
I've apparently got a rootkit. It came in along with a bunch of junk associated w/ a Whitesmoke translator infection (or Whitesmoke came with it, who knows?). Google had been hijacked, and I was locked out of Registry editing and System Restore. McAfee (my original anti-virus on this machine) has also been inaccessible.

I have finally managed to get rid of the other junk, but this thing is still lingering, and keeps inserting a registry key on bootup.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Value: idstrf

Going step by step through the instructions at http://forums.malwarebytes.org/index.php?showtopic=9573, I had to skip the Update Malwarebytes' Anti-Malware procedure, because doing so consistently produced a Blue Screen of Death at about 38%.

Here is my DDS log:

DDS (Ver_10-12-05.01) - NTFSx86 NETWORK

Run by Glenn at 17:04:16.31 on Fri 12/10/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.3107 [GMT -6:00]

AV: Total Protection Service *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Total Protection Service *disabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\WINDOWS\System32\svchost.exe"

"C:\WINDOWS\System32\svchost.exe"

C:\Documents and Settings\Glenn\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us

uSearch Bar = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:43902

uInternet Settings,ProxyOverride = <local>

BHO: c:\windows\system32\h4wg3k9obl.dll: {b1b220c1-a503-59bd-f413-02b53a2c8954} - c:\windows\system32\h4wg3k9obl.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

uRun: [Active Desktop Calendar] c:\program files\xemicomputers\active desktop calendar\ADC.exe

uRun: [Magical Glass] "c:\program files\magical glass\Magical Glass.exe" /a

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [ARSA] "c:\program files\answersthatwork\a really small app\A_Really_Small_App.exe" -startup

uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 9.0\acrobat\AdobeCollabSync.exe"

uRun: [MKWPz0+OWS\TEMP\2049941414.exe] c:\windows\temp\2049941414.exe

mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [FinePrint Dispatcher v4] c:\windows\system32\spool\drivers\w32x86\2\fpdisp4.exe

mRun: [pdfFactory Dispatcher v1] c:\windows\system32\spool\drivers\w32x86\2\fppdis1.exe

mRun: [MKWPz0+OWS\TEMP\2049941414.exe] c:\windows\temp\2049941414.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRun: [MKWPwe] c:\windows\temp\setup.exe

dRun: [MKWPsf] c:\windows\temp\lsass.exe

dRun: [MKWPoc] c:\windows\temp\debug.exe

dRun: [MKWPeP] c:\windows\temp\avp32.exe

dRun: [MKWPsfa/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/6.0.408.1 Safari/534.0] c:\windows\temp\lsass.exe

dRun: [MKWPz0+OWS\TEMP\2049941414.exe] c:\windows\temp\2049941414.exe

dRunOnce: [PCmover CookieMerge] "c:\program files\laplink\pcmover\cookiemerge.exe" c:\windows\system32\config\systemprofile\local settings\application data\laplink\pcmover\Cookies

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe

StartupFolder: c:\docume~1\glenn\startm~1\programs\startup\digida~1.lnk - c:\program files\digiday\dd_clock.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\mssql\binn\sqlmangr.exe

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: //about.htm/

Trusted Zone: //Exclude.htm/

Trusted Zone: //FWEvent.htm/

Trusted Zone: //LanguageSelection.htm/

Trusted Zone: //Message.htm/

Trusted Zone: //MyAgttryCmd.htm/

Trusted Zone: //MyAgttryNag.htm/

Trusted Zone: //MyNotification.htm/

Trusted Zone: //NOCLessUpdate.htm/

Trusted Zone: //quarantine.htm/

Trusted Zone: //ScanNow.htm/

Trusted Zone: //strings.vbs/

Trusted Zone: //Template.htm/

Trusted Zone: //Update.htm/

Trusted Zone: //VirFound.htm/

Trusted Zone: mcafee.com\*

Trusted Zone: mcafeeasap.com\betavscan

Trusted Zone: mcafeeasap.com\vs

Trusted Zone: mcafeeasap.com\www

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab

DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187980883500

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256283227875

DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab

DPF: {BF776FD3-69B4-4151-AC97-3A2A64753E18} - hxxp://172.16.39.248/GVersionMan.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DA5CE92B-A2DF-4400-A7F4-481A127FA434} - hxxp://172.16.39.248/webviewer.cab

TCP: {16CBA065-8126-4EA5-BCA0-F59870508CCC} = 208.67.222.222,208.67.220.220

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll

Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll

Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll

Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt5.0.0.811.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

STS: c:\windows\system32\h4wg3k9obl.dll: {b1b220c1-a503-59bd-f413-02b53a2c8954} - c:\windows\system32\h4wg3k9obl.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.netvibes.com/privatepage/1

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\glenn\application data\mozilla\firefox\profiles\19qv4mqz.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll

FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll

FF - plugin: c:\documents and settings\glenn\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1698.5652\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: XULRunner: {53E35C31-092F-477D-B761-74BEE5A0103B} - c:\documents and settings\glenn\local settings\application data\{53E35C31-092F-477D-B761-74BEE5A0103B}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Extension: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

FF - Extension: FoxClocks: {d37dc5d0-431d-44e5-8c91-49419370caa1} - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\{d37dc5d0-431d-44e5-8c91-49419370caa1}

FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Extension: Wired-Marker: {e36db930-f18d-4449-b45f-e286cfb9e03a} - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\{e36db930-f18d-4449-b45f-e286cfb9e03a}

FF - Extension: FoxVox: foxvox@wordit.com - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\foxvox@wordit.com

FF - Extension: Add to Netvibes: addnetvibes@maurice.svay - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\addnetvibes@maurice.svay

FF - Extension: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Extension: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord

FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\glenn\application data\Move Networks

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 54948062;54948062 Boot Guard Driver;c:\windows\system32\drivers\54948062.sys [2010-12-8 37392]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-7-4 244368]

S1 54948061;54948061;c:\windows\system32\drivers\54948061.sys [2010-12-8 128016]

S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-9 11608]

S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-4 214664]

S1 setup_9.0.0.722_08.12.2010_14-20drv;setup_9.0.0.722_08.12.2010_14-20drv;c:\windows\system32\drivers\5494806.sys [2010-12-8 315408]

S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2009-2-24 81920]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-9 135336]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-9 267944]

S2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]

S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-9 61960]

S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800]

S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-1-22 808296]

S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-1-22 20840]

S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-4-9 447264]

S2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2009-7-4 14144]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-1 133104]

S2 Ias;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]

S2 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2009-7-4 144704]

S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2009-5-27 29262680]

S2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2010-4-12 282824]

S2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2008-6-6 435496]

S2 Tether;Tether;c:\program files\tetherberry\TBService.exe [2009-12-7 49080]

S2 TetherBerry;TetherBerry;c:\program files\tetherberry\TBService.exe [2009-12-7 49080]

S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-7-4 112512]

S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-4-19 42832]

S3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-7-4 32808]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-7-4 109568]

S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2009-7-15 4736]

S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2009-7-4 79816]

S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2009-7-4 35272]

S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2009-7-4 34248]

S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]

S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2009-7-15 8960]

S3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [2009-12-7 45608]

S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-7-4 232744]

S3 utc1njew;AVZ Kernel Driver;c:\windows\system32\drivers\utc1njew.sys [2010-12-9 7168]

S4 Active Task Manager;Active Task Manager;c:\program files\active task manager\Atmsrv95.exe [2005-11-21 187392]

=============== Created Last 30 ================

2010-12-09 16:39:16 -------- d-----w- c:\docume~1\glenn\applic~1\Avira

2010-12-09 16:38:05 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-12-09 16:38:04 -------- d-----w- c:\program files\Avira

2010-12-09 16:38:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-12-09 15:50:32 7168 ----a-w- c:\windows\system32\drivers\utc1njew.sys

2010-12-09 08:13:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-09 08:13:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-09 08:01:21 -------- d-----w- c:\docume~1\glenn\applic~1\Malwarebytes

2010-12-09 08:01:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-12-09 08:01:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-08 13:05:58 37392 ----a-w- c:\windows\system32\drivers\54948062.sys

2010-12-08 13:05:58 128016 ----a-w- c:\windows\system32\drivers\54948061.sys

2010-12-08 13:05:57 315408 ----a-w- c:\windows\system32\drivers\5494806.sys

2010-12-08 12:46:12 -------- d-----w- c:\windows\system32\%APPDATA%

2010-12-08 11:29:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt

2010-12-08 11:18:42 -------- d-----w- c:\docume~1\glenn\applic~1\Sunbelt

2010-12-08 11:05:33 212568 ----a-w- c:\windows\system32\drivers\sbtis.sys

2010-12-08 10:13:50 0 ----a-w- c:\windows\Epahoyadomipu.bin

2010-12-08 10:13:49 -------- d-----w- c:\docume~1\glenn\locals~1\applic~1\{53E35C31-092F-477D-B761-74BEE5A0103B}

2010-12-08 10:12:45 762368 ----a-w- c:\windows\system32\drivers\horqccpof.sys

2010-12-08 10:12:22 0 ----a-w- c:\windows\system32\lsp9A5.tmp

2010-12-08 10:12:22 0 ----a-w- c:\windows\system32\lsp9A4.tmp

2010-12-08 10:12:22 0 ----a-w- c:\windows\system32\lsp9A3.tmp

2010-12-08 10:11:59 45568 ---ha-w- c:\windows\helpabel.dll

2010-12-08 10:11:57 45568 ---ha-w- c:\windows\system32\helpabel.dll

2010-12-08 10:11:44 167424 --sha-r- c:\windows\system32\mfc70u4.dll

2010-12-08 10:11:36 251392 ----a-w- c:\windows\Mpaxea.exe

2010-12-08 10:11:19 -------- d-----w- c:\docume~1\glenn\applic~1\D6387FDFB49D34943B41F359E7ECBAA0

2010-11-16 06:09:55 -------- d-----w- c:\docume~1\glenn\locals~1\applic~1\Digsby

2010-11-16 06:09:55 -------- d-----w- c:\docume~1\glenn\applic~1\Digsby

2010-11-16 06:09:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\Digsby

2010-11-16 06:05:35 -------- d-----w- c:\program files\Digsby

==================== Find3M ====================

2010-11-27 17:18:30 256 ----a-w- c:\windows\system32\pool.bin

2010-10-31 04:48:38 952 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2003-03-21 18:45:22 250544 ----a-w- c:\program files\common files\keyhelp.ocx

============= FINISH: 17:07:55.03 ===============

Ark.txt and Attach.txt are here:

ark.zip

Thanks for any help you can provide on this!
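The "Pseudo HJT Report" section above is the part of a DDS log a responder reads first, and the indicators in it (executables launched from c:\windows\temp, a copy of lsass.exe outside the Windows directory, a randomly named BHO in system32, a browser proxy pointed at 127.0.0.1) can be picked out mechanically. The script below is an added triage example written for this thread; it is not part of the DDS tool or of anything posted here. The heuristics, thresholds and the `Finding` structure are the editor's own choices, and the sample lines are constructed by copying entries from the log above plus a few benign ones for contrast.

```python
"""Triage helper for the autorun section of a DDS log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the "Pseudo HJT Report" above,
# mixed with benign entries (ctfmon, avgnt, igfxpers) for contrast.
SAMPLE_LINES = [
    r'uInternet Settings,ProxyServer = http=127.0.0.1:43902',
    r'BHO: c:\windows\system32\h4wg3k9obl.dll: {b1b220c1-a503-59bd-f413-02b53a2c8954} - c:\windows\system32\h4wg3k9obl.dll',
    r'uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe',
    r'uRun: [MKWPz0+OWS\TEMP\2049941414.exe] c:\windows\temp\2049941414.exe',
    r'mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min',
    r'mRun: [Persistence] c:\windows\system32\igfxpers.exe',
    r'dRun: [MKWPsf] c:\windows\temp\lsass.exe',
    r'dRun: [MKWPeP] c:\windows\temp\avp32.exe',
    r'LSA: Authentication Packages = msv1_0 wvauth',
]

# DDS autorun prefixes: u = current user, m = machine, d = default user.
AUTORUN_RE = re.compile(r'^(?P<kind>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Browser helper objects / shell tasks: "BHO: <desc>: {clsid} - <path>"
BHO_RE = re.compile(r'^(?P<kind>BHO|STS): .*? - (?P<path>.*)$')
# First Windows path ending in an executable extension inside a command line.
PATH_RE = re.compile(r'(?:[a-z]:|%[^%]+%)\\[^"]*?\.(?:exe|dll|scr|com|bat)', re.IGNORECASE)
# Directories where the core Windows binaries legitimately live.
SYSTEM_DIR_RE = re.compile(r'^[a-z]:\\windows(\\system32)?$')
# Names of core Windows processes that malware likes to borrow.
SYSTEM_NAMES = {'lsass.exe', 'svchost.exe', 'csrss.exe', 'winlogon.exe',
                'services.exe', 'smss.exe', 'explorer.exe'}


@dataclass(frozen=True)
class Finding:
    reason: str
    line: str


def first_path(cmd: str) -> Optional[str]:
    """Extract the first executable path from an autorun command line."""
    m = PATH_RE.search(cmd)
    return m.group(0).lower() if m else None


def looks_random(stem: str) -> bool:
    """Heuristic for generated names: all digits (2049941414), or letters and
    digits interleaved at least three times (h4wg3k9obl switches six times,
    FlashUtil10b only twice)."""
    if stem.isdigit():
        return True
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return switches >= 3


def check_path(path: str, line: str) -> List[Finding]:
    """Apply the per-path heuristics to one lower-cased executable path."""
    findings = []
    dirname, base = path.rsplit('\\', 1)
    stem = base.rsplit('.', 1)[0]
    if '\\temp\\' in path:
        findings.append(Finding('executable launched from a temp folder', line))
    if base in SYSTEM_NAMES and not SYSTEM_DIR_RE.match(dirname):
        findings.append(Finding(f'{base} running outside the Windows directory', line))
    if looks_random(stem):
        findings.append(Finding('random-looking file name', line))
    return findings


def triage(lines) -> List[Finding]:
    """Run every heuristic over the given DDS report lines and collect hits."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if 'ProxyServer' in line and re.search(r'\b127\.0\.0\.1:\d+', line):
            findings.append(Finding('browser proxy points at localhost (traffic interception)', line))
            continue
        if line.startswith('LSA: Authentication Packages'):
            # msv1_0 is the built-in package; anything else needs a vendor check
            # (wvauth here belongs to the Wave Systems software in the log).
            extra = [p for p in line.split('=', 1)[1].split() if p.lower() != 'msv1_0']
            if extra:
                findings.append(Finding(f'extra LSA authentication package(s): {", ".join(extra)} (verify vendor)', line))
            continue
        m = AUTORUN_RE.match(line) or BHO_RE.match(line)
        if not m:
            continue
        groups = m.groupdict()
        path = first_path(groups.get('cmd') or groups.get('path') or '')
        if path:
            findings.extend(check_path(path, line))
        name = groups.get('name') or ''
        if '\\' in name or '/' in name:
            # Value names like "MKWPz0+OWS\TEMP\..." are garbage a human never typed.
            findings.append(Finding('autorun value name contains path or URL fragments', line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f'{f.reason}\n    {f.line}')
```

Run against the full report it reads the whole paste line by line, so the same function works on the second DDS log further down the thread; the output is a worklist for a human, not a verdict, which is why the LSA hit is labelled "verify vendor".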


Hello coolway! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step. If there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. The absence of symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on this.
  • Keep me informed about any changes.

Step 1

First of all, you should not have more than one anti-virus program installed, as they will conflict and cause problems. You have two, so you need to uninstall one of them. Of the two, I would recommend keeping Avira AntiVir, so please uninstall:

McAfee Firewall Protection Service

McAfee Virus and Spyware Protection Service

Step 2

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. WiNlOgOn.exe
  5. uSeRiNiT.exe
  6. iExplore.exe

Please post the log in your next reply.

Note: The log can be found at the root of your installed hard drive entitled rkill.log

Step 3

Go into C:\Program Files\Malwarebytes' Anti-Malware and you will see a file called mbam.exe. Right click on it, drop down to Rename, and change the name from mbam.exe to firefox.com. Please restart your computer.

Step 4

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

  1. RKill log
  2. Malwarebytes' Anti-Malware log
  3. a new fresh DDS log only


Thanks for looking at this, Borislav. Here's my results so far:

Step 1

Uninstalled McAfee Firewall Protection Service and McAfee Virus and Spyware Protection Service.

Rebooted.

Step 2

Ran rkill. Here's the log:

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Rkill was run on 12/11/2010 at 12:11:24.

Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

Rkill completed on 12/11/2010 at 12:12:07.

Step 3

Renamed mbam.exe to firefox.com, rebooted.

Step 4

Ran the newly renamed firefox.com file. A popup informed me it was 12 days out of date and asked if I wanted to update. About halfway through the update, I got a BSOD with the following details:

DRIVER_IRQL_NOT_LESS-OR-EQUAL

Technical Information

*** Stop: 0x000000D1 (0xF79ED000, 0x00000002, 0x00000000, 0xF743D747)

*** horqccpof.sys- Address F743d745 base at F74390D0, datestamp 4cff59b1

Rebooting into normal mode resulted in an unspecified BSOD, so I rebooted into safe mode (which I've been running for a couple of days now). Once back in safe mode, I ran MBAM (firefox.com) without updating and generated the following:

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5214

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

12/11/2010 12:50:58 PM

mbam-log-2010-12-11 (12-50-58).txt

Scan type: Quick scan

Objects scanned: 258939

Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here is the DDS log:

DDS (Ver_10-12-05.01) - NTFSx86 NETWORK

Run by Glenn at 12:51:56.23 on Sat 12/11/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2979 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\WINDOWS\System32\svchost.exe"

"C:\WINDOWS\System32\svchost.exe"

C:\PROGRA~1\MALWAR~1\FIREFOX.COM

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Glenn\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us

uSearch Bar = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:43902

uInternet Settings,ProxyOverride = <local>

BHO: c:\windows\system32\h4wg3k9obl.dll: {b1b220c1-a503-59bd-f413-02b53a2c8954} - c:\windows\system32\h4wg3k9obl.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

uRun: [Active Desktop Calendar] c:\program files\xemicomputers\active desktop calendar\ADC.exe

uRun: [Magical Glass] "c:\program files\magical glass\Magical Glass.exe" /a

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [ARSA] "c:\program files\answersthatwork\a really small app\A_Really_Small_App.exe" -startup

uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 9.0\acrobat\AdobeCollabSync.exe"

uRun: [MKWPz0+OWS\TEMP\2049941414.exe] c:\windows\temp\2049941414.exe

mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [FinePrint Dispatcher v4] c:\windows\system32\spool\drivers\w32x86\2\fpdisp4.exe

mRun: [pdfFactory Dispatcher v1] c:\windows\system32\spool\drivers\w32x86\2\fppdis1.exe

mRun: [MKWPz0+OWS\TEMP\2049941414.exe] c:\windows\temp\2049941414.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRunOnce: [RunMVSMyClean] "c:\windows\system32\cmd.exe" /c "c:\windows\myclean.bat c:\progra~1\mcafee\manage~1 c:\progra~1\McAfee"

dRun: [MKWPwe] c:\windows\temp\setup.exe

dRun: [MKWPsf] c:\windows\temp\lsass.exe

dRun: [MKWPoc] c:\windows\temp\debug.exe

dRun: [MKWPeP] c:\windows\temp\avp32.exe

dRun: [MKWPsfa/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/6.0.408.1 Safari/534.0] c:\windows\temp\lsass.exe

dRun: [MKWPz0+OWS\TEMP\2049941414.exe] c:\windows\temp\2049941414.exe

dRunOnce: [PCmover CookieMerge] "c:\program files\laplink\pcmover\cookiemerge.exe" c:\windows\system32\config\systemprofile\local settings\application data\laplink\pcmover\Cookies

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe

StartupFolder: c:\docume~1\glenn\startm~1\programs\startup\digida~1.lnk - c:\program files\digiday\dd_clock.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\mssql\binn\sqlmangr.exe

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: //about.htm/

Trusted Zone: //Exclude.htm/

Trusted Zone: //FWEvent.htm/

Trusted Zone: //LanguageSelection.htm/

Trusted Zone: //Message.htm/

Trusted Zone: //MyAgttryCmd.htm/

Trusted Zone: //MyAgttryNag.htm/

Trusted Zone: //MyNotification.htm/

Trusted Zone: //NOCLessUpdate.htm/

Trusted Zone: //quarantine.htm/

Trusted Zone: //ScanNow.htm/

Trusted Zone: //strings.vbs/

Trusted Zone: //Template.htm/

Trusted Zone: //Update.htm/

Trusted Zone: //VirFound.htm/

Trusted Zone: mcafee.com\*

Trusted Zone: mcafeeasap.com\betavscan

Trusted Zone: mcafeeasap.com\vs

Trusted Zone: mcafeeasap.com\www

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab

DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187980883500

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256283227875

DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab

DPF: {BF776FD3-69B4-4151-AC97-3A2A64753E18} - hxxp://172.16.39.248/GVersionMan.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DA5CE92B-A2DF-4400-A7F4-481A127FA434} - hxxp://172.16.39.248/webviewer.cab

TCP: {16CBA065-8126-4EA5-BCA0-F59870508CCC} = 208.67.222.222,208.67.220.220

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll

Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll

Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

STS: c:\windows\system32\h4wg3k9obl.dll: {b1b220c1-a503-59bd-f413-02b53a2c8954} - c:\windows\system32\h4wg3k9obl.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.netvibes.com/privatepage/1

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\glenn\application data\mozilla\firefox\profiles\19qv4mqz.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll

FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll

FF - plugin: c:\documents and settings\glenn\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1698.5652\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: XULRunner: {53E35C31-092F-477D-B761-74BEE5A0103B} - c:\documents and settings\glenn\local settings\application data\{53E35C31-092F-477D-B761-74BEE5A0103B}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Extension: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

FF - Extension: FoxClocks: {d37dc5d0-431d-44e5-8c91-49419370caa1} - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\{d37dc5d0-431d-44e5-8c91-49419370caa1}

FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Extension: Wired-Marker: {e36db930-f18d-4449-b45f-e286cfb9e03a} - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\{e36db930-f18d-4449-b45f-e286cfb9e03a}

FF - Extension: FoxVox: foxvox@wordit.com - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\foxvox@wordit.com

FF - Extension: Add to Netvibes: addnetvibes@maurice.svay - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\addnetvibes@maurice.svay

FF - Extension: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - c:\docume~1\glenn\applic~1\mozilla\firefox\profiles\19qv4mqz.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Extension: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord

FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\glenn\application data\Move Networks

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 54948062;54948062 Boot Guard Driver;c:\windows\system32\drivers\54948062.sys [2010-12-8 37392]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-7-4 244368]

S1 54948061;54948061;c:\windows\system32\drivers\54948061.sys [2010-12-8 128016]

S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-9 11608]

S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-4 214664]

S1 setup_9.0.0.722_08.12.2010_14-20drv;setup_9.0.0.722_08.12.2010_14-20drv;c:\windows\system32\drivers\5494806.sys [2010-12-8 315408]

S2 0201871292090667mcinstcleanup;McAfee Application Installer Cleanup (0201871292090667);c:\docume~1\glenn\locals~1\temp\020187~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\glenn\locals~1\temp\020187~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2009-2-24 81920]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-9 135336]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-9 267944]

S2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]

S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-9 61960]

S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800]

S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-1-22 808296]

S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-1-22 20840]

S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-4-9 447264]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-1 133104]

S2 Ias;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]

S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2009-5-27 29262680]

S2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2008-6-6 435496]

S2 Tether;Tether;c:\program files\tetherberry\TBService.exe [2009-12-7 49080]

S2 TetherBerry;TetherBerry;c:\program files\tetherberry\TBService.exe [2009-12-7 49080]

S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-7-4 112512]

S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-4-19 42832]

S3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-7-4 32808]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-7-4 109568]

S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2009-7-15 4736]

S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2009-7-4 79816]

S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2009-7-4 35272]

S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2009-7-4 34248]

S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]

S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2009-7-15 8960]

S3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [2009-12-7 45608]

S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-7-4 232744]

S3 utc1njew;AVZ Kernel Driver;c:\windows\system32\drivers\utc1njew.sys [2010-12-9 7168]

S4 Active Task Manager;Active Task Manager;c:\program files\active task manager\Atmsrv95.exe [2005-11-21 187392]

=============== Created Last 30 ================

2010-12-11 18:07:55 306 ----a-w- c:\windows\myClean.bat

2010-12-09 16:39:16 -------- d-----w- c:\docume~1\glenn\applic~1\Avira

2010-12-09 16:38:05 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-12-09 16:38:04 -------- d-----w- c:\program files\Avira

2010-12-09 16:38:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-12-09 15:50:32 7168 ----a-w- c:\windows\system32\drivers\utc1njew.sys

2010-12-09 08:13:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-09 08:13:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-09 08:01:21 -------- d-----w- c:\docume~1\glenn\applic~1\Malwarebytes

2010-12-09 08:01:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-12-09 08:01:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-08 13:05:58 37392 ----a-w- c:\windows\system32\drivers\54948062.sys

2010-12-08 13:05:58 128016 ----a-w- c:\windows\system32\drivers\54948061.sys

2010-12-08 13:05:57 315408 ----a-w- c:\windows\system32\drivers\5494806.sys

2010-12-08 12:46:12 -------- d-----w- c:\windows\system32\%APPDATA%

2010-12-08 11:29:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt

2010-12-08 11:18:42 -------- d-----w- c:\docume~1\glenn\applic~1\Sunbelt

2010-12-08 11:05:33 212568 ----a-w- c:\windows\system32\drivers\sbtis.sys

2010-12-08 10:13:50 0 ----a-w- c:\windows\Epahoyadomipu.bin

2010-12-08 10:13:49 -------- d-----w- c:\docume~1\glenn\locals~1\applic~1\{53E35C31-092F-477D-B761-74BEE5A0103B}

2010-12-08 10:12:45 762368 ----a-w- c:\windows\system32\drivers\horqccpof.sys

2010-12-08 10:12:22 0 ----a-w- c:\windows\system32\lsp9A5.tmp

2010-12-08 10:12:22 0 ----a-w- c:\windows\system32\lsp9A4.tmp

2010-12-08 10:12:22 0 ----a-w- c:\windows\system32\lsp9A3.tmp

2010-12-08 10:11:59 45568 ---ha-w- c:\windows\helpabel.dll

2010-12-08 10:11:57 45568 ---ha-w- c:\windows\system32\helpabel.dll

2010-12-08 10:11:44 167424 --sha-r- c:\windows\system32\mfc70u4.dll

2010-12-08 10:11:36 251392 ----a-w- c:\windows\Mpaxea.exe

2010-12-08 10:11:19 -------- d-----w- c:\docume~1\glenn\applic~1\D6387FDFB49D34943B41F359E7ECBAA0

2010-11-16 06:09:55 -------- d-----w- c:\docume~1\glenn\locals~1\applic~1\Digsby

2010-11-16 06:09:55 -------- d-----w- c:\docume~1\glenn\applic~1\Digsby

2010-11-16 06:09:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\Digsby

2010-11-16 06:05:35 -------- d-----w- c:\program files\Digsby

==================== Find3M ====================

2010-11-27 17:18:30 256 ----a-w- c:\windows\system32\pool.bin

2010-10-31 04:48:38 952 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2003-03-21 18:45:22 250544 ----a-w- c:\program files\common files\keyhelp.ocx

============= FINISH: 12:55:56.62 ===============


**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do not attempt any fixes on your own or run any scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

  2. During the download, rename Combofix to Combo-Fix as follows:
    (two screenshots, CF_download_FF.gif and CF_download_rename.gif, showing the Firefox download dialog and the rename step)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


I had to completely uninstall AntiVir to get it to turn off. The process didn't show in the task manager, and the services could not be turned off manually.

Here is the ComboFix log:

ComboFix 10-12-11.03 - Glenn 12/11/2010 17:10:04.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2963 [GMT -6:00]

Running from: c:\documents and settings\Glenn\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Glenn\Application Data\D6387FDFB49D34943B41F359E7ECBAA0

c:\documents and settings\Glenn\Application Data\D6387FDFB49D34943B41F359E7ECBAA0\enemies-names.txt

c:\documents and settings\Glenn\Application Data\D6387FDFB49D34943B41F359E7ECBAA0\local.ini

c:\documents and settings\Glenn\Local Settings\Application Data\{53E35C31-092F-477D-B761-74BEE5A0103B}

c:\documents and settings\Glenn\Local Settings\Application Data\{53E35C31-092F-477D-B761-74BEE5A0103B}\chrome.manifest

c:\documents and settings\Glenn\Local Settings\Application Data\{53E35C31-092F-477D-B761-74BEE5A0103B}\chrome\content\_cfg.js

c:\documents and settings\Glenn\Local Settings\Application Data\{53E35C31-092F-477D-B761-74BEE5A0103B}\chrome\content\overlay.xul

c:\documents and settings\Glenn\Local Settings\Application Data\{53E35C31-092F-477D-B761-74BEE5A0103B}\install.rdf

c:\windows\helpabel.dll

c:\windows\system32\helpabel.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_IAS

-------\Legacy_SSHNAS

-------\Service_Ias

((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))

.

2010-12-11 18:07 . 2009-08-19 10:08 306 ----a-w- c:\windows\myClean.bat

2010-12-10 22:58 . 2010-12-10 22:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-12-09 15:54 . 2010-12-09 15:54 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-12-09 15:50 . 2010-12-09 15:50 7168 ----a-w- c:\windows\system32\drivers\utc1njew.sys

2010-12-09 09:31 . 2010-12-09 09:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-12-09 08:13 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-09 08:13 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-09 08:01 . 2010-12-09 08:01 -------- d-----w- c:\documents and settings\Glenn\Application Data\Malwarebytes

2010-12-09 08:01 . 2010-12-09 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-12-09 08:01 . 2010-12-11 18:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-09 04:20 . 2010-12-09 04:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search

2010-12-09 04:19 . 2010-12-09 04:19 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-12-08 13:05 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\54948062.sys

2010-12-08 13:05 . 2009-09-25 22:59 128016 ----a-w- c:\windows\system32\drivers\54948061.sys

2010-12-08 13:05 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\5494806.sys

2010-12-08 12:46 . 2010-12-08 12:46 -------- d-----w- c:\windows\system32\%APPDATA%

2010-12-08 11:29 . 2010-12-08 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt

2010-12-08 11:18 . 2010-12-08 11:18 -------- d-----w- c:\documents and settings\Glenn\Application Data\Sunbelt

2010-12-08 11:05 . 2010-07-27 10:48 212568 ----a-w- c:\windows\system32\drivers\sbtis.sys

2010-12-08 10:31 . 2010-12-08 10:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2010-12-08 10:15 . 2010-12-08 10:15 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2010-12-08 10:13 . 2010-12-08 10:13 0 ----a-w- c:\windows\Epahoyadomipu.bin

2010-12-08 10:12 . 2010-12-08 10:12 0 ----a-w- c:\windows\system32\lsp9A5.tmp

2010-12-08 10:12 . 2010-12-08 10:12 0 ----a-w- c:\windows\system32\lsp9A4.tmp

2010-12-08 10:12 . 2010-12-08 10:12 0 ----a-w- c:\windows\system32\lsp9A3.tmp

2010-12-08 10:11 . 2010-12-08 10:11 167424 --sha-r- c:\windows\system32\mfc70u4.dll

2010-12-08 10:11 . 2010-12-08 10:11 251392 ----a-w- c:\windows\Mpaxea.exe

2010-11-16 06:09 . 2010-12-08 11:38 -------- d-----w- c:\documents and settings\Glenn\Local Settings\Application Data\Digsby

2010-11-16 06:09 . 2010-11-16 06:09 -------- d-----w- c:\documents and settings\Glenn\Application Data\Digsby

2010-11-16 06:09 . 2010-11-16 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Digsby

2010-11-16 06:05 . 2010-11-16 06:05 -------- d-----w- c:\program files\Digsby

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-11 23:17 . 2009-07-13 19:53 0 ----a-w- c:\documents and settings\Glenn\Local Settings\Application Data\WavXMapDrive.bat

2010-10-31 04:48 . 2009-07-15 05:50 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2010-09-18 17:23 . 2008-04-25 16:16 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-04-25 16:16 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-04-25 16:16 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2008-04-25 16:16 953856 ----a-w- c:\windows\system32\mfc40u.dll

2003-03-21 18:45 . 2010-08-30 00:26 250544 ----a-w- c:\program files\Common Files\keyhelp.ocx

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]

@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"

[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]

2009-04-22 15:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]

@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"

[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]

2009-04-22 15:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Active Desktop Calendar"="c:\program files\XemiComputers\Active Desktop Calendar\ADC.exe" [2008-08-13 3780608]

"Magical Glass"="c:\program files\Magical Glass\Magical Glass.exe" [2006-09-08 96256]

"ARSA"="c:\program files\AnswersThatWork\A Really Small App\A_Really_Small_App.exe" [2006-08-11 143872]

"Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 9.0\Acrobat\AdobeCollabSync.exe" [2009-02-27 542096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]

"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-07-04 2220032]

"FinePrint Dispatcher v4"="c:\windows\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe" [2002-05-30 352256]

"pdfFactory Dispatcher v1"="c:\windows\System32\spool\DRIVERS\W32X86\2\fppdis1.exe" [2002-04-24 352256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"PCmover CookieMerge"="c:\program files\Laplink\PCmover\CookieMerge.exe" [2009-03-26 42288]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

c:\documents and settings\Glenn\Start Menu\Programs\Startup\

DigiDay Clock.lnk - c:\program files\DigiDay\dd_clock.exe [2006-4-20 126976]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Service Manager.lnk - c:\mssql\Binn\sqlmangr.exe [2009-7-18 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Active Backup Expert\\ABE-PRO.EXE"=

"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=

"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\{2D250E57-9890-44a6-B08F-5C02C991EF24}\\setup\\hpznui01.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1583:TCP"= 1583:TCP:Pervasive DBEngine

"3351:TCP"= 3351:TCP:Pervasive DBEngine

R0 54948062;54948062 Boot Guard Driver;c:\windows\system32\drivers\54948062.sys [12/8/2010 7:05 AM 37392]

R1 54948061;54948061;c:\windows\system32\drivers\54948061.sys [12/8/2010 7:05 AM 128016]

R1 setup_9.0.0.722_08.12.2010_14-20drv;setup_9.0.0.722_08.12.2010_14-20drv;c:\windows\system32\drivers\5494806.sys [12/8/2010 7:05 AM 315408]

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 4:56 AM 133968]

R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 10:07 AM 320800]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 9:19 AM 808296]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 9:19 AM 20840]

R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [4/9/2009 1:02 PM 447264]

R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [5/27/2009 2:27 AM 29262680]

R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [6/6/2008 1:03 PM 435496]

R2 Tether;Tether;c:\program files\TetherBerry\TBService.exe [12/7/2009 10:16 AM 49080]

R2 TetherBerry;TetherBerry;c:\program files\TetherBerry\TBService.exe [12/7/2009 10:16 AM 49080]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [7/4/2009 7:39 PM 112512]

R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [7/4/2009 7:39 PM 32808]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [7/4/2009 7:39 PM 244368]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [7/4/2009 7:39 PM 109568]

R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [7/4/2009 5:22 PM 232744]

S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [2/24/2009 12:05 PM 81920]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/1/2009 10:30 PM 133104]

S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 4:28 AM 42832]

S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [7/15/2009 12:06 PM 4736]

S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]

S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [7/15/2009 12:06 PM 8960]

S3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [12/7/2009 10:16 AM 45608]

S3 utc1njew;AVZ Kernel Driver;c:\windows\system32\drivers\utc1njew.sys [12/9/2010 9:50 AM 7168]

S4 Active Task Manager;Active Task Manager;c:\program files\Active Task Manager\Atmsrv95.exe [11/21/2005 12:45 PM 187392]

--- Other Services/Drivers In Memory ---

*Deregistered* - horqccpof

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-12-09 c:\windows\Tasks\Class Bell (BEGIN).job

- c:\documents and settings\Glenn\My Documents\School\MoH High School\MOH I\Class Bell.pptx [2009-08-05 21:51]

2010-12-10 c:\windows\Tasks\Class Bell (END).job

- c:\documents and settings\Glenn\My Documents\School\MoH High School\MOH I\Class Bell.pptx [2009-08-05 21:51]

2010-12-11 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-02 04:29]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-02 04:30]

2010-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-02 04:30]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:43902

uInternet Settings,ProxyOverride = <local>

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

Trusted Zone: //about.htm/

Trusted Zone: //Exclude.htm/

Trusted Zone: //FWEvent.htm/

Trusted Zone: //LanguageSelection.htm/

Trusted Zone: //Message.htm/

Trusted Zone: //MyAgttryCmd.htm/

Trusted Zone: //MyAgttryNag.htm/

Trusted Zone: //MyNotification.htm/

Trusted Zone: //NOCLessUpdate.htm/

Trusted Zone: //quarantine.htm/

Trusted Zone: //ScanNow.htm/

Trusted Zone: //strings.vbs/

Trusted Zone: //Template.htm/

Trusted Zone: //Update.htm/

Trusted Zone: //VirFound.htm/

Trusted Zone: mcafee.com\*

Trusted Zone: mcafeeasap.com\betavscan

Trusted Zone: mcafeeasap.com\vs

Trusted Zone: mcafeeasap.com\www

TCP: {16CBA065-8126-4EA5-BCA0-F59870508CCC} = 208.67.222.222,208.67.220.220

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll

DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {BF776FD3-69B4-4151-AC97-3A2A64753E18} - hxxp://172.16.39.248/GVersionMan.cab

DPF: {DA5CE92B-A2DF-4400-A7F4-481A127FA434} - hxxp://172.16.39.248/webviewer.cab

FF - ProfilePath - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.netvibes.com/privatepage/1

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

FF - plugin: c:\documents and settings\Glenn\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - Extension: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

FF - Extension: FoxClocks: {d37dc5d0-431d-44e5-8c91-49419370caa1} - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\{d37dc5d0-431d-44e5-8c91-49419370caa1}

FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Extension: Wired-Marker: {e36db930-f18d-4449-b45f-e286cfb9e03a} - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\{e36db930-f18d-4449-b45f-e286cfb9e03a}

FF - Extension: FoxVox: foxvox@wordit.com - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\foxvox@wordit.com

FF - Extension: Add to Netvibes: addnetvibes@maurice.svay - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\addnetvibes@maurice.svay

FF - Extension: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Extension: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord

FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Glenn\Application Data\Move Networks

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

.

- - - - ORPHANS REMOVED - - - -

BHO-{B1B220C1-A503-59BD-F413-02B53A2C8954} - c:\windows\system32\h4wg3k9obl.dll

HKCU-Run-MKWPz0+OWS\TEMP\2049941414.exe - c:\windows\TEMP\2049941414.exe

HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe

HKLM-Run-MKWPz0+OWS\TEMP\2049941414.exe - c:\windows\TEMP\2049941414.exe

HKU-Default-Run-MKWPz0+OWS\TEMP\2049941414.exe - c:\windows\TEMP\2049941414.exe

SharedTaskScheduler-{B1B220C1-A503-59BD-F413-02B53A2C8954} - c:\windows\system32\h4wg3k9obl.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-11 17:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\horqccpof]

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5744)

c:\windows\system32\WININET.dll

c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\program files\XemiComputers\Active Desktop Calendar\MouseHook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\windows\system32\TFSWAPI.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\windows\system32\rundll32.exe

c:\drivers\audio\r213367\stacsv.exe

c:\windows\System32\SCardSvr.exe

c:\program files\IDT\WDM\sttray.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

c:\windows\system32\bgsvcgen.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\mssql\binn\sqlservr.exe

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\mssql\binn\sqlagent.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2010-12-11 17:22:20 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-11 23:22

Pre-Run: 188,158,246,912 bytes free

Post-Run: 188,050,415,616 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 9056F26BFBC33C267147F7091FDB97B6


File name:

Mpaxea.exe

Submission date:

2010-12-12 00:18:29 (UTC)


Result:

26/ 43 (60.5%)


Antivirus Version Last Update Result

AhnLab-V3 2010.12.12.00 2010.12.11 Trojan/Win32.FakeAV

AntiVir 7.10.14.255 2010.12.10 DR/Dldr.CodecPack.wrb

Antiy-AVL 2.0.3.7 2010.12.11 -

Avast 4.8.1351.0 2010.12.11 Win32:Trojan-gen

Avast5 5.0.677.0 2010.12.11 Win32:Trojan-gen

AVG 9.0.0.851 2010.12.11 Crypt.AENZ

BitDefender 7.2 2010.12.12 Trojan.Generic.KDV.84125

CAT-QuickHeal 11.00 2010.12.11 -

ClamAV 0.96.4.0 2010.12.11 -

Command 5.2.11.5 2010.12.11 -

Comodo 7029 2010.12.11 -

DrWeb 5.0.2.03300 2010.12.12 Trojan.Siggen2.10540

Emsisoft 5.1.0.1 2010.12.11 Trojan-Downloader.Win32.Renos!IK

eSafe 7.0.17.0 2010.12.09 -

eTrust-Vet 36.1.8034 2010.12.10 Win32/FakeCodec.F!generic

F-Prot 4.6.2.117 2010.12.11 -

F-Secure 9.0.16160.0 2010.12.11 Trojan.Generic.KDV.84125

Fortinet 4.2.254.0 2010.12.11 -

GData 21 2010.12.11 Trojan.Generic.KDV.84125

Ikarus T3.1.1.90.0 2010.12.11 Trojan-Downloader.Win32.Renos

Jiangmin 13.0.900 2010.12.11 -

K7AntiVirus 9.72.3219 2010.12.11 -

Kaspersky 7.0.0.125 2010.12.12 Trojan-Downloader.Win32.CodecPack.wrb

McAfee 5.400.0.1158 2010.12.12 -

McAfee-GW-Edition 2010.1C 2010.12.11 -

Microsoft 1.6402 2010.12.11 TrojanDownloader:Win32/Renos.NT

NOD32 5695 2010.12.11 Win32/TrojanDownloader.FakeAlert.AQI

Norman 6.06.12 2010.12.11 W32/Suspicious_Gen2.FAJCY

nProtect 2010-12-11.01 2010.12.11 Trojan-Downloader/W32.CodecPack.251392.D

Panda 10.0.2.7 2010.12.11 Suspicious file

PCTools 7.0.3.5 2010.12.11 Trojan.Gen

Prevx 3.0 2010.12.12 -

Rising 22.77.04.00 2010.12.11 -

Sophos 4.60.0 2010.12.11 Mal/FakeAV-GX

SUPERAntiSpyware 4.40.0.1006 2010.12.12 Trojan.Agent/Gen-FakePak

Symantec 20101.3.0.103 2010.12.12 Trojan.Gen.2

TheHacker 6.7.0.1.098 2010.12.11 Trojan/Downloader.CodecPack.wrb

TrendMicro 9.120.0.1004 2010.12.11 -

TrendMicro-HouseCall 9.120.0.1004 2010.12.12 -

VBA32 3.12.14.2 2010.12.10 Trojan.DownLoad2.18833

VIPRE 7610 2010.12.12 Trojan.Win32.Generic!SB.0

ViRobot 2010.12.11.4196 2010.12.11 -

VirusBuster 13.6.88.2 2010.12.11 Trojan.Codecpack.Gen.12

Additional information


MD5 : b068ccc8225f0e9091624ab2dc689fec

SHA1 : 0e5676f9b0f57d0312872ba495aea791c2aadcc3

SHA256: 817d78d511a2415cf2c843831fdcac58a6def7b36aee728d573be022261faff4

ssdeep: 6144:gZi3+onuR44BHOqKY6ikQMPUqNlXHNhU:gZiqCMHOqlxM8aZHo

File size : 251392 bytes

First seen: 2010-12-12 00:18:29

Last seen : 2010-12-12 00:18:29

TrID:

UPX compressed Win32 Executable (39.5%)

Win32 EXE Yoda's Crypter (34.3%)

Win32 Executable Generic (11.0%)

Win32 Dynamic Link Library (generic) (9.8%)

Generic Win/DOS Executable (2.5%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

packers (F-Prot): UPX

packers (Kaspersky): UPX

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x9A7C0

timedatestamp....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)

machinetype......: 0x14c (I386)

[[ 3 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

UPX0, 0x1000, 0x5F000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e

UPX1, 0x60000, 0x3B000, 0x3AA00, 7.94, 7c094ab7eccd23388b77c8f8e6e19a85

.rsrc, 0x9B000, 0x3000, 0x2800, 5.38, d5887c2c1544d04adad1339cf47e5362

[[ 3 import(s) ]]

KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess

user32.dll: PostMessageW

winspool.drv: FindClosePrinterChangeNotification

ExifTool:

file metadata

CodeSize: 241664

EntryPoint: 0x9a7c0

FileSize: 246 kB

FileType: Win32 EXE

ImageVersion: 0.0

InitializedDataSize: 12288

LinkerVersion: 2.25

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OSVersion: 4.0

PEType: PE32

Subsystem: Windows GUI

SubsystemVersion: 4.0

TimeStamp: 1992:06:20 00:22:17+02:00

UninitializedDataSize: 389120



Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=70016

Collect::[8]
c:\windows\Mpaxea.exe

Driver::
horqccpof

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:43902
uInternet Settings,ProxyOverride = <local>

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\horqccpof]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

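As an added example (not from this thread, ComboFix or Malwarebytes): the indicators the fix script above acts on, the loopback WinINet proxy and the horqccpof driver, can be pulled out of a ComboFix/DDS log mechanically rather than by eye. This Python triage pass flags loopback proxies, drivers rewritten after installation, hidden+system files and unexpanded %VAR% paths in system32, and autostart entries launching from TEMP; the sample lines are constructed in the shape of this thread's log entries, and the heuristics are my own assumptions, not ComboFix logic.

```python
import ipaddress
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind subject reason")

# Constructed sample: a handful of lines in the shape of the ComboFix/DDS
# entries quoted in this thread (not the thread's full log).
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:43902
uInternet Settings,ProxyOverride = <local>
FF - prefs.js: network.proxy.type - 0
2010-12-09 15:50 . 2010-12-09 15:50 7168 ----a-w- c:\windows\system32\drivers\utc1njew.sys
2010-12-08 10:12 . 2010-12-12 15:43 762368 ----a-w- c:\windows\system32\drivers\horqccpof.sys
2010-12-08 12:46 . 2010-12-08 12:46 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-08 10:11 . 2010-12-08 10:11 167424 --sha-r- c:\windows\system32\mfc70u4.dll
HKCU-Run-MKWPz0+OWS\TEMP\2049941414.exe - c:\windows\TEMP\2049941414.exe
BHO-{B1B220C1-A503-59BD-F413-02B53A2C8954} - c:\windows\system32\h4wg3k9obl.dll
S3 utc1njew;AVZ Kernel Driver;c:\windows\system32\drivers\utc1njew.sys [12/9/2010 9:50 AM 7168]
"""

# "created . modified size attributes path" rows from the Files Created / Find3M sections.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# DDS-style WinINet proxy line; the value is 'host:port' or 'scheme=host:port;scheme=...'.
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)")
# Autostart / orphan rows: '<kind>-<name> - <path>'.
AUTOSTART_RE = re.compile(
    r"^(?P<kind>BHO|HKCU-Run|HKLM-Run|HKU-Default-Run|SharedTaskScheduler)-(?P<name>.*) - (?P<path>.+)$"
)


def parse_proxy_value(value):
    """Split a WinINet ProxyServer value into (scheme, host, port) triples."""
    entries = []
    for part in value.split(";"):
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        entries.append((scheme or "all", host, port))
    return entries


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def triage(log_text):
    """Return the Findings for one ComboFix/DDS log, in log order (heuristics are assumptions)."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.search(line)
        if m:
            for scheme, host, port in parse_proxy_value(m.group("value")):
                if is_loopback(host):
                    findings.append(Finding(
                        "loopback_proxy", f"{scheme}={host}:{port}",
                        "browser traffic routed through a local listener; identify the process owning that port"))
            continue
        m = FILE_RE.match(line)
        if m:
            path, attrs = m.group("path"), m.group("attrs")
            low = path.lower()
            if "%" in path:
                findings.append(Finding("unexpanded_env_var", path,
                                        "literal %VAR% in a path: created by code that never expanded it"))
            if low.endswith(".sys") and "\\drivers\\" in low and m.group("modified") != m.group("created"):
                findings.append(Finding("driver_rewritten", path,
                                        f"driver changed {m.group('modified')} after creation {m.group('created')}"))
            if not attrs.startswith("d") and "s" in attrs and "h" in attrs and "\\system32\\" in low:
                findings.append(Finding("hidden_system_file", path,
                                        f"attributes {attrs}: hidden+system file in system32"))
            continue
        m = AUTOSTART_RE.match(line)
        if m and "\\temp\\" in m.group("path").lower():
            findings.append(Finding("autostart_from_temp", m.group("path"),
                                    f"{m.group('kind')} entry launches from a temp directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}\n    {f.reason}")
```

Run it against a full ComboFix.txt by passing the file's contents to triage(); findings are leads for a human reviewer, not a verdict.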

I ran Combofix in Safe mode. When it rebooted, it booted into normal mode. While Combofix was preparing the log file, I got the following Blue Screen:

DRIVER_IRQL_NOT_LESS_OR_EQUAL

Technical Information

*** Stop: 0x000000D1 (0x0006B7D4, 0x00000002, 0x00000001, 0xB9DB0871)

*** iastor.sys- Address B9DB0871 base at B9D6C000, datestamp 49937720

There is no Combofix log.

Should I attempt combofix again and make sure it boots into safe mode to get a log generated?


Thanks for hanging in there with me. Did as you said, and it ran fine (no BSOD!)

At the end, Combofix said it needed to upload some files to be analyzed, but couldn't connect to the server. Here's the Combofix log:

ComboFix 10-12-11.06 - Glenn 12/12/2010 12:11:58.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2977 [GMT -6:00]

Running from: c:\documents and settings\Glenn\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Glenn\Desktop\CFScript.txt

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\windows\Mpaxea.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_HORQCCPOF

-------\Service_horqccpof

((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))

.

2010-12-11 18:07 . 2009-08-19 10:08 306 ----a-w- c:\windows\myClean.bat

2010-12-10 22:58 . 2010-12-10 22:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-12-09 15:54 . 2010-12-09 15:54 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-12-09 15:50 . 2010-12-09 15:50 7168 ----a-w- c:\windows\system32\drivers\utc1njew.sys

2010-12-09 09:31 . 2010-12-09 09:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-12-09 08:13 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-09 08:13 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-09 08:01 . 2010-12-09 08:01 -------- d-----w- c:\documents and settings\Glenn\Application Data\Malwarebytes

2010-12-09 08:01 . 2010-12-09 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-12-09 08:01 . 2010-12-11 18:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-09 04:20 . 2010-12-09 04:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search

2010-12-09 04:19 . 2010-12-09 04:19 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-12-08 13:05 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\54948062.sys

2010-12-08 13:05 . 2009-09-25 22:59 128016 ----a-w- c:\windows\system32\drivers\54948061.sys

2010-12-08 13:05 . 2009-10-10 04:31 315408 ----a-w- c:\windows\system32\drivers\5494806.sys

2010-12-08 12:46 . 2010-12-08 12:46 -------- d-----w- c:\windows\system32\%APPDATA%

2010-12-08 11:29 . 2010-12-08 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt

2010-12-08 11:18 . 2010-12-08 11:18 -------- d-----w- c:\documents and settings\Glenn\Application Data\Sunbelt

2010-12-08 11:05 . 2010-07-27 10:48 212568 ----a-w- c:\windows\system32\drivers\sbtis.sys

2010-12-08 10:31 . 2010-12-08 10:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2010-12-08 10:15 . 2010-12-08 10:15 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2010-12-08 10:13 . 2010-12-08 10:13 0 ----a-w- c:\windows\Epahoyadomipu.bin

2010-12-08 10:12 . 2010-12-12 15:43 762368 ----a-w- c:\windows\system32\drivers\horqccpof.sys

2010-12-08 10:12 . 2010-12-08 10:12 0 ----a-w- c:\windows\system32\lsp9A5.tmp

2010-12-08 10:12 . 2010-12-08 10:12 0 ----a-w- c:\windows\system32\lsp9A4.tmp

2010-12-08 10:12 . 2010-12-08 10:12 0 ----a-w- c:\windows\system32\lsp9A3.tmp

2010-12-08 10:11 . 2010-12-08 10:11 167424 --sha-r- c:\windows\system32\mfc70u4.dll

2010-11-16 06:09 . 2010-12-08 11:38 -------- d-----w- c:\documents and settings\Glenn\Local Settings\Application Data\Digsby

2010-11-16 06:09 . 2010-11-16 06:09 -------- d-----w- c:\documents and settings\Glenn\Application Data\Digsby

2010-11-16 06:09 . 2010-11-16 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Digsby

2010-11-16 06:05 . 2010-11-16 06:05 -------- d-----w- c:\program files\Digsby

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-12 15:50 . 2009-07-13 19:53 0 ----a-w- c:\documents and settings\Glenn\Local Settings\Application Data\WavXMapDrive.bat

2010-10-31 04:48 . 2009-07-15 05:50 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2010-09-18 17:23 . 2008-04-25 16:16 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-04-25 16:16 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-04-25 16:16 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2008-04-25 16:16 953856 ----a-w- c:\windows\system32\mfc40u.dll

2003-03-21 18:45 . 2010-08-30 00:26 250544 ----a-w- c:\program files\Common Files\keyhelp.ocx

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]

@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"

[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]

2009-04-22 15:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]

@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"

[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]

2009-04-22 15:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Active Desktop Calendar"="c:\program files\XemiComputers\Active Desktop Calendar\ADC.exe" [2008-08-13 3780608]

"Magical Glass"="c:\program files\Magical Glass\Magical Glass.exe" [2006-09-08 96256]

"ARSA"="c:\program files\AnswersThatWork\A Really Small App\A_Really_Small_App.exe" [2006-08-11 143872]

"Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 9.0\Acrobat\AdobeCollabSync.exe" [2009-02-27 542096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]

"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-07-04 2220032]

"FinePrint Dispatcher v4"="c:\windows\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe" [2002-05-30 352256]

"pdfFactory Dispatcher v1"="c:\windows\System32\spool\DRIVERS\W32X86\2\fppdis1.exe" [2002-04-24 352256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"PCmover CookieMerge"="c:\program files\Laplink\PCmover\CookieMerge.exe" [2009-03-26 42288]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

c:\documents and settings\Glenn\Start Menu\Programs\Startup\

DigiDay Clock.lnk - c:\program files\DigiDay\dd_clock.exe [2006-4-20 126976]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Service Manager.lnk - c:\mssql\Binn\sqlmangr.exe [2009-7-18 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Active Backup Expert\\ABE-PRO.EXE"=

"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=

"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\{2D250E57-9890-44a6-B08F-5C02C991EF24}\\setup\\hpznui01.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1583:TCP"= 1583:TCP:Pervasive DBEngine

"3351:TCP"= 3351:TCP:Pervasive DBEngine

R0 54948062;54948062 Boot Guard Driver;c:\windows\system32\drivers\54948062.sys [12/8/2010 7:05 AM 37392]

R1 54948061;54948061;c:\windows\system32\drivers\54948061.sys [12/8/2010 7:05 AM 128016]

R1 setup_9.0.0.722_08.12.2010_14-20drv;setup_9.0.0.722_08.12.2010_14-20drv;c:\windows\system32\drivers\5494806.sys [12/8/2010 7:05 AM 315408]

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 4:56 AM 133968]

R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [12/29/2008 10:07 AM 320800]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 9:19 AM 808296]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 9:19 AM 20840]

R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [4/9/2009 1:02 PM 447264]

R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [5/27/2009 2:27 AM 29262680]

R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [6/6/2008 1:03 PM 435496]

R2 Tether;Tether;c:\program files\TetherBerry\TBService.exe [12/7/2009 10:16 AM 49080]

R2 TetherBerry;TetherBerry;c:\program files\TetherBerry\TBService.exe [12/7/2009 10:16 AM 49080]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [7/4/2009 7:39 PM 112512]

R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [7/4/2009 7:39 PM 32808]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [7/4/2009 7:39 PM 244368]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [7/4/2009 7:39 PM 109568]

R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [7/4/2009 5:22 PM 232744]

S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [2/24/2009 12:05 PM 81920]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/1/2009 10:30 PM 133104]

S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 4:28 AM 42832]

S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [7/15/2009 12:06 PM 4736]

S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]

S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [7/15/2009 12:06 PM 8960]

S3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [12/7/2009 10:16 AM 45608]

S3 utc1njew;AVZ Kernel Driver;c:\windows\system32\drivers\utc1njew.sys [12/9/2010 9:50 AM 7168]

S4 Active Task Manager;Active Task Manager;c:\program files\Active Task Manager\Atmsrv95.exe [11/21/2005 12:45 PM 187392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-12-09 c:\windows\Tasks\Class Bell (BEGIN).job

- c:\documents and settings\Glenn\My Documents\School\MoH High School\MOH I\Class Bell.pptx [2009-08-05 21:51]

2010-12-10 c:\windows\Tasks\Class Bell (END).job

- c:\documents and settings\Glenn\My Documents\School\MoH High School\MOH I\Class Bell.pptx [2009-08-05 21:51]

2010-12-12 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-02 04:29]

2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-02 04:30]

2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-02 04:30]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = iexplore

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

Trusted Zone: //about.htm/

Trusted Zone: //Exclude.htm/

Trusted Zone: //FWEvent.htm/

Trusted Zone: //LanguageSelection.htm/

Trusted Zone: //Message.htm/

Trusted Zone: //MyAgttryCmd.htm/

Trusted Zone: //MyAgttryNag.htm/

Trusted Zone: //MyNotification.htm/

Trusted Zone: //NOCLessUpdate.htm/

Trusted Zone: //quarantine.htm/

Trusted Zone: //ScanNow.htm/

Trusted Zone: //strings.vbs/

Trusted Zone: //Template.htm/

Trusted Zone: //Update.htm/

Trusted Zone: //VirFound.htm/

Trusted Zone: mcafee.com\*

Trusted Zone: mcafeeasap.com\betavscan

Trusted Zone: mcafeeasap.com\vs

Trusted Zone: mcafeeasap.com\www

TCP: {16CBA065-8126-4EA5-BCA0-F59870508CCC} = 208.67.222.222,208.67.220.220

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll

DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {BF776FD3-69B4-4151-AC97-3A2A64753E18} - hxxp://172.16.39.248/GVersionMan.cab

DPF: {DA5CE92B-A2DF-4400-A7F4-481A127FA434} - hxxp://172.16.39.248/webviewer.cab

FF - ProfilePath - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.netvibes.com/privatepage/1

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

FF - plugin: c:\documents and settings\Glenn\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

FF - Ext: FoxClocks: {d37dc5d0-431d-44e5-8c91-49419370caa1} - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\{d37dc5d0-431d-44e5-8c91-49419370caa1}

FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Wired-Marker: {e36db930-f18d-4449-b45f-e286cfb9e03a} - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\{e36db930-f18d-4449-b45f-e286cfb9e03a}

FF - Ext: FoxVox: foxvox@wordit.com - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\foxvox@wordit.com

FF - Ext: Add to Netvibes: addnetvibes@maurice.svay - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\addnetvibes@maurice.svay

FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\19qv4mqz.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Glenn\Application Data\Move Networks

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-12 12:20

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4836)

c:\windows\system32\WININET.dll

c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\program files\XemiComputers\Active Desktop Calendar\MouseHook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-12-12 12:23:06

ComboFix-quarantined-files.txt 2010-12-12 18:22

ComboFix2.txt 2010-12-11 23:22

Pre-Run: 188,097,208,320 bytes free

Post-Run: 188,061,073,408 bytes free

- - End Of File - - C7DA7E08902DB8A448FE11BD04402529


Step 1

  1. Please visit this website: Submit Malware Sample
  2. Against the inscription: "Link to topic where this file was requested:", insert links pointing to this topic in our forum.
  3. Against the inscription: "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. Against the inscription: "Leave any comments, further information about this file, or contact information:" should be written as follows:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


I've submitted the file you requested.

Good news... MBAM updated without a BSOD!

Here is the MBAM log;

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5302

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/12/2010 5:23:36 PM

mbam-log-2010-12-12 (17-23-36).txt

Scan type: Quick scan

Objects scanned: 253992

Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\JP595IR86O (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\OW1T3CYG7T (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

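The MBAM log above is plain text with a summary block (one count per section) followed by itemised blocks in the same order, which makes it easy to triage programmatically, for example when collecting logs from several machines. The script below is an added example, not code from this thread or from Malwarebytes: it parses that format into structured detections, cross-checks the summary counts against the itemised entries (a quick way to spot a log that was truncated when pasted), and lists anything MBAM could not remove immediately, the situation the "Extra Note" covers. The log format is inferred from the posted log only; `SAMPLE_LOG` is an abridged copy of it, `SAMPLE_PENDING` is a constructed fragment with a hypothetical path, the `"Delete on reboot"` action string is assumed, and the "random-looking key name under HKCU\SOFTWARE" check is a heuristic modelled on the two FakeAlert keys, not an MBAM rule.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs into structured detections.

Added example, not code from the forum thread or from Malwarebytes. The
format is inferred from the MBAM 1.50 log posted above; SAMPLE_LOG is an
abridged copy of that log, SAMPLE_PENDING a constructed fragment with a
hypothetical path showing the (assumed) "Delete on reboot" action.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50
Database version: 5302
Scan type: Quick scan
Objects scanned: 253992

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\JP595IR86O (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\OW1T3CYG7T (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# Constructed fragment (hypothetical path): a detection MBAM could not remove
# immediately, the case in which the helper says to restart when prompted.
SAMPLE_PENDING = r"""Files Infected: 1

Files Infected:
c:\documents and settings\user\local settings\temp\example.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Heuristic, not an MBAM rule: the two FakeAlert keys above are 10-character
# upper-case alphanumeric names directly under HKCU\SOFTWARE.
RANDOM_HKCU_KEY_RE = re.compile(r"^HKEY_CURRENT_USER\\SOFTWARE\\[A-Z0-9]{8,12}$")
CLEAN_ACTION = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return (summary counts per section, list of detection dicts)."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SUMMARY_RE.match(line)
        if m:                      # e.g. "Registry Keys Infected: 2"
            summary[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:                      # e.g. "Registry Keys Infected:" (itemised block)
            section = m["section"]
            continue
        m = DETECTION_RE.match(line) if section else None
        if m:                      # "<item> (<family>) -> <action>."
            detections.append({"section": section, "item": m["item"],
                               "family": m["family"], "action": m["action"]})
    return summary, detections


def count_mismatches(summary, detections):
    """Sections whose summary count differs from the itemised entries."""
    seen = Counter(d["section"] for d in detections)
    return {s: (n, seen.get(s, 0)) for s, n in summary.items() if seen.get(s, 0) != n}


def pending_reboot(detections):
    """Items MBAM did not finish removing; the machine must be restarted."""
    return [d["item"] for d in detections if d["action"] != CLEAN_ACTION]


def random_hkcu_keys(detections):
    """Registry keys matching the random-name heuristic (FakeAlert style)."""
    return [d["item"] for d in detections
            if d["section"] == "Registry Keys Infected" and RANDOM_HKCU_KEY_RE.match(d["item"])]


if __name__ == "__main__":
    for name, log in (("posted log", SAMPLE_LOG), ("constructed log", SAMPLE_PENDING)):
        summary, found = parse_mbam_log(log)
        print(name, "families:", dict(Counter(d["family"] for d in found)))
        print("  count mismatches:", count_mismatches(summary, found))
        print("  pending reboot:", pending_reboot(found))
        print("  random HKCU keys:", random_hkcu_keys(found))
```

On the posted log the parser returns exactly the two `Trojan.FakeAlert` registry keys, no count mismatch and nothing pending; on the constructed fragment it reports the file still waiting for a reboot, which is the signal that the cleanup is not finished until the machine has been restarted and rescanned.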

Nice job! :)

How are things running now?

Thanks for all your help! Everything seems to be running quite smoothly. No Google redirects, no Blue Screens, rebooting into normal mode just fine. As a matter of fact, the system seems to be running better than before the infection.

I still don't have an active malware app (If you recall, I had to uninstall AntiVir earlier in order to get Combofix to run) and I need to update my Windows installation. Should I go ahead and take care of those items now?


Glad I could help! :)

Yes, please install Avira AntiVir from here:

http://www.free-av.com/

Update your OS too.

Last steps:

Step 1

  1. Go to Start => Run... and copy & paste next command in the field:
    ComboFix /uninstall


  2. Then hit Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Reset System Restore again

P.S.: Make sure there's a space between ComboFix and /uninstall

Step 2

Please manually delete RKill, DDS and GMER.

Step 3

Keep your software up-to-date:

http://www.bleepingcomputer.com/tutorials/tutorial174.html

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)
