
Google redirect



Please help me remove the Google redirect.

Logfile of IObit HijackScan v1.0.2.0

Scan saved at 19:38:59, on 2011-3-29

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\McAfee\VirusScan\mcods.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe

O2 - BHO: PriceGongBHO Class - {1631550F-191D-4826-B069-D9439253D926} - C:\Program Files\PriceGong\2.1.0\PriceGongIE.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110221233010.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\mcafee\SITEAD~1\mcieplg.dll

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [Messenger (Yahoo!)] "D:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [Advanced SystemCare 3] "D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iW_ControlCenter] D:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [VOBID] D:\Program Files\Pinnacle\InstantCDDVD\\InstantDrive\InstantDrive.exe /remount

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [nwiz] nwiz.exe /install

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [VX6000] C:\WINDOWS\vVX6000.exe

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart

O8 - Extra context menu item: &Search -

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}MANAGER.DLMCtrl.1 - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}SoftwareDistribution.WebControl.1 - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220712864697

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616}npdivx.DivXBrowserPlugin.1 - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}Java Plug-in 1.6.0_23 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}Java Plug-in 1.6.0_23 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}Java Plug-in 1.6.0_23 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE

O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Unknown - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service (McAfee SiteAdvisor Service) - Unknown - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe

O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

O23 - Service: NitroPDFDriverCreatorReadSpool (NitroDriverReadSpool) - Nitro PDF Software - D:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: stllssvr (stllssvr) - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe


Hello Pablo2011! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

Download DDS and save it to your desktop from here, here or here.

Double click dds to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


First report:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 9/6/2008 9:44:59 AM

System Uptime: 4/1/2011 8:05:03 AM (24 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | P4S533VL

Processor: Intel® Pentium® 4 CPU 2.66GHz | PGA 478 | 2660/133mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 14 GiB total, 3.871 GiB free.

D: is FIXED (NTFS) - 98 GiB total, 24.056 GiB free.

E: is CDROM ()

F: is CDROM ()

H: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description:

Device ID: ACPI\WEC0515\4&398EACD8&0

Manufacturer:

Name:

PNP Device ID: ACPI\WEC0515\4&398EACD8&0

Service:

.

==== System Restore Points ===================

.

RP45: 3/19/2011 9:14:43 AM - System Checkpoint

RP46: 3/20/2011 12:09:18 PM - System Checkpoint

RP47: 3/21/2011 12:44:45 PM - System Checkpoint

RP48: 3/22/2011 1:44:44 PM - System Checkpoint

RP49: 3/23/2011 2:44:44 PM - System Checkpoint

RP50: 3/24/2011 9:00:21 AM - Software Distribution Service 3.0

RP51: 3/25/2011 9:00:20 AM - Software Distribution Service 3.0

RP52: 3/26/2011 9:07:33 AM - System Checkpoint

RP53: 3/26/2011 2:03:14 PM - Removed Bing Bar

RP54: 3/27/2011 2:10:46 PM - System Checkpoint

RP55: 3/28/2011 3:07:33 PM - System Checkpoint

RP56: 3/29/2011 3:11:18 PM - System Checkpoint

RP57: 3/30/2011 3:43:53 PM - System Checkpoint

RP58: 4/1/2011 12:25:15 AM - System Checkpoint

RP59: 4/1/2011 6:29:32 PM - Installed Rapport

RP60: 4/1/2011 7:17:18 PM - Removed Skype


Second Report:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Pawel Zyglewski at 8:56:05.12 on Sat 04/02/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.205 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\IObit\Game Booster\gbtray.exe

C:\WINDOWS\system32\ASTSRV.EXE

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

D:\Program Files\Java\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\System32\msdtc.exe

D:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\PROGRA~1\mcafee\msc\mcupdmgr.exe

C:\Documents and Settings\Pawel Zyglewski\Local Settings\Temporary Internet Files\Content.IE5\X03A82J5\dds[1].scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.spoofee.com/

uInternet Connection Wizard,ShellNext = iexplore

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110221233010.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Advanced SystemCare 3] "d:\program files\iobit\advanced systemcare 3\AWC.exe" /startup

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [iObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220712864697

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\pawelz~1\applic~1\mozilla\firefox\profiles\7lidy3nh.default\

FF - prefs.js: browser.search.selectedEngine - MyWebSearch

FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=GRxdm012YYUS&fl=0&ptb=yq20nPdLk6PhvEqvjx.iZQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=

FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\pawel zyglewski\application data\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\pawel zyglewski\application data\move networks\plugins\npqmp071504000001.dll

FF - plugin: c:\program files\mozilla firefox\plugins\np_IEGetPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: d:\program files\google\picasa3\npPicasa3.dll

FF - plugin: d:\program files\java\bin\new_plugin\npdeployJava1.dll

FF - plugin: d:\program files\java\bin\new_plugin\npjp2.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - d:\program files\java\lib\deploy\jqs\ff

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\pawel zyglewski\application data\Move Networks

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-2-22 386840]

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-2-10 14776]

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-2-20 26679]

R1 Cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2002-12-13 64000]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-2-22 84072]

R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus_23945.sys [2011-3-10 55224]

R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-3-10 66360]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-3-10 158392]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2001-10-4 9728]

R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2003-2-27 186368]

R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2011-3-29 312152]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-12-1 203280]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-22 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-22 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-22 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-2-22 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-2-22 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-2-22 141792]

R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;d:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-10-5 188736]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-3-10 821048]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-2-22 55840]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-2-22 152960]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-22 52104]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-2-22 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-2-22 88544]

R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-6-4 30576]

S2 6077757b;6077757b;\??\c:\windows\system32\drivers\regi.sys --> c:\windows\system32\drivers\regi.sys [?]

S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-2-22 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-2-22 84264]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2003-3-31 14336]

S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2009-6-26 2383152]

.

=============== Created Last 30 ================

.

2011-04-01 23:29:48 -------- dc----w- c:\docume~1\pawelz~1\applic~1\Trusteer

2011-04-01 23:29:36 -------- dc----w- c:\program files\Trusteer

2011-04-01 23:27:36 -------- dc----w- c:\docume~1\alluse~1\applic~1\Trusteer

2011-03-30 04:37:06 -------- dc----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-03-30 04:37:05 -------- dc----w- c:\docume~1\pawelz~1\applic~1\SUPERAntiSpyware.com

2011-03-30 04:36:49 -------- dc----w- c:\program files\SUPERAntiSpyware

2011-03-11 05:50:08 -------- dc----w- c:\program files\Enigma Software Group

2011-03-11 05:49:35 -------- dc----w- c:\windows\8713EF96D15042F19318B4AF40FD9053.TMP

2011-03-11 05:49:29 -------- dc----w- c:\program files\common files\Wise Installation Wizard

2011-03-11 02:09:26 53816 -c--a-w- c:\windows\system32\drivers\RapportKELL.sys

.

==================== Find3M ====================

.

2011-03-13 22:19:45 2828 -csha-w- c:\windows\system32\KGyGaAvL.sys

2011-02-09 13:53:52 270848 -c--a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 -c--a-w- c:\windows\system32\encdec.dll

2011-02-05 21:04:16 135168 -csha-r- c:\windows\system32\prntvpt2.dll

2011-02-02 07:58:35 2067456 -c--a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 -c--a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 8462336 -c--a-w- c:\windows\system32\SET4D3.tmp

2011-01-21 14:44:37 439296 -c--a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 -c--a-w- c:\windows\system32\atmfd.dll

.

============= FINISH: 8:58:34.93 ===============

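The two DDS logs above contain the kinds of entries a responder picks out before choosing a tool: services whose file DDS could not read (printed with `[?]` instead of a date and size), a service whose name is an eight-character hex string rather than a product name, and Firefox search preferences pointing at a third-party provider. The script below is an added example written for this page, not a tool from the thread, from Malwarebytes or from the DDS author; it parses those DDS line formats and flags such entries. The line formats are inferred from the logs as posted, the flagging rules are my own assumptions, and a flag means "inspect this", not "this is malicious". The sample lines are copied from the posted log.

```python
"""Triage helper for DDS log lines: flags entries worth a closer look.

Added example for this thread, not a tool from the forum or from Malwarebytes.
The line formats are inferred from the logs as posted, and the flagging rules
are this editor's own heuristics: a flag means "inspect", not "malicious".
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed formats, taken from the logs above:
#   "R1 name;display name;path [YYYY-M-D size]"
#   "S2 name;name;\??\path --> path [?]"   (DDS could not read the file)
DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
META_RE = re.compile(r"\[\d{4}-\d{1,2}-\d{1,2}\s+\d+\]\s*$")   # "[2011-2-22 386840]"
TRAILING_BRACKET_RE = re.compile(r"\s*\[[^\]]*\]\s*$")          # "[date size]" or "[?]"
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)       # heuristic: "6077757b"
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.+)$")
# Firefox prefs that decide where typed searches go; a search hijacker sets these.
FF_SEARCH_KEYS = {"keyword.URL", "browser.search.selectedEngine"}


@dataclass
class Finding:
    name: str    # service name or pref key
    kind: str    # machine-readable reason
    detail: str  # human-readable explanation
    line: str    # the raw log line


def parse_driver(line: str) -> Optional[dict]:
    """Split an R*/S* service line into its fields; None if the line is not one."""
    m = DRIVER_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    path = TRAILING_BRACKET_RE.sub("", rest)  # drop the trailing "[...]" block
    if " --> " in path:                       # keep the resolved path, not "\??\..."
        path = path.split(" --> ")[-1]
    return {
        "state": m.group("state"),            # R = running, S = stopped (DDS convention)
        "start": int(m.group("start")),       # start type digit as DDS prints it
        "name": m.group("name"),
        "display": m.group("display"),
        "path": path.strip(),
        "has_file_meta": META_RE.search(rest) is not None,
    }


def triage(lines) -> list:
    """Run the heuristics over DDS log lines and return a list of Finding."""
    findings = []
    for raw in lines:
        svc = parse_driver(raw)
        if svc is not None:
            if not svc["has_file_meta"]:
                findings.append(Finding(svc["name"], "no_file_metadata",
                    f"DDS printed [?] for {svc['path']}: file absent or unreadable at scan time", raw))
            if HEX_NAME_RE.match(svc["name"]):
                findings.append(Finding(svc["name"], "hex_service_name",
                    "service name is an 8-character hex string rather than a product name", raw))
            continue
        pref = FF_PREF_RE.match(raw.strip())
        if pref and pref.group("key") in FF_SEARCH_KEYS:
            findings.append(Finding(pref.group("key"), "firefox_search_override",
                f"search preference set to: {pref.group('value')[:60]}", raw))
    return findings


# Sample input: lines copied from the DDS log posted in this thread.
SAMPLE_LINES = [
    r"R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-2-22 386840]",
    r"R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]",
    r"R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-3-10 821048]",
    r"S2 6077757b;6077757b;\??\c:\windows\system32\drivers\regi.sys --> c:\windows\system32\drivers\regi.sys [?]",
    r"S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]",
    "FF - prefs.js: browser.search.selectedEngine - MyWebSearch",
    "FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=GRxdm012YYUS&fl=0&ptb=yq20nPdLk6PhvEqvjx.iZQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.kind:24} {f.name:14} {f.detail}")
```

Run against the sample lines it reports five findings: two for the `6077757b` service (no file metadata, hex name), one for `esgiguard` (no file metadata), and one each for the two Firefox search preferences. A `[?]` entry only says that DDS could not stat the file at scan time; the service may simply be left over from an uninstalled product, so the next step is to check whether the path exists and what owns it, not to delete on the strength of the flag.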

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab and select Check for Updates.
  • Go to the Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, please post the following logs:

  1. Malwarebytes' Anti-Malware log
  2. a fresh DDS log only


Borislav,

Your help is appreciated.

Pawel Zyglewski

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6248

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/2/2011 2:17:16 PM

mbam-log-2011-04-02 (14-17-16).txt

Scan type: Quick scan

Objects scanned: 142365

Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Pawel Zyglewski at 14:20:58.15 on Sat 04/02/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.64 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\IObit\Game Booster\gbtray.exe

C:\WINDOWS\system32\ASTSRV.EXE

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

D:\Program Files\Java\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\System32\msdtc.exe

D:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\PROGRA~1\mcafee\msc\mcupdmgr.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Pawel Zyglewski\Local Settings\Temporary Internet Files\Content.IE5\FLQ1OLR3\dds[1].scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.spoofee.com/

uInternet Connection Wizard,ShellNext = iexplore

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110221233010.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Advanced SystemCare 3] "d:\program files\iobit\advanced systemcare 3\AWC.exe" /startup

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [iObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220712864697

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\pawelz~1\applic~1\mozilla\firefox\profiles\7lidy3nh.default\

FF - prefs.js: browser.search.selectedEngine - MyWebSearch

FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=GRxdm012YYUS&fl=0&ptb=yq20nPdLk6PhvEqvjx.iZQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=

FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\pawel zyglewski\application data\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\pawel zyglewski\application data\move networks\plugins\npqmp071504000001.dll

FF - plugin: c:\program files\mozilla firefox\plugins\np_IEGetPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: d:\program files\google\picasa3\npPicasa3.dll

FF - plugin: d:\program files\java\bin\new_plugin\npdeployJava1.dll

FF - plugin: d:\program files\java\bin\new_plugin\npjp2.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - d:\program files\java\lib\deploy\jqs\ff

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\pawel zyglewski\application data\Move Networks

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-2-22 386840]

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-2-10 14776]

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-2-20 26679]

R1 Cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2002-12-13 64000]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-2-22 84072]

R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus_23945.sys [2011-3-10 55224]

R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-3-10 66360]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-3-10 158392]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2001-10-4 9728]

R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2003-2-27 186368]

R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2011-3-29 312152]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-12-1 203280]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-22 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-22 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-22 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-2-22 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-2-22 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-2-22 141792]

R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;d:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-10-5 188736]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-3-10 821048]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-2-22 55840]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-2-22 152960]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-22 52104]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-2-22 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-2-22 88544]

R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-6-4 30576]

S2 6077757b;6077757b;\??\c:\windows\system32\drivers\regi.sys --> c:\windows\system32\drivers\regi.sys [?]

S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-2-22 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-2-22 84264]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2003-3-31 14336]

S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2009-6-26 2383152]

.

=============== Created Last 30 ================

.

2011-04-01 23:29:48 -------- dc----w- c:\docume~1\pawelz~1\applic~1\Trusteer

2011-04-01 23:29:36 -------- dc----w- c:\program files\Trusteer

2011-04-01 23:27:36 -------- dc----w- c:\docume~1\alluse~1\applic~1\Trusteer

2011-03-30 04:37:06 -------- dc----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-03-30 04:37:05 -------- dc----w- c:\docume~1\pawelz~1\applic~1\SUPERAntiSpyware.com

2011-03-30 04:36:49 -------- dc----w- c:\program files\SUPERAntiSpyware

2011-03-11 05:50:08 -------- dc----w- c:\program files\Enigma Software Group

2011-03-11 05:49:35 -------- dc----w- c:\windows\8713EF96D15042F19318B4AF40FD9053.TMP

2011-03-11 05:49:29 -------- dc----w- c:\program files\common files\Wise Installation Wizard

2011-03-11 02:09:26 53816 -c--a-w- c:\windows\system32\drivers\RapportKELL.sys

.

==================== Find3M ====================

.

2011-03-13 22:19:45 2828 -csha-w- c:\windows\system32\KGyGaAvL.sys

2011-02-09 13:53:52 270848 -c--a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 -c--a-w- c:\windows\system32\encdec.dll

2011-02-05 21:04:16 135168 -csha-r- c:\windows\system32\prntvpt2.dll

2011-02-02 07:58:35 2067456 -c--a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 -c--a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 8462336 -c--a-w- c:\windows\system32\SET4D3.tmp

2011-01-21 14:44:37 439296 -c--a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 -c--a-w- c:\windows\system32\atmfd.dll

.

============= FINISH: 14:23:14.71 ===============


**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**


  1. If you are using Firefox, make sure that your download settings are as follows:

    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

  2. During the download, rename Combofix to Combo-Fix as follows:

    CF_download_FF.gif

    CF_download_rename.gif

  3. It is important you rename Combofix during the download, but not after.

  4. Please do not rename Combofix to other names, but only to the one indicated.

  5. Close any open browsers.

  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.

  8. When finished, it will produce a report for you.

  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


ComboFix 11-04-02.05 - Pawel Zyglewski 04/03/2011 11:52:33.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.589 [GMT -5:00]

Running from: c:\documents and settings\Pawel Zyglewski\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\documents and settings\All Users\Application Data\page\page.ico

c:\documents and settings\All Users\Application Data\page\page.URL

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\1.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\a.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\b.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\c.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\d.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\e.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\f.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\g.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\h.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\i.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\J.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\k.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\l.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\m.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\n.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\o.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\p.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\q.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\r.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\s.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\t.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\u.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\v.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\w.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\x.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\y.xml

c:\documents and settings\Pawel Zyglewski\Application Data\PriceGong\Data\z.xml

c:\program files\Internet Explorer\SET428.tmp

c:\program files\Internet Explorer\SET429.tmp

c:\windows\Downloaded Program Files\f3initialsetup1.0.1.2.inf

c:\windows\system32\_000005_.tmp.dll

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\_000011_.tmp.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_WMPNetworkSvc

.

.

((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))

.

.

2011-04-03 16:43 . 2011-04-03 16:43 63115 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS

2011-04-03 16:43 . 2011-04-03 16:43 8646 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS

2011-04-03 16:43 . 2011-04-03 16:43 6429 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS

2011-04-03 16:43 . 2011-04-03 16:43 4599 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS

2011-04-03 16:43 . 2011-04-03 16:43 9310 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS

2011-04-03 16:43 . 2011-04-03 16:43 8613 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS

2011-04-03 16:43 . 2011-04-03 16:43 5927 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS

2011-04-03 16:43 . 2011-04-03 16:43 1651 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS

2011-04-03 16:43 . 2011-04-03 16:43 6910 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS

2011-04-03 16:42 . 2011-04-03 16:42 8288 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS

2011-04-03 16:42 . 2011-04-03 16:42 6208 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS

2011-04-03 16:42 . 2011-04-03 16:42 18541 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS

2011-04-03 16:42 . 2011-04-03 16:42 51852 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS

2011-04-03 16:42 . 2011-04-03 16:42 20719 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS

2011-04-03 16:42 . 2011-04-03 16:42 8782 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS

2011-04-03 16:42 . 2011-04-03 16:42 7271 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS

2011-04-03 16:42 . 2011-04-03 16:42 23327 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS

2011-04-01 23:29 . 2011-04-01 23:29 -------- dc----w- c:\documents and settings\Pawel Zyglewski\Application Data\Trusteer

2011-04-01 23:29 . 2011-04-01 23:29 -------- dc----w- c:\program files\Trusteer

2011-04-01 23:27 . 2011-04-01 23:27 -------- dc----w- c:\documents and settings\All Users\Application Data\Trusteer

2011-04-01 13:11 . 2011-04-01 13:11 -------- dcsh--w- c:\documents and settings\LocalService\IETldCache

2011-03-30 04:37 . 2011-03-30 04:37 -------- dc----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-03-30 04:37 . 2011-03-30 04:37 -------- dc----w- c:\documents and settings\Pawel Zyglewski\Application Data\SUPERAntiSpyware.com

2011-03-30 04:36 . 2011-03-30 04:37 -------- dc----w- c:\program files\SUPERAntiSpyware

2011-03-11 05:50 . 2011-03-11 05:50 -------- dc----w- c:\program files\Enigma Software Group

2011-03-11 05:49 . 2011-03-11 06:39 -------- dc----w- c:\windows\8713EF96D15042F19318B4AF40FD9053.TMP

2011-03-11 05:49 . 2011-03-11 05:49 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard

2011-03-11 02:09 . 2011-03-11 02:09 53816 -c--a-w- c:\windows\system32\drivers\RapportKELL.sys

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2003-03-31 12:00 270848 -c--a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2003-03-31 12:00 186880 -c--a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2008-09-06 14:38 2067456 -c--a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2008-09-06 14:38 677888 -c--a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2011-01-21 14:44 8462336 -c--a-w- c:\windows\system32\SET4D3.tmp

2011-01-21 14:44 . 2003-03-31 12:00 439296 -c--a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2003-03-31 12:00 290048 -c--a-w- c:\windows\system32\atmfd.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2010-10-14 04:28 . 2011-02-22 05:30 24376 -c--a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Advanced SystemCare 3"="d:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2011-03-25 2402512]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"nwiz"="nwiz.exe" [2006-10-22 1622016]

"NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]

"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 -c--a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

2003-02-14 17:59 88107 -c--a-w- c:\windows\AGRSMMSG.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:72.156.210.186/255.255.255.255:Enabled:@xpsp2res.dll,-22009

.

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [3/10/2011 9:09 PM 53816]

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2/10/2011 10:05 AM 14776]

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2/20/2003 11:42 AM 26679]

R1 Cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [12/13/2002 5:33 PM 64000]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2/22/2011 12:29 AM 84072]

R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus_23945.sys [3/10/2011 9:17 PM 55224]

R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [3/10/2011 9:09 PM 66360]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [3/10/2011 9:09 PM 158392]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [10/4/2001 11:53 AM 9728]

R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2/27/2003 5:32 PM 186368]

R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [3/29/2011 7:22 PM 312152]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/1/2010 12:37 AM 203280]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/22/2011 12:29 AM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2/22/2011 12:29 AM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [2/22/2011 12:30 AM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2/22/2011 12:29 AM 141792]

R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;d:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [10/5/2009 10:08 AM 188736]

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [3/10/2011 9:09 PM 821048]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2/22/2011 12:29 AM 55840]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2/22/2011 12:29 AM 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2/22/2011 12:29 AM 88544]

R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [6/4/2010 6:00 PM 30576]

S2 6077757b;6077757b;\??\c:\windows\system32\drivers\regi.sys --> c:\windows\system32\drivers\regi.sys [?]

S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2/22/2011 12:29 AM 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2/22/2011 12:29 AM 84264]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [3/31/2003 7:00 AM 14336]

S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [6/26/2009 6:21 PM 2383152]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-03 c:\windows\Tasks\AWC AutoSweep.job

- d:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2011-02-10 19:11]

.

2011-04-03 c:\windows\Tasks\AWC Update.job

- d:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2011-02-10 20:24]

.

2011-04-03 c:\windows\Tasks\Game_Booster_Startup.job

- c:\program files\IObit\Game Booster\gbtray.exe [2011-02-10 22:20]

.

2011-04-03 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

.

2011-04-03 c:\windows\Tasks\User_Feed_Synchronization-{A79AE073-CF24-4AB1-B96C-80377AADBE65}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.spoofee.com/

uInternet Connection Wizard,ShellNext = iexplore

Trusted Zone: internet

Trusted Zone: mcafee.com

FF - ProfilePath - c:\documents and settings\Pawel Zyglewski\Application Data\Mozilla\Firefox\Profiles\7lidy3nh.default\

FF - prefs.js: browser.search.selectedEngine - MyWebSearch

FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=GRxdm012YYUS&fl=0&ptb=yq20nPdLk6PhvEqvjx.iZQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - d:\program files\Java\lib\deploy\jqs\ff

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Pawel Zyglewski\Application Data\Move Networks

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Pawel Zyglewski\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-03 11:59

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1288)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

- - - - - - - > 'explorer.exe'(1876)

c:\windows\system32\WININET.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-04-03 12:02:26

ComboFix-quarantined-files.txt 2011-04-03 17:02

.

Pre-Run: 4,165,574,656 bytes free

Post-Run: 4,136,153,088 bytes free

.

- - End Of File - - 8C6705E2854E2C3171C75F7BAE4766E0


After this step, tell me how your system is now:

Open Notepad and copy and paste the text in the code box below into it:

FireFox::
FF - ProfilePath - c:\documents and settings\Pawel Zyglewski\Application Data\Mozilla\Firefox\Profiles\7lidy3nh.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=GRxdm012YYUS&fl=0&ptb=yq20nPdLk6PhvEqvjx.iZQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

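The CFScript above clears two Firefox preferences that the hijacker rewrote (the selected search engine and keyword.URL). The following is an added example, not part of the original thread and not ComboFix's or the helper's code: a small Python checker that parses a Firefox prefs.js and flags search-related preferences pointing at a host the owner does not expect. The preference names, the allow-list of expected hosts and engine names, and the sample prefs.js content are all assumptions constructed for illustration (the tracking id in the sample URL is a placeholder).

```python
"""Flag hijacked search settings in a Firefox prefs.js (added example, not from the thread)."""
import re
from urllib.parse import urlparse

# Preferences a browser search hijacker commonly rewrites.
# Assumption: this list is illustrative, not exhaustive.
SEARCH_PREFS = {
    "browser.search.selectedEngine",
    "browser.search.defaultenginename",
    "keyword.URL",
    "browser.startup.homepage",
}

# Assumption: hosts and engine names the machine's owner expects; adjust per machine.
EXPECTED_HOSTS = {"www.google.com", "google.com", "www.bing.com", "duckduckgo.com"}
EXPECTED_ENGINES = {"Google", "Bing", "DuckDuckGo"}

# prefs.js lines look like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Constructed sample prefs.js, modelled on the hijacked values quoted in the thread.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.search.selectedEngine", "MyWebSearch");
user_pref("keyword.URL", "http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=PLACEHOLDER&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=");
user_pref("browser.startup.homepage", "https://www.google.com/");
user_pref("network.cookie.cookieBehavior", 1);
"""


def parse_prefs(text):
    """Return {name: value} for every user_pref line; string values lose their quotes."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref call
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        prefs[name] = raw
    return prefs


def find_hijacks(prefs, expected_hosts=EXPECTED_HOSTS, expected_engines=EXPECTED_ENGINES):
    """Return [(pref, value, reason)] for search prefs whose value looks hijacked."""
    findings = []
    for name in sorted(set(prefs) & SEARCH_PREFS):
        value = prefs[name]
        if value.lower().startswith(("http://", "https://")):
            host = (urlparse(value).hostname or "").lower()
            if host not in expected_hosts:
                findings.append((name, value, f"URL points at unexpected host {host}"))
        elif value not in expected_engines:
            findings.append((name, value, "search engine name is not on the expected list"))
    return findings


if __name__ == "__main__":
    for pref, value, reason in find_hijacks(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"{pref}: {reason}\n    {value}")
```

Run against a real profile by reading the file at the ProfilePath shown in the log instead of SAMPLE_PREFS_JS; a finding on keyword.URL or browser.search.selectedEngine is the same symptom the CFScript above removes.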

Nice job, Pawel! :)

Last steps for you:

Step 1

Go to Start => Run... and copy & paste the next command in the field:

ComboFix /uninstall

Then hit the Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Reset System Restore again

Note: Make sure there's a space between ComboFix and /uninstall

Step 2

Please manually delete DDS.

Step 3

Keep your software up-to-date:

http://www.bleepingcomputer.com/tutorials/tutorial174.html

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)


  • 2 weeks later...

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.