
Antivirus Action



Long story to this one.

Some stupid stuff happened to me on another website and I got banned for "drama surrounding you" which I think is a lame reason to ban someone but whatever. This is one of those places where you can't even look at the place as a guest while banned, so I tried to enlist a proxy to look for something about the ban (admin posts, for example). Suddenly the proxy opens like 50 popups and the command line :D

Anyway, it gave me Antivirus Action. McAfee can't find it and it's blocking everything (including task manager). It won't let me visit any web sites other than the Viagra stuff it opens for me.

What should I do? HELP


Hi and Welcome,

Please try to remove Antivirus Action using these removal instructions:

http://www.bleepingcomputer.com/virus-remo...ntivirus-action

If still no joy, please follow the directions to create requested logs here:

http://forums.malwarebytes.org/index.php?showtopic=9573

Then copy/paste the logs into your topic (do not attach them)!

Thanks!


Once again, it'll be delayed until tomorrow. A massive wind storm ripped through the Matanuska-Susitna valley (still sort of going, in fact) and power was out from this morning until about 20-30 minutes ago. It's now almost 9PM >_<

Sorry for double post. If you could tell me how to edit my posts, I'd appreciate your help.


Yes, let me see all the logs you have - please copy/paste them (do not attach them) right into this topic.

I'm giving you some directions to follow - in the event you cannot access the websites to download the tools I direct you to use, please try to access a clean PC to download all the utilities (renaming the executables as you go) and then copy them over to the infected PC by using a CDROM or USB flash drive.

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Some background information on what we're planning to do next can be found HERE

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please run ExeHelper again, and then run the RKill program that you downloaded as part of the Bleeping Computer Antivirus Action removal steps.

Note:

If you used the iexplore.exe version of RKill the first time, download the WiNlOgOn.exe version this time because we're going to name Combofix to iexplore.exe (in the coming steps).

Please Run ComboFix by following the steps provided in exactly this sequence:

Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove on-board components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

Using ComboFix ->

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to iexplore.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers and programs.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • If you are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety !!

1. To Launch Combofix

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\iexplore.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post C:\ComboFix.txt in your next reply.

Do the following ONLY if you have trouble running Combofix in normal mode; run it in Safe Mode with Networking instead:

How to get into Safe Mode:

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, the Advanced Options Menu should appear;

Select the first option, to run Windows in Safe Mode with Networking, then press Enter.

Choose your usual account.

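The steps above work around a rogue that hijacks how executables are launched and blocks Task Manager; the exeHelper log later in this thread lists exactly what it resets (.exe and .com file associations, the Winlogon userinit and shell values, and policies). As an added example, not code from this thread or from exeHelper, ComboFix or any other tool named here, the PowerShell script below reads those same registry values and reports any that deviate from a default install. The expected-value patterns, the assumption that HKCU\Software\Classes\.exe is absent on a clean system, and the localhost-proxy check are assumptions of this example; run it from an administrator console and treat a hit as a lead to investigate, not as proof of infection.

```powershell
# Added example (not part of the thread or of any tool it names).
# Audits the registry values that rogue "antivirus" programs of this kind
# commonly tamper with and that exeHelper's log says it resets.
# Expected patterns are assumptions for a stock Windows XP install.

$Checks = @(
    @{ Name     = 'Winlogon Userinit'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value    = 'Userinit'
       Expected = '^[a-z]:\\windows\\system32\\userinit\.exe,?$' },
    @{ Name     = 'Winlogon Shell'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value    = 'Shell'
       Expected = '^explorer\.exe$' },
    @{ Name     = '.exe file association'
       Path     = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
       Value    = '(default)'
       Expected = '^"%1" %\*$' },
    @{ Name     = '.com file association'
       Path     = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'
       Value    = '(default)'
       Expected = '^"%1" %\*$' }
)

function Get-RegistryString {
    # Returns the named value as a string, or '<missing>' if the key or value is absent.
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -ErrorAction Stop
        $v = $item.$Name
        if ($null -eq $v) { return '<missing>' }
        return [string]$v
    } catch {
        return '<missing>'
    }
}

function New-Finding {
    param([string]$Check, [string]$Actual)
    # New-Object keeps this runnable on PowerShell 2.0 (the version available for XP).
    New-Object PSObject -Property @{ Check = $Check; Actual = $Actual }
}

function Test-RogueTampering {
    $findings = @()

    # 1. Logon values and the machine-wide .exe/.com handlers (-match is case-insensitive).
    foreach ($c in $Checks) {
        $actual = Get-RegistryString -Path $c.Path -Name $c.Value
        if ($actual -notmatch $c.Expected) {
            $findings += New-Finding -Check $c.Name -Actual $actual
        }
    }

    # 2. A per-user .exe handler overrides the machine-wide one. It is absent on a
    #    default install (assumption), so its mere presence deserves a look.
    if (Test-Path 'HKCU:\Software\Classes\.exe') {
        $findings += New-Finding -Check 'HKCU .exe override' -Actual 'present'
    }

    # 3. DisableTaskMgr = 1 in either hive is what blocks Task Manager.
    foreach ($hive in 'HKCU', 'HKLM') {
        $pol = $hive + ':\Software\Microsoft\Windows\CurrentVersion\Policies\System'
        $dtm = Get-RegistryString -Path $pol -Name 'DisableTaskMgr'
        if ($dtm -eq '1') {
            $findings += New-Finding -Check "$hive DisableTaskMgr" -Actual $dtm
        }
    }

    # 4. Browser redirection is often done with a proxy pointed at the local machine
    #    (general check; the thread does not confirm this mechanism for this rogue).
    $inet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $proxyOn = Get-RegistryString -Path $inet -Name 'ProxyEnable'
    $proxy   = Get-RegistryString -Path $inet -Name 'ProxyServer'
    if ($proxyOn -eq '1' -and $proxy -match '(127\.0\.0\.1|localhost)') {
        $findings += New-Finding -Check 'Localhost proxy' -Actual $proxy
    }

    return ,$findings   # the leading comma keeps an empty array from unrolling to $null
}

$result = Test-RogueTampering
if ($result.Count -eq 0) {
    Write-Output 'No deviations from the expected values.'
} else {
    $result | Select-Object Check, Actual | Format-Table -AutoSize
}
```

Because a rogue that blocks executables by name may also block powershell.exe, the same trick the helper uses for ComboFix applies: copy the script in from a clean machine and, if needed, run it from Safe Mode. The checks only read the registry; restoring the values is deliberately left to the cleanup tools the thread recommends, since a partial manual fix can leave the rogue's other hooks in place.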


Thanks for your help, virus is FIXED. Here are all the logs anyway.

As for the 2002 date on some of these, a power outage hit sometime after the virus and I never bothered to change the date until today.

First EXEhelper log:

exeHelper by Raktor

Build 20100414

Run at 19:29:01 on 08/31/02

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

TDSSKiller log:

2002/08/31 19:33:38.0250 TDSS rootkit removing tool 2.4.15.0 Jan 22 2011 19:37:53

2002/08/31 19:33:38.0250 ================================================================================

2002/08/31 19:33:38.0250 SystemInfo:

2002/08/31 19:33:38.0250

2002/08/31 19:33:38.0250 OS Version: 5.1.2600 ServicePack: 2.0

2002/08/31 19:33:38.0250 Product type: Workstation

2002/08/31 19:33:38.0250 ComputerName: KING-KONG

2002/08/31 19:33:38.0250 UserName: Rayann

2002/08/31 19:33:38.0250 Windows directory: C:\WINDOWS

2002/08/31 19:33:38.0250 System windows directory: C:\WINDOWS

2002/08/31 19:33:38.0250 Processor architecture: Intel x86

2002/08/31 19:33:38.0250 Number of processors: 1

2002/08/31 19:33:38.0250 Page size: 0x1000

2002/08/31 19:33:38.0250 Boot type: Normal boot

2002/08/31 19:33:38.0250 ================================================================================

2002/08/31 19:33:38.0671 Initialize success

2002/08/31 19:33:42.0468 ================================================================================

2002/08/31 19:33:42.0468 Scan started

2002/08/31 19:33:42.0468 Mode: Manual;

2002/08/31 19:33:42.0468 ================================================================================

2002/08/31 19:33:44.0843 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS

2002/08/31 19:33:45.0234 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys

2002/08/31 19:33:45.0718 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2002/08/31 19:33:46.0093 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2002/08/31 19:33:46.0468 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys

2002/08/31 19:33:47.0093 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys

2002/08/31 19:33:47.0968 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2002/08/31 19:33:48.0156 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys

2002/08/31 19:33:48.0562 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys

2002/08/31 19:33:48.0953 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys

2002/08/31 19:33:49.0281 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys

2002/08/31 19:33:49.0656 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys

2002/08/31 19:33:50.0031 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys

2002/08/31 19:33:50.0500 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys

2002/08/31 19:33:50.0921 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\System32\DRIVERS\alim1541.sys

2002/08/31 19:33:51.0703 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\System32\DRIVERS\amdagp.sys

2002/08/31 19:33:52.0171 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys

2002/08/31 19:33:52.0609 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys

2002/08/31 19:33:53.0812 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys

2002/08/31 19:33:54.0265 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys

2002/08/31 19:33:54.0843 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2002/08/31 19:33:55.0109 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

2002/08/31 19:33:56.0109 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2002/08/31 19:33:56.0578 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2002/08/31 19:33:57.0343 basic2 (9372cc48814a17e67c28945eb4acc189) C:\WINDOWS\system32\DRIVERS\basic2.sys

2002/08/31 19:33:57.0593 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2002/08/31 19:33:58.0312 bvrp_pci (c043ca48f1f5c00ff8272180fbbd15e9) C:\WINDOWS\system32\drivers\bvrp_pci.sys

2002/08/31 19:33:58.0546 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys

2002/08/31 19:33:58.0781 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2002/08/31 19:33:59.0203 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys

2002/08/31 19:33:59.0437 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2002/08/31 19:33:59.0625 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

2002/08/31 19:33:59.0781 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2002/08/31 19:34:00.0515 cfwids (7e6f7da1c4de5680820f964562548949) C:\WINDOWS\system32\drivers\cfwids.sys

2002/08/31 19:34:01.0281 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys

2002/08/31 19:34:01.0687 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys

2002/08/31 19:34:02.0000 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys

2002/08/31 19:34:02.0453 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys

2002/08/31 19:34:02.0718 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

2002/08/31 19:34:03.0250 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

2002/08/31 19:34:03.0703 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

2002/08/31 19:34:03.0843 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2002/08/31 19:34:04.0359 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

2002/08/31 19:34:04.0765 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys

2002/08/31 19:34:04.0984 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

2002/08/31 19:34:05.0578 E1000 (7dbe45f359b20ae06cdb6a09900e0b18) C:\WINDOWS\system32\DRIVERS\e1000nt5.sys

2002/08/31 19:34:06.0031 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys

2002/08/31 19:34:06.0796 Fallback (9ea76a7f28cd968f8adc709e479f23b2) C:\WINDOWS\system32\DRIVERS\fallback.sys

2002/08/31 19:34:07.0015 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

2002/08/31 19:34:07.0250 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys

2002/08/31 19:34:07.0500 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

2002/08/31 19:34:07.0921 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2002/08/31 19:34:08.0468 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys

2002/08/31 19:34:09.0093 Fsks (b7b262d0431374f3afd1349e35b368d9) C:\WINDOWS\system32\DRIVERS\fsksnt.sys

2002/08/31 19:34:09.0328 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2002/08/31 19:34:09.0859 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2002/08/31 19:34:10.0437 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

2002/08/31 19:34:10.0921 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2002/08/31 19:34:13.0625 GTNDIS5 (fc80052194d5708254a346568f0e77c0) C:\WINDOWS\system32\GTNDIS5.SYS

2002/08/31 19:34:13.0984 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys

2002/08/31 19:34:14.0078 hpt3xx (b077b7f8e79779ea967e84a4fc040227) C:\WINDOWS\System32\DRIVERS\hpt3xx.sys

2002/08/31 19:34:14.0859 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2002/08/31 19:34:15.0390 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2002/08/31 19:34:16.0078 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2002/08/31 19:34:16.0656 hsf_msft (74e379857d4c0dfb56de2d19b8f4c434) C:\WINDOWS\system32\DRIVERS\HSF_MSFT.sys

2002/08/31 19:34:17.0250 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys

2002/08/31 19:34:17.0765 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys

2002/08/31 19:34:18.0078 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\System32\DRIVERS\i2omp.sys

2002/08/31 19:34:18.0328 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2002/08/31 19:34:18.0718 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

2002/08/31 19:34:19.0000 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\drivers\Imapi.sys

2002/08/31 19:34:19.0500 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys

2002/08/31 19:34:19.0750 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\System32\DRIVERS\intelide.sys

2002/08/31 19:34:20.0281 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2002/08/31 19:34:20.0984 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys

2002/08/31 19:34:21.0296 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2002/08/31 19:34:21.0609 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2002/08/31 19:34:22.0109 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2002/08/31 19:34:22.0515 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2002/08/31 19:34:22.0671 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

2002/08/31 19:34:23.0203 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2002/08/31 19:34:24.0171 K56 (a4e3277398c8aba999483d4c658c9696) C:\WINDOWS\system32\DRIVERS\k56nt.sys

2002/08/31 19:34:24.0671 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2002/08/31 19:34:24.0984 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys

2002/08/31 19:34:25.0875 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys

2002/08/31 19:34:27.0968 mfeapfk (84d59a3eddfb9438fb94f7f80d37859d) C:\WINDOWS\system32\drivers\mfeapfk.sys

2002/08/31 19:34:28.0812 mfeavfk (67e961988312b1a28d6f93357b0bf998) C:\WINDOWS\system32\drivers\mfeavfk.sys

2002/08/31 19:34:29.0500 mfebopk (19161b1796cf74a6a326abde309062ba) C:\WINDOWS\system32\drivers\mfebopk.sys

2002/08/31 19:34:30.0218 mfefirek (d5f89b4934960c70882924d992c6abfc) C:\WINDOWS\system32\drivers\mfefirek.sys

2002/08/31 19:34:30.0609 mfehidk (0efab2b91b27543fe589de700de07136) C:\WINDOWS\system32\drivers\mfehidk.sys

2002/08/31 19:34:31.0062 mfendisk (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys

2002/08/31 19:34:31.0125 mfendiskmp (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys

2002/08/31 19:34:31.0968 mferkdet (c9eda1eada2ab6e34cd1a10c3a24ab25) C:\WINDOWS\system32\drivers\mferkdet.sys

2002/08/31 19:34:32.0671 mfetdi2k (e6c5f7aade5a31c057d73201acfe8adf) C:\WINDOWS\system32\drivers\mfetdi2k.sys

2002/08/31 19:34:33.0109 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2002/08/31 19:34:33.0750 MOBKFilter (e896775837a8bce436348df460522394) C:\WINDOWS\system32\DRIVERS\MOBK.sys

2002/08/31 19:34:33.0921 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

2002/08/31 19:34:34.0000 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2002/08/31 19:34:34.0046 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

2002/08/31 19:34:34.0187 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys

2002/08/31 19:34:34.0375 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2002/08/31 19:34:34.0546 MRxSmb (6f2d483b97b395544e59749c47963c6a) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2002/08/31 19:34:34.0828 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

2002/08/31 19:34:35.0328 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2002/08/31 19:34:35.0812 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2002/08/31 19:34:36.0187 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

2002/08/31 19:34:36.0828 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2002/08/31 19:34:37.0000 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

2002/08/31 19:34:37.0281 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

2002/08/31 19:34:37.0484 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2002/08/31 19:34:37.0687 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2002/08/31 19:34:37.0875 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2002/08/31 19:34:38.0093 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

2002/08/31 19:34:39.0765 NetAlrt (73c0f29643f54ebe777521c88535114a) C:\WINDOWS\System32\drivers\NetAlrt.sys

2002/08/31 19:34:40.0687 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

2002/08/31 19:34:41.0171 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

2002/08/31 19:34:42.0781 NMSCFG (fad815a20fd2f828673b5b3b281a8cc3) C:\WINDOWS\System32\drivers\NMSCFG.SYS

2002/08/31 19:34:44.0031 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

2002/08/31 19:34:44.0578 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys

2002/08/31 19:34:45.0000 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2002/08/31 19:34:45.0625 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2002/08/31 19:34:46.0140 nv4 (4d31783965b0b7ced7db3f4ee14cf260) C:\WINDOWS\system32\DRIVERS\nv4.sys

2002/08/31 19:34:46.0468 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2002/08/31 19:34:46.0625 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2002/08/31 19:34:46.0859 NwlnkIpx (79ea3fcda7067977625b3363a2657c80) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys

2002/08/31 19:34:47.0234 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys

2002/08/31 19:34:47.0500 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys

2002/08/31 19:34:47.0703 P3 (3e16eff2a6fed2d8d7f5a66dfe65d183) C:\WINDOWS\system32\DRIVERS\p3.sys

2002/08/31 19:34:48.0234 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys

2002/08/31 19:34:48.0468 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

2002/08/31 19:34:48.0703 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2002/08/31 19:34:49.0234 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

2002/08/31 19:34:50.0109 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2002/08/31 19:34:50.0546 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

2002/08/31 19:34:52.0250 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys

2002/08/31 19:34:52.0671 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys

2002/08/31 19:34:53.0843 PlatAlrt (7e885eb50520747204947eff818b0a29) C:\WINDOWS\System32\drivers\PlatAlrt.sys

2002/08/31 19:34:54.0046 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2002/08/31 19:34:54.0250 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys

2002/08/31 19:34:54.0453 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

2002/08/31 19:34:54.0671 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2002/08/31 19:34:54.0984 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys

2002/08/31 19:34:55.0406 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys

2002/08/31 19:34:55.0812 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys

2002/08/31 19:34:56.0031 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys

2002/08/31 19:34:56.0484 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys

2002/08/31 19:34:56.0718 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2002/08/31 19:34:56.0953 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2002/08/31 19:34:57.0500 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2002/08/31 19:34:57.0703 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2002/08/31 19:34:58.0000 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2002/08/31 19:34:58.0218 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2002/08/31 19:34:58.0781 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2002/08/31 19:34:59.0125 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

2002/08/31 19:34:59.0453 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

2002/08/31 19:35:00.0218 Rksample (4c35e57300a2dc5932a8e29efa527c32) C:\WINDOWS\system32\DRIVERS\rksample.sys

2002/08/31 19:35:00.0578 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys

2002/08/31 19:35:00.0984 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2002/08/31 19:35:01.0171 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

2002/08/31 19:35:01.0406 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

2002/08/31 19:35:01.0781 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

2002/08/31 19:35:02.0562 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\System32\DRIVERS\sisagp.sys

2002/08/31 19:35:03.0218 smwdm (b911c822922cf62df83ad36d5c9775cc) C:\WINDOWS\system32\drivers\smwdm.sys

2002/08/31 19:35:04.0062 SoftFax (413cfa795cad19a010889df0ec060408) C:\WINDOWS\system32\DRIVERS\faxnt.sys

2002/08/31 19:35:04.0453 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys

2002/08/31 19:35:04.0593 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys

2002/08/31 19:35:05.0125 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

2002/08/31 19:35:05.0468 Srv (ab9c79ed12d65e800aaad3d72a04792f) C:\WINDOWS\system32\DRIVERS\srv.sys

2002/08/31 19:35:06.0015 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

2002/08/31 19:35:06.0500 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2002/08/31 19:35:06.0921 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys

2002/08/31 19:35:07.0312 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys

2002/08/31 19:35:07.0671 SYMDNS (2287d8411157815dd202a4f133ae482d) C:\WINDOWS\System32\Drivers\SYMDNS.SYS

2002/08/31 19:35:08.0109 SYMFW (11e32c865f1dfe7c0986900ec7aeb4b8) C:\WINDOWS\System32\Drivers\SYMFW.SYS

2002/08/31 19:35:08.0437 SYMIDS (157e49ab4f9ccce37361b28ac25096a9) C:\WINDOWS\System32\Drivers\SYMIDS.SYS

2002/08/31 19:35:08.0968 SYMIDSCO (38b02773e70b671852dd765aaf24ef62) C:\WINDOWS\System32\Drivers\SYMIDSCO.SYS

2002/08/31 19:35:09.0343 SYMNDIS (ef3ad6fc8a1ef592e4e6409a4b4f4c3a) C:\WINDOWS\System32\Drivers\SYMNDIS.SYS

2002/08/31 19:35:09.0656 SYMREDRV (121448e97995a6828422cd897c5c7456) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

2002/08/31 19:35:10.0140 SYMTDI (42bc4d0917737debe50df861fe8cdcb9) C:\WINDOWS\System32\Drivers\SYMTDI.SYS

2002/08/31 19:35:10.0578 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys

2002/08/31 19:35:11.0031 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys

2002/08/31 19:35:11.0375 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

2002/08/31 19:35:11.0671 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2002/08/31 19:35:12.0109 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

2002/08/31 19:35:12.0484 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

2002/08/31 19:35:12.0828 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

2002/08/31 19:35:13.0625 Tones (e0f10a379239b4fab319c55a9cd6bc96) C:\WINDOWS\system32\DRIVERS\tonesnt.sys

2002/08/31 19:35:14.0093 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys

2002/08/31 19:35:14.0265 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

2002/08/31 19:35:14.0718 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys

2002/08/31 19:35:15.0046 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys

2002/08/31 19:35:15.0703 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2002/08/31 19:35:16.0250 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2002/08/31 19:35:16.0609 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2002/08/31 19:35:17.0265 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2002/08/31 19:35:17.0937 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2002/08/31 19:35:18.0625 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2002/08/31 19:35:18.0859 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2002/08/31 19:35:19.0328 USB_RNDIS (af090265ec388bab320f1ff7e7a7d5ea) C:\WINDOWS\system32\DRIVERS\usb8023.sys

2002/08/31 19:35:20.0125 V124 (177b65899d418f8c8f037b20567a99d6) C:\WINDOWS\system32\DRIVERS\v124nt.sys

2002/08/31 19:35:20.0375 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

2002/08/31 19:35:20.0953 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\System32\DRIVERS\viaagp.sys

2002/08/31 19:35:21.0140 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\System32\DRIVERS\viaide.sys

2002/08/31 19:35:21.0328 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

2002/08/31 19:35:21.0515 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2002/08/31 19:35:22.0437 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys

2002/08/31 19:35:23.0078 winachsf (a941aa38e3951058e584c4bbddd56ed9) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2002/08/31 19:35:23.0562 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2002/08/31 19:35:24.0359 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2002/08/31 19:35:25.0109 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2002/08/31 19:35:25.0843 {6080A529-897E-4629-A488-ABA0C29B635E} (6f221e213521179132cf019d9dbf5cae) C:\WINDOWS\system32\drivers\ialmsbw.sys

2002/08/31 19:35:26.0546 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d972db6f3fc84df74adc2a305e436301) C:\WINDOWS\system32\drivers\ialmkchw.sys

2002/08/31 19:35:26.0765 ================================================================================

2002/08/31 19:35:26.0765 Scan finished

2002/08/31 19:35:26.0765 ================================================================================

Other EXEhelper log:

exeHelper by Raktor

Build 20100414

Run at 19:29:01 on 08/31/02

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

exeHelper by Raktor

Build 20100414

Run at 19:38:52 on 08/31/02

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

RKill:

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Rkill was run on 08/31/2002 at 19:42:12.

Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

Rkill completed on 08/31/2002 at 19:42:23.

And finally ComboFix log:

ComboFix 11-01-22.01 - Rayann 01/22/2011 16:39:48.1.1 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1150.757 [GMT -9:00]

Running from: c:\documents and settings\Rayann\Desktop\ComboFix.exe

Command switches used :: /killall

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\Rayann\MYDOCU~1\BEEHiv~1.exe

c:\documents and settings\All Users\Favorites\Thumbs.db

c:\documents and settings\Rayann\GoToAssistDownloadHelper.exe

C:\Install.exe

c:\program files\autorun.inf

c:\windows\patch.exe

c:\windows\system32\download

c:\windows\system32\download\ispinfo.csv

c:\windows\system32\work.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_usnjsvc

((((((((((((((((((((((((( Files Created from 2010-12-23 to 2011-01-23 )))))))))))))))))))))))))))))))

.

No new files created in this timespan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-30 20:22 . 2002-07-26 02:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-30 20:22 . 2002-07-26 02:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]

@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"

[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]

2010-02-06 06:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]

@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"

[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]

2010-02-06 06:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]

@="{b4caf489-1eec-c617-49ad-8d7088598c06}"

[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]

2010-02-06 06:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-14 26192168]

"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-08-30 151597]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-14 49152]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-21 213936]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-29 149280]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-22 305440]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SRUUninstall"="c:\windows\System32\msiexec.exe" [2005-03-22 78848]

"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

SnagIt 9.lnk - c:\program files\TechSmith\SnagIt 9\SnagIt32.exe [2008-5-15 6822728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\WINDOWS\\System32\\mmc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Discovery Service

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [3/6/2010 3:55 PM 84072]

R1 MOBKFilter;MOBKFilter;c:\windows\SYSTEM32\DRIVERS\MOBK.sys [3/6/2010 4:02 PM 54776]

R2 ASFAgent;ASF Agent;c:\program files\intel\ASF Agent\ASFAgent.exe [5/8/2002 9:51 AM 212992]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/6/2010 3:55 PM 271480]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/6/2010 3:55 PM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/6/2010 3:55 PM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [3/6/2010 3:59 PM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [3/6/2010 3:56 PM 141792]

R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2/5/2010 9:14 PM 229688]

R2 NetAlrt;NetAlrt;c:\windows\SYSTEM32\DRIVERS\Netalrt.sys [5/7/2002 4:05 PM 39680]

R2 PlatAlrt;PlatAlrt;c:\windows\SYSTEM32\DRIVERS\platalrt.sys [5/7/2002 4:06 PM 23744]

R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [3/6/2010 3:55 PM 55840]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [3/6/2010 3:55 PM 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/6/2010 3:55 PM 88544]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [3/6/2010 3:55 PM 84264]

S0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys --> c:\windows\system32\drivers\McPvDrv.sys [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/6/2010 3:55 PM 88544]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2011-01-23 c:\windows\Tasks\Disk Cleanup.job

- c:\windows\SYSTEM32\cleanmgr.exe [1980-01-01 09:56]

2010-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 21:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:59274

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Trusted Zone: ameritrade.com

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: paypal.com

Trusted Zone: tdameritrade.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

HKU-Default-Run-start extracting - spoolvse.exe

HKU-Default-Run-Symantec NetDriver Warning - c:\progra~1\SYMNET~1\SNDWarn.exe

HKU-Default-Run-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe

HKU-Default-RunServices-start extracting - spoolvse.exe

AddRemove-Elliott Wave Analyzer II - c:\program files\Elliott Wave Analyzer II\Uninst.isu

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-22 16:57

Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2268)

c:\windows\system32\WININET.dll

c:\program files\McAfee Online Backup\MOBKshell.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Linksys\WUSB54GSC\WLService.exe

c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

c:\program files\Linksys\WUSB54GSC\WUSB54GSC.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\wscntfy.exe

c:\program files\Skype\Phone\Skype.exe

c:\program files\TechSmith\SnagIt 9\TSCHelp.exe

c:\program files\TechSmith\SnagIt 9\SnagPriv.exe

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

c:\program files\TechSmith\SnagIt 9\snagiteditor.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Java\jre6\bin\jucheck.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

c:\program files\Common Files\Real\Update_OB\realevent.exe

.

**************************************************************************

.

Completion time: 2011-01-22 17:10:22 - machine was rebooted

ComboFix-quarantined-files.txt 2011-01-23 02:10

Pre-Run: 711,278,592 bytes free

Post-Run: 1,038,237,696 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 132CA28B21C21B7354B61BE292515985

Thanks for all your help.

McAfee had to be the most worthless antivirus ever. It's being replaced with VIPRE today.

Link to post
Share on other sites

Your ComboFix log is clean except for this Fake AV vestige, which we will remove with a registry fix.

Copy/paste the following text in the code box to Notepad, making sure that Wordwrap is UNChecked under the Format settings!!

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-

Save this to your desktop as fix.reg, by setting the "Save as Type" to All files (*.*) in the pull-down menu.

Double-click fix.reg (looks like an aqua blocks icon) on your desktop and, when you're prompted as to whether you want to add the information to the Registry, respond Y (yes).

Reboot.

Then run DDS.scr again and post the log!

Here are the directions in case you need them:

Download DDS and save it to your desktop from here


Disable any script-blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
  • Please copy and paste DDS.txt into your next reply (do NOT attach it, and hold on to Attach.txt for now).

Link to post
Share on other sites
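The one item the helper flags in the ComboFix log is the per-user IE proxy, "uInternet Settings,ProxyServer = http=127.0.0.1:59274": the rogue points the browser at a listener on the victim's own machine, which is how it serves its own pages and blocks everything else, and fix.reg simply deletes that value. The following is an added example for this thread, not code from the original posts, ComboFix or Malwarebytes. It triages the proxy lines of a pasted ComboFix log with the same logic a helper applies by eye, and emits the equivalent REGEDIT4 text. SAMPLE_LOG is constructed from the Supplementary Scan lines above; the "loopback host means hijack" rule in assess() and the ComboFix "u"/"m" hive prefixes (current user / machine-wide) are this editor's reading, not a rule ComboFix itself applies.

```python
"""Triage the proxy lines of a pasted ComboFix log for a fake-AV loopback proxy.

Added example for this thread, not part of the original posts and not
ComboFix or Malwarebytes code. SAMPLE_LOG is constructed from the
"Supplementary Scan" lines of the thread; the decision rule in assess()
is this editor's, not a rule ComboFix applies.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the proxy-related lines as ComboFix prints them.
# ComboFix prefixes per-user (HKCU) settings with "u" and machine-wide
# (HKLM) settings with "m" (assumption based on the log format).
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

_PROXY_LINE = re.compile(
    r"^(?P<hive>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>.+?)\s*$")
# One entry of a ProxyServer value: "host:port" or "scheme=host:port".
_ENTRY = re.compile(
    r"^(?:(?P<scheme>https?|ftp|socks)=)?(?P<host>\[[^\]]+\]|[^:;]+)(?::(?P<port>\d+))?$")


@dataclass
class ProxyFinding:
    hive: str              # "u" = current user, "m" = machine-wide
    scheme: str            # "" when the value is a bare host:port for all schemes
    host: str
    port: Optional[int]
    suspicious: bool
    reason: str


def parse_proxy_server(value: str) -> List[Tuple[str, str, Optional[int]]]:
    """Split a ProxyServer value ('http=127.0.0.1:59274;https=proxy:8443')."""
    entries = []
    for chunk in value.split(";"):
        m = _ENTRY.match(chunk.strip())
        if not m:
            continue  # unparseable chunk; leave it for manual review
        port = int(m.group("port")) if m.group("port") else None
        entries.append((m.group("scheme") or "", m.group("host").strip("[]"), port))
    return entries


def assess(host: str) -> Tuple[bool, str]:
    """Decide whether a proxy host looks like a browser hijack (editor's rule)."""
    if host.lower() in LOOPBACK_HOSTS:
        return True, ("proxy points at the local machine, so every non-local "
                      "request is handed to a local process before it leaves the box")
    return False, "remote proxy; confirm it is one the owner configured"


def triage(log_text: str) -> List[ProxyFinding]:
    """Return one finding per proxy entry found in the ComboFix log text."""
    findings = []
    for line in log_text.splitlines():
        m = _PROXY_LINE.match(line.strip())
        if not m:
            continue
        for scheme, host, port in parse_proxy_server(m.group("value")):
            suspicious, reason = assess(host)
            findings.append(ProxyFinding(m.group("hive"), scheme, host, port,
                                         suspicious, reason))
    return findings


def reg_fix(findings: List[ProxyFinding]) -> str:
    """Emit the REGEDIT4 text that deletes HKCU ProxyServer, as fix.reg in the thread does."""
    if not any(f.suspicious and f.hive == "u" for f in findings):
        return ""
    return ("REGEDIT4\r\n\r\n"
            "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]\r\n"
            "\"ProxyServer\"=-\r\n")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"[{flag}] hive={f.hive} scheme={f.scheme or '*'} "
              f"{f.host}:{f.port}: {f.reason}")
    print(reg_fix(triage(SAMPLE_LOG)), end="")
```

Two caveats a practitioner would add to the loopback rule. A loopback proxy is strong evidence but not proof on its own: some legitimate web-filtering products also insert a 127.0.0.1 proxy, so before deleting the value check which process owns the port (on the XP box, netstat -ano and match the PID in Task Manager) and make sure that process is gone; otherwise the rogue re-writes the value on the next start. And deleting ProxyServer without also touching ProxyEnable leaves IE pointing at nothing if ProxyEnable is still 1, so if the browser still cannot connect after the reboot, that flag under the same key is the next thing to look at.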

3 weeks later... (Staff)

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
