Jump to content

Recommended Posts

Wife infected computer with the FakeAlert! virus. Cleaned it up with MB in safe mode. Now, however, desktop is blank, startup menu is empty and even at command prompt, cannot see any files on c: drive unless I type in dir /a

HELP!

Here is a log produced by dds:

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Run by John at 15:40:42 on 2011-05-19

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2579 [GMT -7:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\nHancer\nHancerService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\SAFEBO~1\SBEVMON.EXE

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

G:\Malwarebytes' Anti-Malware\mbam.exe

G:\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://news.bbc.co.uk/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110511180828.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [AdobeBridge]

uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"

uRun: [Google Update] "c:\documents and settings\john\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [DQMiuyMNARayQk] c:\documents and settings\all users\application data\DQMiuyMNARayQk.exe

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [sBEVMON.EXE] c:\progra~1\safebo~1\SBEVMON.EXE -WinLogon

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [setDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe

mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~2\server\bin\VERSIO~2.EXE

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager\TurbineDownloadManagerIcon.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex

uPolicies-explorer: NoDesktop = 1 (0x1)

uPolicies-system: DisableTaskMgr = 1 (0x1)

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205988890984

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205989320312

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://connect.wa.gov/dana-cached/sc/JuniperSetupClient.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: {3A21731A-5BC9-427F-A29F-97AF9DD2C4B3} = 192.168.1.1

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\1tq31uhb.default\

FF - prefs.js: browser.search.selectedEngine - Search

FF - prefs.js: browser.startup.homepage - hxxp://www.good.is/

FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q=

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

---- FIREFOX POLICIES ----

.

FF - user.js: browser.search.selectedEngine - Search

FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q=

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-22 387480]

R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\sbalg01.sys [2002-2-8 7504]

R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\sbalg12.sys [2002-2-8 44688]

R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2003-6-3 35988]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-8 84200]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-1-13 47640]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-8 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-8 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-8 141792]

R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [2009-3-24 5365]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-8 56064]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-22 153280]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-22 52320]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-8 314088]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736]

R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-23 38224]

S2 Akamai;Akamai;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-8 84488]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-22 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-22 40552]

S3 REVO51;REVO51;c:\windows\system32\drivers\revo51.sys --> c:\windows\system32\drivers\revo51.sys [?]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2011-04-26 05:19:25 -------- d--h--w- c:\program files\Auslogics

2011-04-26 05:10:41 69632 ---ha-w- c:\windows\system32\CrcCtrl.ocx

.

==================== Find3M ====================

.

2011-04-14 21:01:38 95824 ---ha-w- c:\windows\system32\drivers\mfeapfk.sys

2011-04-14 21:01:38 9344 ---ha-w- c:\windows\system32\drivers\mfeclnk.sys

2011-04-14 21:01:38 88736 ---ha-w- c:\windows\system32\drivers\mfendisk.sys

2011-04-14 21:01:38 84488 ---ha-w- c:\windows\system32\drivers\mferkdet.sys

2011-04-14 21:01:38 84200 ---ha-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-04-14 21:01:38 56064 ---ha-w- c:\windows\system32\drivers\cfwids.sys

2011-04-14 21:01:38 52320 ---ha-w- c:\windows\system32\drivers\mfebopk.sys

2011-04-14 21:01:38 387480 ---ha-w- c:\windows\system32\drivers\mfehidk.sys

2011-04-14 21:01:38 314088 ---ha-w- c:\windows\system32\drivers\mfefirek.sys

2011-04-14 21:01:38 153280 ---ha-w- c:\windows\system32\drivers\mfeavfk.sys

2011-03-04 19:44:14 45648 ---h--w- c:\windows\system32\drivers\pxhelp20.sys

2011-03-04 19:44:14 133616 ---h--w- c:\windows\system32\PxAFS.DLL

2011-03-04 19:44:12 126448 ---h--w- c:\windows\system32\pxinsi64.exe

2011-03-04 19:44:12 123888 ---h--w- c:\windows\system32\pxcpyi64.exe

1998-12-09 02:53:54 99840 ---ha-w- c:\program files\common files\IRAABOUT.DLL

1998-12-09 02:53:54 70144 ---ha-w- c:\program files\common files\IRAMDMTR.DLL

1998-12-09 02:53:54 48640 ---ha-w- c:\program files\common files\IRALPTTR.DLL

1998-12-09 02:53:54 31744 ---ha-w- c:\program files\common files\IRAWEBTR.DLL

1998-12-09 02:53:54 186368 ---ha-w- c:\program files\common files\IRAREG.DLL

1998-12-09 02:53:54 17920 ---ha-w- c:\program files\common files\IRASRIAL.DLL

.

============= FINISH: 15:42:59.10 ===============

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please download Unhide.exe by Grinler and save it to your Desktop.

Run it, then restart your computer.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.

Link to post
Share on other sites

Thanks for the help!

I ran Mbam again with a full scan and this time it found more than just the FakeAlert. I'll include the log files below. I then restarted, ran Unhide.exe, rebooted and then DDS. I can now see my desktop icons, files on the c: drive and start menu. Didn't have a chance to fully test things out to see if everything is working as it was before, but it's a damn good start! Thanks!

Here are the two log files:

===== MBAM LOG =====

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6619

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

5/20/2011 10:22:04 AM

mbam-log-2011-05-20 (10-22-04).txt

Scan type: Full scan (C:\|)

Objects scanned: 561324

Time elapsed: 2 hour(s), 34 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DQMiuyMNARayQk (Rogue.Agent.SA) -> Value: DQMiuyMNARayQk -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\John\application data\Sun\Java\deployment\cache\6.0\40\25b9c9a8-1357ddff (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{610fe075-ddae-42ac-b5bf-7da883f061f2}\RP810\A0073805.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

c:\system volume information\_restore{610fe075-ddae-42ac-b5bf-7da883f061f2}\RP810\A0073804.exe (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.

===== DDS LOG =====

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Run by John at 19:46:53 on 2011-05-21

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2811 [GMT -7:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\nHancer\nHancerService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\SAFEBO~1\SBEVMON.EXE

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\Documents and Settings\John\Desktop\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://news.bbc.co.uk/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110511180828.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [AdobeBridge]

uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"

uRun: [Google Update] "c:\documents and settings\john\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [sBEVMON.EXE] c:\progra~1\safebo~1\SBEVMON.EXE -WinLogon

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [setDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe

mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~2\server\bin\VERSIO~2.EXE

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager\TurbineDownloadManagerIcon.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205988890984

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205989320312

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://connect.wa.gov/dana-cached/sc/JuniperSetupClient.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: {3A21731A-5BC9-427F-A29F-97AF9DD2C4B3} = 192.168.1.1

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\1tq31uhb.default\

FF - prefs.js: browser.search.selectedEngine - Search

FF - prefs.js: browser.startup.homepage - hxxp://www.good.is/

FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q=

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

---- FIREFOX POLICIES ----

.

FF - user.js: browser.search.selectedEngine - Search

FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q=

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-22 387480]

R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\sbalg01.sys [2002-2-8 7504]

R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\sbalg12.sys [2002-2-8 44688]

R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2003-6-3 35988]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-8 84200]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-1-13 47640]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-8 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-8 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-8 141792]

R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [2009-3-24 5365]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-8 56064]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-22 153280]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-22 52320]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-8 314088]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736]

S2 Akamai;Akamai;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-8 84488]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-22 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-22 40552]

S3 REVO51;REVO51;c:\windows\system32\drivers\revo51.sys --> c:\windows\system32\drivers\revo51.sys [?]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2011-04-26 05:19:25 -------- d-----w- c:\program files\Auslogics

2011-04-26 05:10:41 69632 ----a-w- c:\windows\system32\CrcCtrl.ocx

.

==================== Find3M ====================

.

2011-04-14 21:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-04-14 21:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-04-14 21:01:38 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-04-14 21:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-04-14 21:01:38 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-04-14 21:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-04-14 21:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-04-14 21:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-04-14 21:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-04-14 21:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-03-04 19:44:14 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys

2011-03-04 19:44:14 133616 ------w- c:\windows\system32\PxAFS.DLL

2011-03-04 19:44:12 126448 ------w- c:\windows\system32\pxinsi64.exe

2011-03-04 19:44:12 123888 ------w- c:\windows\system32\pxcpyi64.exe

1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL

1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL

1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL

1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL

1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL

1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

.

============= FINISH: 19:48:08.65 ===============

Hi and welcome to Malwarebytes.

Please download Unhide.exe by Grinler and save it to your Desktop.

Run it, then restart your computer.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.

Link to post
Share on other sites

As a followup to the above:

My program folders in the start menu are visable, but most -- but not all -- are empty (i.e. no programs shortcuts are available).

When using Google, links to Malwarebytes.org are hijacked and sent to the "StopZilla" website.

Ran Mbam again and it found Rogue.WindowsRecoveryConsole in my system restore but once cleaned it now cannot find anything wrong. I also ran SpyBot Search and Destroy it found 2 Fraud.SystemRecovery keys in my registery that Mbab did not.

Now SearchBot, Mbab and Mcafee all say everything is clean. But the link hijacking is still ongoing (no proxies are listed in connection settings)and the program menu is still empty of most shortcuts.

LOGS:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6645

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

5/22/2011 9:22:40 PM

mbam-log-2011-05-22 (21-22-40).txt

Scan type: Full scan (C:\|H:\|)

Objects scanned: 562087

Time elapsed: 2 hour(s), 49 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\system volume information\_restore{610fe075-ddae-42ac-b5bf-7da883f061f2}\RP809\A0070752.exe (Rogue.WindowsRecoveryConsole) -> Quarantined and deleted successfully.

c:\system volume information\_restore{610fe075-ddae-42ac-b5bf-7da883f061f2}\RP810\A0071807.exe (Rogue.WindowsRecoveryConsole) -> Quarantined and deleted successfully.

c:\system volume information\_restore{610fe075-ddae-42ac-b5bf-7da883f061f2}\RP810\A0073806.exe (Rogue.WindowsRecoveryConsole) -> Quarantined and deleted successfully.

==== DDS =====

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Run by John at 7:13:13 on 2011-05-23

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2441 [GMT -7:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\nHancer\nHancerService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\SAFEBO~1\SBEVMON.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Documents and Settings\John\Desktop\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://news.bbc.co.uk/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110511180828.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [AdobeBridge]

uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"

uRun: [Google Update] "c:\documents and settings\john\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [sBEVMON.EXE] c:\progra~1\safebo~1\SBEVMON.EXE -WinLogon

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [setDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe

mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~2\server\bin\VERSIO~2.EXE

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager\TurbineDownloadManagerIcon.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205988890984

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205989320312

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://connect.wa.gov/dana-cached/sc/JuniperSetupClient.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: {3A21731A-5BC9-427F-A29F-97AF9DD2C4B3} = 192.168.1.1

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\1tq31uhb.default\

FF - prefs.js: browser.search.selectedEngine - Search

FF - prefs.js: browser.startup.homepage - hxxp://www.good.is/

FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q=

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

---- FIREFOX POLICIES ----

.

FF - user.js: browser.search.selectedEngine - Search

FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q=

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-22 387480]

R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\sbalg01.sys [2002-2-8 7504]

R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\sbalg12.sys [2002-2-8 44688]

R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2003-6-3 35988]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-8 84200]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-1-13 47640]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-8 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-8 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-8 141792]

R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [2009-3-24 5365]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-8 56064]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-22 153280]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-22 52320]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-8 314088]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736]

S2 Akamai;Akamai;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-8 84488]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-22 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-22 40552]

S3 REVO51;REVO51;c:\windows\system32\drivers\revo51.sys --> c:\windows\system32\drivers\revo51.sys [?]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2011-04-26 05:19:25 -------- d-----w- c:\program files\Auslogics

2011-04-26 05:10:41 69632 ----a-w- c:\windows\system32\CrcCtrl.ocx

.

==================== Find3M ====================

.

2011-04-14 21:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-04-14 21:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-04-14 21:01:38 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-04-14 21:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-04-14 21:01:38 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-04-14 21:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-04-14 21:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-04-14 21:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-04-14 21:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-04-14 21:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-03-04 19:44:14 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys

2011-03-04 19:44:14 133616 ------w- c:\windows\system32\PxAFS.DLL

2011-03-04 19:44:12 126448 ------w- c:\windows\system32\pxinsi64.exe

2011-03-04 19:44:12 123888 ------w- c:\windows\system32\pxcpyi64.exe

1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL

1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL

1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL

1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL

1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL

1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

.

============= FINISH: 7:14:28.23 ===============

Link to post
Share on other sites

Also, just now see that there are two instances of iexplore.exe running when I do not have Internet Explorer open. If I launch IE then instead of one more IE process, I get two (for a total of four processes). Something is definitely wrong.

Link to post
Share on other sites

Thanks for the help Screen.

Ran combofix. It found a rootkit and some more. Now my start folder is populated again with programs. The only noticeable problem is that Internet Explorer won't connect to any websites. Firefox and Chrome are good. No link hijacking. I am a bit worried, however, when using Chrome or Internet Explorer, two processes start even if only one tab or window is started.

Here are the ComboFix and DDS Logs:

===== COMBOFIX =====

ComboFix 11-05-23.02 - John 05/24/2011 22:19:47.4.4 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2735 [GMT -7:00]

Running from: c:\documents and settings\John\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Resident AV is active

.

.

ADS - WINDOWS: deleted 8 bytes in 1 streams.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\John\GoToAssistDownloadHelper.exe

c:\documents and settings\John\WINDOWS

c:\program files\Internet Explorer\xxiexplore.__exe

c:\program files\Internet Explorer\xxxiexplore.__exe

c:\windows\system32\regobj.dll

.

Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((( Files Created from 2011-04-25 to 2011-05-25 )))))))))))))))))))))))))))))))

.

.

2011-05-06 04:16 . 2011-05-06 04:16 -------- d-sh--w- c:\documents and settings\Aloma\PrivacIE

2011-04-26 05:19 . 2011-04-26 05:19 -------- d-----w- c:\program files\Auslogics

2011-04-26 05:10 . 2000-01-19 06:45 69632 ----a-w- c:\windows\system32\CrcCtrl.ocx

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-06 04:14 . 2008-06-18 13:09 1324 ----a-w- c:\documents and settings\Aloma\Local Settings\Application Data\d3d9caps.tmp

2011-04-14 21:01 . 2010-05-08 23:43 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-04-14 21:01 . 2010-05-08 23:43 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-04-14 21:01 . 2010-05-08 23:43 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-04-14 21:01 . 2010-05-08 23:43 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-04-14 21:01 . 2010-05-08 23:43 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-04-14 21:01 . 2010-05-08 23:43 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-04-14 21:01 . 2010-05-08 23:43 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-04-14 21:01 . 2008-03-22 18:00 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-04-14 21:01 . 2008-03-22 18:00 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-04-14 21:01 . 2008-03-22 18:00 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-03-04 19:44 . 2006-09-15 00:13 133616 ------w- c:\windows\system32\PxAFS.DLL

2011-03-04 19:44 . 2006-07-24 11:00 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys

2011-03-04 19:44 . 2008-03-27 03:40 126448 ------w- c:\windows\system32\pxinsi64.exe

2011-03-04 19:44 . 2008-03-27 03:40 123888 ------w- c:\windows\system32\pxcpyi64.exe

1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL

1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL

1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL

2010-10-13 00:33 . 2010-10-13 00:33 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll

2010-10-13 02:15 . 2010-10-13 02:15 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2010-10-13 00:37 . 2010-10-13 00:37 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2010-10-13 00:35 . 2010-10-13 00:35 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2010-10-13 00:34 . 2010-10-13 00:34 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2010-10-13 00:32 . 2010-10-13 00:32 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2010-10-13 00:35 . 2010-10-13 00:35 31672 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2010-10-13 00:34 . 2010-10-13 00:34 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2010-07-14 20:42 . 2010-07-14 20:42 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2010-10-13 00:37 . 2010-10-13 00:37 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

2011-04-14 21:01 . 2010-05-08 23:43 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-20 68856]

"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-12 1961984]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]

"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]

"SBEVMON.EXE"="c:\progra~1\SAFEBO~1\SBEVMON.EXE" [2003-06-04 176128]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 55824]

"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]

"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-11-18 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-09-23 38840]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-02-22 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-02-22 13670504]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1195408]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]

"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-13 304568]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-08-06 231888]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-3-21 113664]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-3-25 789008]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-3-28 815104]

Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-01-09 19:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2010-12-08 21:11 87424 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\NewsBin\\nbpro.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=

"c:\\Program Files\\EA GAMES\\MOHAANetDemo\\MOHAANetDemo.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9420:TCP"= 9420:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

"4151:TCP"= 4151:TCP:Akamai NetSession Interface

"4158:TCP"= 4158:TCP:Akamai NetSession Interface

"1279:TCP"= 1279:TCP:Akamai NetSession Interface

"1464:TCP"= 1464:TCP:Akamai NetSession Interface

"1472:TCP"= 1472:TCP:Akamai NetSession Interface

"3257:TCP"= 3257:TCP:Akamai NetSession Interface

"3162:TCP"= 3162:TCP:Akamai NetSession Interface

"3176:TCP"= 3176:TCP:Akamai NetSession Interface

"4273:TCP"= 4273:TCP:Akamai NetSession Interface

"4316:TCP"= 4316:TCP:Akamai NetSession Interface

"2656:TCP"= 2656:TCP:Akamai NetSession Interface

"2678:TCP"= 2678:TCP:Akamai NetSession Interface

"2691:TCP"= 2691:TCP:Akamai NetSession Interface

"2934:TCP"= 2934:TCP:Akamai NetSession Interface

"1426:TCP"= 1426:TCP:Akamai NetSession Interface

"3182:TCP"= 3182:TCP:Akamai NetSession Interface

"1294:TCP"= 1294:TCP:Akamai NetSession Interface

"1628:TCP"= 1628:TCP:Akamai NetSession Interface

"1109:TCP"= 1109:TCP:Akamai NetSession Interface

"1150:TCP"= 1150:TCP:Akamai NetSession Interface

"1554:TCP"= 1554:TCP:Akamai NetSession Interface

"1782:TCP"= 1782:TCP:Akamai NetSession Interface

"1791:TCP"= 1791:TCP:Akamai NetSession Interface

"1989:TCP"= 1989:TCP:Akamai NetSession Interface

"2248:TCP"= 2248:TCP:Akamai NetSession Interface

"1110:TCP"= 1110:TCP:Akamai NetSession Interface

"2260:TCP"= 2260:TCP:Akamai NetSession Interface

"2981:TCP"= 2981:TCP:Akamai NetSession Interface

"3169:TCP"= 3169:TCP:Akamai NetSession Interface

"1048:TCP"= 1048:TCP:Akamai NetSession Interface

"4100:TCP"= 4100:TCP:Akamai NetSession Interface

"2817:TCP"= 2817:TCP:Akamai NetSession Interface

"1719:TCP"= 1719:TCP:Akamai NetSession Interface

"2081:TCP"= 2081:TCP:Akamai NetSession Interface

"1705:TCP"= 1705:TCP:Akamai NetSession Interface

"2919:TCP"= 2919:TCP:Akamai NetSession Interface

"2176:TCP"= 2176:TCP:Akamai NetSession Interface

"2448:TCP"= 2448:TCP:Akamai NetSession Interface

"4670:TCP"= 4670:TCP:Akamai NetSession Interface

"2121:TCP"= 2121:TCP:Akamai NetSession Interface

"1720:TCP"= 1720:TCP:Akamai NetSession Interface

"1094:TCP"= 1094:TCP:Akamai NetSession Interface

"2278:TCP"= 2278:TCP:Akamai NetSession Interface

"1051:TCP"= 1051:TCP:Akamai NetSession Interface

"4283:TCP"= 4283:TCP:Akamai NetSession Interface

"4677:TCP"= 4677:TCP:Akamai NetSession Interface

"1663:TCP"= 1663:TCP:Akamai NetSession Interface

"1437:TCP"= 1437:TCP:Akamai NetSession Interface

"4509:TCP"= 4509:TCP:Akamai NetSession Interface

"1471:TCP"= 1471:TCP:Akamai NetSession Interface

"1030:TCP"= 1030:TCP:Akamai NetSession Interface

"4614:TCP"= 4614:TCP:Akamai NetSession Interface

"1105:TCP"= 1105:TCP:Akamai NetSession Interface

"2590:TCP"= 2590:TCP:Akamai NetSession Interface

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

.

R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\sbalg01.sys [2/8/2002 6:00 PM 7504]

R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\sbalg12.sys [2/8/2002 6:00 PM 44688]

R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [6/3/2003 6:00 PM 35988]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/3/2010 10:47 PM 691696]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [7/14/2010 1:51 PM 65584]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/8/2010 4:43 PM 84200]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 2:11 PM 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 4:40 PM 12856]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/8/2010 4:43 PM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/8/2010 4:43 PM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/8/2010 4:43 PM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/8/2010 4:43 PM 141792]

R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [3/24/2009 10:13 AM 5365]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/8/2010 4:43 PM 56064]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/8/2010 4:43 PM 314088]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/8/2010 4:43 PM 88736]

S2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 3:00 AM 14336]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 11:26 PM 135664]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 11:26 PM 135664]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/8/2010 4:43 PM 88736]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/8/2010 4:43 PM 84488]

S3 REVO51;REVO51;c:\windows\system32\DRIVERS\revo51.sys --> c:\windows\system32\DRIVERS\revo51.sys [?]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:26]

.

2011-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:26]

.

2011-05-24 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-03-20 23:31]

.

2011-05-24 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-03-20 23:31]

.

2011-05-24 c:\windows\Tasks\SyncBack Broadcast music archive.job

- c:\program files\SyncBack\SyncBack.exe [2008-05-19 19:07]

.

2011-05-23 c:\windows\Tasks\SyncBack Critical Data Backup.job

- c:\program files\SyncBack\SyncBack.exe [2008-05-19 19:07]

.

2011-05-18 c:\windows\Tasks\SyncBack Not for broadcast music archive.job

- c:\program files\SyncBack\SyncBack.exe [2008-05-19 19:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://news.bbc.co.uk/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

TCP: {3A21731A-5BC9-427F-A29F-97AF9DD2C4B3} = 192.168.1.1

FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\1tq31uhb.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.good.is/

FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q=

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{71FE276A-28E3-442B-A524-B3D6530FBD78} - (no file)

HKCU-Run-AdobeBridge - (no file)

HKLM-Run-nwiz - nwiz.exe

HKLM-Run-Turbine Download Manager Tray Icon - c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe

AddRemove-AOL Emergency Connect Utility 1.0 - c:\program files\Common Files\AOL\ECU\uninst.exe

AddRemove-Fund Manager - i:\fund manager\modsetup.exe

AddRemove-GoldWave v5.23 - c:\program files\GoldWave\unstall.exe

AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-24 22:31

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1644491937-1123561945-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FE919A6D-3E2F-4CD5-B309-A4A687CA5BE9}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iajfhfgolmkkhiplil"=hex:6a,61,6b,69,6a,65,63,70,6e,69,62,66,69,65,6c,69,66,6e,

68,6c,00,f2

"hadgnmddlcclbehe"=hex:6a,61,68,6a,65,64,70,67,6a,61,62,70,68,6e,64,68,6e,61,

65,6b,00,f2

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1200)

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\windows\system32\LMIinit.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

c:\windows\system32\LMIRfsClientNP.dll

.

Completion time: 2011-05-24 22:33:27

ComboFix-quarantined-files.txt 2011-05-25 05:33

ComboFix2.txt 2009-03-27 02:15

ComboFix3.txt 2009-03-27 01:55

ComboFix4.txt 2009-03-27 01:49

.

Pre-Run: 360,341,880,832 bytes free

Post-Run: 361,621,204,992 bytes free

.

- - End Of File - - 016769F27937857081DB21310272DCF4

===== DDS =====

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Run by John at 23:12:45 on 2011-05-24

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2761 [GMT -7:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\nHancer\nHancerService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\John\Desktop\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://news.bbc.co.uk/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110511180828.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [sBEVMON.EXE] c:\progra~1\safebo~1\SBEVMON.EXE -WinLogon

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [setDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe

mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~2\server\bin\VERSIO~2.EXE

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205988890984

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205989320312

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://connect.wa.gov/dana-cached/sc/JuniperSetupClient.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: {3A21731A-5BC9-427F-A29F-97AF9DD2C4B3} = 192.168.1.1

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\1tq31uhb.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.good.is/

FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q=

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

---- FIREFOX POLICIES ----

FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q=

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-22 387480]

R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\sbalg01.sys [2002-2-8 7504]

R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\sbalg12.sys [2002-2-8 44688]

R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2003-6-3 35988]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-8 84200]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-1-13 47640]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-8 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-8 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-8 141792]

R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [2009-3-24 5365]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-8 56064]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-22 153280]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-8 314088]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736]

S2 Akamai;Akamai;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-22 52320]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-8 84488]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-22 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-22 40552]

S3 REVO51;REVO51;c:\windows\system32\drivers\revo51.sys --> c:\windows\system32\drivers\revo51.sys [?]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2011-05-25 05:14:04 89088 ----a-w- c:\windows\MBR.exe

2011-05-25 05:14:01 256512 ----a-w- c:\windows\PEV.exe

2011-04-26 05:19:25 -------- d-----w- c:\program files\Auslogics

2011-04-26 05:10:41 69632 ----a-w- c:\windows\system32\CrcCtrl.ocx

.

==================== Find3M ====================

.

2011-04-14 21:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-04-14 21:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-04-14 21:01:38 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-04-14 21:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-04-14 21:01:38 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-04-14 21:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-04-14 21:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-04-14 21:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-04-14 21:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-04-14 21:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-03-04 19:44:14 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys

2011-03-04 19:44:14 133616 ------w- c:\windows\system32\PxAFS.DLL

2011-03-04 19:44:12 126448 ------w- c:\windows\system32\pxinsi64.exe

2011-03-04 19:44:12 123888 ------w- c:\windows\system32\pxcpyi64.exe

1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL

1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL

1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL

1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL

1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL

1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

.

============= FINISH: 23:13:08.98 ===============

Link to post
Share on other sites

  • Staff

Hi,

when using Chrome or Internet Explorer, two processes start even if only one tab or window is started.
This is normal.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

Hi Screen - Internet Explorer isn't working yet, so I can't use the scan. Any tips on how to get IE working again?

Thanks

Thanks for the help Screen.

Ran combofix. It found a rootkit and some more. Now my start folder is populated again with programs. The only noticeable problem is that Internet Explorer won't connect to any websites. Firefox and Chrome are good. No link hijacking. I am a bit worried, however, when using Chrome or Internet Explorer, two processes start even if only one tab or window is started.

Here are the ComboFix and DDS Logs:

===== COMBOFIX =====

ComboFix 11-05-23.02 - John 05/24/2011 22:19:47.4.4 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2735 [GMT -7:00]

Running from: c:\documents and settings\John\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Resident AV is active

.

.

ADS - WINDOWS: deleted 8 bytes in 1 streams.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\John\GoToAssistDownloadHelper.exe

c:\documents and settings\John\WINDOWS

c:\program files\Internet Explorer\xxiexplore.__exe

c:\program files\Internet Explorer\xxxiexplore.__exe

c:\windows\system32\regobj.dll

.

Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((( Files Created from 2011-04-25 to 2011-05-25 )))))))))))))))))))))))))))))))

.

.

2011-05-06 04:16 . 2011-05-06 04:16 -------- d-sh--w- c:\documents and settings\Aloma\PrivacIE

2011-04-26 05:19 . 2011-04-26 05:19 -------- d-----w- c:\program files\Auslogics

2011-04-26 05:10 . 2000-01-19 06:45 69632 ----a-w- c:\windows\system32\CrcCtrl.ocx

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-06 04:14 . 2008-06-18 13:09 1324 ----a-w- c:\documents and settings\Aloma\Local Settings\Application Data\d3d9caps.tmp

2011-04-14 21:01 . 2010-05-08 23:43 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-04-14 21:01 . 2010-05-08 23:43 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-04-14 21:01 . 2010-05-08 23:43 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-04-14 21:01 . 2010-05-08 23:43 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-04-14 21:01 . 2010-05-08 23:43 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-04-14 21:01 . 2010-05-08 23:43 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-04-14 21:01 . 2010-05-08 23:43 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-04-14 21:01 . 2008-03-22 18:00 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-04-14 21:01 . 2008-03-22 18:00 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-04-14 21:01 . 2008-03-22 18:00 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-03-04 19:44 . 2006-09-15 00:13 133616 ------w- c:\windows\system32\PxAFS.DLL

2011-03-04 19:44 . 2006-07-24 11:00 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys

2011-03-04 19:44 . 2008-03-27 03:40 126448 ------w- c:\windows\system32\pxinsi64.exe

2011-03-04 19:44 . 2008-03-27 03:40 123888 ------w- c:\windows\system32\pxcpyi64.exe

1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL

1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL

1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL

1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL

2010-10-13 00:33 . 2010-10-13 00:33 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll

2010-10-13 02:15 . 2010-10-13 02:15 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2010-10-13 00:37 . 2010-10-13 00:37 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2010-10-13 00:35 . 2010-10-13 00:35 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2010-10-13 00:34 . 2010-10-13 00:34 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2010-10-13 00:32 . 2010-10-13 00:32 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2010-10-13 00:35 . 2010-10-13 00:35 31672 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2010-10-13 00:34 . 2010-10-13 00:34 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2010-07-14 20:42 . 2010-07-14 20:42 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2010-10-13 00:37 . 2010-10-13 00:37 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

2011-04-14 21:01 . 2010-05-08 23:43 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-20 68856]

"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-12 1961984]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]

"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]

"SBEVMON.EXE"="c:\progra~1\SAFEBO~1\SBEVMON.EXE" [2003-06-04 176128]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 55824]

"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]

"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-11-18 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-09-23 38840]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-02-22 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-02-22 13670504]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1195408]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]

"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-13 304568]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-08-06 231888]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-3-21 113664]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-3-25 789008]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-3-28 815104]

Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-01-09 19:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2010-12-08 21:11 87424 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\NewsBin\\nbpro.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=

"c:\\Program Files\\EA GAMES\\MOHAANetDemo\\MOHAANetDemo.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9420:TCP"= 9420:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

"4151:TCP"= 4151:TCP:Akamai NetSession Interface

"4158:TCP"= 4158:TCP:Akamai NetSession Interface

"1279:TCP"= 1279:TCP:Akamai NetSession Interface

"1464:TCP"= 1464:TCP:Akamai NetSession Interface

"1472:TCP"= 1472:TCP:Akamai NetSession Interface

"3257:TCP"= 3257:TCP:Akamai NetSession Interface

"3162:TCP"= 3162:TCP:Akamai NetSession Interface

"3176:TCP"= 3176:TCP:Akamai NetSession Interface

"4273:TCP"= 4273:TCP:Akamai NetSession Interface

"4316:TCP"= 4316:TCP:Akamai NetSession Interface

"2656:TCP"= 2656:TCP:Akamai NetSession Interface

"2678:TCP"= 2678:TCP:Akamai NetSession Interface

"2691:TCP"= 2691:TCP:Akamai NetSession Interface

"2934:TCP"= 2934:TCP:Akamai NetSession Interface

"1426:TCP"= 1426:TCP:Akamai NetSession Interface

"3182:TCP"= 3182:TCP:Akamai NetSession Interface

"1294:TCP"= 1294:TCP:Akamai NetSession Interface

"1628:TCP"= 1628:TCP:Akamai NetSession Interface

"1109:TCP"= 1109:TCP:Akamai NetSession Interface

"1150:TCP"= 1150:TCP:Akamai NetSession Interface

"1554:TCP"= 1554:TCP:Akamai NetSession Interface

"1782:TCP"= 1782:TCP:Akamai NetSession Interface

"1791:TCP"= 1791:TCP:Akamai NetSession Interface

"1989:TCP"= 1989:TCP:Akamai NetSession Interface

"2248:TCP"= 2248:TCP:Akamai NetSession Interface

"1110:TCP"= 1110:TCP:Akamai NetSession Interface

"2260:TCP"= 2260:TCP:Akamai NetSession Interface

"2981:TCP"= 2981:TCP:Akamai NetSession Interface

"3169:TCP"= 3169:TCP:Akamai NetSession Interface

"1048:TCP"= 1048:TCP:Akamai NetSession Interface

"4100:TCP"= 4100:TCP:Akamai NetSession Interface

"2817:TCP"= 2817:TCP:Akamai NetSession Interface

"1719:TCP"= 1719:TCP:Akamai NetSession Interface

"2081:TCP"= 2081:TCP:Akamai NetSession Interface

"1705:TCP"= 1705:TCP:Akamai NetSession Interface

"2919:TCP"= 2919:TCP:Akamai NetSession Interface

"2176:TCP"= 2176:TCP:Akamai NetSession Interface

"2448:TCP"= 2448:TCP:Akamai NetSession Interface

"4670:TCP"= 4670:TCP:Akamai NetSession Interface

"2121:TCP"= 2121:TCP:Akamai NetSession Interface

"1720:TCP"= 1720:TCP:Akamai NetSession Interface

"1094:TCP"= 1094:TCP:Akamai NetSession Interface

"2278:TCP"= 2278:TCP:Akamai NetSession Interface

"1051:TCP"= 1051:TCP:Akamai NetSession Interface

"4283:TCP"= 4283:TCP:Akamai NetSession Interface

"4677:TCP"= 4677:TCP:Akamai NetSession Interface

"1663:TCP"= 1663:TCP:Akamai NetSession Interface

"1437:TCP"= 1437:TCP:Akamai NetSession Interface

"4509:TCP"= 4509:TCP:Akamai NetSession Interface

"1471:TCP"= 1471:TCP:Akamai NetSession Interface

"1030:TCP"= 1030:TCP:Akamai NetSession Interface

"4614:TCP"= 4614:TCP:Akamai NetSession Interface

"1105:TCP"= 1105:TCP:Akamai NetSession Interface

"2590:TCP"= 2590:TCP:Akamai NetSession Interface

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

.

R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\sbalg01.sys [2/8/2002 6:00 PM 7504]

R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\sbalg12.sys [2/8/2002 6:00 PM 44688]

R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [6/3/2003 6:00 PM 35988]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/3/2010 10:47 PM 691696]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [7/14/2010 1:51 PM 65584]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/8/2010 4:43 PM 84200]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 2:11 PM 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 4:40 PM 12856]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/8/2010 4:43 PM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/8/2010 4:43 PM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/8/2010 4:43 PM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/8/2010 4:43 PM 141792]

R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [3/24/2009 10:13 AM 5365]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/8/2010 4:43 PM 56064]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/8/2010 4:43 PM 314088]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/8/2010 4:43 PM 88736]

S2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 3:00 AM 14336]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 11:26 PM 135664]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 11:26 PM 135664]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/8/2010 4:43 PM 88736]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/8/2010 4:43 PM 84488]

S3 REVO51;REVO51;c:\windows\system32\DRIVERS\revo51.sys --> c:\windows\system32\DRIVERS\revo51.sys [?]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:26]

.

2011-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:26]

.

2011-05-24 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-03-20 23:31]

.

2011-05-24 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-03-20 23:31]

.

2011-05-24 c:\windows\Tasks\SyncBack Broadcast music archive.job

- c:\program files\SyncBack\SyncBack.exe [2008-05-19 19:07]

.

2011-05-23 c:\windows\Tasks\SyncBack Critical Data Backup.job

- c:\program files\SyncBack\SyncBack.exe [2008-05-19 19:07]

.

2011-05-18 c:\windows\Tasks\SyncBack Not for broadcast music archive.job

- c:\program files\SyncBack\SyncBack.exe [2008-05-19 19:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://news.bbc.co.uk/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

TCP: {3A21731A-5BC9-427F-A29F-97AF9DD2C4B3} = 192.168.1.1

FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\1tq31uhb.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.good.is/

FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q=

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{71FE276A-28E3-442B-A524-B3D6530FBD78} - (no file)

HKCU-Run-AdobeBridge - (no file)

HKLM-Run-nwiz - nwiz.exe

HKLM-Run-Turbine Download Manager Tray Icon - c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe

AddRemove-AOL Emergency Connect Utility 1.0 - c:\program files\Common Files\AOL\ECU\uninst.exe

AddRemove-Fund Manager - i:\fund manager\modsetup.exe

AddRemove-GoldWave v5.23 - c:\program files\GoldWave\unstall.exe

AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-24 22:31

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1644491937-1123561945-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FE919A6D-3E2F-4CD5-B309-A4A687CA5BE9}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iajfhfgolmkkhiplil"=hex:6a,61,6b,69,6a,65,63,70,6e,69,62,66,69,65,6c,69,66,6e,

68,6c,00,f2

"hadgnmddlcclbehe"=hex:6a,61,68,6a,65,64,70,67,6a,61,62,70,68,6e,64,68,6e,61,

65,6b,00,f2

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1200)

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\windows\system32\LMIinit.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

c:\windows\system32\LMIRfsClientNP.dll

.

Completion time: 2011-05-24 22:33:27

ComboFix-quarantined-files.txt 2011-05-25 05:33

ComboFix2.txt 2009-03-27 02:15

ComboFix3.txt 2009-03-27 01:55

ComboFix4.txt 2009-03-27 01:49

.

Pre-Run: 360,341,880,832 bytes free

Post-Run: 361,621,204,992 bytes free

.

- - End Of File - - 016769F27937857081DB21310272DCF4

===== DDS =====

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Run by John at 23:12:45 on 2011-05-24

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2761 [GMT -7:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\nHancer\nHancerService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\John\Desktop\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://news.bbc.co.uk/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110511180828.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [sBEVMON.EXE] c:\progra~1\safebo~1\SBEVMON.EXE -WinLogon

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [setDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe

mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~2\server\bin\VERSIO~2.EXE

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205988890984

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205989320312

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://connect.wa.gov/dana-cached/sc/JuniperSetupClient.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: {3A21731A-5BC9-427F-A29F-97AF9DD2C4B3} = 192.168.1.1

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\1tq31uhb.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.good.is/

FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q=

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

---- FIREFOX POLICIES ----

FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q=

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-22 387480]

R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\sbalg01.sys [2002-2-8 7504]

R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\sbalg12.sys [2002-2-8 44688]

R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2003-6-3 35988]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-8 84200]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-1-13 47640]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-8 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-8 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-8 141792]

R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [2009-3-24 5365]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-8 56064]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-22 153280]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-8 314088]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736]

S2 Akamai;Akamai;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-22 52320]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-8 84488]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-22 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-22 40552]

S3 REVO51;REVO51;c:\windows\system32\drivers\revo51.sys --> c:\windows\system32\drivers\revo51.sys [?]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2011-05-25 05:14:04 89088 ----a-w- c:\windows\MBR.exe

2011-05-25 05:14:01 256512 ----a-w- c:\windows\PEV.exe

2011-04-26 05:19:25 -------- d-----w- c:\program files\Auslogics

2011-04-26 05:10:41 69632 ----a-w- c:\windows\system32\CrcCtrl.ocx

.

==================== Find3M ====================

.

2011-04-14 21:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-04-14 21:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-04-14 21:01:38 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-04-14 21:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-04-14 21:01:38 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-04-14 21:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-04-14 21:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-04-14 21:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-04-14 21:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-04-14 21:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-03-04 19:44:14 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys

2011-03-04 19:44:14 133616 ------w- c:\windows\system32\PxAFS.DLL

2011-03-04 19:44:12 126448 ------w- c:\windows\system32\pxinsi64.exe

2011-03-04 19:44:12 123888 ------w- c:\windows\system32\pxcpyi64.exe

1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL

1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL

1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL

1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL

1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL

1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

.

============= FINISH: 23:13:08.98 ===============

Link to post
Share on other sites

Hi Screen,

Thanks again for all the help. I got the ESET scanner to work in Firefox. I've included the two logs below:

===== ESET =====

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=336445a3f900aa4b8c1dcd92b955adb8

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-05-26 10:41:38

# local_time=2011-05-26 03:41:38 (-0800, Pacific Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 68515933 68515933 0 0

# compatibility_mode=5121 16777189 100 75 359039 35586577 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=422244

# found=6

# cleaned=6

# scan_time=6460

C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\6.0\0\6685d300-57d33cc4 Java/Exploit.CVE-2010-4452.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{610FE075-DDAE-42AC-B5BF-7DA883F061F2}\RP815\A0074664.exe a variant of Win32/Keygen.AD application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\123.js JS/TrojanDownloader.Agent.NWG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\Download\BS226.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

D:\My Music\programs\BS226.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

===== Checkup.Txt =====

Results of screen317's Security Check version 0.99.12

Windows XP Service Pack 2

Out of date service pack!!

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

McAfee AntiVirus Plus

McAfee Virtual Technician

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 18

Java 6 Update 5

Java 6 Update 7

Out of date Java installed!

Flash Player Out of Date!

Adobe Flash Player 10.0.32.18

Mozilla Firefox (3.6.17) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````

Hi,

This is normal.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

HijackThis 2.0.2

Java

Link to post
Share on other sites

Hi Screen,

I've done everything below including upgrading to Service Pack 3. IE will still not connect to anything.

Anything else you can think of?

Thanks!

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

HijackThis 2.0.2

Java

Link to post
Share on other sites

Hi Chris,

No joy - still not working. Sometimes when I type a URL directly into the address bar, instead of a connection error, I get a bad address error and the URL I typed is replaced by "http:///" (three slashes). Not sure if that is much of a clue. When the connection error appears, IE brings up the internet connection diagnostic. When performed, the diagnostic has no connectivity problems.

Thanks!

In Internet Explorer, click:

Tools --> Internet Options --> restore Advanced Settings and Reset Internet Explorer settings.

Restart your computer and see if you can connect now.

Link to post
Share on other sites

Hi Chris,

I found out that I cannot uninstall IE8 after installing Service Pack 3. I have to uninstall SP3 and then uninstall IE.... is that safe? I tried reinstalling IE8 over the existing version but it made no difference.

Thanks.

Hi Chris,

No joy - still not working. Sometimes when I type a URL directly into the address bar, instead of a connection error, I get a bad address error and the URL I typed is replaced by "http:///" (three slashes). Not sure if that is much of a clue. When the connection error appears, IE brings up the internet connection diagnostic. When performed, the diagnostic has no connectivity problems.

Thanks!

Link to post
Share on other sites

  • Staff

Hi,

I would like you to temporarily uninstall McAfee to troubleshoot.

After uninstalling, download the McAfee Removal Tool.

Double click on MCPR.exe to launch it, then Click Run. A window should appear and disappear, this is normal. A new window should popup and begin the uninstall. When prompted to reboot your computer type Y.

See if IE can connect now.

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.