2010-08-21 14:22:02 1409 ----a-w- c:\windows\QTFont.for

2010-08-21 14:22:01 54156 ---ha-w- c:\windows\QTFont.qfn

2010-08-18 22:11:35 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!

==================== Find3M ====================

2010-08-24 14:37:47 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-03-31 13:58:59 62976 --sha-r- c:\windows\system32\spoolss0.dll

2008-09-20 13:28:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

2010-02-20 22:42:20 29844000 --sha-w- c:\windows\system32\drivers\fidbox.dat

2010-02-20 22:42:21 2456096 --sha-w- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 10:07:22.71 ===============

Attach_2_.zip
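As an added triage example (this editor's code, not part of the original post and not DDS or ComboFix logic), the script below parses the three line shapes that recur in the logs above: the `R0/R1/R2/S3 name;display;path [date size]` service lines, the XP firewall `GloballyOpenPorts` entries, and the `AV:` Security Center header. It flags what a responder would check first: a service whose binary DDS could not stat (logged as `[?]`), a service image under a per-user profile, an image that is a `.tmp` file, any inbound port opened in the firewall, and every AV product registered with Security Center. The heuristics and the choice of sample lines are assumptions of this example; the sample lines themselves are copied from the log above.

```python
"""Triage of DDS / ComboFix style log lines (added example, not DDS code).

Parses three line shapes that appear in the logs above and flags what a
responder would check first.  The heuristics are this editor's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Service/driver lines, e.g.
#   R2 CrossLoopService;CrossLoop Service;c:\...\CrossLoopService.exe [2010-8-24 560848]
#   S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\26.tmp --> c:\windows\system32\26.tmp [?]
# DDS prints "[?]" in place of "[date size]" when it cannot find the binary.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)
# XP firewall GloballyOpenPorts entries, e.g.  "5910:TCP"= 5910:TCP:vnc5910
OPEN_PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"\s*=\s*(?P<rest>\S+)$')
# Security Center AV header, e.g.  AV: McAfee ... *On-access scanning disabled* (Updated) {GUID}
AV_RE = re.compile(r"^AV:\s+(?P<name>.+?)\s+\*On-access scanning (?P<state>enabled|disabled)\*")

# A per-user profile path (All Users / Default User are system-wide and excluded).
USER_PROFILE_RE = re.compile(r"\\documents and settings\\(?!all users\\|default user\\)[^\\]+\\", re.I)
TEMP_IMAGE_RE = re.compile(r'\.tmp"?$', re.I)


@dataclass
class ServiceEntry:
    state: str          # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    image: str          # image path exactly as logged (may carry quotes/args)
    file_missing: bool  # True when DDS logged "[?]"


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for a DDS service line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        state=m["state"],
        name=m["name"].strip(),
        display=m["display"].strip(),
        image=m["path"].strip(),
        file_missing=m["meta"].strip() == "?",
    )


def service_findings(entry: ServiceEntry) -> list[str]:
    """Reasons to look at a service entry; an empty list means nothing notable."""
    reasons: list[str] = []
    if entry.file_missing:
        reasons.append("binary not found on disk")
    if USER_PROFILE_RE.search(entry.image):
        reasons.append("service runs from a user profile directory")
    if TEMP_IMAGE_RE.search(entry.image):
        reasons.append("image is a .tmp file")
    return reasons


def triage(log_text: str) -> dict:
    """Walk the log once and collect flagged services, open ports and AV products."""
    report: dict = {"services": {}, "open_ports": [], "av_products": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_service_line(line)
        if entry is not None:
            reasons = service_findings(entry)
            if reasons:
                report["services"][entry.name] = reasons
            continue
        m = OPEN_PORT_RE.match(line)
        if m:
            # rest is "port:proto:label"; keep the label the firewall rule carries
            report["open_ports"].append((int(m["port"]), m["proto"], m["rest"].split(":")[-1]))
            continue
        m = AV_RE.match(line)
        if m:
            report["av_products"].append((m["name"], m["state"] == "enabled"))
    return report


# Sample lines copied from the logs above (a constructed subset, not a full log).
SAMPLE_LOG = r"""
AV: Antivirus Suite *On-access scanning enabled* (Updated) {AE716D16-40FE-4cb9-8FD2-2975088F55B2}
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
"5910:TCP"= 5910:TCP:vnc5910
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-15 82952]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\george\local settings\application data\crossloop\CrossLoopService.exe [2010-8-24 560848]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\26.tmp --> c:\windows\system32\26.tmp [?]
S3 uvnc_service;uvnc_service;c:\documents and settings\george\local settings\application data\crossloop\winvnc.exe [2010-8-24 1587352]
"""

if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section, items)
```

Flagged means verify, not remove: CrossLoop is a remote-support tool and the log dates its files to 2010-08-24, consistent with the firewall entry for its `vncviewer.exe`, while the `MEMSWEEP2` entry points at a `.tmp` that no longer exists. Two AV products registered with Security Center at the same time, one of them not the product the user installed, is the kind of entry the script surfaces so the analyst asks where it came from.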
