
Trojan.BHO


cucm


Hi All,

It seems my PC is infected with this virus. Spybot and McAfee do not detect it, but every time I run Malwarebytes it detects it. It removes it, but bang, it comes back again. I tried deleting the entry manually without any luck :)

I have attached the log. Any help will be greatly appreciated.

Malwarebytes' Anti-Malware 1.31

Database version: 1594

Windows 5.1.2600 Service Pack 3

02/01/2009 09:31:22

mbam-log-2009-01-02 (09-31-22).txt

Scan type: Full Scan (C:\|)

Objects scanned: 37286

Time elapsed: 16 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

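The location flagged in the log above, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, is an Explorer autostart point: each value under it holds a CLSID, and explorer.exe instantiates that COM object when the shell starts, loading whatever DLL HKCR\CLSID\{...}\InprocServer32 names. The value itself is only a pointer; the DLL behind it is what matters, so the useful step is to resolve every CLSID to its server DLL and compare the list with a clean machine rather than just deleting the value. The script below is an added example, not code from this thread, from Malwarebytes or from ComboFix. It works offline on a v5 .reg export (as written by `reg export`) of the SSODL key and the CLSID registrations. Assumptions: %SystemRoot% is C:\WINDOWS, the four stock XP value names are the expected ones (confirm against a clean install), and the `ssodl` and `Shell Update` entries in the sample, with their CLSIDs and DLL name, are constructed to mimic the detection in the log.

```python
"""Resolve ShellServiceObjectDelayLoad (SSODL) values to the DLLs they load.
Added example, not from the thread.  Input: the text of a v5 .reg export (as written by
`reg export`) covering the SSODL key and the CLSID registrations of the suspect machine."""
import re
from typing import Dict, List, Optional, Tuple

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
# Machine-wide COM servers register here; HKEY_CLASSES_ROOT\CLSID is a merged view of the same data.
CLSID_ROOTS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID", r"HKEY_CLASSES_ROOT\CLSID")
# Value names under SSODL on a stock Windows XP install (assumption: confirm against a clean box).
XP_DEFAULT_SSODL = frozenset({"postbootreminder", "cdburn", "webcheck", "systray"})

def _unescape(s: str) -> str:
    return re.sub(r'\\(["\\])', r"\1", s)          # undo .reg quoting of backslashes and quotes

def decode_reg_data(raw: str):
    """Decode a value's right-hand side: "string" or hex(n):aa,bb,...; other forms are kept verbatim."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        return raw
    kind = int(m.group(1) or 3)                          # bare "hex:" is REG_BINARY (type 3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in (1, 2):                                   # REG_SZ / REG_EXPAND_SZ are UTF-16LE in a v5 export
        return data.decode("utf-16-le").rstrip("\x00")
    return data

def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: data}}; a key's default value is stored under ""."""
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)         # re-join hex data wrapped with a trailing backslash
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = decode_reg_data(m.group(2))
    return keys

def resolve_ssodl(keys: Dict[str, Dict[str, object]]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each SSODL value name to (CLSID, InprocServer32 path); the path is None if the CLSID is unregistered."""
    lowered = {k.lower(): v for k, v in keys.items()}    # registry paths are case-insensitive
    resolved = {}
    for name, clsid in lowered.get(SSODL_KEY.lower(), {}).items():
        server = None
        for root in CLSID_ROOTS:
            vals = lowered.get(f"{root}\\{clsid}\\InprocServer32".lower())
            if vals and isinstance(vals.get(""), str):
                server = vals[""]
                break
        resolved[name] = (str(clsid), server)
    return resolved

def triage_ssodl(resolved, allow=XP_DEFAULT_SSODL, systemroot="C:\\WINDOWS") -> List[Tuple[str, str]]:
    """Return (value_name, reasons) for entries a reviewer should look at; systemroot is an assumption."""
    findings = []
    for name, (clsid, dll) in resolved.items():
        reasons = []
        if dll is None:
            reasons.append(f"{clsid} has no InprocServer32 in the export (orphan or hidden registration)")
        else:
            expanded = re.sub(r"%systemroot%", lambda _: systemroot, dll, flags=re.I).lower()
            if not expanded.startswith(systemroot.lower() + "\\system32\\"):
                reasons.append(f"loads {dll} from outside system32")
        if name.lower() not in allow:                    # a random DLL planted in system32 still fails here
            reasons.append("not a stock XP SSODL value name")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings

# Constructed sample: one stock XP entry (CLSID as on a default install) plus two made-up entries
# modelled on the "ssodl" detection in the log above; their CLSIDs and DLL name are fictitious.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"ssodl"="{deadbeef-0000-4000-8000-000000000001}"
"Shell Update"="{deadbeef-0000-4000-8000-000000000002}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,74,00,6f,00,\
  62,00,6a,00,65,00,63,00,74,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{deadbeef-0000-4000-8000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\qwzxrtpl.dll"
'''

if __name__ == "__main__":
    for name, reasons in triage_ssodl(resolve_ssodl(parse_reg_export(SAMPLE_EXPORT))):
        print(f"REVIEW {name!r}: {reasons}")
```

Note what the sample shows: the constructed `ssodl` entry points at a DLL inside system32, so a path-only check passes it; it is caught only because the value name is not one of the stock entries. That is the pattern to expect from this family, which drops randomly named DLLs into system32 (compare the `_00xxxx_.tmp.dll` files ComboFix removed later in the thread), so the comparison against a known-clean list matters more than the directory check.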

Howdy there cucm

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

============================

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply along with the combofix log.


Hi there

I followed the instructions, but the PC showed me a blue screen while ComboFix was dumping the log. I am copying both files as requested. Your help is much appreciated.

1) Add-Remove Programs.txt-------------->

**********************************************************************

2007 Microsoft Office Suite Service Pack 1 (SP1)

3CDaemon

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)

Adobe Flash Player ActiveX

Adobe Flash Player Plugin

Adobe Reader 8.1.2

Adobe Reader 8.1.2 Security Update 1 (KB403742)

Adobe Shockwave Player 11

Apple Mobile Device Support

Apple Software Update

AutoUpdate

Belkin All-in-One Print Server

Boson Utilities\Calc

Boson Utilities\SubnetCalc

Broadcom Management Programs

ChmDecompiler v 3.40 Build 535

Cisco ASDM Launcher

Cisco CallManager Serviceability Real-Time Monitoring Tool

Cisco CRS Editor

Cisco IP Communicator

Cisco Systems VPN Client 5.0.01.0600

Cisco Unified Communications Manager Attendant Console

Collaboration Data Objects 1.2.1

Conexant HDA D110 MDC V.92 Modem

Corel Paint Shop Pro Photo XI

Corel Snapfire Plus

Creative Photo Manager

Creative WebCam Center

Creative WebCam Instant Driver (1.03.02.0425)

Creative WebCam Instant User's Guide (English)

Dell Driver Reset Tool

Dell Network Assistant

Dell Support 3.2.1

Dell System Restore

Dell Wireless WLAN Card

Desktop Publisher

Digital Line Detect

DivX Codec

DivX Content Uploader

DivX Converter

DivX Player

DivX Web Player

DIY DataRecovery iRecover 3

Dynagen 0.11.0

EPSON Printer Software

ERUNT 1.1j

Ethereal 0.99.0

Express Burn

Express Rip

FileOpen Plug-in for Adobe Acrobat


Hi there cucm

ComboFix found and deleted quite a few files; there is still a little more to do yet, though.

We need to disable your TeaTimer as it may interfere with the fixes that we need to make.

1) Run Spybot-S&D

2) Go to the Mode menu, and make sure "Advanced Mode" is selected

3) On the left hand side, choose Tools -> Resident

4) Uncheck "Resident TeaTimer" and OK any prompts

5) Restart your computer.

After all of the fixes are complete it is very important that you enable TeaTimer again, I will let you know when it is safe to do so.

Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As.

* Save it to your Desktop.

* Double-click ResetTeaTimer.zip

* Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer.

A Tutorial for Tea Timer can be found here -> http://russelltexas.com/malware/teatimer.htm

================================================

Once done..

  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open Notepad and copy/paste the text in the quotebox below into it:

    http://www.malwarebytes.org/forums/index.php?showtopic=9240
    Collect::
    C:\WINDOWS\system32\ltvoypej.exe
    Files::
    C:\WINDOWS\SwSys2.bmp
    C:\WINDOWS\SwSys1.bmp
    Folder::
    C:\26ef3f82c3a146be4dfd0de24c50ee
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "fesedanuka"=-
    "CPM1f702583"=-

    Save this as CFScript.txt, then drag CFScript.txt onto ComboFix.exe.

  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

=================================================

Next I want you to run a rootkit check

Download GMER Rootkit Scanner from here or here.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and add this to your next post as an attachment.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

=================================================

Now I want you to scan at Kaspersky Online; first, let's delete any unwanted system junk.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs

Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Please post back with:

The new combofix log

The GMER log

The Kaspersky scan log

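Reading the ComboFix log the helper asks for is mostly pattern-matching over its Reg Loading Points, Drivers/Services and Scheduled Tasks sections: Run values that give only a bare file name (ComboFix then prints the path it resolved to in the brackets, and a same-named file earlier in the search path would hijack it), anything launched from a Temp directory, Security Center notifications switched off, and services or tasks whose image file is gone (shown as an empty `[]`). The script below is an added example, not from the thread and not ComboFix's own code; the rule names and the list of Security Center values are mine, and the sample lines are excerpted from the ComboFix log posted later in this thread, with the sections concatenated.

```python
"""First-pass triage of a ComboFix log's autostart, service and scheduled-task lines.
Added example (not from the thread, not ComboFix's code): it encodes the patterns a helper
scans for by eye.  Rule names and the Security Center value list are the author's choices."""
import re
from typing import List, Tuple

# "name"="image" [date size]; when image is a bare name ComboFix prints the resolved path after the date
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"(?:\s*\[(?P<meta>[^\]]*)\])?\s*$')
SECCENTER = re.compile(r'^"(?P<name>\w+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
# R/S = running/stopped, digit = start type; an empty "[]" means the image file is gone
SERVICE = re.compile(r'^(?P<state>[RS])(?P<start>[0-4])\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<cmd>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$')
TASK_TARGET = re.compile(r'^-\s+(?P<cmd>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$')
TEMP_DIR = re.compile(r'\\(temp|local settings\\temp)\\', re.I)
START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
# Security Center values that silence or take over its alerting; legitimate AV suites set some of these too
SC_SUPPRESS = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify",
               "antivirusoverride", "firewalloverride", "disablemonitoring"}

def triage_line(line: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) hits for one log line; an empty list means nothing to review."""
    hits: List[Tuple[str, str]] = []
    line = line.rstrip()
    m = RUN_VALUE.match(line)
    if m:
        name, image, meta = m["name"], m["image"], m["meta"] or ""
        if "\\" not in image:                 # bare file name: resolved through the search path, hijackable
            resolved = meta.split(" ", 1)[1] if " " in meta else "(not shown)"
            hits.append(("run-bare-name", f"{name}: '{image}' resolved via search path to {resolved}"))
        if TEMP_DIR.search(image):
            hits.append(("run-from-temp", f"{name}: {image}"))
        if not meta:
            hits.append(("run-missing-file", f"{name}: {image}"))
        return hits
    m = SECCENTER.match(line)
    if m:
        if m["name"].lower() in SC_SUPPRESS and int(m["val"], 16) != 0:
            hits.append(("seccenter-suppressed", f"{m['name']}: confirm the installed suite set this, not the malware"))
        return hits
    m = SERVICE.match(line)
    if m:
        svc, cmd, meta = m["svc"], m["cmd"], m["meta"]
        how = f"{START_TYPE[m['start']]}, {'running' if m['state'] == 'R' else 'stopped'}"
        if not meta:
            hits.append(("service-missing-image", f"{svc} ({how}): {cmd}"))
        if TEMP_DIR.search(cmd):
            hits.append(("service-from-temp", f"{svc} ({how}): {cmd}"))
        return hits
    m = TASK_TARGET.match(line)
    if m and not m["meta"]:
        hits.append(("task-missing-target", m["cmd"]))
    return hits

def triage_log(text: str) -> List[Tuple[str, str]]:
    """Run triage_line over a whole log (or excerpt) and flatten the hits, in log order."""
    return [hit for line in text.splitlines() for hit in triage_line(line)]

# Lines excerpted from the ComboFix log posted later in this thread (sections concatenated).
SAMPLE_LOG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\DRIVERS\CdpPacket.sys [2008-01-24 35692]
S2 0085111230937697mcinstcleanup;McAfee Application Installer Cleanup (0085111230937697);c:\windows\TEMP\008511~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service []
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
2008-12-28 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
'''

if __name__ == "__main__":
    for rule, detail in triage_log(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

Hits are leads, not verdicts. In this thread the service under c:\windows\TEMP is named as McAfee's own installer cleanup, and the Security Center values may well have been set by the McAfee suite that also registers under Monitoring\McAfeeAntiVirus, which is exactly why the rule says to confirm rather than to delete. What the script saves is the scan for the handful of lines worth a second look in a log of several hundred.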

Good Morning,

Copying the log as suggested. Many thanks for the continued support.

ComboFix 09-01-01.02 - ati 2009-01-03 9:46:51.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1560 [GMT 0:00]

Running from: c:\documents and settings\ati\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\ati\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\26ef3f82c3a146be4dfd0de24c50ee

c:\26ef3f82c3a146be4dfd0de24c50ee\atl80.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\cert.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\conflictingappmodule.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\de-at\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\de-at\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\de-ch\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\de-ch\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\de-de\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\de-de\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\en-au\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\en-au\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\en-ca\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\en-ca\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\en-gb\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\en-gb\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\en-hk\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\en-hk\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\en-ie\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\en-ie\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\en-in\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\en-in\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\en-nz\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\en-nz\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\en-sg\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\en-sg\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\es-es\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\es-es\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\es-mx\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\es-mx\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\es-us\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\es-us\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\fr-be\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\fr-be\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\fr-ca\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\fr-ca\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\fr-ch\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\fr-ch\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\fr-fr\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\fr-fr\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\it-it\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\it-it\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\ja-jp-psloc\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\ja-jp-psloc\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\ja-jp\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\ja-jp\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\ko-kr\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\ko-kr\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\microsoft.vc80.atl.manifest

c:\26ef3f82c3a146be4dfd0de24c50ee\microsoft.vc80.crt.manifest

c:\26ef3f82c3a146be4dfd0de24c50ee\msvcp80.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\msvcr80.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\nl-be\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\nl-be\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\nl-nl\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\nl-nl\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\ochelpagent.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\ocsetup.exe

c:\26ef3f82c3a146be4dfd0de24c50ee\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\pt-br\eula.rtf

c:\26ef3f82c3a146be4dfd0de24c50ee\pt-br\ocsetupro.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\service.xml

c:\26ef3f82c3a146be4dfd0de24c50ee\winsscommon.dll

c:\26ef3f82c3a146be4dfd0de24c50ee\winssplatform.dll

c:\windows\system32\ltvoypej.exe

.

---- Previous Run -------

.

c:\windows\system32\_003284_.tmp.dll

c:\windows\system32\_003285_.tmp.dll

c:\windows\system32\_003286_.tmp.dll

c:\windows\system32\_003287_.tmp.dll

c:\windows\system32\_003292_.tmp.dll

c:\windows\system32\_003293_.tmp.dll

c:\windows\system32\_003294_.tmp.dll

c:\windows\system32\_003295_.tmp.dll

c:\windows\system32\_003296_.tmp.dll

c:\windows\system32\_003297_.tmp.dll

c:\windows\system32\_003298_.tmp.dll

c:\windows\system32\_003299_.tmp.dll

c:\windows\system32\_003300_.tmp.dll

c:\windows\system32\_003301_.tmp.dll

c:\windows\system32\_003302_.tmp.dll

c:\windows\system32\_003303_.tmp.dll

c:\windows\system32\_003304_.tmp.dll

c:\windows\system32\_003305_.tmp.dll

c:\windows\system32\_003306_.tmp.dll

c:\windows\system32\_003307_.tmp.dll

c:\windows\system32\_003308_.tmp.dll

c:\windows\system32\_003309_.tmp.dll

c:\windows\system32\_003310_.tmp.dll

c:\windows\system32\_003311_.tmp.dll

c:\windows\system32\_003313_.tmp.dll

c:\windows\system32\_003314_.tmp.dll

c:\windows\system32\_003316_.tmp.dll

c:\windows\system32\_003317_.tmp.dll

c:\windows\system32\_003318_.tmp.dll

c:\windows\system32\_003319_.tmp.dll

c:\windows\system32\_003320_.tmp.dll

c:\windows\system32\_003321_.tmp.dll

c:\windows\system32\_003323_.tmp.dll

c:\windows\system32\_003324_.tmp.dll

c:\windows\system32\_003325_.tmp.dll

c:\windows\system32\_003326_.tmp.dll

c:\windows\system32\_003327_.tmp.dll

c:\windows\system32\_003328_.tmp.dll

c:\windows\system32\_003329_.tmp.dll

c:\windows\system32\_003330_.tmp.dll

c:\windows\system32\_003333_.tmp.dll

c:\windows\system32\_003334_.tmp.dll

c:\windows\system32\_003335_.tmp.dll

c:\windows\system32\_003336_.tmp.dll

c:\windows\system32\_003337_.tmp.dll

c:\windows\system32\_003338_.tmp.dll

c:\windows\system32\_003339_.tmp.dll

c:\windows\system32\_003341_.tmp.dll

c:\windows\system32\_003342_.tmp.dll

c:\windows\system32\_003343_.tmp.dll

c:\windows\system32\_003344_.tmp.dll

c:\windows\system32\_003345_.tmp.dll

c:\windows\system32\_003346_.tmp.dll

c:\windows\system32\_003347_.tmp.dll

c:\windows\system32\_003348_.tmp.dll

c:\windows\system32\_003349_.tmp.dll

c:\windows\system32\_003350_.tmp.dll

c:\windows\system32\_003351_.tmp.dll

c:\windows\system32\_003352_.tmp.dll

c:\windows\system32\_003354_.tmp.dll

c:\windows\system32\_003355_.tmp.dll

c:\windows\system32\_003356_.tmp.dll

c:\windows\system32\_003357_.tmp.dll

c:\windows\system32\_003359_.tmp.dll

c:\windows\system32\_003361_.tmp.dll

c:\windows\system32\_003362_.tmp.dll

c:\windows\system32\_003363_.tmp.dll

c:\windows\system32\_003364_.tmp.dll

c:\windows\system32\_003365_.tmp.dll

c:\windows\system32\_003366_.tmp.dll

c:\windows\system32\_003367_.tmp.dll

c:\windows\system32\_003369_.tmp.dll

c:\windows\system32\_003370_.tmp.dll

c:\windows\system32\_003371_.tmp.dll

c:\windows\system32\_003372_.tmp.dll

c:\windows\system32\_003373_.tmp.dll

c:\windows\system32\_003374_.tmp.dll

c:\windows\system32\_003375_.tmp.dll

c:\windows\system32\_003376_.tmp.dll

c:\windows\system32\_003378_.tmp.dll

c:\windows\system32\_003379_.tmp.dll

c:\windows\system32\_003381_.tmp.dll

c:\windows\system32\_003382_.tmp.dll

c:\windows\system32\_003384_.tmp.dll

c:\windows\system32\_003385_.tmp.dll

c:\windows\system32\_003389_.tmp.dll

c:\windows\system32\_003390_.tmp.dll

c:\windows\system32\_003392_.tmp.dll

c:\windows\system32\_003395_.tmp.dll

c:\windows\system32\_003397_.tmp.dll

c:\windows\system32\_003398_.tmp.dll

c:\windows\system32\_003399_.tmp.dll

c:\windows\system32\_003400_.tmp.dll

c:\windows\system32\_003403_.tmp.dll

c:\windows\system32\_003404_.tmp.dll

c:\windows\system32\_003405_.tmp.dll

c:\windows\system32\_003406_.tmp.dll

c:\windows\system32\_003407_.tmp.dll

c:\windows\system32\_003412_.tmp.dll

c:\windows\system32\_003414_.tmp.dll

c:\windows\system32\_003415_.tmp.dll

c:\windows\system32\Config.ini

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PACKET

-------\Service_Packet

((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))

.

2009-01-02 15:09 . 2009-01-02 16:15 <DIR> d-------- c:\program files\Enigma Software Group

2009-01-02 11:13 . 2009-01-02 11:25 <DIR> d-------- c:\documents and settings\ati\DoctorWeb

2009-01-02 10:17 . 2009-01-02 10:17 250 --a------ c:\windows\gmer.ini

2009-01-02 09:35 . 2009-01-02 09:35 <DIR> d-------- c:\program files\ERUNT

2009-01-02 09:02 . 2004-06-11 15:33 290,304 --a------ c:\windows\system32\subinacl.exe

2009-01-01 23:01 . 2009-01-03 09:43 8,677 --a------ c:\windows\system32\Config.MPF

2009-01-01 22:59 . 2009-01-01 22:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor

2009-01-01 22:56 . 2008-06-02 14:55 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys

2009-01-01 22:56 . 2008-06-27 06:08 79,240 --a------ c:\windows\system32\drivers\mfeavfk.sys

2009-01-01 22:56 . 2008-06-27 06:08 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys

2009-01-01 22:56 . 2008-06-27 06:08 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys

2009-01-01 22:55 . 2009-01-01 22:55 <DIR> d-------- c:\program files\McAfee.com

2009-01-01 22:55 . 2009-01-02 23:07 <DIR> d-------- c:\program files\McAfee

2009-01-01 22:55 . 2009-01-01 22:56 <DIR> d-------- c:\program files\Common Files\McAfee

2009-01-01 22:52 . 2008-06-20 05:41 34,152 --a------ c:\windows\system32\drivers\mferkdk.sys

2009-01-01 22:47 . 2009-01-01 23:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee

2009-01-01 22:19 . 2009-01-01 22:19 <DIR> d-------- C:\VundoFix Backups

2009-01-01 13:25 . 2009-01-01 14:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater

2008-12-31 12:32 . 2008-12-31 12:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-31 12:32 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-31 12:32 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-30 12:20 . 2008-12-30 12:20 <DIR> d-------- c:\windows\system32\IOSUBSYS

2008-12-18 15:28 . 2008-12-18 15:28 754 --a------ c:\windows\WORDPAD.INI

2008-12-17 18:33 . 2008-12-17 18:33 0 --ah----- c:\windows\SwSys2.bmp

2008-12-17 18:33 . 2008-12-17 18:33 0 --ah----- c:\windows\SwSys1.bmp

2008-12-17 01:20 . 2008-12-17 01:20 <DIR> d-------- c:\program files\Common Files\xing shared

2008-12-16 10:26 . 2008-12-16 10:26 <DIR> d-------- c:\program files\RealVNC

2008-12-15 01:11 . 2008-12-15 01:11 <DIR> d-------- c:\program files\VoIP Integration Tools

2008-12-14 21:38 . 2008-12-14 21:38 <DIR> d-------- c:\program files\Windows Defender

2008-12-08 19:37 . 2008-12-08 19:37 <DIR> d-------- c:\program files\Windows Installer Clean Up

2008-12-08 17:36 . 2009-01-01 18:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2008-12-07 11:05 . 2008-12-07 12:34 <DIR> d-------- C:\AVG

2008-12-06 23:11 . 2008-12-06 23:11 <DIR> d-------- c:\documents and settings\ati\Application Data\Malwarebytes

2008-12-06 23:11 . 2008-12-06 23:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-06 21:45 . 2008-12-06 21:45 <DIR> d-------- c:\documents and settings\ati\Application Data\InfraRecorder

2008-12-06 21:44 . 2008-12-06 21:44 <DIR> d-------- c:\program files\InfraRecorder

2008-12-06 10:46 . 2008-12-31 18:11 <DIR> d-------- c:\program files\Windows Live Safety Center

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-03 09:39 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware

2009-01-03 09:39 --------- d-----w c:\documents and settings\All Users\Application Data\VMware

2009-01-01 22:45 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-01 22:15 --------- d-----w c:\program files\SUPERAntiSpyware

2009-01-01 22:15 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-01 22:15 --------- d-----w c:\documents and settings\ati\Application Data\SUPERAntiSpyware.com

2009-01-01 18:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-01 13:25 --------- d-----w c:\program files\Google

2008-12-31 16:56 --------- d-----w c:\program files\MSECache

2008-12-31 09:20 --------- d-----w c:\documents and settings\ati\Application Data\VMware

2008-12-17 12:19 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore

2008-12-17 01:20 --------- d-----w c:\program files\Common Files\Real

2008-12-16 23:44 5,642 --sha-w c:\windows\system32\KGyGaAvL.sys

2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll

2008-12-10 09:30 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2008-11-27 08:20 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-27 07:02 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-11-23 21:46 --------- d-----w c:\program files\Network Associates

2008-11-22 11:25 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr

2008-11-16 20:33 --------- d-----w c:\program files\wfavvid

2008-11-13 15:22 --------- d-----w c:\documents and settings\ati\Application Data\Corel

2008-11-13 14:20 --------- d-----w c:\program files\Alcohol Soft

2008-11-13 14:13 639,224 ----a-w c:\windows\system32\drivers\sptd.sys

2008-11-12 10:13 --------- d-----w c:\documents and settings\ati\Application Data\OpenOffice.org2

2008-11-07 16:45 2,174,976 ----a-w c:\windows\system32\dllcache\WMVCore.dll

2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll

2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll

2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll

2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll

2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll

2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll

2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe

2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 14:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll

2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe

2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll

2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe

2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll

2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll

2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll

2008-04-12 22:06 290 -c--a-w c:\documents and settings\ati\Application Data\wklnhst.dat

.

((((((((((((((((((((((((((((( snapshot@2009-01-03_ 0.11.48.37 )))))))))))))))))))))))))))))))))))))))))

.

+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-03\ERDNT.EXE

+ 2009-01-03 00:08:59 12,435,456 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-03\Users\00000001\NTUSER.DAT

+ 2009-01-03 00:09:00 364,544 ----a-w c:\windows\ERDNT\AutoBackup\2009-01-03\Users\00000002\UsrClass.dat

- 2009-01-02 23:04:37 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-01-03 09:31:16 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-01-02 23:04:37 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-01-03 09:31:16 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-01-02 23:04:37 49,152 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-01-03 09:31:16 49,152 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-01-03 09:38:55 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_740.dat

+ 2009-01-03 09:38:23 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_784.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Google Update"="c:\documents and settings\ati\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-31 1392640]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-17 185896]

"Claritel-i750"="c:\program files\Clarisys\Claritel-i750\Ipnappgw.exe" [2003-09-25 471040]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\ati\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

OneNote Table Of Contents.onetoc2 [2008-07-29 3656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik.sys]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Cisco Systems\\ASDM\\asdm-launcher.exe"=

"c:\\Program Files\\Belkin\\All-in-One Print Server\\MFPAgent.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Dynamips\\dynamips.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\communicatork9.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\IP blue\\VTGO\\bin\\VTGOhttpServer.exe"=

"c:\\Program Files\\IP blue\\VTGO\\Media\\BlueMedia.exe"=

"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\AudioTuningWizard.exe"=

"c:\\Documents and Settings\\ati\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\ati\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=

"c:\\Program Files\\3Com\\3CDaemon\\3CDaemon.EXE"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\DRIVERS\CdpPacket.sys [2008-01-24 35692]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2009-01-01 206096]

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

R3 WUSBVBus;MFP Server Detector;c:\windows\system32\DRIVERS\mfpvbus.sys [2007-06-24 9472]

S2 0085111230937697mcinstcleanup;McAfee Application Installer Cleanup (0085111230937697);c:\windows\TEMP\008511~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service []

S2 ALIWEHCD;Belkin All-In-One Print Server Enhanced Controller;c:\windows\system32\Drivers\mfpec.sys [2007-06-24 53152]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]

S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]

.

Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]

2009-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2751221988-1012368364-2767497333-1006.job

- c:\documents and settings\ati\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-03 09:39]

2009-01-01 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2009-01-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2009-01-03 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-12-28 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job

- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2007-07-27 c:\windows\Tasks\Uniblue SpeedUpMyPC.job

- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

.

- - - - ORPHANS REMOVED - - - -

BHO-{1787b124-49fa-442f-84cf-e66ec75db118} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = www.google.co.uk/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5070509

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Dial with VT&GO - file:///c:\program files\IP blue\VTGO\Scripts\dialer.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\ati\Application Data\Mozilla\Firefox\Profiles\48ll4z22.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\ati\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\ati\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-03 09:49:51

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-01-03 9:51:49

ComboFix-quarantined-files.txt 2009-01-03 09:50:47

Pre-Run: 12,429,676,544 bytes free

Post-Run: 12,406,583,296 bytes free

438 --- E O F --- 2009-01-03 00:13:52

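As an added example that is not part of the thread: the "ORPHANS REMOVED" line in the ComboFix log above is ComboFix reporting a Browser Helper Object registration whose CLSID no longer resolves to a file. The PowerShell below is the editor's code (not ComboFix's or Malwarebytes'). It enumerates the two Explorer/IE load points a Trojan.BHO typically uses, Browser Helper Objects and ShellServiceObjectDelayLoad, resolves each CLSID to its InprocServer32 DLL, and reports entries whose file is missing or whose Authenticode signature is not valid. It assumes PowerShell 2.0 or later and an elevated prompt; the registry paths are the standard ones and the function names are the editor's.

```powershell
# Added example (editor's code, not ComboFix's or Malwarebytes'): audit the BHO and
# ShellServiceObjectDelayLoad (SSODL) load points for orphaned or unsigned DLLs.
# Run from an elevated PowerShell prompt on the machine being examined.
$bhoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$ssodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

function Resolve-ClsidServer {
    # A BHO or SSODL entry carries only a CLSID; the DLL path is the default value
    # of HKCR\CLSID\{...}\InprocServer32.
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $key)) { return $null }
    $raw = (Get-ItemProperty -Path $key).'(default)'
    if (-not $raw) { return $null }
    # Often REG_EXPAND_SZ (%SystemRoot%\...) and sometimes quoted.
    [Environment]::ExpandEnvironmentVariables(([string]$raw).Trim('"'))
}

function Get-ShellLoadPointAudit {
    $entries = @()
    if (Test-Path $bhoKey) {
        # Each BHO is a subkey named by its CLSID.
        foreach ($sub in (Get-ChildItem $bhoKey)) {
            $entries += New-Object PSObject -Property @{ Source = 'BHO'; Name = $sub.PSChildName; Clsid = $sub.PSChildName }
        }
    }
    if (Test-Path $ssodlKey) {
        # SSODL entries are values whose data is the CLSID. On a stock XP install the
        # expected names are PostBootReminder, CDBurn, WebCheck and SysTray; anything
        # else (or a CLSID pointing into a user profile or TEMP) is worth a close look.
        $props = Get-ItemProperty $ssodlKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            $entries += New-Object PSObject -Property @{ Source = 'SSODL'; Name = $p.Name; Clsid = [string]$p.Value }
        }
    }
    foreach ($e in $entries) {
        $path = Resolve-ClsidServer $e.Clsid
        $status = 'OK'; $signer = ''
        if (-not $path)                 { $status = 'ORPHAN: CLSID has no InprocServer32' }
        elseif (-not (Test-Path $path)) { $status = 'ORPHAN: file missing' }
        else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            # Unsigned is not proof of malice (many legitimate add-ons are unsigned),
            # but an unsigned DLL in a user-writable directory deserves a look.
            if ($sig.Status -ne 'Valid') { $status = "UNSIGNED/INVALID: $($sig.Status)" }
        }
        $e | Add-Member -MemberType NoteProperty -Name Path   -Value $path
        $e | Add-Member -MemberType NoteProperty -Name Status -Value $status
        $e | Add-Member -MemberType NoteProperty -Name Signer -Value $signer
        $e
    }
}

Get-ShellLoadPointAudit | Sort-Object Source, Status | Format-Table Source, Name, Status, Path -AutoSize
```

An entry reported as ORPHAN is what ComboFix removes under "ORPHANS REMOVED"; it is harmless on its own, but it is also exactly what is left behind when a scanner deletes the DLL and not the registration, which is why a re-scan can keep reporting the same value. An entry whose DLL exists and is unsigned is the one to submit to a multi-engine scanner before deleting it.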

Hi,

Posting Gmer.txt... will post Kaspersky once completed. It seems it is going to take a while to finish.

cheers

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-03 10:17:59

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xB9ED10B0]

SSDT sptd.sys ZwEnumerateKey [0xB9ED684C]

SSDT sptd.sys ZwEnumerateValueKey [0xB9ED6BEC]

SSDT sptd.sys ZwOpenKey [0xB9ED1090]

SSDT sptd.sys ZwQueryKey [0xB9ED6CC4]

SSDT sptd.sys ZwQueryValueKey [0xB9ED6B44]

SSDT sptd.sys ZwSetValueKey [0xB9ED6D56]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA92039CA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA9203978]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA920398C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA9203A7B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA9203AA7]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA9203A0A]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA9203B41]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA9203950]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA9203964]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA92039DE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA9203AE9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA9203A91]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA9203B69]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA9203B55]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA92039B6]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA92039A2]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9203A39]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA9203B2B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA9203A20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA92039F4]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A88B1D8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8A82A5A0

Device \Driver\usbuhci \Device\USBPDO-1 8A82A5A0

Device \Driver\usbuhci \Device\USBPDO-2 8A82A5A0

Device \Driver\usbehci \Device\USBPDO-3 8A7671D8

Device \Driver\usbuhci \Device\USBPDO-4 8A82A5A0

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A8FE1D8

Device \Driver\Ftdisk \Device\HarddiskVolume2 8A8FE1D8

Device \Driver\Cdrom \Device\CdRom0 8A728708

Device \Driver\Ftdisk \Device\HarddiskVolume3 8A8FE1D8

Device \Driver\Ftdisk \Device\HarddiskVolume4 8A8FE1D8

Device \Driver\NetBT \Device\NetBt_Wins_Export 8A02E1D8

Device \Driver\usbhub \Device\00000090 hcmon.sys (VMware USB monitor/VMware, Inc.)

Device \Driver\NetBT \Device\NetbiosSmb 8A02E1D8

Device \Driver\usbhub \Device\00000092 hcmon.sys (VMware USB monitor/VMware, Inc.)

Device \Driver\usbhub \Device\00000094 hcmon.sys (VMware USB monitor/VMware, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{A930F8A5-06FF-401D-B4D9-B90BE5F818DD} 8A02E1D8

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbhub \Device\00000096 hcmon.sys (VMware USB monitor/VMware, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbhub \Device\00000098 hcmon.sys (VMware USB monitor/VMware, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 8A82A5A0

Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)

Device \Driver\usbuhci \Device\USBFDO-1 8A82A5A0

Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)

Device \Driver\usbuhci \Device\USBFDO-2 8A82A5A0

Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A02B1D8

Device \Driver\usbuhci \Device\USBFDO-3 8A82A5A0

Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)

Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A02B1D8

Device \Driver\usbehci \Device\USBFDO-4 8A7671D8

Device \Driver\usbehci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)

Device \Driver\Ftdisk \Device\FtControl 8A8FE1D8

Device \Driver\NetBT \Device\NetBT_Tcpip_{97356776-AC10-4A3C-B1B7-7E501BFC9CC0} 8A02E1D8

Device \Driver\usbuhci \Device\USBPDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)

Device \Driver\usbuhci \Device\USBPDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)

Device \Driver\usbuhci \Device\USBPDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)

Device \Driver\usbehci \Device\USBPDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)

Device \Driver\usbuhci \Device\USBPDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)

Device \FileSystem\Fastfat \Fat 89B9D1D8

Device \FileSystem\Fastfat \Fat A79F6297

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs 8A0231D8

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1021613300

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 2042680831

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5F 0xFF 0x27 0x67 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5F 0xFF 0x27 0x67 ...

---- EOF - GMER 1.0.14 ----

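An added example, not from the thread or from GMER: the hook lines in the log above are only meaningful once you know which module installed them. sptd.sys is the SCSI Pass Through Direct driver shipped with Daemon Tools and Alcohol 120%; it hooks the registry services so that it can hide its own Services\sptd\Cfg keys, which is why GMER lists those keys (with their obfuscated "ujdew" values) in the Registry section. mfehidk.sys is McAfee's host intrusion prevention driver. Both are expected on this machine. The PowerShell below (editor's code) groups GMER's SSDT and Code hook lines by hooking module, flags modules for which GMER printed no vendor description, and, when run on the machine itself, checks each module's on-disk signature. The sample lines are constructed for the example and modelled on the log above; the entry for unknown99.sys is hypothetical and is there only to show what a flagged module looks like.

```powershell
# Added example (editor's code, not GMER's): triage GMER "SSDT" / "Code" hook lines by
# the module that installed the hook. Sample lines constructed for the example;
# unknown99.sys is hypothetical and does not exist on the machine in the thread.
$sampleGmerLines = @'
SSDT sptd.sys ZwCreateKey [0xB9ED10B0]
SSDT sptd.sys ZwEnumerateKey [0xB9ED684C]
SSDT sptd.sys ZwQueryValueKey [0xB9ED6B44]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA92039CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA9203950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\unknown99.sys ZwTerminateProcess [0xA9FF0000]
'@ -split "`r?`n"

# type, module path, optional "(description)", hooked function, optional [address]
$hookRx = '^(?<type>SSDT|Code)\s+(?<module>\S+)(?:\s+\((?<desc>[^)]*)\))?\s+(?<func>(?:Zw|Nt)\w+)(?:\s+\[(?<addr>0x[0-9A-Fa-f]+)\])?\s*$'

function Get-GmerHookSummary {
    param([string[]]$Lines)
    $byModule = @{}
    foreach ($line in $Lines) {
        if ($line -notmatch $hookRx) { continue }
        $leaf = Split-Path -Leaf $Matches.module
        if (-not $byModule.ContainsKey($leaf)) {
            $byModule[$leaf] = @{ Path = $Matches.module; Desc = $Matches.desc; Hooks = @() }
        }
        $m = $byModule[$leaf]
        $m.Hooks += "$($Matches.type):$($Matches.func)"
    }
    foreach ($leaf in ($byModule.Keys | Sort-Object)) {
        $m = $byModule[$leaf]
        # GMER prints the file's version info in parentheses; no description means it
        # could not read the file, typical of a self-protecting or hidden driver.
        $flag = if ([string]::IsNullOrEmpty($m.Desc)) { 'no version info: check module on disk' } else { '' }
        New-Object PSObject -Property @{
            Module = $leaf; Path = $m.Path; Vendor = $m.Desc
            HookCount = $m.Hooks.Count; Hooks = ($m.Hooks -join ', '); Flag = $flag
        }
    }
}

function Test-GmerHookModule {
    # Resolve GMER's NT-style path to a real file and verify its Authenticode signature.
    param([string]$ModulePath)
    $path = $ModulePath -replace '^\\SystemRoot', $env:SystemRoot
    if ($path -notmatch '[\\/]') { $path = Join-Path $env:SystemRoot "system32\drivers\$path" }
    if (-not (Test-Path $path)) { return "MISSING    $path" }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # Caveat: NotSigned here can also mean catalog-signed (WHQL); confirm with
    # "signtool verify /a" before treating a driver as unsigned.
    "{0,-10} {1}  {2}" -f $sig.Status, $path, $subject
}

Get-GmerHookSummary -Lines $sampleGmerLines | Format-Table Module, Vendor, HookCount, Flag -AutoSize

# On the examined machine, feed it the real log and add the on-disk check:
# Get-GmerHookSummary -Lines (Get-Content .\gmer.txt) | ForEach-Object { Test-GmerHookModule $_.Path }
```

Read the summary as "who is hooking, and do I have an explanation for them", not as a malware verdict: a legitimate HIPS or firewall driver hooks dozens of services, while a rootkit may need only one or two. A module that is both undescribed by GMER and unsigned or missing on disk is the one to pursue.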

Hi

Posting the last log from Kaspersky... took a while.

cheers

cucm

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Saturday, January 3, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Saturday, January 03, 2009 10:03:19

Records in database: 1553339

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Files scanned: 111511

Threat name: 0

Infected objects: 0

Suspicious objects: 0

Duration of the scan: 03:19:26

No malware has been detected. The scan area is clean.

The selected area was scanned.


Hi there

All is looking good from my side of things; how are things running now?

Let's just re-run MBAM to see how things look now.

  • Start MalwareBytes AntiMalware
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Hello Mate.....

Yes, things are looking better... nothing reported in the latest MBAM scan. I still have Spybot disabled... please let me know what you think. Your help over the weekend is highly appreciated.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Malwarebytes' Anti-Malware 1.31

Database version: 1603

Windows 5.1.2600 Service Pack 3

03/01/2009 20:04:07

mbam-log-2009-01-03 (20-04-07).txt

Scan type: Quick Scan

Objects scanned: 68798

Time elapsed: 6 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Howdy there

Glad to hear all is better. You may re-enable Spybot's TeaTimer once you have removed ComboFix, which we shall do in these next steps. Just make sure that you have run the TeaTimer fix that I mentioned in post number 4 prior to turning it back on.

Let's tidy up after ourselves.

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now that you appear to be free from malware, let's help you stay that way!

Update Windows on a regular basis - If you do not have automatic updates enabled, then

Visit Microsoft's Update Page and update your computer from there

Update your virus checker on a regular basis - It is no use having a virus checker with out-of-date definitions.

Keep an eye on your firewall: check what it wants to allow, and do not simply allow everything. If there are any processes that you are unsure of, don't be afraid to ask for advice. For more information on firewalls, read this article here.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialise and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing

Use software such as Trendprotect or Sitehound to help you stay away from unsuspecting sites that have malicious purposes.

Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects)

Use an alternative browser

Other browsers tend to be more secure than IE as they do not make use of ActiveX objects. ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include the Opera browser and, more recently, the Firefox browser.

Computer Maintenance

Malware can breed in temporary locations. Use a program such as CCleaner Slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware

Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy and Ad-Aware 2007 Free by Lavasoft can help you keep clear. These products are scan-on-demand and do not have active background scanning. These two products can be installed together without any complications.

Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) - Please note that this product can also be run free without a licence, but the background protection will not be active.

I have included some security-related articles that I advise you to read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein

-> How to prevent Malware - By miekiemoes

-> I'm not pulling your leg, honest - By Sandi Hardmeier

**Kindly respond one more time and let me know if we may consider this thread resolved.

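As an added example, not part of the original reply: the six Internet-zone settings listed in the reply above are stored as DWORD values under the Internet Settings\Zones\3 key (3 is the Internet zone), so the same hardening can be applied and verified from PowerShell instead of clicked through, and re-checked later to see whether anything has reset it. The value names and their meanings come from Microsoft's documentation of the zone registry layout (KB182569); the function names are the editor's. Data 0 = Enable, 1 = Prompt, 3 = Disable. The script assumes PowerShell 2.0 or later and that the user's zone settings are not locked to HKLM by the Security_HKLM_only policy.

```powershell
# Added example (editor's code, not from the reply above): apply and verify the
# Internet-zone ActiveX/IFRAME settings via the registry. Zone 3 = Internet.
# Data values per KB182569: 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$hardening = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneState {
    # Report each setting's current value against the wanted one. A value that is not
    # present in the registry means IE is using the zone template default.
    foreach ($h in $hardening) {
        $cur = (Get-ItemProperty -Path $zoneKey -Name $h.Id -ErrorAction SilentlyContinue).($h.Id)
        New-Object PSObject -Property @{
            Setting = $h.Name
            Current = $(if ($cur -eq $null) { 'not set (zone default)' } else { $label[[int]$cur] })
            Wanted  = $label[$h.Want]
            Ok      = ($cur -eq $h.Want)
        }
    }
}

function Set-IEZoneHardening {
    # Write the wanted values. Takes effect for new IE windows; no reboot needed.
    if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
    foreach ($h in $hardening) {
        Set-ItemProperty -Path $zoneKey -Name $h.Id -Value $h.Want -Type DWord
    }
}

"Before:"; Get-IEZoneState | Format-Table Setting, Current, Wanted, Ok -AutoSize
Set-IEZoneHardening
"After:";  Get-IEZoneState | Format-Table Setting, Current, Wanted, Ok -AutoSize
```

Running Get-IEZoneState on its own some weeks later is the useful part: a row that has gone back to Enable without the user changing it is a sign that software (or malware) has been rewriting the zone settings, which was a common trick of the BHO-based adware of this period.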

This topic is now closed to further replies.