Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

I want my computer to be normal again ;_;

Started by freshbread3, Dec 15 2011 07:01 PM

This topic is locked

24 replies to this topic

#1 freshbread3

New Member

Members
16 posts

Posted 15 December 2011 - 07:01 PM

I seemed to have gotten the XP 2012 virus this week even though I thought McAfee was doing its job. With help from another forum I deleted some viruses I believe. Then I came across a recommendation for Malwarebytes in yet another forum. That's when I downloaded MBAM and it helped me clear more problems out, but I noticed it kept stopping outgoing (and incoming) communication from possibly malicious IP addresses. Some of them were:

146.185.250.210
146.185.250.211
146.185.250.212
146.185.250.213
146.185.250.214
188.95.52.164
212.36.9.58
206.161.121.100
91.212.226.123
206.161.121.126
83.133.124.195

Also I noticed lag in my computer, getting redirected to nonsense websites and many new processes in the task manager, including ping.exe that seems to be very busy (so I keep stopping it, but I beleive to no avail). After searching for more help on the web I found many other people have experienced the same problems and were getting helped in this forum.

I downloaded DDS and ran it so I'm attaching the DDS and attach logs. I appreciate any help you can give me ;_;

Attached Files

dds.txt 16.08KB 30 downloads
attach.zip 4.55KB 19 downloads

#2 screen317

MBAM Sentinel

Moderators
19,467 posts

Gender:Male
Location:New Haven, CT

Posted 21 December 2011 - 04:07 PM

Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them unless otherwise indicated. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post DDS.txt directly in your reply.

Chris Fistonich
Research Team

#3 freshbread3

New Member

Members
16 posts

Posted 22 December 2011 - 01:51 AM

Thank you for helping me. I updated MBAM. And ran a Quick Scan. Here is the log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122201

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/22/2011 1:14:22 AM
mbam-log-2011-12-22 (01-14-22).txt

Scan type: Quick scan
Objects scanned: 201287
Time elapsed: 19 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Then I got a new copy of DDS and ran it. Here is its log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Fresh Bread at 1:18:38 on 2011-12-22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.449 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\PLFSetL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee\MAT\McPvTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\ping.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111217014104.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Power2GoExpress]
uRun: [Google Update] "c:\documents and settings\fresh bread\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [McAfee McItInfo] c:\docume~1\freshb~1\locals~1\temp\mcitinfo_1324100587.exe /itinsfin:c:\docume~1\freshb~1\locals~1\temp\mcininfo_1324100588.ini
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McPvTray_exe] "c:\program files\mcafee\mat\McPvTray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: amtrak.com\tickets
Trusted Zone: amtrak.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} -
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxdev.dll
Notify: TPSvc - TPSvc.dll
Notify: xmlproservice - xmlrpw32.dll
Notify: xmlrpw32 - xmlrpw32.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2011-12-17 64048]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-12-17 459728]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-12-24 89368]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-17 366152]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-17 165000]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-12-17 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-17 148520]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-1 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-17 22216]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-12-24 179248]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-12-24 59288]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-12-24 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-12-24 83688]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]
S2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]
S2 McOobeSv;McAfee OOBE Service;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]
S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]
S2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-8-1 237568]
S2 XMLProvS;Network ProService;c:\windows\system32\svchost.exe -k xmlpros [2009-8-1 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-1 1684736]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-12-24 57432]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-1 24064]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe --> c:\progra~1\mcafee\msc\mcawfwk.exe [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-12-24 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-12-24 85984]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-1 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2011-12-18 06:56:53 -------- d-----w- c:\program files\VS Revo Group
2011-12-18 06:52:12 -------- d-----w- c:\documents and settings\all users\Uniblue
2011-12-18 03:48:48 -------- d-----w- c:\program files\ESET
2011-12-17 09:29:06 -------- d-----w- c:\documents and settings\fresh bread\application data\McAfee
2011-12-17 09:00:00 -------- d-----w- c:\documents and settings\all users\application data\McAfee Anti-Theft
2011-12-17 07:38:46 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-17 07:38:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-17 07:28:06 -------- d-----w- c:\documents and settings\fresh bread\application data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-12-17 06:46:12 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-12-17 06:45:54 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\McAfee Anti-Theft
2011-12-17 06:41:02 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-12-17 06:39:25 118784 ----a-r- c:\windows\system32\drivers\mfeapfk.sys
2011-12-17 06:39:20 459728 ----a-r- c:\windows\system32\drivers\mfehidk.sys
2011-12-17 06:38:53 148520 ----a-r- c:\windows\system32\mfevtps.exe
2011-12-15 04:58:52 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\PCHealth
2011-12-12 21:33:58 -------- d-----w- c:\documents and settings\fresh bread\application data\Malwarebytes
2011-12-12 21:33:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-11-23 07:52:14 -------- d-sh--w- c:\documents and settings\fresh bread\IECompatCache
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 10:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 22:06:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 1:19:55.69 ===============

Besides the obvious problems I had with renewing McAfee (of which I'm pretty sure I need to contact their customer support department and at some point figure out how to uninstall it to properly renew it), it seems everything is ok, right?

The problem is that MBAM keeps blocking access to potentially malicious websites (outgoing). Here is a sample from just today when I allowed this computer to have internet access:
00:55:35 Fresh Bread IP-BLOCK 63.223.106.17 (Type: outgoing)
00:55:38 Fresh Bread IP-BLOCK 63.223.106.17 (Type: outgoing)
00:55:44 Fresh Bread IP-BLOCK 63.223.106.17 (Type: outgoing)
00:56:14 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)
00:56:17 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)
00:56:23 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)
00:56:23 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)
00:56:26 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)
00:56:32 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)
00:56:35 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)
00:56:38 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)

(the rest of the log up to this point just continues blocking 83.133.124.250)

A few days ago I did an ESET scan which found Win32 Rootkit.Kryptik.GG trojan (in WINDOWS\system32\drivers\ipsec.sys) and multiple threats in the operating memory.

My theory is that I've been infected with a rootkit virus, like so many others. If you can help me defeat this nuisance that would be wonderful.

#4 screen317

MBAM Sentinel

Moderators
19,467 posts

Gender:Male
Location:New Haven, CT

Posted 27 December 2011 - 06:22 PM

Hi,

I apologize for the delay.

Please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Chris Fistonich
Research Team

#5 freshbread3

New Member

Members
16 posts

Posted 28 December 2011 - 04:06 AM

ComboFix found Rootkit.ZeroAccess! in the tcp/ip stack. After it ran, though, I lost my internet connection. I tried to manually "repair" the connection like the instructions said at BleepingComputer but it didn't work.

So I ran ComboFix again (because ComboFix said I might need to do that if I lost my internet connection). There was still no connection and ComboFix still found Rootkit.ZeroAcess!

From Internet Explorer I did a Diagnose Connection Problems and it said "Windows has detected a problem with the Winsock provider catalog on this computer."

I thought maybe I should get a new copy of ComboFix so I used a flash drive to download it from another computer and than ran it again on my computer. Again it found Rootkit. ZeroAccess! and I couldn't get the internet to work still.

So I'm posting from a different computer now. My computer has no internet connection and probably still has Rootkit.ZeroAccess! -__- Hopefully you can see where the problem is from these logs.

ComboFix 11-12-28.02 - Fresh Bread 12/28/2011 3:21.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.664 [GMT -5:00]
Running from: D:\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-28 04:41 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-28 04:41 . 2011-12-28 04:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-28 04:34 . 2010-04-14 01:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-12-28 04:34 . 2011-12-28 04:34 -------- d-----w- c:\program files\McAfee Online Backup
2011-12-28 04:33 . 2011-04-11 19:29 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-12-28 04:31 . 2011-10-15 17:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-12-28 04:31 . 2011-10-15 17:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-12-28 04:31 . 2011-10-15 17:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-12-28 04:31 . 2011-10-15 17:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-12-28 04:31 . 2011-10-15 17:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-12-28 04:31 . 2011-10-15 17:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-12-28 04:31 . 2011-10-15 17:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-12-28 04:31 . 2011-10-15 17:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-12-28 04:31 . 2011-12-28 04:32 -------- d-----w- c:\program files\Common Files\Mcafee
2011-12-28 04:31 . 2011-12-28 05:23 -------- d-----w- c:\program files\McAfee
2011-12-28 04:18 . 2011-11-18 21:36 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-12-28 04:18 . 2011-12-28 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-12-28 03:32 . 2011-12-28 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2011-12-28 02:46 . 2011-12-28 02:46 -------- d-----w- c:\program files\Citrix
2011-12-28 02:46 . 2011-12-28 02:46 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Citrix
2011-12-28 02:13 . 2011-12-28 05:50 -------- d-----w- c:\program files\Perfect Uninstaller
2011-12-18 06:56 . 2011-12-18 06:56 -------- d-----w- c:\program files\VS Revo Group
2011-12-18 06:52 . 2011-12-18 06:52 -------- d-----w- c:\documents and settings\All Users\Uniblue
2011-12-18 03:48 . 2011-12-18 03:48 -------- d-----w- c:\program files\ESET
2011-12-17 07:28 . 2011-12-17 07:28 -------- d-----w- c:\documents and settings\Fresh Bread\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-12-17 06:45 . 2011-12-17 06:45 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\McAfee Anti-Theft
2011-12-15 05:44 . 2011-12-15 05:44 -------- d-----w- c:\program files\Common Files\Java
2011-12-15 04:58 . 2011-12-15 04:58 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\PCHealth
2011-12-14 03:43 . 2011-12-14 03:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2011-12-13 11:33 . 2011-12-13 11:33 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2011-12-12 21:33 . 2011-12-12 21:33 -------- d-----w- c:\documents and settings\Fresh Bread\Application Data\Malwarebytes
2011-12-12 21:33 . 2011-12-12 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-11 04:57 . 2011-12-11 05:34 -------- d-----w- c:\documents and settings\Administrator
2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-12-07 03:54 . 2011-12-07 03:59 -------- d-----w- c:\program files\QuickTime
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2009-08-01 07:34 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 10:54 . 2010-07-01 03:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27 . 2010-07-01 03:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 22:06 . 2011-05-15 18:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20 . 2009-08-01 07:34 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2009-08-01 07:34 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2009-08-01 07:34 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2009-08-01 07:34 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2009-08-01 07:34 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2009-08-01 07:34 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 00:54 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13 . 2009-08-01 07:34 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-15 17:16 . 2011-10-15 17:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 17:16 . 2011-10-15 17:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-10 14:22 . 2009-08-01 06:53 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys
[-] 2008-04-14 12:00 . 90A9305F8727DDB9D5EA8189B520E463 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys
[-] 2008-04-14 12:00 . 90A9305F8727DDB9D5EA8189B520E463 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
.
((((((((((((((((((((((((((((( SnapShot@2011-12-28_05.48.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-28 08:20 . 2011-12-28 08:20 16384 c:\windows\Temp\Perflib_Perfdata_3a0.dat
+ 2011-12-28 08:20 . 2011-12-28 08:20 16384 c:\windows\Temp\Perflib_Perfdata_22c.dat
+ 2009-08-01 07:34 . 2011-12-28 08:25 73368 c:\windows\system32\perfc009.dat
- 2009-08-01 07:34 . 2011-12-28 05:28 73368 c:\windows\system32\perfc009.dat
+ 2009-08-01 07:34 . 2011-12-28 08:25 445946 c:\windows\system32\perfh009.dat
- 2009-08-01 07:34 . 2011-12-28 05:28 445946 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-16 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-07-17 53248]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"CLMLServer"="c:\program files\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-8-1 565248]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-11 73728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-12-28 02:46 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Documents and Settings\\Fresh Bread\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [12/27/2011 11:33 PM 64048]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/27/2011 11:31 PM 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [12/27/2011 11:34 PM 54776]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/27/2011 11:41 PM 652872]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/27/2011 11:32 PM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/27/2011 11:18 PM 150856]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [8/1/2009 4:35 AM 237568]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/27/2011 11:31 PM 57600]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/1/2009 2:35 AM 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/27/2011 11:41 PM 20464]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/27/2011 11:31 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/27/2011 11:31 PM 83856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2010 11:11 PM 136176]
S2 XMLProvS;Network ProService;c:\windows\System32\svchost.exe -k xmlpros [8/1/2009 2:34 AM 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/1/2009 3:48 AM 1684736]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/1/2009 3:50 AM 24064]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2010 11:11 PM 136176]
S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe --> c:\progra~1\mcafee\msc\mcawfwk.exe [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/27/2011 11:31 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/27/2011 11:31 PM 87656]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/1/2009 3:43 AM 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
xmlpros REG_MULTI_SZ XMLProvS
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 04:11]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 04:11]
.
2011-12-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993469562-757298511-4166307882-1005Core.job
- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 07:27]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993469562-757298511-4166307882-1005UA.job
- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 07:27]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
Trusted Zone: amtrak.com\tickets
Trusted Zone: amtrak.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-28 03:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(976)
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
.
Completion time: 2011-12-28 03:35:07
ComboFix-quarantined-files.txt 2011-12-28 08:35
ComboFix2.txt 2011-12-28 07:29
ComboFix3.txt 2011-12-28 05:54
.
Pre-Run: 91,177,267,200 bytes free
Post-Run: 91,169,386,496 bytes free
.
- - End Of File - - AC6C9B6B1127F5CCC1294C2D48B6CF4F

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Fresh Bread at 1:03:48 on 2011-12-28
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.456 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\PLFSetL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MAT\McPvTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111227233155.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McPvTray_exe] "c:\program files\mcafee\mat\McPvTray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: amtrak.com\tickets
Trusted Zone: amtrak.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{E2030F1D-FA9E-405E-97F2-0EA8456A89F0} : DhcpNameServer = 65.32.5.111 65.32.5.112
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2011-12-27 64048]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-10-15 464176]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-12-27 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2011-12-27 54776]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-27 652872]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-27 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-12-27 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-27 150856]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-8-1 237568]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-12-27 57600]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-1 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-27 20464]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-12-27 180816]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-12-27 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-12-27 83856]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
S2 XMLProvS;Network ProService;c:\windows\system32\svchost.exe -k xmlpros [2009-8-1 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-1 1684736]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-1 24064]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe --> c:\progra~1\mcafee\msc\mcawfwk.exe [?]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-12-27 59456]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-12-27 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-27 87656]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-1 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2011-12-28 05:09:04 -------- d-sha-r- C:\cmdcons
2011-12-28 05:05:53 98816 ----a-w- c:\windows\sed.exe
2011-12-28 05:05:53 518144 ----a-w- c:\windows\SWREG.exe
2011-12-28 05:05:53 256000 ----a-w- c:\windows\PEV.exe
2011-12-28 05:05:53 208896 ----a-w- c:\windows\MBR.exe
2011-12-28 04:41:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-28 04:41:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-28 04:34:24 -------- d-----w- c:\program files\McAfeeMOBK
2011-12-28 04:34:15 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-12-28 04:34:04 -------- d-----w- c:\program files\McAfee Online Backup
2011-12-28 04:33:44 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-12-28 04:31:55 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-12-28 04:31:49 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-12-28 04:31:49 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-12-28 04:31:49 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-12-28 04:31:49 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-12-28 04:31:49 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-12-28 04:31:49 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-12-28 04:31:49 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-12-28 04:31:43 -------- d-----w- c:\program files\common files\Mcafee
2011-12-28 04:31:41 -------- d-----w- c:\program files\McAfee.com
2011-12-28 04:31:25 -------- d-----w- c:\program files\McAfee
2011-12-28 04:18:56 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-12-28 03:32:00 -------- d-----w- c:\documents and settings\all users\application data\Citrix
2011-12-28 02:46:43 -------- d-----w- c:\program files\Citrix
2011-12-28 02:46:39 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\Citrix
2011-12-28 02:13:36 -------- d-----w- c:\program files\Perfect Uninstaller
2011-12-18 06:56:53 -------- d-----w- c:\program files\VS Revo Group
2011-12-18 06:52:12 -------- d-----w- c:\documents and settings\all users\Uniblue
2011-12-18 03:48:48 -------- d-----w- c:\program files\ESET
2011-12-17 07:28:06 -------- d-----w- c:\documents and settings\fresh bread\application data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-12-17 06:45:54 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\McAfee Anti-Theft
2011-12-17 06:38:53 148520 ----a-r- c:\windows\system32\mfevtps.exe.e42d.deleteme
2011-12-15 04:58:52 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\PCHealth
2011-12-12 21:33:58 -------- d-----w- c:\documents and settings\fresh bread\application data\Malwarebytes
2011-12-12 21:33:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 10:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 22:06:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-15 17:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 17:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 1:05:00.26 ===============

#6 freshbread3

New Member

Members
16 posts

Posted 28 December 2011 - 04:19 AM

I have a small question too. When I went to get a new copy of ComboFix I deleted the older copy by just "delete" but ... should I have uninstalled it from the run command instead? When I tried to put the new ComboFix on my desktop it said "shortcut to ComboFix" on it ... so I was wondering if the shortcut pointed to the older version (which was in the recycling bin) or to the newer version which was on the flashdrive.

Anyways my question is ... should I do an uninstall from the run command? The instructions at Bleepingcomputer said not to uninstall until I finished getting rid of any viruses, so I am reluctant to "uninstall" at this point. ._.

#7 screen317

MBAM Sentinel

Moderators
19,467 posts

Gender:Male
Location:New Haven, CT

Posted 30 December 2011 - 08:06 PM

Hi,

When I say grab a fresh copy, just delete ComboFix.exe and grab a new one. No need to do anything else yet. The BleepingComputer guide is correct.

Please grab a fresh copy of ComboFix, run it, and post its log. It has been updated.

Chris Fistonich
Research Team

#8 freshbread3

New Member

Members
16 posts

Posted 31 December 2011 - 06:16 PM

Happy New Year (soon).

I got a fresh copy of ComboFix but my internet connection still isn't working. (I'm posting from a different computer)

I also did a DDS scan in case that helps.

Incidentally ComboFix said it found the Rootkit virus again ._.

COMBOFIX LOG

ComboFix 11-12-31.03 - Fresh Bread 12/31/2011 17:06:17.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.654 [GMT -5:00]
Running from: D:\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-31 )))))))))))))))))))))))))))))))
.
.
2011-12-28 04:41 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-28 04:41 . 2011-12-28 04:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-28 04:34 . 2010-04-14 01:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-12-28 04:34 . 2011-12-28 04:34 -------- d-----w- c:\program files\McAfee Online Backup
2011-12-28 04:33 . 2011-04-11 19:29 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-12-28 04:31 . 2011-10-15 17:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-12-28 04:31 . 2011-10-15 17:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-12-28 04:31 . 2011-10-15 17:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-12-28 04:31 . 2011-10-15 17:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-12-28 04:31 . 2011-10-15 17:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-12-28 04:31 . 2011-10-15 17:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-12-28 04:31 . 2011-10-15 17:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-12-28 04:31 . 2011-10-15 17:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-12-28 04:31 . 2011-12-28 04:32 -------- d-----w- c:\program files\Common Files\Mcafee
2011-12-28 04:31 . 2011-12-28 05:23 -------- d-----w- c:\program files\McAfee
2011-12-28 04:18 . 2011-11-18 21:36 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-12-28 04:18 . 2011-12-28 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-12-28 03:32 . 2011-12-28 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2011-12-28 02:46 . 2011-12-28 02:46 -------- d-----w- c:\program files\Citrix
2011-12-28 02:46 . 2011-12-28 02:46 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Citrix
2011-12-28 02:13 . 2011-12-28 05:50 -------- d-----w- c:\program files\Perfect Uninstaller
2011-12-18 06:56 . 2011-12-18 06:56 -------- d-----w- c:\program files\VS Revo Group
2011-12-18 06:52 . 2011-12-18 06:52 -------- d-----w- c:\documents and settings\All Users\Uniblue
2011-12-18 03:48 . 2011-12-18 03:48 -------- d-----w- c:\program files\ESET
2011-12-17 07:28 . 2011-12-17 07:28 -------- d-----w- c:\documents and settings\Fresh Bread\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-12-17 06:45 . 2011-12-17 06:45 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\McAfee Anti-Theft
2011-12-15 05:44 . 2011-12-15 05:44 -------- d-----w- c:\program files\Common Files\Java
2011-12-15 04:58 . 2011-12-15 04:58 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\PCHealth
2011-12-14 03:43 . 2011-12-14 03:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2011-12-13 11:33 . 2011-12-13 11:33 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2011-12-12 21:33 . 2011-12-12 21:33 -------- d-----w- c:\documents and settings\Fresh Bread\Application Data\Malwarebytes
2011-12-12 21:33 . 2011-12-12 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-11 04:57 . 2011-12-11 05:34 -------- d-----w- c:\documents and settings\Administrator
2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-12-07 03:54 . 2011-12-07 03:59 -------- d-----w- c:\program files\QuickTime
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2009-08-01 07:34 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 10:54 . 2010-07-01 03:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27 . 2010-07-01 03:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 22:06 . 2011-05-15 18:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20 . 2009-08-01 07:34 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2009-08-01 07:34 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2009-08-01 07:34 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2009-08-01 07:34 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2009-08-01 07:34 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2009-08-01 07:34 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 00:54 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13 . 2009-08-01 07:34 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-15 17:16 . 2011-10-15 17:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 17:16 . 2011-10-15 17:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-10 14:22 . 2009-08-01 06:53 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys
[-] 2008-04-14 12:00 . 90A9305F8727DDB9D5EA8189B520E463 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys
[-] 2008-04-14 12:00 . 90A9305F8727DDB9D5EA8189B520E463 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
.
((((((((((((((((((((((((((((( SnapShot@2011-12-28_05.48.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-31 22:05 . 2011-12-31 22:05 16384 c:\windows\Temp\Perflib_Perfdata_374.dat
+ 2011-12-31 22:04 . 2011-12-31 22:04 16384 c:\windows\Temp\Perflib_Perfdata_280.dat
+ 2009-08-01 07:34 . 2011-12-31 22:09 73368 c:\windows\system32\perfc009.dat
- 2009-08-01 07:34 . 2011-12-28 05:28 73368 c:\windows\system32\perfc009.dat
+ 2009-08-01 07:34 . 2011-12-31 22:09 445946 c:\windows\system32\perfh009.dat
- 2009-08-01 07:34 . 2011-12-28 05:28 445946 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-16 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-07-17 53248]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"CLMLServer"="c:\program files\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-8-1 565248]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-11 73728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-12-28 02:46 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Documents and Settings\\Fresh Bread\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [12/27/2011 11:33 PM 64048]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/27/2011 11:31 PM 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [12/27/2011 11:34 PM 54776]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/27/2011 11:41 PM 652872]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/27/2011 11:32 PM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/27/2011 11:18 PM 150856]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [8/1/2009 4:35 AM 237568]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/27/2011 11:31 PM 57600]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/1/2009 2:35 AM 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/27/2011 11:41 PM 20464]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/27/2011 11:31 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/27/2011 11:31 PM 83856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2010 11:11 PM 136176]
S2 XMLProvS;Network ProService;c:\windows\System32\svchost.exe -k xmlpros [8/1/2009 2:34 AM 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/1/2009 3:48 AM 1684736]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/1/2009 3:50 AM 24064]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2010 11:11 PM 136176]
S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe --> c:\progra~1\mcafee\msc\mcawfwk.exe [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/27/2011 11:31 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/27/2011 11:31 PM 87656]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/1/2009 3:43 AM 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
xmlpros REG_MULTI_SZ XMLProvS
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 04:11]
.
2011-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 04:11]
.
2011-12-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993469562-757298511-4166307882-1005Core.job
- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 07:27]
.
2011-12-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993469562-757298511-4166307882-1005UA.job
- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 07:27]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
Trusted Zone: amtrak.com\tickets
Trusted Zone: amtrak.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-31 17:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(968)
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
.
Completion time: 2011-12-31 17:20:58
ComboFix-quarantined-files.txt 2011-12-31 22:20
ComboFix2.txt 2011-12-28 08:35
ComboFix3.txt 2011-12-28 07:29
ComboFix4.txt 2011-12-28 05:54
.
Pre-Run: 91,136,401,408 bytes free
Post-Run: 91,128,664,064 bytes free
.
- - End Of File - - 2D01A5BF309B9097832414772E9E40FE

DDS LOG
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Fresh Bread at 17:36:01 on 2011-12-31
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.389 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\PLFSetL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MAT\McPvTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111227233155.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McPvTray_exe] "c:\program files\mcafee\mat\McPvTray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: amtrak.com\tickets
Trusted Zone: amtrak.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{E2030F1D-FA9E-405E-97F2-0EA8456A89F0} : DhcpNameServer = 65.32.5.111 65.32.5.112
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2011-12-27 64048]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-10-15 464176]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-12-27 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2011-12-27 54776]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-27 652872]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-27 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-12-27 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-27 150856]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-8-1 237568]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-12-27 57600]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-1 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-27 20464]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-12-27 180816]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-12-27 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-12-27 83856]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
S2 XMLProvS;Network ProService;c:\windows\system32\svchost.exe -k xmlpros [2009-8-1 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-1 1684736]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-1 24064]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe --> c:\progra~1\mcafee\msc\mcawfwk.exe [?]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-12-27 59456]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-12-27 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-27 87656]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-1 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2011-12-28 05:09:04 -------- d-sha-r- C:\cmdcons
2011-12-28 05:05:53 98816 ----a-w- c:\windows\sed.exe
2011-12-28 05:05:53 518144 ----a-w- c:\windows\SWREG.exe
2011-12-28 05:05:53 256000 ----a-w- c:\windows\PEV.exe
2011-12-28 05:05:53 208896 ----a-w- c:\windows\MBR.exe
2011-12-28 04:41:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-28 04:41:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-28 04:34:24 -------- d-----w- c:\program files\McAfeeMOBK
2011-12-28 04:34:15 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-12-28 04:34:04 -------- d-----w- c:\program files\McAfee Online Backup
2011-12-28 04:33:44 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-12-28 04:31:55 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-12-28 04:31:49 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-12-28 04:31:49 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-12-28 04:31:49 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-12-28 04:31:49 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-12-28 04:31:49 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-12-28 04:31:49 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-12-28 04:31:49 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-12-28 04:31:43 -------- d-----w- c:\program files\common files\Mcafee
2011-12-28 04:31:41 -------- d-----w- c:\program files\McAfee.com
2011-12-28 04:31:25 -------- d-----w- c:\program files\McAfee
2011-12-28 04:18:56 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-12-28 03:32:00 -------- d-----w- c:\documents and settings\all users\application data\Citrix
2011-12-28 02:46:43 -------- d-----w- c:\program files\Citrix
2011-12-28 02:46:39 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\Citrix
2011-12-28 02:13:36 -------- d-----w- c:\program files\Perfect Uninstaller
2011-12-18 06:56:53 -------- d-----w- c:\program files\VS Revo Group
2011-12-18 06:52:12 -------- d-----w- c:\documents and settings\all users\Uniblue
2011-12-18 03:48:48 -------- d-----w- c:\program files\ESET
2011-12-17 07:28:06 -------- d-----w- c:\documents and settings\fresh bread\application data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-12-17 06:45:54 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\McAfee Anti-Theft
2011-12-17 06:38:53 148520 ----a-r- c:\windows\system32\mfevtps.exe.e42d.deleteme
2011-12-15 04:58:52 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\PCHealth
2011-12-12 21:33:58 -------- d-----w- c:\documents and settings\fresh bread\application data\Malwarebytes
2011-12-12 21:33:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 10:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 22:06:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-15 17:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 17:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 17:37:43.82 ===============

#9 screen317

MBAM Sentinel

Moderators
19,467 posts

Gender:Male
Location:New Haven, CT

Posted 04 January 2012 - 09:36 PM

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the box below into Notepad:

FCOPY::
c:\windows\system32\dllcache\ipsec.sys | c:\windows\system32\drivers\ipsec.sys

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

Chris Fistonich
Research Team

#10 freshbread3

New Member

Members
16 posts

Posted 06 January 2012 - 04:35 PM

The good news is that my computer has internet access again ^_^

. I ran ComboFix twice and the second time worked. The bad news is that ComboFix said I have the rootkit virus still. (>_<)

Here are the logs:

COMBOFIX LOG
ComboFix 12-01-06.01 - Fresh Bread 01/06/2012 16:02:08.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.640 [GMT -5:00]
Running from: D:\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))
.
.
2011-12-28 04:41 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-28 04:41 . 2011-12-28 04:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-28 04:34 . 2010-04-14 01:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-12-28 04:34 . 2011-12-28 04:34 -------- d-----w- c:\program files\McAfee Online Backup
2011-12-28 04:33 . 2011-04-11 19:29 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-12-28 04:31 . 2011-10-15 17:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-12-28 04:31 . 2011-10-15 17:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-12-28 04:31 . 2011-10-15 17:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-12-28 04:31 . 2011-10-15 17:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-12-28 04:31 . 2011-10-15 17:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-12-28 04:31 . 2011-10-15 17:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-12-28 04:31 . 2011-10-15 17:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-12-28 04:31 . 2011-10-15 17:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-12-28 04:31 . 2011-12-28 04:32 -------- d-----w- c:\program files\Common Files\Mcafee
2011-12-28 04:31 . 2011-12-28 05:23 -------- d-----w- c:\program files\McAfee
2011-12-28 04:18 . 2011-11-18 21:36 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-12-28 04:18 . 2011-12-28 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-12-28 03:32 . 2011-12-28 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2011-12-28 02:46 . 2011-12-28 02:46 -------- d-----w- c:\program files\Citrix
2011-12-28 02:46 . 2011-12-28 02:46 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Citrix
2011-12-28 02:13 . 2011-12-28 05:50 -------- d-----w- c:\program files\Perfect Uninstaller
2011-12-18 06:56 . 2011-12-18 06:56 -------- d-----w- c:\program files\VS Revo Group
2011-12-18 06:52 . 2011-12-18 06:52 -------- d-----w- c:\documents and settings\All Users\Uniblue
2011-12-18 03:48 . 2011-12-18 03:48 -------- d-----w- c:\program files\ESET
2011-12-17 07:28 . 2011-12-17 07:28 -------- d-----w- c:\documents and settings\Fresh Bread\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-12-17 06:45 . 2011-12-17 06:45 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\McAfee Anti-Theft
2011-12-15 05:44 . 2011-12-15 05:44 -------- d-----w- c:\program files\Common Files\Java
2011-12-15 04:58 . 2011-12-15 04:58 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\PCHealth
2011-12-14 03:43 . 2011-12-14 03:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2011-12-13 11:33 . 2011-12-13 11:33 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2011-12-12 21:33 . 2011-12-12 21:33 -------- d-----w- c:\documents and settings\Fresh Bread\Application Data\Malwarebytes
2011-12-12 21:33 . 2011-12-12 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-11 04:57 . 2011-12-11 05:34 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2009-08-01 07:34 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 10:54 . 2010-07-01 03:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27 . 2010-07-01 03:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 22:06 . 2011-05-15 18:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20 . 2009-08-01 07:34 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2009-08-01 07:34 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2009-08-01 07:34 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2009-08-01 07:34 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2009-08-01 07:34 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2009-08-01 07:34 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 00:54 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13 . 2009-08-01 07:34 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-15 17:16 . 2011-10-15 17:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 17:16 . 2011-10-15 17:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-10 14:22 . 2009-08-01 06:53 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-28_05.48.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-06 21:00 . 2012-01-06 21:00 16384 c:\windows\Temp\Perflib_Perfdata_4ac.dat
+ 2012-01-06 21:00 . 2012-01-06 21:00 16384 c:\windows\Temp\Perflib_Perfdata_2fc.dat
+ 2009-08-01 07:34 . 2012-01-06 21:05 73368 c:\windows\system32\perfc009.dat
- 2009-08-01 07:34 . 2011-12-28 05:28 73368 c:\windows\system32\perfc009.dat
+ 2009-08-01 07:34 . 2012-01-06 21:05 445946 c:\windows\system32\perfh009.dat
- 2009-08-01 07:34 . 2011-12-28 05:28 445946 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-16 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-07-17 53248]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"CLMLServer"="c:\program files\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-8-1 565248]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-11 73728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-12-28 02:46 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Documents and Settings\\Fresh Bread\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [12/27/2011 11:33 PM 64048]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/27/2011 11:31 PM 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [12/27/2011 11:34 PM 54776]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/27/2011 11:41 PM 652872]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/27/2011 11:32 PM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/27/2011 11:18 PM 150856]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [8/1/2009 4:35 AM 237568]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/27/2011 11:31 PM 57600]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/1/2009 2:35 AM 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/27/2011 11:41 PM 20464]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/27/2011 11:31 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/27/2011 11:31 PM 83856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2010 11:11 PM 136176]
S2 XMLProvS;Network ProService;c:\windows\System32\svchost.exe -k xmlpros [8/1/2009 2:34 AM 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/1/2009 3:48 AM 1684736]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/1/2009 3:50 AM 24064]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2010 11:11 PM 136176]
S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe --> c:\progra~1\mcafee\msc\mcawfwk.exe [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/27/2011 11:31 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/27/2011 11:31 PM 87656]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/1/2009 3:43 AM 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
xmlpros REG_MULTI_SZ XMLProvS
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 04:11]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 04:11]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993469562-757298511-4166307882-1005Core.job
- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 07:27]
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993469562-757298511-4166307882-1005UA.job
- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 07:27]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
Trusted Zone: amtrak.com\tickets
Trusted Zone: amtrak.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-06 16:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1384)
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
.
Completion time: 2012-01-06 16:16:54
ComboFix-quarantined-files.txt 2012-01-06 21:16
ComboFix2.txt 2011-12-31 22:20
ComboFix3.txt 2011-12-28 08:35
ComboFix4.txt 2011-12-28 07:29
ComboFix5.txt 2012-01-06 20:24
.
Pre-Run: 91,905,392,640 bytes free
Post-Run: 91,896,414,208 bytes free
.
- - End Of File - - 81AE3B162823FE4623BA05C550057566

DDS LOG
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Fresh Bread at 16:19:22 on 2012-01-06
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.595 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111227233155.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McPvTray_exe] "c:\program files\mcafee\mat\McPvTray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: amtrak.com\tickets
Trusted Zone: amtrak.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{E2030F1D-FA9E-405E-97F2-0EA8456A89F0} : DhcpNameServer = 65.32.5.111 65.32.5.112
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2011-12-27 64048]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-10-15 464176]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-12-27 89792]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2011-12-27 54776]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-27 652872]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-27 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-12-27 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-27 150856]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-8-1 237568]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-12-27 57600]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-1 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-27 20464]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-12-27 180816]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-12-27 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-12-27 83856]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
S2 XMLProvS;Network ProService;c:\windows\system32\svchost.exe -k xmlpros [2009-8-1 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-1 1684736]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-1 24064]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe --> c:\progra~1\mcafee\msc\mcawfwk.exe [?]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-12-27 59456]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-12-27 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-27 87656]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-1 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2011-12-28 05:09:04 -------- d-sha-r- C:\cmdcons
2011-12-28 05:05:53 98816 ----a-w- c:\windows\sed.exe
2011-12-28 05:05:53 518144 ----a-w- c:\windows\SWREG.exe
2011-12-28 05:05:53 256000 ----a-w- c:\windows\PEV.exe
2011-12-28 05:05:53 208896 ----a-w- c:\windows\MBR.exe
2011-12-28 04:41:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-28 04:41:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-28 04:34:24 -------- d-----w- c:\program files\McAfeeMOBK
2011-12-28 04:34:15 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-12-28 04:34:04 -------- d-----w- c:\program files\McAfee Online Backup
2011-12-28 04:33:44 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
2011-12-28 04:31:55 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-12-28 04:31:49 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-12-28 04:31:49 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-12-28 04:31:49 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-12-28 04:31:49 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-12-28 04:31:49 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-12-28 04:31:49 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-12-28 04:31:49 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-12-28 04:31:43 -------- d-----w- c:\program files\common files\Mcafee
2011-12-28 04:31:41 -------- d-----w- c:\program files\McAfee.com
2011-12-28 04:31:25 -------- d-----w- c:\program files\McAfee
2011-12-28 04:18:56 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-12-28 03:32:00 -------- d-----w- c:\documents and settings\all users\application data\Citrix
2011-12-28 02:46:43 -------- d-----w- c:\program files\Citrix
2011-12-28 02:46:39 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\Citrix
2011-12-28 02:13:36 -------- d-----w- c:\program files\Perfect Uninstaller
2011-12-18 06:56:53 -------- d-----w- c:\program files\VS Revo Group
2011-12-18 06:52:12 -------- d-----w- c:\documents and settings\all users\Uniblue
2011-12-18 03:48:48 -------- d-----w- c:\program files\ESET
2011-12-17 07:28:06 -------- d-----w- c:\documents and settings\fresh bread\application data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-12-17 06:45:54 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\McAfee Anti-Theft
2011-12-17 06:38:53 148520 ----a-r- c:\windows\system32\mfevtps.exe.e42d.deleteme
2011-12-15 04:58:52 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\PCHealth
2011-12-12 21:33:58 -------- d-----w- c:\documents and settings\fresh bread\application data\Malwarebytes
2011-12-12 21:33:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 10:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 22:06:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-15 17:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 17:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 16:19:50.81 ===============

#11 screen317

MBAM Sentinel

Moderators
19,467 posts

Gender:Male
Location:New Haven, CT

Posted 10 January 2012 - 02:54 PM

Hi,

Download http://public.avast....erek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it

Click the "Scan" button to start scan.
Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time)
Please post the contents of that log in your next reply.

There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Next, download MBRCheck.exe by a_d_13 and save it to your Desktop.

Run it; when it completes, a log will be available on your Desktop (MBRCheck xxxxxx .txt) where xxxxxx is the time it ran.

Chris Fistonich
Research Team

#12 freshbread3

New Member

Members
16 posts

Posted 12 January 2012 - 04:14 PM

The forums look updated. They look nice.

aswMBR log:

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-12 15:39:36
-----------------------------
15:39:36.296 OS Version: Windows 5.1.2600 Service Pack 3
15:39:36.296 Number of processors: 2 586 0x1C02
15:39:36.296 ComputerName: STRAWBERRY-CHAN UserName: Fresh Bread
15:39:40.312 Initialize success
15:44:57.156 AVAST engine defs: 12011200
15:45:04.390 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
15:45:04.390 Disk 0 Vendor: Hitachi_ PBBO Size: 152627MB BusType: 3
15:45:04.421 Disk 0 MBR read successfully
15:45:04.421 Disk 0 MBR scan
15:45:04.500 Disk 0 Windows VISTA default MBR code
15:45:04.515 Disk 0 Partition 1 00 12 Compaq diag NTFS 10244 MB offset 63
15:45:04.531 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 142381 MB offset 20981760
15:45:04.562 Disk 0 scanning sectors +312578048
15:45:04.687 Disk 0 scanning C:\WINDOWS\system32\drivers
15:45:46.593 Service scanning
15:45:48.734 Modules scanning
15:45:56.890 Disk 0 trace - called modules:
15:45:56.937 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
15:45:56.953 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8736aab8]
15:45:56.968 3 CLASSPNP.SYS[f75fdfd7] -> nt!IofCallDriver -> \Device\00000072[0x8735c1a8]
15:45:56.984 5 ACPI.sys[f7574620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x873d3030]
15:45:57.843 AVAST engine scan C:\WINDOWS
15:46:30.421 File: C:\WINDOWS\PEV.exe **INFECTED** Win32:Rootkit-gen [Rtk]
15:46:46.328 AVAST engine scan C:\WINDOWS\system32
15:50:31.562 AVAST engine scan C:\WINDOWS\system32\drivers
15:50:51.234 AVAST engine scan C:\Documents and Settings\Fresh Bread
15:59:44.296 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Fresh Bread\Desktop\MBR.dat"
15:59:44.531 The log file has been saved successfully to "C:\Documents and Settings\Fresh Bread\Desktop\aswMBR 1-12.txt"

MBRCHECK log:

MBRCheck, version 1.2.3
© 2010, AD
Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000004
Kernel Drivers (total 125):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x80700000 \WINDOWS\system32\hal.dll
0xF7ABD000 \WINDOWS\system32\KDCOM.DLL
0xF79CD000 \WINDOWS\system32\BOOTVID.dll
0xF756E000 ACPI.sys
0xF7ABF000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF755D000 pci.sys
0xF75BD000 isapnp.sys
0xF79D1000 compbatt.sys
0xF79D5000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7B85000 pciide.sys
0xF783D000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF75CD000 MountMgr.sys
0xF753E000 ftdisk.sys
0xF7845000 PartMgr.sys
0xF79D9000 ACPIEC.sys
0xF7B86000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF75DD000 VolSnap.sys
0xF7526000 atapi.sys
0xF7458000 iaStor.sys
0xF75ED000 disk.sys
0xF75FD000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7438000 fltMgr.sys
0xF7426000 sr.sys
0xF73B7000 mfehidk.sys
0xF760D000 PxHelp20.sys
0xF73A0000 KSecDD.sys
0xF7313000 Ntfs.sys
0xF72E6000 NDIS.sys
0xF72CC000 Mup.sys
0xF72B8000 McPvDrv.sys
0xF761D000 amdagp.sys
0xF76DD000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF54E9000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF54D5000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF54AD000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF52D0000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF76ED000 \SystemRoot\system32\DRIVERS\l1c51x86.sys
0xF78ED000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF52AC000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF78F5000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF71CA000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF76FD000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF78FD000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
0xF7905000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF527B000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7B01000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF770D000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xF51FF000 \SystemRoot\System32\Drivers\wdf01000.sys
0xF51D4000 \SystemRoot\system32\drivers\mfeavfk.sys
0xF2E65000 \SystemRoot\system32\drivers\mfefirek.sys
0xF789D000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7274000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7CA1000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF2E52000 \SystemRoot\system32\DRIVERS\mfendisk.sys
0xF763D000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7270000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF2D9B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF764D000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF769D000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78B5000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF2B7A000 \SystemRoot\system32\DRIVERS\psched.sys
0xF455C000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF78C5000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78CD000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF454C000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7B51000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF2B57000 \SystemRoot\system32\DRIVERS\ks.sys
0xF2AF9000 \SystemRoot\system32\DRIVERS\update.sys
0xF71D2000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF453C000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF2C4E000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xA9EE2000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xA9EBE000 \SystemRoot\system32\drivers\portcls.sys
0xF2C3E000 \SystemRoot\system32\drivers\drmk.sys
0xA6BD6000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xA5AE5000 \SystemRoot\system32\DRIVERS\MOBK.sys
0xA6C20000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA5DFD000 \SystemRoot\System32\Drivers\Null.SYS
0xA6C1E000 \SystemRoot\System32\Drivers\Beep.SYS
0xA60B8000 \SystemRoot\System32\drivers\vga.sys
0xA6C1C000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xA6C1A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA60B0000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA60A8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA5D96000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA5AB2000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA5A59000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA5A44000 \SystemRoot\system32\drivers\mfetdi2k.sys
0xA5A1E000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA59F6000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA5D82000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xA59D4000 \SystemRoot\System32\drivers\afd.sys
0xA61DA000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA59A9000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA5911000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA5D72000 \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys
0xA61AA000 \SystemRoot\System32\Drivers\Fips.SYS
0xA1458000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
0xA233C000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0xA8F39000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
0x9F4EC000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x9CF4E000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0x9DADE000 \SystemRoot\System32\drivers\Dxapi.sys
0x9E204000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0x9D01E000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xBF47A000 \SystemRoot\System32\ATMFD.DLL
0xA5981000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9CF21000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x9CE49000 \SystemRoot\system32\DRIVERS\srv.sys
0x9CC7C000 \SystemRoot\system32\drivers\wdmaud.sys
0x9F4FC000 \SystemRoot\system32\drivers\sysaudio.sys
0x9C7FA000 \SystemRoot\system32\drivers\mfeapfk.sys
0x9E4EB000 \SystemRoot\system32\drivers\mfebopk.sys
0x9C592000 \SystemRoot\System32\Drivers\HTTP.sys
0x9C392000 \SystemRoot\system32\drivers\cfwids.sys
0x9BDD2000 \??\C:\DOCUME~1\FRESHB~1\LOCALS~1\Temp\aswMBR.sys
0x9BCA8000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
Processes (total 53):
0 System Idle Process
4 System
1308 C:\WINDOWS\system32\smss.exe
1360 csrss.exe
1384 C:\WINDOWS\system32\winlogon.exe
1428 C:\WINDOWS\system32\services.exe
1440 C:\WINDOWS\system32\lsass.exe
1600 C:\WINDOWS\system32\svchost.exe
1672 svchost.exe
1712 C:\WINDOWS\system32\svchost.exe
1868 svchost.exe
1896 svchost.exe
444 C:\WINDOWS\system32\spoolsv.exe
596 svchost.exe
632 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
652 C:\Program Files\Bonjour\mDNSResponder.exe
744 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
756 C:\Program Files\Java\jre6\bin\jqs.exe
788 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
916 C:\WINDOWS\system32\mfevtps.exe
964 C:\Program Files\McAfee Online Backup\MOBKbackup.exe
1112 C:\Program Files\Acer\Acer VCM\RS_Service.exe
1136 C:\WINDOWS\system32\svchost.exe
1924 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
1252 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
2560 C:\WINDOWS\explorer.exe
2664 C:\WINDOWS\system32\rundll32.exe
2732 C:\WINDOWS\system32\ctfmon.exe
2396 alg.exe
1952 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
2744 C:\PROGRA~1\LAUNCH~1\LManager.exe
3036 C:\WINDOWS\system32\hkcmd.exe
3064 C:\WINDOWS\system32\igfxpers.exe
3136 C:\WINDOWS\PLFSetL.exe
3156 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
396 C:\WINDOWS\RTHDCPL.EXE
3196 C:\WINDOWS\system32\igfxsrvc.exe
3240 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
3716 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
3796 C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe
3976 C:\Program Files\iTunes\iTunesHelper.exe
436 C:\Program Files\Common Files\Java\Java Update\jusched.exe
364 C:\Program Files\McAfee.com\Agent\mcagent.exe
952 C:\Program Files\McAfee\MAT\McPvTray.exe
1300 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2480 C:\Program Files\Acer\Acer VCM\AcerVCM.exe
700 C:\Program Files\iPod\bin\iPodService.exe
3932 C:\WINDOWS\system32\igfxext.exe
2884 C:\WINDOWS\system32\svchost.exe
2168 C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
2948 C:\Program Files\Internet Explorer\iexplore.exe
608 C:\Program Files\Internet Explorer\iexplore.exe
3140 C:\Documents and Settings\Fresh Bread\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`80500000 (NTFS)
PhysicalDrive0 Model Number: HitachiHTS545016B9A300, Rev: PBBOC60F
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979

Done!

Attached Files

MBR.zip 554bytes 9 downloads

#13 screen317

MBAM Sentinel

Moderators
19,467 posts

Gender:Male
Location:New Haven, CT

Posted 16 January 2012 - 02:47 AM

Hi,

Are you currently experiencing any symptoms of infection?

Run TFC by OldTimer to clear temporary files:

Please download TFC from here and save it to your desktop.
Close any open programs and Internet browsers.
Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
Please be patient as clearing out temp files may take a while.
Once it completes you may be prompted to restart your computer, please do so.
Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

Next, please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.

Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Chris Fistonich
Research Team

#14 freshbread3

New Member

Members
16 posts

Posted 18 January 2012 - 02:08 PM

Well my computer doesn't act like it has a virus, but I don't trust it anymore after what I've read about what a rootkit virus does. Basically I've heard that I should reformat my entire computer. I want to back stuff up somehow, but I've been told (not in this forum, but through word of mouth) that anything I backup (files and even the flash drive I use) could be infected and then carry the rootkit virus with it to reinfect me in the future. >_< What is true here? What would you recommend?

Beforehand the only way I knew something was strange was because Malwarebytes kept blocking IP addresses. I was getting tons of those every minute. Somehow I mixed up the trial and the free version of Malwarebytes, so since I'm on the free version now I'm wondering if that is why I don't get any blocking anymore ... or is it because Malwarebytes doesn't have to block anything anymore (ie, the virus is gone)? Also ping.exe was working overtime it seemed and making my computer run slower and I don't see that running anymore.

I had used ESET before and it had detected the rootkit before but it couldn't delete it. This time it didn't see the rootkit but according to the log it did find and clean the Kryptik trojan.I wanted to know if I should "delete quarantined files" before I click "finish"

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=3a026f5220618744b78c860282050675
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-12-18 05:47:13
# local_time=2011-12-18 12:47:13 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16777173 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=93498
# found=2
# cleaned=0
# scan_time=5898
C:\WINDOWS\system32\drivers\ipsec.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
${Memory} multiple threats 00000000000000000000000000000000 I
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=3a026f5220618744b78c860282050675
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-18 02:31:41
# local_time=2012-01-18 09:31:41 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16777173 100 75 914478 27259126 0 0
# compatibility_mode=8192 67108863 100 0 1781136 1781136 0 0
# scanned=73619
# found=12
# cleaned=12
# scan_time=17840
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ReactivateIE.exe.vir a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\Toolbar32.dll.vir a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ToolbarBroker.exe.vir a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe.vir a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP303\A0093378.exe a variant of Win32/Kryptik.XKR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP308\A0095344.exe a variant of Win32/PerfectUninstaller application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP308\A0095358.exe a variant of Win32/Toolbar.Zugo application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP308\A0095364.exe a variant of Win32/PerfectUninstaller application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP309\A0095578.exe a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP309\A0095580.dll a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP309\A0095581.exe a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP309\A0095582.exe a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

The thing I noticed in the security check was that it said Windows Firewall is disabled. Since I have a firewall through McAfee I wanted to ask if I should run two firewalls together (in other words should I turn on the Windows Firewall too)? I have heard that it isn't good to have two virus programs running together. Is that the same with firewalls?

Results of screen317's Security Check version 0.99.30
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
ESET Online Scanner v3
McAfee Total Protection
McAfee Online Backup
```````````````````````````````
Anti-malware/Other Utilities Check:
Java™ 6 Update 30
````````````````````````````````
Process Check:
objlist.exe by Laurent
ESET ESET Online Scanner OnlineCmdLineScanner.exe
McAfee Online Backup MOBKbackup.exe
``````````End of Log````````````

#15 freshbread3

New Member

Members
16 posts

Posted 18 January 2012 - 02:14 PM

I had one more concern. I was looking in the application data folder and I noticed a strange folder. It says it was modifyed around the time I got the virus in fact. It is named "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" (what a long name for a folder!). The Adobe folder also has the same modification date. I'm wondering if I should delete these folders (and would that matter since it doesn't delete register files). The strange com.adobe.mauby folder seems empty, so maybe one of the cleaners already cleaned out the important bad files? What do you suggest? I could always redownload Adobe I'm sure.

#16 freshbread3

New Member

Members
16 posts

Posted 18 January 2012 - 02:23 PM

Ok ... I don't like posting so many times in a row, but I noticed something else strange in the application data folder and maybe the "root" of all the problems in the first place. There is another folder that shouldn't be there. It is named "utorrent" which I had deleted from computer I thought (it doesn't exist in the program files folder anymore as far as I can tell). Well, it doesn't have any application in it but some files that seem to be unable to run (you know how they get that funny look to them when a program doesn't exist for them anymore). What bothers me the most is the date and time of the last modification of the folder ... I'm pretty sure it is the exact date and time of when I got the initial XP Antivirus 2012 virus! So I want to get rid of this folder for sure! But again how can I make sure that I'm also deleting the registry files associated with it? Or is it ok to just delete this rogue folder?

#17 screen317

MBAM Sentinel

Moderators
19,467 posts

Gender:Male
Location:New Haven, CT

Posted 31 January 2012 - 02:52 PM

Hi,

I apologize for the extended delay. The new forum software made finding my topics difficult, and yours slipped through.

You didn't have a file infector, so while yes, formatting is the best option here, backing up documents and images should be fine.

Yes click Delete Quarantined Files.

Do not run two firewalls together.

Delete the com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 folder.

Delete the uTorrent folder.

Reboot.

Update MBAM, run a Quick Scan, and post its log.

If you don't think your computer is safe (I wouldn't either), formatting your hard drive and reinstalling Windows is definitely the best option.

Chris Fistonich
Research Team

#18 freshbread3

New Member

Members
16 posts

Posted 06 February 2012 - 06:11 PM

Thank you very much for answering all my questions (sorry I had so many). I thought maybe since I posted so many times in a row is why you couldn't respond back to me sooner (in other words the system put me at the bottom of the list)

I feel better to know that it wasn't a "file infector" so I can back up my data now. I guess I have to look into that before I go through the inevitable process of reformatting ... Do you have any suggestions?

The scan doesn't show any problems by the way:

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 192864
Time elapsed: 17 minute(s), 24 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

#19 screen317

MBAM Sentinel

Moderators
19,467 posts

Gender:Male
Location:New Haven, CT

Posted 14 February 2012 - 04:21 PM

Hi,

Sorry I missed your post.

Quote

I guess I have to look into that before I go through the inevitable process of reformatting ... Do you have any suggestions?

Not sure I understand you here. Look into what, specifically?

Chris Fistonich
Research Team

#20 freshbread3

New Member

Members
16 posts

Posted 15 February 2012 - 03:12 AM

Sorry. I need to "back up" data. I have heard of online systems for this and then there is the old fashioned manual method using an external hard drive I guess. I am going to google it.