
Thank you so much in advance for helping me through this.

Symptoms: Obviously clicked on a link that I probably should not have. Pop-ups to an obviously fake antivirus software site informing me of a critical virus infection. I recognized this immediately, shut down, system-restored, ran MBAM from safe mode and achieved partial improvement. Now: iexplorer.exe runs without IE8 open and Google redirects. Sysfader errors re: IE8 basically crash IE8 within 2 minutes of opening it. Ran MBAM several times over the last 24 hrs and each time multiple Trojans were removed. Have disabled the network connection and unplugged the internet cable. McAfee’s real-time protection can’t be turned on, although the firewall seems to be active.

Background: previously infected with a similar set of symptoms 18 months ago. In 2 weeks unassisted I managed to eradicate the problem but ultimately did a repair-install of XP SP2. Since then, Windows Update has not worked despite Microsoft’s crew working for 3 wks on it. 3 months ago McAfee’s real-time protection stopped working after an update. Managed to get that back but since then have not been updating definitions (same problem).

Any help that you could provide in this would be so greatly appreciated. Thanks again in advance for the assistance.

Here are the DDS logs.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Amir at 23:38:43 on 2011-11-06

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.423 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\Explorer.EXE

C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

svchost.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\CameraAssistant.exe

C:\WINDOWS\system32\ElkCtrl.exe

C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Palm\HOTSYNC.EXE

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\igfxsrvc.exe

c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://gmail.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111106000438.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [intelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOT

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [sigmatelSysTrayApp] sttray.exe

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe

mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect

mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation

mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [RunNarrator] Narrator.exe

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: mswsock.dll

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxp://prodquickplace.thc.local/qp2.cab

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://dcode.support.microsoft.com/dcode/ActiveX/MSDcode.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://corp.cvh.on.ca/tsweb/msrdp.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe

DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Filter: text/html - {aa2455d1-e961-40ee-86eb-e94eb124e31d} -

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

LSA: Notification Packages = :\windows\system32\srrstr.dll cecli

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 461864]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-30 89624]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-30 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-30 214904]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-30 214904]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-30 166024]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-30 160344]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-30 148520]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-30 57432]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-30 180072]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-30 59288]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-30 338040]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-7-30 83688]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [2011-1-2 33792]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-30 83688]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-30 87808]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-3 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-3 40552]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-2-4 176896]

.

=============== Created Last 30 ================

.

2011-11-06 03:43:49 -------- d-----w- c:\documents and settings\amir\application data\McAfee

2011-11-06 02:21:36 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-11-06 02:21:36 -------- d-----w- c:\windows\system32\wbem\Repository

2011-10-30 19:10:10 -------- d-----w- C:\PSEP_P1

2011-10-24 23:43:24 -------- d-----w- c:\program files\iPod

2011-10-24 23:43:21 -------- d-----w- c:\program files\iTunes

2011-10-24 23:37:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-10-24 23:37:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-10-24 23:37:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-10-24 23:37:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-10-24 23:37:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-10-24 23:37:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-10-24 23:37:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2011-10-24 23:34:43 -------- d-----w- c:\program files\Bonjour

2011-10-08 14:50:14 -------- d-----w- c:\windows\C6359569E03E4CDC98E8CDD080C6EEB5.TMP

.

==================== Find3M ====================

.

2011-09-05 19:12:56 0 ----a-w- c:\documents and settings\all users\application data\ISx17B.tmp

2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-31 03:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-08-31 03:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-08-31 03:05:04 50536 ----a-w- c:\windows\system32\jdns_sd.dll

2011-08-31 03:05:04 178536 ----a-w- c:\windows\system32\dnssdX.dll

2011-08-15 14:00:06 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-08-15 14:00:06 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-08-15 14:00:06 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-08-15 14:00:06 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-08-15 14:00:06 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-08-15 14:00:06 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-08-15 14:00:06 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-08-15 14:00:06 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-08-15 14:00:06 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-08-15 14:00:06 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

.

============= FINISH: 23:45:32.76 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 22/10/2010 8:24:04 PM

System Uptime: 06/11/2011 11:29:52 PM (0 hours ago)

.

Motherboard: Intel Corporation | | D945GTP

Processor: Intel® Pentium® 4 CPU 3.20GHz | | 3200/200mhz

Processor: Intel® Pentium® 4 CPU 3.20GHz | | 3200/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 233 GiB total, 36.106 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Intel® PRO/100 VE Network Connection

Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_308D8086&REV_01\4&1E46F438&0&40F0

Manufacturer: Intel

Name: Intel® PRO/100 VE Network Connection

PNP Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_308D8086&REV_01\4&1E46F438&0&40F0

Service: E100B

.

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}

Description: CD-ROM Drive

Device ID: IDE\CDROMLITE-ON_DVDRW_SOHW-1693S________________KS0A____\5&18E2B769&0&0.0.0

Manufacturer: (Standard CD-ROM drives)

Name: LITE-ON DVDRW SOHW-1693S

PNP Device ID: IDE\CDROMLITE-ON_DVDRW_SOHW-1693S________________KS0A____\5&18E2B769&0&0.0.0

Service: cdrom

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Cisco Systems VPN Adapter

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco Systems VPN Adapter

PNP Device ID: ROOT\NET\0000

Service: CVirtA

.

==== System Restore Points ===================

.

RP345: 08/08/2011 10:42:54 PM - System Checkpoint

RP346: 09/08/2011 11:25:44 PM - System Checkpoint

RP347: 11/08/2011 4:16:53 PM - System Checkpoint

RP348: 12/08/2011 4:40:38 PM - System Checkpoint

RP349: 13/08/2011 5:39:33 PM - System Checkpoint

RP350: 14/08/2011 6:29:35 PM - System Checkpoint

RP351: 15/08/2011 7:05:00 PM - System Checkpoint

RP352: 16/08/2011 8:04:49 PM - System Checkpoint

RP353: 17/08/2011 10:56:01 PM - System Checkpoint

RP354: 19/08/2011 4:14:11 PM - System Checkpoint

RP355: 20/08/2011 4:23:26 PM - System Checkpoint

RP356: 21/08/2011 7:53:38 PM - System Checkpoint

RP357: 22/08/2011 9:47:19 PM - System Checkpoint

RP358: 23/08/2011 10:36:33 PM - System Checkpoint

RP359: 25/08/2011 12:52:47 PM - System Checkpoint

RP360: 26/08/2011 1:40:11 PM - System Checkpoint

RP361: 27/08/2011 3:13:44 PM - System Checkpoint

RP362: 28/08/2011 3:47:02 PM - System Checkpoint

RP363: 29/08/2011 4:36:12 PM - System Checkpoint

RP364: 30/08/2011 4:37:16 PM - System Checkpoint

RP365: 31/08/2011 5:52:06 PM - System Checkpoint

RP366: 01/09/2011 6:36:14 PM - System Checkpoint

RP367: 02/09/2011 10:03:46 PM - System Checkpoint

RP368: 04/09/2011 2:15:12 PM - System Checkpoint

RP369: 05/09/2011 4:27:21 PM - System Checkpoint

RP370: 06/09/2011 4:30:39 PM - System Checkpoint

RP371: 07/09/2011 5:07:26 PM - System Checkpoint

RP372: 08/09/2011 6:42:15 PM - System Checkpoint

RP373: 09/09/2011 7:03:10 PM - System Checkpoint

RP374: 10/09/2011 7:51:02 PM - System Checkpoint

RP375: 11/09/2011 9:02:39 PM - System Checkpoint

RP376: 12/09/2011 9:39:07 PM - System Checkpoint

RP377: 13/09/2011 11:00:29 PM - System Checkpoint

RP378: 15/09/2011 2:43:12 PM - System Checkpoint

RP379: 16/09/2011 2:57:56 PM - System Checkpoint

RP380: 17/09/2011 3:00:54 PM - System Checkpoint

RP381: 18/09/2011 3:41:42 PM - System Checkpoint

RP382: 19/09/2011 5:16:39 PM - System Checkpoint

RP383: 20/09/2011 6:38:43 PM - System Checkpoint

RP384: 21/09/2011 7:16:03 PM - System Checkpoint

RP385: 22/09/2011 8:03:41 PM - System Checkpoint

RP386: 23/09/2011 9:04:43 PM - System Checkpoint

RP387: 24/09/2011 10:04:43 PM - System Checkpoint

RP388: 25/09/2011 10:13:10 PM - System Checkpoint

RP389: 26/09/2011 11:12:01 PM - System Checkpoint

RP390: 28/09/2011 2:31:25 PM - System Checkpoint

RP391: 29/09/2011 2:50:33 PM - System Checkpoint

RP392: 30/09/2011 3:38:14 PM - System Checkpoint

RP393: 01/10/2011 3:54:08 PM - System Checkpoint

RP394: 02/10/2011 4:20:57 PM - System Checkpoint

RP395: 03/10/2011 4:59:03 PM - System Checkpoint

RP396: 04/10/2011 5:29:15 PM - System Checkpoint

RP397: 05/10/2011 6:28:54 PM - System Checkpoint

RP398: 06/10/2011 6:46:42 PM - System Checkpoint

RP399: 07/10/2011 8:19:41 PM - System Checkpoint

RP400: 08/10/2011 10:50:34 AM - Removed LeapFrog Connect

RP401: 08/10/2011 10:52:28 AM - Removed LeapFrog Leapster Explorer Plugin

RP402: 09/10/2011 11:51:21 AM - System Checkpoint

RP403: 10/10/2011 5:48:23 PM - System Checkpoint

RP404: 11/10/2011 5:50:43 PM - System Checkpoint

RP405: 12/10/2011 6:33:03 PM - System Checkpoint

RP406: 13/10/2011 8:34:21 PM - System Checkpoint

RP407: 14/10/2011 9:30:39 PM - System Checkpoint

RP408: 15/10/2011 10:30:39 PM - System Checkpoint

RP409: 16/10/2011 10:31:44 PM - System Checkpoint

RP410: 18/10/2011 3:40:37 PM - System Checkpoint

RP411: 19/10/2011 5:00:08 PM - System Checkpoint

RP412: 20/10/2011 6:53:57 PM - System Checkpoint

RP413: 21/10/2011 7:08:11 PM - System Checkpoint

RP414: 22/10/2011 7:28:31 PM - System Checkpoint

RP415: 23/10/2011 7:50:05 PM - System Checkpoint

RP416: 24/10/2011 7:33:56 PM - Removed Apple Application Support

RP417: 24/10/2011 7:39:30 PM - Removed Apple Mobile Device Support

RP418: 25/10/2011 7:49:57 PM - System Checkpoint

RP419: 26/10/2011 9:24:55 PM - System Checkpoint

RP420: 28/10/2011 8:41:17 AM - System Checkpoint

RP421: 29/10/2011 9:23:40 AM - System Checkpoint

RP422: 30/10/2011 9:49:39 AM - System Checkpoint

RP423: 31/10/2011 10:49:42 AM - System Checkpoint

RP424: 01/11/2011 11:47:24 AM - System Checkpoint

RP425: 02/11/2011 11:48:37 AM - System Checkpoint

RP426: 03/11/2011 1:19:32 PM - System Checkpoint

RP427: 04/11/2011 1:24:46 PM - System Checkpoint

RP428: 05/11/2011 2:23:41 PM - System Checkpoint

RP429: 05/11/2011 9:20:44 PM - Restore Operation

RP430: 06/11/2011 9:35:03 PM - System Checkpoint

.

==== Installed Programs ======================

.

µTorrent

2600

2600_Help

2600Trb

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 8.3.1

AiO_Scan

AiOSoftware

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ATI - Software Uninstall Utility

ATI Control Panel

ATI Display Driver

Bonjour

BufferChm

Compatibility Pack for the 2007 Office system

Copy

CP_AtenaShokunin1Config

cp_dwShrek2Albums1

cp_dwShrek2Cards1

CreativeProjects

CreativeProjectsTemplates

CueTour

Destinations

Director

DivX Setup

DocProc

Documents To Go

DocumentViewer

Epocrates Essentials

Fax

Football Menus Template Pack

Freez FLV to AVI/MPEG/WMV Converter

GdiplusUpgrade

HighMAT Extension to Microsoft Windows XP CD Writing Wizard

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Extended Capabilities 4.7

HP Image Zone 4.7

HP Product Assistant

HP PSC & OfficeJet 4.7

HP Update

HPSystemDiagnostics

InstantShare

Intel Audio Studio 2.0

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Connections

iTunes

Java 2 Runtime Environment, SE v1.4.2_05

Java 6 Update 2

LeapFrog Connect

LeapFrog Leapster Explorer Plugin

Logitech Camera Driver

Logitech Desktop Messenger

Logitech QuickCam Software

Malwarebytes' Anti-Malware version 1.51.2.1300

MarketResearch

McAfee AntiVirus Plus

McAfee Virtual Technician

MEDITECH Workstation3.x (Incomplete Install)

MetaFrame Presentation Server Web Client for Win32

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft IntelliPoint 5.3

Microsoft IntelliType Pro 5.3

Microsoft Office Professional Edition 2003

MobileMe Control Panel

MotionDV STUDIO 5.3E LE for DV

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Nero Suite

Palm Desktop

PanoStandAlone

PhotoGallery

PowerDirector

PowerDVD

ProductContext

QFolder

QuickTime

Readme

Safari

Scan

ScannerCopy

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

SigmaTel Audio

SkinsHP1

Skype™ 5.3

SmartSound Quicktracks Plugin

SoftV90 Data Fax Voice Modem

TrayApp

Unload

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB932823-v3)

Update Rollup 2 for Windows XP Media Center Edition 2005

Use the entry named LeapFrog Connect to uninstall (LeapFrog Leapster Explorer Plugin)

Vacation Menus Template Pack

Valentine Menus Template Pack

VC80CRTRedist - 8.0.50727.6195

VPN Client

WebFldrs XP

WebReg

Windows Defender

Windows Defender Signatures

Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Live installer

Windows Live Messenger

Windows Live Sign-in Assistant

Windows Media Connect

Windows Media Format 11 runtime

Windows Media Format Runtime

Windows Media Player 11

WinRAR archiver

WinZip

.

==== Event Viewer Messages From Past Week ========

.

06/11/2011 1:41:50 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Cdrom Fips Imapi intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

06/11/2011 1:41:50 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

06/11/2011 1:41:50 AM, error: Service Control Manager [7001] - The Messenger service depends on the NetBIOS Interface service which failed to start because of the following error: A device attached to the system is not functioning.

06/11/2011 1:41:50 AM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.

06/11/2011 1:41:50 AM, error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

06/11/2011 1:41:50 AM, error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

06/11/2011 1:41:50 AM, error: Service Control Manager [7001] - The McAfee Network Agent service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

06/11/2011 1:41:50 AM, error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.

06/11/2011 1:41:50 AM, error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.

06/11/2011 1:41:50 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

06/11/2011 1:41:50 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

06/11/2011 1:41:50 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

06/11/2011 1:41:50 AM, error: Service Control Manager [7001] - The Cisco Systems, Inc. VPN Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

06/11/2011 1:41:50 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

06/11/2011 1:41:50 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

06/11/2011 1:41:28 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

05/11/2011 9:46:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {943B6A75-BB5E-41A7-A6D3-A1A5E892B33B}

05/11/2011 9:36:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

05/11/2011 9:33:51 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

05/11/2011 9:24:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm

05/11/2011 7:00:00 AM, error: DCOM [10005] - DCOM got error "%1083" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

05/11/2011 11:34:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

05/11/2011 11:33:30 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Cdrom Fips Imapi intelppm

05/11/2011 10:52:45 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Media Player Network Sharing Service service to connect.

05/11/2011 10:52:45 PM, error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

05/11/2011 10:51:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Cdrom Imapi

05/11/2011 10:50:51 PM, error: Service Control Manager [7024] - The Media Center Extender Service service terminated with service-specific error 2147500037 (0x80004005).

05/11/2011 10:50:51 PM, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.

05/11/2011 10:50:51 PM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.

05/11/2011 10:50:51 PM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.

05/11/2011 10:50:42 PM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.

05/11/2011 10:47:18 PM, error: Service Control Manager [7000] - The McShield service failed to start due to the following error: The system cannot find the file specified.

05/11/2011 10:37:46 PM, error: DCOM [10005] - DCOM got error "%1083" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

05/11/2011 10:10:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

05/11/2011 10:01:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Cdrom Fips Imapi intelppm ohci1394

05/11/2011 10:00:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

.

==== End Of File ===========================


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


  • 2 weeks later...

Are you still with us? This topic will be closed in a few days if we do not hear back from you.

Apologies -- I was away for the last 10 days and was not able to monitor my post or its replies. I really appreciate you getting back to me. I will implement the suggestions today and will post logs tonight.

Many many thanks again.


Thanks for your patience during my absence.

Steps performed:

1. MBAM updated, quickscan performed, log attached.

2. Combofix attempt #1: ran from safe mode. *** Rootkit virus found ***; unfortunately I can't tell you which or where -- I had assumed it would all have been logged. Combofix requested permission to reboot; permission given. Reboot done and rebooted into the normal environment (not safe mode) -- I didn't have the foresight to push it into safe mode on reboot. Combofix stalled / hung, amidst almost continuous requests to connect to mevio.com (likely malware activated) -- thankfully the network cable was unplugged. Waited 4 hrs for combofix to do anything and then gave up.

3. Combofix attempt #2: ran from safe mode. Uneventful (although a few more files deleted by combofix) until combofix rebooted into normal environment, then stalled again. No fake security warnings displayed on this run. Waited 2 hrs for log to be generated then abandoned attempt.

4. Combofix attempt #3: ran from safe mode. Uneventful (although a few more files deleted by combofix). Rebooted, but this time I pushed it into safe mode for the reboot. Log finally generated, but likely devoid of useful information from attempt #1. Log attached. I also found a combofix quarantined file list / log which did capture a fair chunk of combofix's activities from all 3 attempts. Not sure if it will be useful, but I attached it here as well.

5. DDS performed, 2 logs attached.

I have not yet tested the system in the normal environment, let alone with the network cable plugged back in.

Please advise what next steps to take, or whether you feel that the system should be wiped clean on account of a rootkit infection.

Again, many thanks for your assistance.

---MBAM LOG---

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8210

Windows 5.1.2600 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18702

21/11/2011 2:36:34 PM

mbam-log-2011-11-21 (14-36-34).txt

Scan type: Quick scan

Objects scanned: 190912

Time elapsed: 9 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

--- End MBAM log ---

--- Combofix log ---

ComboFix 11-11-21.01 - Administrator 21/11/2011 19:46:03.3.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.732 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Amir\Local Settings\Temp\IadHide5.dll

c:\windows\CSC\d6

.

---- Previous Run -------

.

c:\documents and settings\Amir\Local Settings\Temp\{5624c000-b109-11d4-9db4-00e0290fcac5}\isrt.dll

c:\documents and settings\Amir\Local Settings\Temp\175.dir\InstallFlashPlayer.exe

c:\documents and settings\Amir\Local Settings\Temp\1C.dir\InstallFlashPlayer.exe

c:\documents and settings\Amir\Local Settings\Temp\AC.dir\InstallFlashPlayer.exe

c:\documents and settings\Amir\Local Settings\Temp\AdobeUpdater12345.exe

c:\documents and settings\Amir\Local Settings\Temp\be29e7f1-71ae-4703-50cb-1d52be512f51\twapi-be29e7f1-71ae-4703-50cb-1d52be512f51.dll

c:\documents and settings\Amir\Local Settings\Temp\ctm276.tmp

c:\documents and settings\Amir\Local Settings\Temp\div321.tmp\div322.tmp

c:\documents and settings\Amir\Local Settings\Temp\hpdj00.exe

c:\documents and settings\Amir\Local Settings\Temp\HPSUPUD7.9R9\hpusetup.exe

c:\documents and settings\Amir\Local Settings\Temp\HpUpdate\9636\CIT248813-HPU-REDBOX-v4.exe

c:\documents and settings\Amir\Local Settings\Temp\IadHide5.dll

c:\documents and settings\Amir\Local Settings\Temp\ins1.tmp\LDMClient.exe

c:\documents and settings\Amir\Local Settings\Temp\PRE257.tmp\x64\McShield.DLL

.

-- Previous Run --

.

Infected copy of c:\windows\system32\drivers\fltmgr.sys was found and disinfected

Restored copy from - The cat found it :)

c:\windows\system32\drivers\cdrom.sys was missing

Restored copy from - c:\system volume information\_restore{9C35F2CB-3C94-4996-B38E-D25671C88286}\RP429\A0058447.sys

.

--------

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_USNJSVC

-------\Service_usnjsvc

.

.

((((((((((((((((((((((((( Files Created from 2011-10-22 to 2011-11-22 )))))))))))))))))))))))))))))))

.

.

2011-11-21 21:34 . 2004-08-10 12:00 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-11-21 20:06 . 2006-08-21 09:43 128768 -c--a-w- c:\windows\system32\dllcache\fltmgr.sys

2011-11-21 20:06 . 2006-08-21 09:43 128768 ----a-w- c:\windows\system32\drivers\fltmgr.sys

2011-11-21 19:20 . 2011-11-21 19:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2011-11-06 02:34 . 2011-11-06 02:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-11-06 02:21 . 2011-11-06 02:21 -------- d-----w- c:\windows\system32\wbem\Repository

2011-10-30 19:10 . 2011-10-31 05:22 -------- d-----w- C:\PSEP_P1

2011-10-24 23:45 . 2011-10-24 23:45 -------- d-----w- c:\program files\Safari

2011-10-24 23:43 . 2011-10-24 23:43 -------- d-----w- c:\program files\iPod

2011-10-24 23:43 . 2011-10-24 23:44 -------- d-----w- c:\program files\iTunes

2011-10-24 23:37 . 2011-10-24 23:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll

2011-10-24 23:37 . 2011-10-24 23:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll

2011-10-24 23:37 . 2011-10-24 23:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll

2011-10-24 23:37 . 2011-10-24 23:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll

2011-10-24 23:37 . 2011-10-24 23:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll

2011-10-24 23:37 . 2011-10-24 23:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll

2011-10-24 23:37 . 2011-10-24 23:37 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll

2011-10-24 23:34 . 2011-10-24 23:34 -------- d-----w- c:\program files\Bonjour

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-31 21:00 . 2010-07-27 11:34 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-08-31 03:05 . 2011-08-31 03:05 50536 ----a-w- c:\windows\system32\jdns_sd.dll

2011-08-31 03:05 . 2011-08-31 03:05 178536 ----a-w- c:\windows\system32\dnssdX.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\bits\qmgr.dll

.

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

.

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll

.

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]

"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-23 8740864]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-09-01 221184]

"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-09-07 434176]

"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-09-07 11:39 73728]

"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-08-23 211296]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2004-08-10 53760]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-10 44544]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-2-4 1454143]

HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2003-4-22 299008]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2010-12-26 450560]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Palm\\HOTSYNC.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

.

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [30/07/2010 10:41 PM 89624]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [30/07/2010 10:41 PM 214904]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [30/07/2010 10:52 PM 160344]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [30/07/2010 10:41 PM 148520]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 6:19 PM 13592]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [30/07/2010 10:41 PM 338040]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [30/07/2010 10:41 PM 83688]

S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [30/07/2010 10:41 PM 214904]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [30/07/2010 10:41 PM 57432]

S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [02/01/2011 11:17 AM 33792]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [30/07/2010 10:41 PM 83688]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [30/07/2010 10:41 PM 87808]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - NDISRD

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-22 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

2011-11-21 c:\windows\Tasks\User_Feed_Synchronization-{9C5A5677-056A-41FB-9AE1-8522FF3CAC11}.job

- c:\windows\system32\msfeedssync.exe [2009-06-30 08:31]

.

.

------- Supplementary Scan -------

.

Trusted Zone: internet

Trusted Zone: mcafee.com

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SigmatelSysTrayApp - sttray.exe

AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-21 20:27

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1453689397-414440772-572454927-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,6f,d4,3a,83,95,76,41,a4,d6,58,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,6f,d4,3a,83,95,76,41,a4,d6,58,\

.

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1252)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(1188)

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\mcafee.com\agent\mcagent.exe

.

**************************************************************************

.

Completion time: 2011-11-21 20:47:19 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-22 01:46

.

Pre-Run: 38,842,785,792 bytes free

Post-Run: 38,771,400,704 bytes free

.

- - End Of File - - 2B938326CF44143FD181525A801FBA89

--- End Combofix Log ---

--- Combofix Quarantined Files Log ---

2011-11-22 01:45:06 . 2011-11-22 01:45:06 924 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-uTorrent.reg.dat

2011-11-22 01:38:10 . 2011-11-22 01:38:11 115 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SigmatelSysTrayApp.reg.dat

2011-11-21 23:52:50 . 2010-12-26 22:17:43 24,613 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Amir\Local Settings\Temp\IadHide5.dll.vir

2011-11-21 21:04:20 . 2011-11-21 21:04:20 6,924 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_usnjsvc.reg.dat

2011-11-21 21:04:15 . 2011-11-21 21:04:15 888 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_USNJSVC.reg.dat

2011-11-21 21:01:55 . 2011-11-22 01:12:51 12,240 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2011-11-21 20:04:18 . 2011-11-21 20:04:18 120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB5408$\_3786385426_.zip

2011-11-21 19:50:17 . 2011-11-22 00:39:04 530 ----a-w- C:\Qoobox\Quarantine\catchme.log

2011-11-06 03:44:19 . 2011-11-06 03:44:19 329,320 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Amir\Local Settings\Temp\ctm276.tmp.vir

2011-11-06 02:25:18 . 2011-11-06 02:25:25 0 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB5408$\4016110144\keywords.vir

2011-11-06 02:23:13 . 2011-11-06 02:23:13 208,896 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB5408$\4016110144\kwrd.dll.vir

2011-11-06 02:23:07 . 2011-11-06 02:33:16 176 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB5408$\4016110144\cfg.ini.vir

2011-11-06 02:22:40 . 2011-11-06 02:22:40 4,608 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB5408$\4016110144\Desktop.ini.vir

2011-11-06 02:16:32 . 2011-11-06 02:33:17 781 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB5408$\4016110144\bckfg.tmp.vir

2011-11-06 02:15:53 . 2011-11-06 02:15:53 2,048 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB5408$\4016110144\@.vir

2011-11-06 02:15:53 . 2011-11-06 02:15:53 49,536 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB5408$\4016110144\L\zhqtfihm.vir

2011-11-04 03:27:45 . 2011-11-06 02:16:26 75,776 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB5408$\4016110144\U\80000032.@.vir

2011-11-03 19:16:52 . 2011-11-06 02:16:19 1,536 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB5408$\4016110144\U\00000001.@.vir

2011-11-02 17:48:14 . 2011-11-06 02:16:21 1,024 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB5408$\4016110144\U\00000004.@.vir

2011-10-30 09:29:18 . 2011-11-06 02:16:23 12,800 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB5408$\4016110144\U\80000004.@.vir

2011-10-08 20:07:58 . 2001-09-05 08:20:54 331,776 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Amir\Local Settings\Temp\{5624c000-b109-11d4-9db4-00e0290fcac5}\isrt.dll.vir

2011-10-05 18:18:45 . 2011-11-06 02:16:22 209,920 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB5408$\4016110144\U\00000002.@.vir

2011-09-23 16:33:05 . 2011-11-06 02:16:22 1,024 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB5408$\4016110144\U\80000000.@.vir

2011-09-05 19:12:56 . 2011-09-05 19:12:56 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\ISx17B.tmp.vir

2011-09-02 01:02:37 . 2011-09-02 01:02:39 1,709,936 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Amir\Local Settings\Temp\div321.tmp\div322.tmp.vir

2011-07-04 00:01:59 . 2009-05-06 12:48:45 413,276 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Amir\Local Settings\Temp\be29e7f1-71ae-4703-50cb-1d52be512f51\twapi-be29e7f1-71ae-4703-50cb-1d52be512f51.dll.vir

2011-04-13 23:54:58 . 2011-04-13 23:54:58 2,872,992 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Amir\Local Settings\Temp\AC.dir\InstallFlashPlayer.exe.vir

2011-04-09 00:21:50 . 2011-04-09 00:21:50 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\ISx175.tmp.vir

2011-04-09 00:20:39 . 2011-04-09 00:20:39 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\ISx172.tmp.vir

2011-01-02 16:25:46 . 2011-01-02 16:25:46 2,827,728 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Amir\Local Settings\Temp\1C.dir\InstallFlashPlayer.exe.vir

2010-12-26 22:28:56 . 2010-12-26 22:28:56 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\ISx3B.tmp.vir

2010-12-26 22:17:45 . 2010-12-26 22:17:43 118,784 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\bwUnin-7.2.0.137-8876480SL.exe.vir

2010-12-26 22:17:40 . 2004-12-08 19:35:54 6,527,199 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Amir\Local Settings\Temp\ins1.tmp\LDMClient.exe.vir

2010-11-25 02:28:08 . 2004-09-30 23:49:18 274,432 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Amir\Local Settings\Temp\hpdj00.exe.vir

2010-11-04 04:15:27 . 2004-08-10 12:00:00 2,897,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004665_.tmp.dll.vir

2010-11-04 04:13:05 . 2004-08-10 12:00:00 616,960 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004663_.tmp.dll.vir

2010-11-04 04:13:05 . 2004-08-10 12:00:00 611,328 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004658_.tmp.dll.vir

2010-11-04 04:13:05 . 2004-08-10 12:00:00 135,168 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004655_.tmp.dll.vir

2010-11-04 04:13:05 . 2004-08-10 12:00:00 32,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004656_.tmp.dll.vir

2010-11-04 04:13:05 . 2004-08-10 12:00:00 276,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004657_.tmp.dll.vir

2010-11-04 04:13:05 . 2004-08-10 12:00:00 144,384 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004649_.tmp.dll.vir

2010-11-04 04:13:05 . 2004-08-10 12:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004648_.tmp.dll.vir

2010-11-04 04:13:05 . 2004-08-10 12:00:00 721,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004640_.tmp.dll.vir

2010-11-04 04:13:05 . 2004-08-10 12:00:00 129,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004635_.tmp.dll.vir

2010-11-04 04:13:04 . 2004-08-10 12:00:00 708,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004632_.tmp.dll.vir

2010-11-04 04:13:04 . 2004-08-10 12:00:00 553,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004623_.tmp.dll.vir

2010-11-04 04:13:04 . 2004-08-10 12:00:00 34,304 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004616_.tmp.dll.vir

2010-11-04 04:13:03 . 2004-08-10 12:00:00 236,544 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004610_.tmp.dll.vir

2010-11-04 04:13:02 . 2004-08-10 12:00:00 61,440 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004599_.tmp.dll.vir

2010-11-04 04:13:02 . 2004-08-10 12:00:00 64,000 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004581_.tmp.dll.vir

2010-11-04 04:13:02 . 2004-08-10 12:00:00 415,744 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004579_.tmp.dll.vir

2010-11-04 04:13:02 . 2004-08-10 12:00:00 144,896 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004566_.tmp.dll.vir

2010-11-04 04:13:02 . 2004-08-10 12:00:00 108,032 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004556_.tmp.dll.vir

2010-11-04 04:13:01 . 2004-08-10 12:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004545_.tmp.dll.vir

2010-11-04 04:13:01 . 2004-08-10 12:00:00 50,688 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004539_.tmp.dll.vir

2010-11-04 04:12:59 . 2004-08-10 12:00:00 1,835,904 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004518_.tmp.dll.vir

2010-11-04 04:12:58 . 2004-08-10 12:00:00 146,432 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004516_.tmp.dll.vir

2010-10-28 23:42:41 . 2004-08-10 12:00:00 2,897,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004653_.tmp.dll.vir

2010-10-28 23:40:22 . 2004-08-10 12:00:00 616,960 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004651_.tmp.dll.vir

2010-10-28 23:40:22 . 2004-08-10 12:00:00 611,328 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004646_.tmp.dll.vir

2010-10-28 23:40:22 . 2004-08-10 12:00:00 276,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004645_.tmp.dll.vir

2010-10-28 23:40:21 . 2004-08-10 12:00:00 32,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004644_.tmp.dll.vir

2010-10-28 23:40:21 . 2004-08-10 12:00:00 135,168 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004643_.tmp.dll.vir

2010-10-28 23:40:21 . 2004-08-10 12:00:00 144,384 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004639_.tmp.dll.vir

2010-10-28 23:40:21 . 2004-08-10 12:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004638_.tmp.dll.vir

2010-10-28 23:40:21 . 2004-08-10 12:00:00 721,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004634_.tmp.dll.vir

2010-10-28 23:40:21 . 2004-08-10 12:00:00 129,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004631_.tmp.dll.vir

2010-10-28 23:40:20 . 2004-08-10 12:00:00 708,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004629_.tmp.dll.vir

2010-10-28 23:40:20 . 2004-08-10 12:00:00 553,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004622_.tmp.dll.vir

2010-10-28 23:40:19 . 2004-08-10 12:00:00 34,304 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004621_.tmp.dll.vir

2010-10-28 23:40:19 . 2004-08-10 12:00:00 236,544 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004614_.tmp.dll.vir

2010-10-28 23:40:18 . 2004-08-10 12:00:00 61,440 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004609_.tmp.dll.vir

2010-10-28 23:40:18 . 2004-08-10 12:00:00 64,000 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004604_.tmp.dll.vir

2010-10-28 23:40:18 . 2004-08-10 12:00:00 415,744 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004601_.tmp.dll.vir

2010-10-28 23:40:18 . 2004-08-10 12:00:00 144,896 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004597_.tmp.dll.vir

2010-10-28 23:40:18 . 2004-08-10 12:00:00 108,032 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004590_.tmp.dll.vir

2010-10-28 23:40:17 . 2004-08-10 12:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004585_.tmp.dll.vir

2010-10-28 23:40:17 . 2004-08-10 12:00:00 50,688 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004584_.tmp.dll.vir

2010-10-28 23:40:13 . 2004-08-10 12:00:00 1,835,904 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004550_.tmp.dll.vir

2010-10-28 23:40:13 . 2004-08-10 12:00:00 146,432 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004540_.tmp.dll.vir

2010-10-28 00:59:27 . 2004-08-10 12:00:00 2,897,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004627_.tmp.dll.vir

2010-10-28 00:57:16 . 2004-08-10 12:00:00 616,960 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004625_.tmp.dll.vir

2010-10-28 00:57:16 . 2004-08-10 12:00:00 611,328 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004620_.tmp.dll.vir

2010-10-28 00:57:16 . 2004-08-10 12:00:00 276,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004619_.tmp.dll.vir

2010-10-28 00:57:16 . 2004-08-10 12:00:00 32,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004618_.tmp.dll.vir

2010-10-28 00:57:16 . 2004-08-10 12:00:00 135,168 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004617_.tmp.dll.vir

2010-10-28 00:57:16 . 2004-08-10 12:00:00 144,384 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004613_.tmp.dll.vir

2010-10-28 00:57:16 . 2004-08-10 12:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004612_.tmp.dll.vir

2010-10-28 00:57:16 . 2004-08-10 12:00:00 721,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004608_.tmp.dll.vir

2010-10-28 00:57:16 . 2004-08-10 12:00:00 129,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004605_.tmp.dll.vir

2010-10-28 00:57:16 . 2004-08-10 12:00:00 708,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004603_.tmp.dll.vir

2010-10-28 00:57:15 . 2004-08-10 12:00:00 553,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004596_.tmp.dll.vir

2010-10-28 00:57:15 . 2004-08-10 12:00:00 34,304 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004591_.tmp.dll.vir

2010-10-28 00:57:14 . 2004-08-10 12:00:00 236,544 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004586_.tmp.dll.vir

2010-10-28 00:57:14 . 2004-08-10 12:00:00 61,440 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004582_.tmp.dll.vir

2010-10-28 00:57:13 . 2004-08-10 12:00:00 64,000 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004577_.tmp.dll.vir

2010-10-28 00:57:13 . 2004-08-10 12:00:00 415,744 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004576_.tmp.dll.vir

2010-10-28 00:57:13 . 2004-08-10 12:00:00 144,896 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004569_.tmp.dll.vir

2010-10-28 00:57:13 . 2004-08-10 12:00:00 108,032 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004568_.tmp.dll.vir

2010-10-28 00:57:12 . 2004-08-10 12:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004561_.tmp.dll.vir

2010-10-28 00:57:12 . 2004-08-10 12:00:00 50,688 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004559_.tmp.dll.vir

2010-10-28 00:57:10 . 2004-08-10 12:00:00 1,835,904 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004536_.tmp.dll.vir

2010-10-28 00:57:10 . 2004-08-10 12:00:00 146,432 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004533_.tmp.dll.vir

2010-10-26 02:02:36 . 2004-08-10 12:00:00 2,897,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004602_.tmp.dll.vir

2010-10-26 02:00:20 . 2004-08-10 12:00:00 616,960 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004600_.tmp.dll.vir

2010-10-26 02:00:20 . 2004-08-10 12:00:00 611,328 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004595_.tmp.dll.vir

2010-10-26 02:00:19 . 2004-08-10 12:00:00 276,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004594_.tmp.dll.vir

2010-10-26 02:00:19 . 2004-08-10 12:00:00 32,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004593_.tmp.dll.vir

2010-10-26 02:00:19 . 2004-08-10 12:00:00 135,168 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004592_.tmp.dll.vir

2010-10-26 02:00:19 . 2004-08-10 12:00:00 144,384 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004588_.tmp.dll.vir

2010-10-26 02:00:19 . 2004-08-10 12:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004587_.tmp.dll.vir

2010-10-26 02:00:19 . 2004-08-10 12:00:00 721,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004583_.tmp.dll.vir

2010-10-26 02:00:19 . 2004-08-10 12:00:00 129,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004580_.tmp.dll.vir

2010-10-26 02:00:19 . 2004-08-10 12:00:00 708,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004578_.tmp.dll.vir

2010-10-26 02:00:18 . 2004-08-10 12:00:00 553,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004573_.tmp.dll.vir

2010-10-26 02:00:18 . 2004-08-10 12:00:00 34,304 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004571_.tmp.dll.vir

2010-10-26 02:00:17 . 2004-08-10 12:00:00 236,544 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004567_.tmp.dll.vir

2010-10-26 02:00:17 . 2004-08-10 12:00:00 61,440 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004560_.tmp.dll.vir

2010-10-26 02:00:16 . 2004-08-10 12:00:00 64,000 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004554_.tmp.dll.vir

2010-10-26 02:00:16 . 2004-08-10 12:00:00 415,744 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004553_.tmp.dll.vir

2010-10-26 02:00:16 . 2004-08-10 12:00:00 144,896 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004548_.tmp.dll.vir

2010-10-26 02:00:16 . 2004-08-10 12:00:00 108,032 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004546_.tmp.dll.vir

2010-10-26 02:00:15 . 2004-08-10 12:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004544_.tmp.dll.vir

2010-10-26 02:00:15 . 2004-08-10 12:00:00 50,688 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004543_.tmp.dll.vir

2010-10-26 02:00:12 . 2004-08-10 12:00:00 1,835,904 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004529_.tmp.dll.vir

2010-10-26 02:00:12 . 2004-08-10 12:00:00 146,432 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004522_.tmp.dll.vir

2010-08-17 12:34:57 . 2010-08-17 12:34:58 2,826,192 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Amir\Local Settings\Temp\175.dir\InstallFlashPlayer.exe.vir

2010-07-30 22:50:43 . 2010-07-30 22:50:46 2,603,032 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Amir\Local Settings\Temp\HPSUPUD7.9R9\hpusetup.exe.vir

2010-01-14 03:20:17 . 2008-09-26 16:02:04 2,356,088 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Amir\Local Settings\Temp\AdobeUpdater12345.exe.vir

2009-07-24 16:42:42 . 2009-05-14 09:58:00 61,440 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ndisapi.dll.vir

2008-10-27 22:24:46 . 2008-10-27 22:24:46 4,505,744 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Amir\Local Settings\Temp\HpUpdate\9636\CIT248813-HPU-REDBOX-v4.exe.vir

2007-07-24 17:01:38 . 2007-07-24 17:01:38 24,384 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Amir\Local Settings\Temp\PRE257.tmp\x64\McShield.DLL.vir

2006-04-27 21:25:25 . 2006-03-21 03:23:12 23,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\kb913800.exe.vir

2005-12-18 17:24:11 . 2008-04-13 18:32:59 129,792 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\fltmgr.sys.vir

2005-12-18 17:24:11 . 2006-08-21 09:43:32 128,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\fltmgr.sys.vir_

2004-08-10 12:00:00 . 2004-08-10 12:00:00 146,432 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004513_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 1,835,904 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004515_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 22,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004523_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 50,688 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004524_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004525_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 108,032 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004527_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 144,896 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004528_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 415,744 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004531_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 64,000 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004532_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 61,440 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004535_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 236,544 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004538_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 34,304 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004541_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 553,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004542_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 708,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004547_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 129,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004549_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 721,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004552_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 249,270 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004555_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004557_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 144,384 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004558_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 135,168 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004562_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 32,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004563_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 276,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004564_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 611,328 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004565_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 616,960 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004570_.tmp.dll.vir

2004-08-10 12:00:00 . 2004-08-10 12:00:00 2,897,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004572_.tmp.dll.vir

2002-03-17 00:00:00 . 2002-03-17 00:00:00 7,420 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\UA000035.DLL.vir

--- End Combofix Quarantined Files Log ---

--- DDS log ---

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Amir at 19:26:48 on 2011-11-21

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.493 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\CameraAssistant.exe

C:\WINDOWS\system32\ElkCtrl.exe

C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Palm\HOTSYNC.EXE

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\igfxsrvc.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://gmail.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111106000438.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [intelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOT

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [sigmatelSysTrayApp] sttray.exe

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe

mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect

mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation

mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [RunNarrator] Narrator.exe

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxp://prodquickplace.thc.local/qp2.cab

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://dcode.support.microsoft.com/dcode/ActiveX/MSDcode.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://corp.cvh.on.ca/tsweb/msrdp.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe

DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 461864]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-30 89624]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-30 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-30 214904]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-30 214904]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-30 166024]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-30 160344]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-30 148520]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-30 57432]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-30 180072]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-30 59288]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-30 338040]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-7-30 83688]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [2011-1-2 33792]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-30 83688]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-30 87808]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-3 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-3 40552]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-2-4 176896]

.

=============== Created Last 30 ================

.

2011-11-21 23:02:48 -------- d-s---w- C:\ComboFix

2011-11-21 21:34:37 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-11-21 20:06:50 128768 -c--a-w- c:\windows\system32\dllcache\fltmgr.sys

2011-11-21 20:06:50 128768 ----a-w- c:\windows\system32\drivers\fltmgr.sys

2011-11-21 19:56:45 -------- d-sha-r- C:\cmdcons

2011-11-21 19:51:25 98816 ----a-w- c:\windows\sed.exe

2011-11-21 19:51:25 518144 ----a-w- c:\windows\SWREG.exe

2011-11-21 19:51:25 256000 ----a-w- c:\windows\PEV.exe

2011-11-21 19:51:25 208896 ----a-w- c:\windows\MBR.exe

2011-11-06 03:43:49 -------- d-----w- c:\documents and settings\amir\application data\McAfee

2011-11-06 02:21:36 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-11-06 02:21:36 -------- d-----w- c:\windows\system32\wbem\Repository

2011-10-30 19:10:10 -------- d-----w- C:\PSEP_P1

2011-10-24 23:43:24 -------- d-----w- c:\program files\iPod

2011-10-24 23:43:21 -------- d-----w- c:\program files\iTunes

2011-10-24 23:37:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-10-24 23:37:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-10-24 23:37:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-10-24 23:37:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-10-24 23:37:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-10-24 23:37:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-10-24 23:37:44 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2011-10-24 23:34:43 -------- d-----w- c:\program files\Bonjour

.

==================== Find3M ====================

.

2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-31 03:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-08-31 03:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-08-31 03:05:04 50536 ----a-w- c:\windows\system32\jdns_sd.dll

2011-08-31 03:05:04 178536 ----a-w- c:\windows\system32\dnssdX.dll

.

============= FINISH: 19:33:27.57 ===============

--- End DDS log ---

--- 'Attach' log ---

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 22/10/2010 8:24:04 PM

System Uptime: 21/11/2011 6:51:08 PM (1 hours ago)

.

Motherboard: Intel Corporation | | D945GTP

Processor: Intel® Pentium® 4 CPU 3.20GHz | | 3200/200mhz

Processor: Intel® Pentium® 4 CPU 3.20GHz | | 3200/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 233 GiB total, 36.162 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Cisco Systems VPN Adapter

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco Systems VPN Adapter

PNP Device ID: ROOT\NET\0000

Service: CVirtA

.

==== System Restore Points ===================

.

RP358: 23/08/2011 10:36:33 PM - System Checkpoint

RP359: 25/08/2011 12:52:47 PM - System Checkpoint

RP360: 26/08/2011 1:40:11 PM - System Checkpoint

RP361: 27/08/2011 3:13:44 PM - System Checkpoint

RP362: 28/08/2011 3:47:02 PM - System Checkpoint

RP363: 29/08/2011 4:36:12 PM - System Checkpoint

RP364: 30/08/2011 4:37:16 PM - System Checkpoint

RP365: 31/08/2011 5:52:06 PM - System Checkpoint

RP366: 01/09/2011 6:36:14 PM - System Checkpoint

RP367: 02/09/2011 10:03:46 PM - System Checkpoint

RP368: 04/09/2011 2:15:12 PM - System Checkpoint

RP369: 05/09/2011 4:27:21 PM - System Checkpoint

RP370: 06/09/2011 4:30:39 PM - System Checkpoint

RP371: 07/09/2011 5:07:26 PM - System Checkpoint

RP372: 08/09/2011 6:42:15 PM - System Checkpoint

RP373: 09/09/2011 7:03:10 PM - System Checkpoint

RP374: 10/09/2011 7:51:02 PM - System Checkpoint

RP375: 11/09/2011 9:02:39 PM - System Checkpoint

RP376: 12/09/2011 9:39:07 PM - System Checkpoint

RP377: 13/09/2011 11:00:29 PM - System Checkpoint

RP378: 15/09/2011 2:43:12 PM - System Checkpoint

RP379: 16/09/2011 2:57:56 PM - System Checkpoint

RP380: 17/09/2011 3:00:54 PM - System Checkpoint

RP381: 18/09/2011 3:41:42 PM - System Checkpoint

RP382: 19/09/2011 5:16:39 PM - System Checkpoint

RP383: 20/09/2011 6:38:43 PM - System Checkpoint

RP384: 21/09/2011 7:16:03 PM - System Checkpoint

RP385: 22/09/2011 8:03:41 PM - System Checkpoint

RP386: 23/09/2011 9:04:43 PM - System Checkpoint

RP387: 24/09/2011 10:04:43 PM - System Checkpoint

RP388: 25/09/2011 10:13:10 PM - System Checkpoint

RP389: 26/09/2011 11:12:01 PM - System Checkpoint

RP390: 28/09/2011 2:31:25 PM - System Checkpoint

RP391: 29/09/2011 2:50:33 PM - System Checkpoint

RP392: 30/09/2011 3:38:14 PM - System Checkpoint

RP393: 01/10/2011 3:54:08 PM - System Checkpoint

RP394: 02/10/2011 4:20:57 PM - System Checkpoint

RP395: 03/10/2011 4:59:03 PM - System Checkpoint

RP396: 04/10/2011 5:29:15 PM - System Checkpoint

RP397: 05/10/2011 6:28:54 PM - System Checkpoint

RP398: 06/10/2011 6:46:42 PM - System Checkpoint

RP399: 07/10/2011 8:19:41 PM - System Checkpoint

RP400: 08/10/2011 10:50:34 AM - Removed LeapFrog Connect

RP401: 08/10/2011 10:52:28 AM - Removed LeapFrog Leapster Explorer Plugin

RP402: 09/10/2011 11:51:21 AM - System Checkpoint

RP403: 10/10/2011 5:48:23 PM - System Checkpoint

RP404: 11/10/2011 5:50:43 PM - System Checkpoint

RP405: 12/10/2011 6:33:03 PM - System Checkpoint

RP406: 13/10/2011 8:34:21 PM - System Checkpoint

RP407: 14/10/2011 9:30:39 PM - System Checkpoint

RP408: 15/10/2011 10:30:39 PM - System Checkpoint

RP409: 16/10/2011 10:31:44 PM - System Checkpoint

RP410: 18/10/2011 3:40:37 PM - System Checkpoint

RP411: 19/10/2011 5:00:08 PM - System Checkpoint

RP412: 20/10/2011 6:53:57 PM - System Checkpoint

RP413: 21/10/2011 7:08:11 PM - System Checkpoint

RP414: 22/10/2011 7:28:31 PM - System Checkpoint

RP415: 23/10/2011 7:50:05 PM - System Checkpoint

RP416: 24/10/2011 7:33:56 PM - Removed Apple Application Support

RP417: 24/10/2011 7:39:30 PM - Removed Apple Mobile Device Support

RP418: 25/10/2011 7:49:57 PM - System Checkpoint

RP419: 26/10/2011 9:24:55 PM - System Checkpoint

RP420: 28/10/2011 8:41:17 AM - System Checkpoint

RP421: 29/10/2011 9:23:40 AM - System Checkpoint

RP422: 30/10/2011 9:49:39 AM - System Checkpoint

RP423: 31/10/2011 10:49:42 AM - System Checkpoint

RP424: 01/11/2011 11:47:24 AM - System Checkpoint

RP425: 02/11/2011 11:48:37 AM - System Checkpoint

RP426: 03/11/2011 1:19:32 PM - System Checkpoint

RP427: 04/11/2011 1:24:46 PM - System Checkpoint

RP428: 05/11/2011 2:23:41 PM - System Checkpoint

RP429: 05/11/2011 9:20:44 PM - Restore Operation

RP430: 06/11/2011 9:35:03 PM - System Checkpoint

RP431: 08/11/2011 2:08:18 PM - System Checkpoint

RP432: 09/11/2011 2:18:30 PM - System Checkpoint

RP433: 21/11/2011 5:43:24 PM - System Checkpoint

.

==== Installed Programs ======================

.

µTorrent

2600

2600_Help

2600Trb

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 8.3.1

AiO_Scan

AiOSoftware

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ATI - Software Uninstall Utility

ATI Control Panel

ATI Display Driver

Bonjour

BufferChm

Compatibility Pack for the 2007 Office system

Copy

CP_AtenaShokunin1Config

cp_dwShrek2Albums1

cp_dwShrek2Cards1

CreativeProjects

CreativeProjectsTemplates

CueTour

Destinations

Director

DivX Setup

DocProc

Documents To Go

DocumentViewer

Epocrates Essentials

Fax

Football Menus Template Pack

Freez FLV to AVI/MPEG/WMV Converter

GdiplusUpgrade

HighMAT Extension to Microsoft Windows XP CD Writing Wizard

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Extended Capabilities 4.7

HP Image Zone 4.7

HP Product Assistant

HP PSC & OfficeJet 4.7

HP Update

HPSystemDiagnostics

InstantShare

Intel Audio Studio 2.0

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Connections

iTunes

Java 2 Runtime Environment, SE v1.4.2_05

Java 6 Update 2

LeapFrog Connect

LeapFrog Leapster Explorer Plugin

Logitech Camera Driver

Logitech Desktop Messenger

Logitech QuickCam Software

Malwarebytes' Anti-Malware version 1.51.2.1300

MarketResearch

McAfee AntiVirus Plus

McAfee Virtual Technician

MEDITECH Workstation3.x (Incomplete Install)

MetaFrame Presentation Server Web Client for Win32

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft IntelliPoint 5.3

Microsoft IntelliType Pro 5.3

Microsoft Office Professional Edition 2003

MobileMe Control Panel

MotionDV STUDIO 5.3E LE for DV

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Nero Suite

Palm Desktop

PanoStandAlone

PhotoGallery

PowerDirector

PowerDVD

ProductContext

QFolder

QuickTime

Readme

Safari

Scan

ScannerCopy

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

SigmaTel Audio

SkinsHP1

Skype™ 5.3

SmartSound Quicktracks Plugin

SoftV90 Data Fax Voice Modem

TrayApp

Unload

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB932823-v3)

Update Rollup 2 for Windows XP Media Center Edition 2005

Use the entry named LeapFrog Connect to uninstall (LeapFrog Leapster Explorer Plugin)

Vacation Menus Template Pack

Valentine Menus Template Pack

VC80CRTRedist - 8.0.50727.6195

VPN Client

WebFldrs XP

WebReg

Windows Defender

Windows Defender Signatures

Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Live installer

Windows Live Messenger

Windows Live Sign-in Assistant

Windows Media Connect

Windows Media Format 11 runtime

Windows Media Format Runtime

Windows Media Player 11

WinRAR archiver

WinZip

.

==== Event Viewer Messages From Past Week ========

.

21/11/2011 6:00:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm

21/11/2011 5:01:08 PM, error: DCOM [10005] - DCOM got error "%1083" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

21/11/2011 3:29:37 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

21/11/2011 3:28:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Cdrom Fips Imapi intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

21/11/2011 3:28:34 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

21/11/2011 3:28:34 PM, error: Service Control Manager [7001] - The Messenger service depends on the NetBIOS Interface service which failed to start because of the following error: A device attached to the system is not functioning.

21/11/2011 3:28:34 PM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.

21/11/2011 3:28:34 PM, error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

21/11/2011 3:28:34 PM, error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

21/11/2011 3:28:34 PM, error: Service Control Manager [7001] - The McAfee Network Agent service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

21/11/2011 3:28:34 PM, error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.

21/11/2011 3:28:34 PM, error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.

21/11/2011 3:28:34 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

21/11/2011 3:28:34 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

21/11/2011 3:28:34 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

21/11/2011 3:28:34 PM, error: Service Control Manager [7001] - The Cisco Systems, Inc. VPN Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

21/11/2011 3:28:34 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

21/11/2011 3:28:34 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

21/11/2011 3:28:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

21/11/2011 3:27:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

21/11/2011 3:11:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Cdrom Imapi

21/11/2011 3:11:47 PM, error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

21/11/2011 3:11:46 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Media Player Network Sharing Service service to connect.

21/11/2011 3:11:45 PM, error: Service Control Manager [7024] - The Media Center Extender Service service terminated with service-specific error 2147500037 (0x80004005).

21/11/2011 3:11:45 PM, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.

21/11/2011 3:11:45 PM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.

21/11/2011 3:11:45 PM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.

21/11/2011 3:11:40 PM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.

21/11/2011 2:49:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

21/11/2011 2:15:38 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Cdrom Fips Imapi intelppm

21/11/2011 2:07:15 PM, error: DCOM [10005] - DCOM got error "%1083" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

.

==== End Of File ===========================

--- End Attach log ---

  • Staff

Hi,

My apologies for the delay.

Please see:

HijackThis Forum Policy

We will not assist users that are obviously using illegal software.

If any such evidence is found you will be given the benefit of the doubt and the opportunity to completely uninstall and delete any such data from your system.

During the scanning process if any further evidence shows up your topic will be closed and no further assistance will be provided.

If you're using Peer 2 Peer software such as uTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

It's likely why your issue began in the first place.

Apologies, I thought I had uninstalled uTorrent 18 months ago with my last malware escapade requiring repair install of windows. I will attempt to uninstall again. Please advise if a repeat DDS log will be sufficient as evidence of uninstall and will allow ongoing support in this forum.

Again, with thanks.

Combofix created the following on Nov 21:

C:\Qoobox\Quarantine\Registry_backups\AddRemove-uTorrent.reg.dat

The script from the file is as follows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\uTorrent]

"DisplayIcon"="C:\\Program Files\\uTorrent\\uTorrent.exe,0"

"DisplayName"="uTorrent"

"DisplayVersion"="2.2.0"

"UnistallString"="\"C:\\Prgram Files\\uTorrent\\uTorrent.exe\" /UNINSTALL"

"InstallLocation"="C:\\Prgram Files\\uTorrent"

"NoModify"=dword:00000001

"NoRepair"=dword:00000001

"URLInfoAbout"="http://www.utorrent.com"

As such, I believe that combofix already executed removal of uTorrent since I could not find any application folder or uninstall command anywhere on the system. I did however find an application data folder with a few application data files and this has now been deleted.

If you could please advise if a repeat DDS and Attach log would be sufficient to confirm removal and thereby allow me to continue to receive your expert advice?

Many thanks again.

Yes it appears to be gone. :)

Please grab a fresh copy of ComboFix, run it, and post its log along with another DDS log.

New combofix obtained and ran without incident. Log file below. Outstanding questions from previous logs: (i) a rootkit virus was found -- does this mean I should consider wiping the drive clean and reinstalling OS? (ii) I still have not tested the system in the normal environment post-combofix -- please advise if/when this should be done.

Combofix and DDS logs below. Thanks for ongoing support -- very helpful and appreciated immensely.

******* COMBOFIX LOG *********

ComboFix 11-12-02.02 - Administrator 02/12/2011 20:20:54.4.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.734 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\CSC\d6

c:\windows\EventSystem.log

.

.

((((((((((((((((((((((((( Files Created from 2011-11-03 to 2011-12-03 )))))))))))))))))))))))))))))))

.

.

2011-11-21 21:34 . 2004-08-10 12:00 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-11-21 20:06 . 2006-08-21 09:43 128768 -c--a-w- c:\windows\system32\dllcache\fltmgr.sys

2011-11-21 20:06 . 2006-08-21 09:43 128768 ----a-w- c:\windows\system32\drivers\fltmgr.sys

2011-11-21 19:20 . 2011-11-21 19:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2011-11-06 02:34 . 2011-11-06 02:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-11-06 02:21 . 2011-11-06 02:21 -------- d-----w- c:\windows\system32\wbem\Repository

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\bits\qmgr.dll

.

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

.

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll

.

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]

"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-23 8740864]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-09-01 221184]

"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-09-07 434176]

"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-09-07 11:39 73728]

"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-08-23 211296]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2004-08-10 53760]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-10 44544]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-2-4 1454143]

HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2003-4-22 299008]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2010-12-26 450560]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Palm\\HOTSYNC.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

.

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [30/07/2010 10:41 PM 89624]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [30/07/2010 10:41 PM 214904]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [30/07/2010 10:52 PM 160344]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [30/07/2010 10:41 PM 148520]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 6:19 PM 13592]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [30/07/2010 10:41 PM 338040]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [30/07/2010 10:41 PM 83688]

S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [30/07/2010 10:41 PM 214904]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [30/07/2010 10:41 PM 57432]

S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [02/01/2011 11:17 AM 33792]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [30/07/2010 10:41 PM 83688]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [30/07/2010 10:41 PM 87808]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - NDISRD

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-03 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

2011-11-27 c:\windows\Tasks\User_Feed_Synchronization-{9C5A5677-056A-41FB-9AE1-8522FF3CAC11}.job

- c:\windows\system32\msfeedssync.exe [2009-06-30 08:31]

.

.

------- Supplementary Scan -------

.

Trusted Zone: internet

Trusted Zone: mcafee.com

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-02 21:02

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1453689397-414440772-572454927-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,6f,d4,3a,83,95,76,41,a4,d6,58,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,6f,d4,3a,83,95,76,41,a4,d6,58,\

.

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1256)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(1152)

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\mcafee.com\agent\mcagent.exe

.

**************************************************************************

.

Completion time: 2011-12-02 21:18:14 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-03 02:17

ComboFix2.txt 2011-11-22 01:47

.

Pre-Run: 41,539,887,104 bytes free

Post-Run: 41,648,680,960 bytes free

.

- - End Of File - - C37FAAE6884EA60BF3A1233F0CB0F444

*********** END OF COMBOFIX LOG ************

*********** DDS LOG BEGINS ****************

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Amir at 21:47:05 on 2011-12-02

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.325 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\CameraAssistant.exe

C:\WINDOWS\system32\ElkCtrl.exe

C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Palm\HOTSYNC.EXE

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Windows Defender\MSASCui.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://gmail.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111106000438.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [intelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOT

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe

mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect

mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation

mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [RunNarrator] Narrator.exe

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxp://prodquickplace.thc.local/qp2.cab

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://dcode.support.microsoft.com/dcode/ActiveX/MSDcode.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://corp.cvh.on.ca/tsweb/msrdp.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe

DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 461864]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-30 89624]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-30 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-30 214904]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-30 214904]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-30 166024]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-30 160344]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-30 148520]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-30 57432]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-30 180072]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-30 59288]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-30 338040]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-7-30 83688]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [2011-1-2 33792]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-30 83688]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-30 87808]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-3 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-3 40552]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-2-4 176896]

.

=============== Created Last 30 ================

.

2011-12-03 01:11:33 208896 ----a-w- c:\windows\MBR.exe

2011-12-03 01:11:32 98816 ----a-w- c:\windows\sed.exe

2011-12-03 01:11:32 518144 ----a-w- c:\windows\SWREG.exe

2011-12-03 01:11:32 256000 ----a-w- c:\windows\PEV.exe

2011-12-03 01:10:09 -------- d-----w- C:\ComboFix

2011-11-21 21:34:37 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-11-21 20:06:50 128768 -c--a-w- c:\windows\system32\dllcache\fltmgr.sys

2011-11-21 20:06:50 128768 ----a-w- c:\windows\system32\drivers\fltmgr.sys

2011-11-21 19:56:45 -------- d-sha-r- C:\cmdcons

2011-11-06 03:43:49 -------- d-----w- c:\documents and settings\amir\application data\McAfee

2011-11-06 02:21:36 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-11-06 02:21:36 -------- d-----w- c:\windows\system32\wbem\Repository

.

==================== Find3M ====================

.

.

============= FINISH: 21:53:56.06 ===============

*********** DDS LOG ENDS ****************

*********** ATTACH LOG BEGINS ****************

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 22/10/2010 8:24:04 PM

System Uptime: 02/12/2011 9:44:19 PM (0 hours ago)

.

Motherboard: Intel Corporation | | D945GTP

Processor: Intel® Pentium® 4 CPU 3.20GHz | | 3200/200mhz

Processor: Intel® Pentium® 4 CPU 3.20GHz | | 3200/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 233 GiB total, 38.832 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Cisco Systems VPN Adapter

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco Systems VPN Adapter

PNP Device ID: ROOT\NET\0000

Service: CVirtA

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

2600

2600_Help

2600Trb

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 8.3.1

AiO_Scan

AiOSoftware

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ATI - Software Uninstall Utility

ATI Control Panel

ATI Display Driver

Bonjour

BufferChm

Compatibility Pack for the 2007 Office system

Copy

CP_AtenaShokunin1Config

cp_dwShrek2Albums1

cp_dwShrek2Cards1

CreativeProjects

CreativeProjectsTemplates

CueTour

Destinations

Director

DivX Setup

DocProc

Documents To Go

DocumentViewer

Epocrates Essentials

Fax

Football Menus Template Pack

Freez FLV to AVI/MPEG/WMV Converter

GdiplusUpgrade

HighMAT Extension to Microsoft Windows XP CD Writing Wizard

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Extended Capabilities 4.7

HP Image Zone 4.7

HP Product Assistant

HP PSC & OfficeJet 4.7

HP Update

HPSystemDiagnostics

InstantShare

Intel Audio Studio 2.0

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Connections

iTunes

Java 2 Runtime Environment, SE v1.4.2_05

Java 6 Update 2

LeapFrog Connect

LeapFrog Leapster Explorer Plugin

Logitech Camera Driver

Logitech Desktop Messenger

Logitech QuickCam Software

Malwarebytes' Anti-Malware version 1.51.2.1300

MarketResearch

McAfee AntiVirus Plus

McAfee Virtual Technician

MEDITECH Workstation3.x (Incomplete Install)

MetaFrame Presentation Server Web Client for Win32

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft IntelliPoint 5.3

Microsoft IntelliType Pro 5.3

Microsoft Office Professional Edition 2003

MobileMe Control Panel

MotionDV STUDIO 5.3E LE for DV

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Nero Suite

Palm Desktop

PanoStandAlone

PhotoGallery

PowerDirector

PowerDVD

ProductContext

QFolder

QuickTime

Readme

Safari

Scan

ScannerCopy

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

SigmaTel Audio

SkinsHP1

Skype™ 5.3

SmartSound Quicktracks Plugin

SoftV90 Data Fax Voice Modem

TrayApp

Unload

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB932823-v3)

Update Rollup 2 for Windows XP Media Center Edition 2005

Use the entry named LeapFrog Connect to uninstall (LeapFrog Leapster Explorer Plugin)

Vacation Menus Template Pack

Valentine Menus Template Pack

VC80CRTRedist - 8.0.50727.6195

VPN Client

WebFldrs XP

WebReg

Windows Defender

Windows Defender Signatures

Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Live installer

Windows Live Messenger

Windows Live Sign-in Assistant

Windows Media Connect

Windows Media Format 11 runtime

Windows Media Format Runtime

Windows Media Player 11

WinRAR archiver

WinZip

.

==== Event Viewer Messages From Past Week ========

.

27/11/2011 11:35:08 AM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.

27/11/2011 11:35:08 AM, error: DCOM [10005] - DCOM got error "%1083" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

27/11/2011 11:26:56 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Media Player Network Sharing Service service to connect.

27/11/2011 11:26:56 AM, error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

27/11/2011 11:26:56 AM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.

27/11/2011 11:26:56 AM, error: DCOM [10005] - DCOM got error "%1083" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

27/11/2011 11:26:51 AM, error: Service Control Manager [7024] - The Media Center Extender Service service terminated with service-specific error 2147500037 (0x80004005).

27/11/2011 11:26:51 AM, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.

27/11/2011 11:26:31 AM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.

02/12/2011 9:41:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

02/12/2011 9:37:30 PM, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).

02/12/2011 8:11:14 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.

02/12/2011 8:11:13 PM, error: SRService [104] - The System Restore initialization process failed.

02/12/2011 8:05:35 PM, error: Dhcp [1002] - The IP address lease 99.238.124.156 for the Network Card with network address 001320AB4FA3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

02/12/2011 7:45:53 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

02/12/2011 7:45:16 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm

02/12/2011 7:44:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

.

==== End Of File ===========================

*********** ATTACH LOG ENDS ****************


  • Staff

Yes, I would recommend a format and reinstallation of Windows.

Here is my general speech related to that:

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmission of personal identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.


Thanks for the advice. On the balance of risks, general usage, and the intended temporary use of the infected computer (a new one is coming in 2-3 months), I would like to proceed with any further instructions / advice you can provide to complete disinfection, understanding that the computer may never be trustworthy in the future. In the future I do intend to reformat and have the computer available as a backup / secondary use by others in the household.

I do understand the risks involved and value your advice.

If you wouldn't mind, I'd like to proceed with next steps.

Thanks again!


  • Staff

Hi,

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Here are the attached logs.

Please advise re: next steps.

Thanks again. Help is appreciated.

--- MBAM log ---

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8383

Windows 5.1.2600 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18702

16/12/2011 9:02:09 PM

mbam-log-2011-12-16 (21-02-09).txt

Scan type: Quick scan

Objects scanned: 189770

Time elapsed: 7 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

--- End MBAM log ---

--- ComboFix log ---

ComboFix 11-12-17.05 - Administrator 17/12/2011 22:24:22.5.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.702 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((( Files Created from 2011-11-18 to 2011-12-18 )))))))))))))))))))))))))))))))

.

.

2011-11-21 21:34 . 2004-08-10 12:00 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-11-21 20:06 . 2006-08-21 09:43 128768 -c--a-w- c:\windows\system32\dllcache\fltmgr.sys

2011-11-21 20:06 . 2006-08-21 09:43 128768 ----a-w- c:\windows\system32\drivers\fltmgr.sys

2011-11-21 19:20 . 2011-11-21 19:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\bits\qmgr.dll

.

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

.

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll

.

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]

"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-23 8740864]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-09-01 221184]

"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-09-07 434176]

"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-09-07 11:39 73728]

"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-08-23 211296]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2004-08-10 53760]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-10 44544]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-2-4 1454143]

HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2003-4-22 299008]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2010-12-26 450560]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Palm\\HOTSYNC.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

.

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [30/07/2010 10:41 PM 89624]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [30/07/2010 10:41 PM 214904]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [30/07/2010 10:52 PM 160344]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [30/07/2010 10:41 PM 148520]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 6:19 PM 13592]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [30/07/2010 10:41 PM 338040]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [30/07/2010 10:41 PM 83688]

S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [30/07/2010 10:41 PM 214904]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [30/07/2010 10:41 PM 57432]

S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [02/01/2011 11:17 AM 33792]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [30/07/2010 10:41 PM 83688]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [30/07/2010 10:41 PM 87808]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - NDISRD

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-18 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

2011-12-03 c:\windows\Tasks\User_Feed_Synchronization-{9C5A5677-056A-41FB-9AE1-8522FF3CAC11}.job

- c:\windows\system32\msfeedssync.exe [2009-06-30 08:31]

.

.

------- Supplementary Scan -------

.

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 64.71.255.198

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-17 22:58

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1453689397-414440772-572454927-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,6f,d4,3a,83,95,76,41,a4,d6,58,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,6f,d4,3a,83,95,76,41,a4,d6,58,\

.

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1240)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(696)

c:\windows\system32\ieframe.dll

c:\windows\system32\msls31.dll

c:\windows\system32\Macromed\Flash\Flash10o.ocx

c:\windows\system32\iepeers.dll

c:\windows\system32\Dxtrans.dll

c:\windows\system32\ImgUtil.dll

c:\windows\system32\Dxtmsft.dll

c:\windows\system32\pngfilt.dll

c:\program files\Common Files\Microsoft Shared\VGX\vgx.dll

.

Completion time: 2011-12-17 23:13:33

ComboFix-quarantined-files.txt 2011-12-18 04:13

ComboFix2.txt 2011-12-03 02:18

ComboFix3.txt 2011-11-22 01:47

.

Pre-Run: 41,635,676,160 bytes free

Post-Run: 41,614,221,312 bytes free

.

- - End Of File - - 84F0DE634A3808F389D32E3F2B9F2ADD

--- End Combofix log ---

--- DDS log ---

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Amir at 23:29:03 on 2011-12-17

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.396 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\CameraAssistant.exe

C:\WINDOWS\system32\ElkCtrl.exe

C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Palm\HOTSYNC.EXE

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\McAfee\VirusScan\mcods.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://gmail.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111106000438.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [intelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOT

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe

mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect

mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation

mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [RunNarrator] Narrator.exe

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxp://prodquickplace.thc.local/qp2.cab

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://dcode.support.microsoft.com/dcode/ActiveX/MSDcode.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://corp.cvh.on.ca/tsweb/msrdp.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe

DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 461864]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-30 89624]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-30 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-30 214904]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-7-30 214904]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-30 166024]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-30 160344]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-30 148520]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-30 57432]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-30 180072]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-30 59288]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-30 338040]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-7-30 83688]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [2011-1-2 33792]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-30 83688]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-30 87808]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-3 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-3 40552]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-2-4 176896]

.

=============== Created Last 30 ================

.

2011-12-18 03:13:56 -------- d-----w- C:\ComboFix

2011-12-03 01:11:33 208896 ----a-w- c:\windows\MBR.exe

2011-12-03 01:11:32 98816 ----a-w- c:\windows\sed.exe

2011-12-03 01:11:32 518144 ----a-w- c:\windows\SWREG.exe

2011-12-03 01:11:32 256000 ----a-w- c:\windows\PEV.exe

2011-11-21 21:34:37 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-11-21 20:06:50 128768 -c--a-w- c:\windows\system32\dllcache\fltmgr.sys

2011-11-21 20:06:50 128768 ----a-w- c:\windows\system32\drivers\fltmgr.sys

2011-11-21 19:56:45 -------- d-sha-r- C:\cmdcons

.

==================== Find3M ====================

.

.

============= FINISH: 23:35:53.29 ===============

--- End DDS log ---

--- Attach Log ---

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 22/10/2010 8:24:04 PM

System Uptime: 17/12/2011 11:23:21 PM (0 hours ago)

.

Motherboard: Intel Corporation | | D945GTP

Processor: Intel® Pentium® 4 CPU 3.20GHz | | 3200/200mhz

Processor: Intel® Pentium® 4 CPU 3.20GHz | | 3200/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 233 GiB total, 38.764 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Cisco Systems VPN Adapter

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco Systems VPN Adapter

PNP Device ID: ROOT\NET\0000

Service: CVirtA

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

2600

2600_Help

2600Trb

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 8.3.1

AiO_Scan

AiOSoftware

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ATI - Software Uninstall Utility

ATI Control Panel

ATI Display Driver

Bonjour

BufferChm

Compatibility Pack for the 2007 Office system

Copy

CP_AtenaShokunin1Config

cp_dwShrek2Albums1

cp_dwShrek2Cards1

CreativeProjects

CreativeProjectsTemplates

CueTour

Destinations

Director

DivX Setup

DocProc

Documents To Go

DocumentViewer

Epocrates Essentials

Fax

Football Menus Template Pack

Freez FLV to AVI/MPEG/WMV Converter

GdiplusUpgrade

HighMAT Extension to Microsoft Windows XP CD Writing Wizard

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Extended Capabilities 4.7

HP Image Zone 4.7

HP Product Assistant

HP PSC & OfficeJet 4.7

HP Update

HPSystemDiagnostics

InstantShare

Intel Audio Studio 2.0

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Connections

iTunes

Java 2 Runtime Environment, SE v1.4.2_05

Java 6 Update 2

LeapFrog Connect

LeapFrog Leapster Explorer Plugin

Logitech Camera Driver

Logitech Desktop Messenger

Logitech QuickCam Software

Malwarebytes' Anti-Malware version 1.51.2.1300

MarketResearch

McAfee AntiVirus Plus

McAfee Virtual Technician

MEDITECH Workstation3.x (Incomplete Install)

MetaFrame Presentation Server Web Client for Win32

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft IntelliPoint 5.3

Microsoft IntelliType Pro 5.3

Microsoft Office Professional Edition 2003

MobileMe Control Panel

MotionDV STUDIO 5.3E LE for DV

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Nero Suite

Palm Desktop

PanoStandAlone

PhotoGallery

PowerDirector

PowerDVD

ProductContext

QFolder

QuickTime

Readme

Safari

Scan

ScannerCopy

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

SigmaTel Audio

SkinsHP1

Skype™ 5.3

SmartSound Quicktracks Plugin

SoftV90 Data Fax Voice Modem

TrayApp

Unload

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB932823-v3)

Update Rollup 2 for Windows XP Media Center Edition 2005

Use the entry named LeapFrog Connect to uninstall (LeapFrog Leapster Explorer Plugin)

Vacation Menus Template Pack

Valentine Menus Template Pack

VC80CRTRedist - 8.0.50727.6195

VPN Client

WebFldrs XP

WebReg

Windows Defender

Windows Defender Signatures

Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Live installer

Windows Live Messenger

Windows Live Sign-in Assistant

Windows Media Connect

Windows Media Format 11 runtime

Windows Media Format Runtime

Windows Media Player 11

WinRAR archiver

WinZip

.

==== Event Viewer Messages From Past Week ========

.

17/12/2011 11:24:04 PM, error: DCOM [10005] - DCOM got error "%1083" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

17/12/2011 11:23:57 PM, error: Service Control Manager [7024] - The Media Center Extender Service service terminated with service-specific error 2147500037 (0x80004005).

17/12/2011 11:23:57 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Media Player Network Sharing Service service to connect.

17/12/2011 11:23:57 PM, error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

17/12/2011 11:23:57 PM, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.

17/12/2011 11:23:57 PM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.

17/12/2011 11:23:57 PM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.

16/12/2011 8:50:37 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

16/12/2011 8:50:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

16/12/2011 8:49:17 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

16/12/2011 8:49:17 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

16/12/2011 8:49:17 PM, error: Service Control Manager [7001] - The Messenger service depends on the NetBIOS Interface service which failed to start because of the following error: A device attached to the system is not functioning.

16/12/2011 8:49:17 PM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.

16/12/2011 8:49:17 PM, error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

16/12/2011 8:49:17 PM, error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

16/12/2011 8:49:17 PM, error: Service Control Manager [7001] - The McAfee Network Agent service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

16/12/2011 8:49:17 PM, error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.

16/12/2011 8:49:17 PM, error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.

16/12/2011 8:49:17 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

16/12/2011 8:49:17 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

16/12/2011 8:49:17 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

16/12/2011 8:49:17 PM, error: Service Control Manager [7001] - The Cisco Systems, Inc. VPN Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

16/12/2011 8:49:17 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

16/12/2011 8:49:17 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

16/12/2011 8:48:41 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

16/12/2011 8:45:41 PM, error: Dhcp [1002] - The IP address lease 99.238.124.156 for the Network Card with network address 001320AB4FA3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

16/12/2011 8:44:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm

16/12/2011 8:42:40 PM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.

16/12/2011 11:37:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

.

==== End Of File ===========================

--- End Attach Log ---


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.


So progress made, but still some symptoms.

Update: ESET found nothing. SecurityCheck (nice program!) reminded me that I have a lot of out-of-date software (Java, Acrobat, etc.). Re-installed McAfee (at some point I'll need your formal advice on what to actually use, as this software package seems to be more trouble than it's worth).

What's no longer happening: iexplorer.exe is not running autonomously.

What continues to happen: search engine redirects (google and yahoo are all that I tried), despite re-install of ie8.

Logs attached.

Any next steps? I'm concerned that other household members may not be able to abort the google redirects efficiently. Have not tried using Chrome as of yet...

Thanks for your support. Recognize that there might be a delay in your response over the holiday period. Happy holidays!

Thanks again!

--- ESET log ---

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=3d41bec9d6a53649b8bbcfc419e01345

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-12-23 05:44:58

# local_time=2011-12-23 12:44:58 (-0500, Eastern Standard Time)

# country="Canada"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=5121 16777190 100 75 11699408 53769906 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=127446

# found=0

# cleaned=0

# scan_time=3314

--- End ESET log ---

--- SecurityCheck log ---

Results of screen317's Security Check version 0.99.30

Windows XP Service Pack 2 x86

Out of date service pack!!

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

McAfee AntiVirus Plus

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 30

Java 6 Update 2

Java 2 Runtime Environment, SE v1.4.2_05

Java version out of date!

Adobe Flash Player 10.1.102.64 Flash Player out of Date!

Adobe Reader X (10.1.1)

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````

--- End SecurityCheck log ---


Update:

MBAM found a couple of registry items -- log indicates no action taken but I subsequently deleted them.

Again had to run combofix 3 times. First 2 attempts: no log report would generate following reboot although each time a bunch of files were deleted (cannot find catchme log of this unfortunately). Third time from safe mode did the trick, log below.

However, following successful completion of combofix, here are the symptoms:

1. Popup window informing me that iexplorer needs to connect to mevio.com (this was one of the initial symptoms way back when we started all this).

2. Google redirects continue.

3. Some programs (e.g., Skype and sometimes IE8) crash or don't load at all, with a memory error coming up -- The instruction at "0x005e0767" referenced memory at "0x00001720". The memory could not be "read". Of course, deleting and re-installing this software did not result in any change.

Interim action: internet cable disconnected (again)...

Consequences:

Unless there are additional cleanup tricks up your sleeves, I think I might soon call it quits and seek general instructions (if you have any to provide) regarding reformatting and re-installing Windows XP from those old 2003 or so original disks...

Let me know what you think. Your help has been that of a high level expert. Having said that, I'm starting to feel a little hopeless...

Thanks again!

--- MBAM log ---

Malwarebytes Anti-Malware 1.60.0.1800

www.malwarebytes.org

Database version: v2011.12.30.01

Windows XP Service Pack 2 x86 NTFS

Internet Explorer 8.0.6001.18702

Amir :: HOMEOFFICE [administrator]

29/12/2011 7:46:34 PM

mbam-log-2011-12-29 (20-12-34).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 196478

Time elapsed: 25 minute(s), 30 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 2

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

--- End MBAM log ---

--- Combofix log ---

ComboFix 11-12-29.05 - Administrator 30/12/2011 8:51.8.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.591 [GMT -5:00]

Running from: c:\documents and settings\Amir\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-30 )))))))))))))))))))))))))))))))

.

.

2011-12-24 02:52 . 2011-12-24 02:52 -------- d-----w- c:\program files\Common Files\Skype

2011-12-24 02:52 . 2011-12-24 02:52 -------- d-----r- c:\program files\Skype

2011-12-24 02:19 . 2011-12-24 02:19 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-12-24 01:59 . 2011-12-24 01:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-12-24 01:50 . 2011-12-24 01:53 -------- dc-h--w- c:\windows\ie8

2011-12-24 01:14 . 2011-10-15 17:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-12-24 01:14 . 2011-10-15 17:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-12-24 01:14 . 2011-10-15 17:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-12-24 01:14 . 2011-10-15 17:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-12-24 01:14 . 2011-10-15 17:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-12-24 01:14 . 2011-10-15 17:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-12-24 01:14 . 2011-10-15 17:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-12-24 01:14 . 2011-10-15 17:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-12-24 01:13 . 2011-12-24 01:14 -------- d-----w- c:\program files\Common Files\Mcafee

2011-12-24 01:13 . 2011-12-24 01:46 -------- d-----w- c:\program files\McAfee

2011-12-24 01:07 . 2011-11-18 21:36 150856 ----a-w- c:\windows\system32\mfevtps.exe

2011-12-24 01:06 . 2011-12-30 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2011-12-23 04:46 . 2011-12-23 04:46 -------- d-----w- c:\program files\ESET

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-24 02:19 . 2007-08-15 01:15 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-12-10 20:24 . 2010-07-27 11:34 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-15 17:16 . 2011-10-15 17:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-10-15 17:16 . 2011-10-15 17:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\bits\qmgr.dll

.

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

.

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll

.

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]

"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-23 8740864]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-09-01 221184]

"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-09-07 434176]

"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-09-07 11:39 73728]

"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-08-23 211296]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2004-08-10 53760]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-10 44544]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-2-4 1454143]

HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2003-4-22 299008]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2010-12-26 450560]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Palm\\HOTSYNC.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [23/12/2011 8:14 PM 89792]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [23/12/2011 8:13 PM 214904]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [23/12/2011 8:14 PM 160608]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [23/12/2011 8:07 PM 150856]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [23/12/2011 8:14 PM 338176]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [23/12/2011 8:14 PM 83856]

S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [23/12/2011 8:13 PM 214904]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [23/12/2011 8:14 PM 57600]

S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [02/01/2011 11:17 AM 33792]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [23/12/2011 8:14 PM 83856]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [23/12/2011 8:14 PM 87656]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - NDISRD

.

.

------- Supplementary Scan -------

.

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 64.71.255.198

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-30 09:23

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1453689397-414440772-572454927-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,6f,d4,3a,83,95,76,41,a4,d6,58,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,6f,d4,3a,83,95,76,41,a4,d6,58,\

.

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1276)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(276)

c:\windows\system32\ieframe.dll

c:\windows\system32\msls31.dll

c:\windows\system32\Macromed\Flash\Flash11e.ocx

.

Completion time: 2011-12-30 09:38:16

ComboFix-quarantined-files.txt 2011-12-30 14:37

.

Pre-Run: 40,690,155,520 bytes free

Post-Run: 40,689,418,240 bytes free

.

- - End Of File - - 97A5C80D3F1439317446CBB5D37FB98C

--- End Combofix Log ---


Thanks for the link to the article. Likely the last question: What software combination do you use and/or recommend for anti-malware? I'd like to set up my new machine and the wipe of my current one in the best possible and secure way. Have not been a fan of McAfee and the headaches that it brings to the table. Thanks again for the advice.


  • Staff

I use Microsoft Security Essentials (free) and the PRO version of MBAM (1 time fee for lifetime protection), and I have never experienced an issue.

Here are my general prevention tips:

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
