Dogen

Honorary Members

View Profile See their activity

Posts
21
Joined
March 25, 2009
Last visited
June 14, 2011

Reputation

0 Neutral

FakeAlert Damage Cleanup

Dogen replied to Dogen's topic in Resolved Malware Removal Logs

Nope - no dice. Chrome and Firefox will connect, but not IE.
- June 12, 2011
- 22 replies
FakeAlert Damage Cleanup

Dogen replied to Dogen's topic in Resolved Malware Removal Logs

Hi Chris, I found out that I cannot uninstall IE8 after installing Service Pack 3. I have to uninstall SP3 and then uninstall IE.... is that safe? I tried reinstalling IE8 over the existing version but it made no difference. Thanks.
- June 7, 2011
- 22 replies
FakeAlert Damage Cleanup

Dogen replied to Dogen's topic in Resolved Malware Removal Logs

Hi Chris, No joy - still not working. Sometimes when I type a URL directly into the address bar, instead of a connection error, I get a bad address error and the URL I typed is replaced by "http:///" (three slashes). Not sure if that is much of a clue. When the connection error appears, IE brings up the internet connection diagnostic. When performed, the diagnostic has no connectivity problems. Thanks!
- June 1, 2011
- 22 replies
FakeAlert Damage Cleanup

Dogen replied to Dogen's topic in Resolved Malware Removal Logs

Hi Screen, I've done everything below including upgrading to Service Pack 3. IE will still not connect to anything. Anything else you can think of? Thanks!
- May 29, 2011
- 22 replies
FakeAlert Damage Cleanup

Dogen replied to Dogen's topic in Resolved Malware Removal Logs

After rebooting, IE will still fails to connect to any websites.... not sure why. Chrome and Firefox work fine.
- May 27, 2011
- 22 replies
FakeAlert Damage Cleanup

Dogen replied to Dogen's topic in Resolved Malware Removal Logs

Hi Screen, Thanks again for all the help. I got the ESET scanner to work in Firefox. I've included the two logs below: ===== ESET ===== ESETSmartInstaller@High as downloader log: all ok # version=7 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6427 # api_version=3.0.2 # EOSSerial=336445a3f900aa4b8c1dcd92b955adb8 # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2011-05-26 10:41:38 # local_time=2011-05-26 03:41:38 (-0800, Pacific Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 2 # compatibility_mode=512 16777215 100 0 68515933 68515933 0 0 # compatibility_mode=5121 16777189 100 75 359039 35586577 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=422244 # found=6 # cleaned=6 # scan_time=6460 C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\6.0\0\6685d300-57d33cc4 Java/Exploit.CVE-2010-4452.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{610FE075-DDAE-42AC-B5BF-7DA883F061F2}\RP815\A0074664.exe a variant of Win32/Keygen.AD application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\WINDOWS\system32\123.js JS/TrojanDownloader.Agent.NWG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C D:\Download\BS226.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C D:\My Music\programs\BS226.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C ===== Checkup.Txt ===== Results of screen317's Security Check version 0.99.12 Windows XP Service Pack 2 Out of date service pack!! Internet Explorer 8 `````````````````````````````` Antivirus/Firewall Check: Windows Firewall Disabled! ESET Online Scanner v3 McAfee AntiVirus Plus McAfee Virtual Technician ``````````````````````````````` Anti-malware/Other Utilities Check: Malwarebytes' Anti-Malware HijackThis 2.0.2 Java 6 Update 18 Java 6 Update 5 Java 6 Update 7 Out of date Java installed! Flash Player Out of Date! Adobe Flash Player 10.0.32.18 Mozilla Firefox (3.6.17) Firefox Out of Date! ```````````````````````````````` Process Check: objlist.exe by Laurent ``````````End of Log````````````
- May 27, 2011
- 22 replies
FakeAlert Damage Cleanup

Dogen replied to Dogen's topic in Resolved Malware Removal Logs

Hi Screen - Internet Explorer isn't working yet, so I can't use the scan. Any tips on how to get IE working again? Thanks
- May 26, 2011
- 22 replies
FakeAlert Damage Cleanup

Dogen replied to Dogen's topic in Resolved Malware Removal Logs

Thanks for the help Screen. Ran combofix. It found a rootkit and some more. Now my start folder is populated again with programs. The only noticeable problem is that Internet Explorer won't connect to any websites. Firefox and Chrome are good. No link hijacking. I am a bit worried, however, when using Chrome or Internet Explorer, two processes start even if only one tab or window is started. Here are the ComboFix and DDS Logs: ===== COMBOFIX ===== ComboFix 11-05-23.02 - John 05/24/2011 22:19:47.4.4 - x86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2735 [GMT -7:00] Running from: c:\documents and settings\John\Desktop\ComboFix.exe AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} * Resident AV is active . . ADS - WINDOWS: deleted 8 bytes in 1 streams. . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\John\GoToAssistDownloadHelper.exe c:\documents and settings\John\WINDOWS c:\program files\Internet Explorer\xxiexplore.__exe c:\program files\Internet Explorer\xxxiexplore.__exe c:\windows\system32\regobj.dll . Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected Restored copy from - Kitty had a snack . ((((((((((((((((((((((((( Files Created from 2011-04-25 to 2011-05-25 ))))))))))))))))))))))))))))))) . . 2011-05-06 04:16 . 2011-05-06 04:16 -------- d-sh--w- c:\documents and settings\Aloma\PrivacIE 2011-04-26 05:19 . 2011-04-26 05:19 -------- d-----w- c:\program files\Auslogics 2011-04-26 05:10 . 2000-01-19 06:45 69632 ----a-w- c:\windows\system32\CrcCtrl.ocx . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-05-06 04:14 . 2008-06-18 13:09 1324 ----a-w- c:\documents and settings\Aloma\Local Settings\Application Data\d3d9caps.tmp 2011-04-14 21:01 . 2010-05-08 23:43 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys 2011-04-14 21:01 . 2010-05-08 23:43 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys 2011-04-14 21:01 . 2010-05-08 23:43 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys 2011-04-14 21:01 . 2010-05-08 23:43 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys 2011-04-14 21:01 . 2010-05-08 23:43 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys 2011-04-14 21:01 . 2010-05-08 23:43 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys 2011-04-14 21:01 . 2010-05-08 23:43 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys 2011-04-14 21:01 . 2008-03-22 18:00 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2011-04-14 21:01 . 2008-03-22 18:00 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2011-04-14 21:01 . 2008-03-22 18:00 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2011-03-04 19:44 . 2006-09-15 00:13 133616 ------w- c:\windows\system32\PxAFS.DLL 2011-03-04 19:44 . 2006-07-24 11:00 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys 2011-03-04 19:44 . 2008-03-27 03:40 126448 ------w- c:\windows\system32\pxinsi64.exe 2011-03-04 19:44 . 2008-03-27 03:40 123888 ------w- c:\windows\system32\pxcpyi64.exe 1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL 1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL 1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL 1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL 1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL 1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL 2010-10-13 00:33 . 2010-10-13 00:33 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll 2010-10-13 02:15 . 2010-10-13 02:15 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll 2010-10-13 00:37 . 2010-10-13 00:37 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll 2010-10-13 00:35 . 2010-10-13 00:35 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll 2010-10-13 00:34 . 2010-10-13 00:34 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll 2010-10-13 00:32 . 2010-10-13 00:32 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll 2010-10-13 00:35 . 2010-10-13 00:35 31672 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll 2010-10-13 00:34 . 2010-10-13 00:34 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll 2010-07-14 20:42 . 2010-07-14 20:42 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll 2010-10-13 00:37 . 2010-10-13 00:37 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll 2011-04-14 21:01 . 2010-05-08 23:43 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-20 68856] "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-12 1961984] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920] "RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608] "SBEVMON.EXE"="c:\progra~1\SAFEBO~1\SBEVMON.EXE" [2003-06-04 176128] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 55824] "SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152] "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648] "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-11-18 611712] "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-09-23 38840] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-02-22 110696] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-02-22 13670504] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504] "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1195408] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048] "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-13 304568] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-08-06 231888] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-3-21 113664] Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-3-25 789008] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588] Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-3-28 815104] Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn] 2008-01-09 19:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2010-12-08 21:11 87424 ----a-w- c:\windows\system32\LMIinit.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] @="" . [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"= "c:\\Program Files\\NewsBin\\nbpro.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"= "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"= "c:\\Program Files\\GameSpy Arcade\\Aphex.exe"= "c:\\Program Files\\EA GAMES\\MOHAANetDemo\\MOHAANetDemo.exe"= "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "9420:TCP"= 9420:TCP:Akamai NetSession Interface "5000:UDP"= 5000:UDP:Akamai NetSession Interface "4151:TCP"= 4151:TCP:Akamai NetSession Interface "4158:TCP"= 4158:TCP:Akamai NetSession Interface "1279:TCP"= 1279:TCP:Akamai NetSession Interface "1464:TCP"= 1464:TCP:Akamai NetSession Interface "1472:TCP"= 1472:TCP:Akamai NetSession Interface "3257:TCP"= 3257:TCP:Akamai NetSession Interface "3162:TCP"= 3162:TCP:Akamai NetSession Interface "3176:TCP"= 3176:TCP:Akamai NetSession Interface "4273:TCP"= 4273:TCP:Akamai NetSession Interface "4316:TCP"= 4316:TCP:Akamai NetSession Interface "2656:TCP"= 2656:TCP:Akamai NetSession Interface "2678:TCP"= 2678:TCP:Akamai NetSession Interface "2691:TCP"= 2691:TCP:Akamai NetSession Interface "2934:TCP"= 2934:TCP:Akamai NetSession Interface "1426:TCP"= 1426:TCP:Akamai NetSession Interface "3182:TCP"= 3182:TCP:Akamai NetSession Interface "1294:TCP"= 1294:TCP:Akamai NetSession Interface "1628:TCP"= 1628:TCP:Akamai NetSession Interface "1109:TCP"= 1109:TCP:Akamai NetSession Interface "1150:TCP"= 1150:TCP:Akamai NetSession Interface "1554:TCP"= 1554:TCP:Akamai NetSession Interface "1782:TCP"= 1782:TCP:Akamai NetSession Interface "1791:TCP"= 1791:TCP:Akamai NetSession Interface "1989:TCP"= 1989:TCP:Akamai NetSession Interface "2248:TCP"= 2248:TCP:Akamai NetSession Interface "1110:TCP"= 1110:TCP:Akamai NetSession Interface "2260:TCP"= 2260:TCP:Akamai NetSession Interface "2981:TCP"= 2981:TCP:Akamai NetSession Interface "3169:TCP"= 3169:TCP:Akamai NetSession Interface "1048:TCP"= 1048:TCP:Akamai NetSession Interface "4100:TCP"= 4100:TCP:Akamai NetSession Interface "2817:TCP"= 2817:TCP:Akamai NetSession Interface "1719:TCP"= 1719:TCP:Akamai NetSession Interface "2081:TCP"= 2081:TCP:Akamai NetSession Interface "1705:TCP"= 1705:TCP:Akamai NetSession Interface "2919:TCP"= 2919:TCP:Akamai NetSession Interface "2176:TCP"= 2176:TCP:Akamai NetSession Interface "2448:TCP"= 2448:TCP:Akamai NetSession Interface "4670:TCP"= 4670:TCP:Akamai NetSession Interface "2121:TCP"= 2121:TCP:Akamai NetSession Interface "1720:TCP"= 1720:TCP:Akamai NetSession Interface "1094:TCP"= 1094:TCP:Akamai NetSession Interface "2278:TCP"= 2278:TCP:Akamai NetSession Interface "1051:TCP"= 1051:TCP:Akamai NetSession Interface "4283:TCP"= 4283:TCP:Akamai NetSession Interface "4677:TCP"= 4677:TCP:Akamai NetSession Interface "1663:TCP"= 1663:TCP:Akamai NetSession Interface "1437:TCP"= 1437:TCP:Akamai NetSession Interface "4509:TCP"= 4509:TCP:Akamai NetSession Interface "1471:TCP"= 1471:TCP:Akamai NetSession Interface "1030:TCP"= 1030:TCP:Akamai NetSession Interface "4614:TCP"= 4614:TCP:Akamai NetSession Interface "1105:TCP"= 1105:TCP:Akamai NetSession Interface "2590:TCP"= 2590:TCP:Akamai NetSession Interface "5353:TCP"= 5353:TCP:Adobe CSI CS4 "3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server "3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server "51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server "51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server . R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\sbalg01.sys [2/8/2002 6:00 PM 7504] R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\sbalg12.sys [2/8/2002 6:00 PM 44688] R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [6/3/2003 6:00 PM 35988] R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/3/2010 10:47 PM 691696] R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [7/14/2010 1:51 PM 65584] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/8/2010 4:43 PM 84200] R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 2:11 PM 374152] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 4:40 PM 12856] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/8/2010 4:43 PM 271480] R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/8/2010 4:43 PM 271480] R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/8/2010 4:43 PM 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/8/2010 4:43 PM 141792] R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [3/24/2009 10:13 AM 5365] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/8/2010 4:43 PM 56064] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/8/2010 4:43 PM 314088] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/8/2010 4:43 PM 88736] S2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 3:00 AM 14336] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 11:26 PM 135664] S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 11:26 PM 135664] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/8/2010 4:43 PM 88736] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/8/2010 4:43 PM 84488] S3 REVO51;REVO51;c:\windows\system32\DRIVERS\revo51.sys --> c:\windows\system32\DRIVERS\revo51.sys [?] . --- Other Services/Drivers In Memory --- . *Deregistered* - mfeavfk01 . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] Akamai REG_MULTI_SZ Akamai . Contents of the 'Scheduled Tasks' folder . 2011-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:26] . 2011-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:26] . 2011-05-24 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-03-20 23:31] . 2011-05-24 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job - c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-03-20 23:31] . 2011-05-24 c:\windows\Tasks\SyncBack Broadcast music archive.job - c:\program files\SyncBack\SyncBack.exe [2008-05-19 19:07] . 2011-05-23 c:\windows\Tasks\SyncBack Critical Data Backup.job - c:\program files\SyncBack\SyncBack.exe [2008-05-19 19:07] . 2011-05-18 c:\windows\Tasks\SyncBack Not for broadcast music archive.job - c:\program files\SyncBack\SyncBack.exe [2008-05-19 19:07] . . ------- Supplementary Scan ------- . uStart Page = hxxp://news.bbc.co.uk/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html Trusted Zone: internet Trusted Zone: intuit.com\ttlc Trusted Zone: mcafee.com Trusted Zone: turbotax.com TCP: {3A21731A-5BC9-427F-A29F-97AF9DD2C4B3} = 192.168.1.1 FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\1tq31uhb.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.good.is/ FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q= FF - prefs.js: network.proxy.type - 0 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q= . - - - - ORPHANS REMOVED - - - - . WebBrowser-{71FE276A-28E3-442B-A524-B3D6530FBD78} - (no file) HKCU-Run-AdobeBridge - (no file) HKLM-Run-nwiz - nwiz.exe HKLM-Run-Turbine Download Manager Tray Icon - c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe AddRemove-AOL Emergency Connect Utility 1.0 - c:\program files\Common Files\AOL\ECU\uninst.exe AddRemove-Fund Manager - i:\fund manager\modsetup.exe AddRemove-GoldWave v5.23 - c:\program files\GoldWave\unstall.exe AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-05-24 22:31 Windows 5.1.2600 Service Pack 2 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-1644491937-1123561945-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FE919A6D-3E2F-4CD5-B309-A4A687CA5BE9}*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) "iajfhfgolmkkhiplil"=hex:6a,61,6b,69,6a,65,63,70,6e,69,62,66,69,65,6c,69,66,6e, 68,6c,00,f2 "hadgnmddlcclbehe"=hex:6a,61,68,6a,65,64,70,67,6a,61,62,70,68,6e,64,68,6e,61, 65,6b,00,f2 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(1200) c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll c:\windows\system32\LMIinit.dll c:\program files\common files\logishrd\bluetooth\LBTServ.dll c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll c:\windows\system32\LMIRfsClientNP.dll . Completion time: 2011-05-24 22:33:27 ComboFix-quarantined-files.txt 2011-05-25 05:33 ComboFix2.txt 2009-03-27 02:15 ComboFix3.txt 2009-03-27 01:55 ComboFix4.txt 2009-03-27 01:49 . Pre-Run: 360,341,880,832 bytes free Post-Run: 361,621,204,992 bytes free . - - End Of File - - 016769F27937857081DB21310272DCF4 ===== DDS ===== . DDS (Ver_11-05-19.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18 Run by John at 23:12:45 on 2011-05-24 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2761 [GMT -7:00] . AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\WINDOWS\system32\Brmfrmps.exe C:\Program Files\Flip Video\FlipShare\FlipShareService.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe C:\Program Files\LogMeIn\x86\RaMaint.exe C:\Program Files\LogMeIn\x86\LogMeIn.exe C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe C:\Program Files\nHancer\nHancerService.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\Citrix\ICA Client\concentr.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Citrix\ICA Client\wfcrun32.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\John\Desktop\dds.scr C:\WINDOWS\system32\WSCRIPT.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://news.bbc.co.uk/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110511180828.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe" mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe" mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [RTHDCPL] RTHDCPL.EXE mRun: [sBEVMON.EXE] c:\progra~1\safebo~1\SBEVMON.EXE -WinLogon mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE mRun: [setDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe" mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe" mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~2\server\bin\VERSIO~2.EXE mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe" mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll Trusted Zone: internet Trusted Zone: intuit.com\ttlc Trusted Zone: mcafee.com Trusted Zone: turbotax.com DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205988890984 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205989320312 DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://connect.wa.gov/dana-cached/sc/JuniperSetupClient.cab DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100 TCP: {3A21731A-5BC9-427F-A29F-97AF9DD2C4B3} = 192.168.1.1 Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll Notify: LMIinit - LMIinit.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\1tq31uhb.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.good.is/ FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q= FF - prefs.js: network.proxy.type - 0 FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} . ---- FIREFOX POLICIES ---- FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q= . ============= SERVICES / DRIVERS =============== . R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-22 387480] R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\sbalg01.sys [2002-2-8 7504] R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\sbalg12.sys [2002-2-8 44688] R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2003-6-3 35988] R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-8 84200] R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856] R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-1-13 47640] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480] R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480] R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480] R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-8 171168] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-8 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-8 141792] R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [2009-3-24 5365] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-8 56064] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-22 153280] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-8 314088] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736] S2 Akamai;Akamai;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664] S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664] S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-22 52320] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-8 84488] S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-22 34248] S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-22 40552] S3 REVO51;REVO51;c:\windows\system32\drivers\revo51.sys --> c:\windows\system32\drivers\revo51.sys [?] S4 LMIRfsClientNP;LMIRfsClientNP; [x] . =============== Created Last 30 ================ . 2011-05-25 05:14:04 89088 ----a-w- c:\windows\MBR.exe 2011-05-25 05:14:01 256512 ----a-w- c:\windows\PEV.exe 2011-04-26 05:19:25 -------- d-----w- c:\program files\Auslogics 2011-04-26 05:10:41 69632 ----a-w- c:\windows\system32\CrcCtrl.ocx . ==================== Find3M ==================== . 2011-04-14 21:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys 2011-04-14 21:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys 2011-04-14 21:01:38 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys 2011-04-14 21:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys 2011-04-14 21:01:38 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys 2011-04-14 21:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys 2011-04-14 21:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2011-04-14 21:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2011-04-14 21:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys 2011-04-14 21:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2011-03-04 19:44:14 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys 2011-03-04 19:44:14 133616 ------w- c:\windows\system32\PxAFS.DLL 2011-03-04 19:44:12 126448 ------w- c:\windows\system32\pxinsi64.exe 2011-03-04 19:44:12 123888 ------w- c:\windows\system32\pxcpyi64.exe 1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL 1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL 1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL 1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL 1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL 1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL . ============= FINISH: 23:13:08.98 ===============
- May 25, 2011
- 22 replies
FakeAlert Damage Cleanup

Dogen replied to Dogen's topic in Resolved Malware Removal Logs

Also, just now see that there are two instances of iexplore.exe running when I do not have Internet Explorer open. If I launch IE then instead of one more IE process, I get two (for a total of four processes). Something is definitely wrong.
- May 23, 2011
- 22 replies
FakeAlert Damage Cleanup

Dogen replied to Dogen's topic in Resolved Malware Removal Logs

As a followup to the above: My program folders in the start menu are visable, but most -- but not all -- are empty (i.e. no programs shortcuts are available). When using Google, links to Malwarebytes.org are hijacked and sent to the "StopZilla" website. Ran Mbam again and it found Rogue.WindowsRecoveryConsole in my system restore but once cleaned it now cannot find anything wrong. I also ran SpyBot Search and Destroy it found 2 Fraud.SystemRecovery keys in my registery that Mbab did not. Now SearchBot, Mbab and Mcafee all say everything is clean. But the link hijacking is still ongoing (no proxies are listed in connection settings)and the program menu is still empty of most shortcuts. LOGS: Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6645 Windows 5.1.2600 Service Pack 2 Internet Explorer 8.0.6001.18702 5/22/2011 9:22:40 PM mbam-log-2011-05-22 (21-22-40).txt Scan type: Full scan (C:\|H:\|) Objects scanned: 562087 Time elapsed: 2 hour(s), 49 minute(s), 26 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: c:\system volume information\_restore{610fe075-ddae-42ac-b5bf-7da883f061f2}\RP809\A0070752.exe (Rogue.WindowsRecoveryConsole) -> Quarantined and deleted successfully. c:\system volume information\_restore{610fe075-ddae-42ac-b5bf-7da883f061f2}\RP810\A0071807.exe (Rogue.WindowsRecoveryConsole) -> Quarantined and deleted successfully. c:\system volume information\_restore{610fe075-ddae-42ac-b5bf-7da883f061f2}\RP810\A0073806.exe (Rogue.WindowsRecoveryConsole) -> Quarantined and deleted successfully. ==== DDS ===== . DDS (Ver_11-05-19.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18 Run by John at 7:13:13 on 2011-05-23 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2441 [GMT -7:00] . AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\WINDOWS\system32\Brmfrmps.exe C:\Program Files\Flip Video\FlipShare\FlipShareService.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe C:\Program Files\LogMeIn\x86\RaMaint.exe C:\Program Files\LogMeIn\x86\LogMeIn.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe C:\Program Files\nHancer\nHancerService.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\WINDOWS\RTHDCPL.EXE C:\PROGRA~1\SAFEBO~1\SBEVMON.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Brother\ControlCenter2\brctrcen.exe C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\Citrix\ICA Client\concentr.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Citrix\ICA Client\wfcrun32.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe C:\Documents and Settings\John\Desktop\dds.scr C:\WINDOWS\system32\WSCRIPT.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://news.bbc.co.uk/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110511180828.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [AdobeBridge] uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe" uRun: [Google Update] "c:\documents and settings\john\local settings\application data\google\update\GoogleUpdate.exe" /c mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe" mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [RTHDCPL] RTHDCPL.EXE mRun: [sBEVMON.EXE] c:\progra~1\safebo~1\SBEVMON.EXE -WinLogon mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE mRun: [setDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe" mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe" mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~2\server\bin\VERSIO~2.EXE mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [nwiz] nwiz.exe /installquiet mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager\TurbineDownloadManagerIcon.exe" mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe" mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll Trusted Zone: internet Trusted Zone: intuit.com\ttlc Trusted Zone: mcafee.com Trusted Zone: turbotax.com DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205988890984 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205989320312 DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://connect.wa.gov/dana-cached/sc/JuniperSetupClient.cab DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100 TCP: {3A21731A-5BC9-427F-A29F-97AF9DD2C4B3} = 192.168.1.1 Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll Notify: LMIinit - LMIinit.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll Hosts: 127.0.0.1 www.spywareinfo.com . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\1tq31uhb.default\ FF - prefs.js: browser.search.selectedEngine - Search FF - prefs.js: browser.startup.homepage - hxxp://www.good.is/ FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q= FF - prefs.js: network.proxy.type - 0 FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} . ---- FIREFOX POLICIES ---- . FF - user.js: browser.search.selectedEngine - Search FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q= . ============= SERVICES / DRIVERS =============== . R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-22 387480] R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\sbalg01.sys [2002-2-8 7504] R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\sbalg12.sys [2002-2-8 44688] R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2003-6-3 35988] R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-8 84200] R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856] R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-1-13 47640] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480] R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480] R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480] R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-8 171168] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-8 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-8 141792] R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [2009-3-24 5365] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-8 56064] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-22 153280] R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-22 52320] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-8 314088] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736] S2 Akamai;Akamai;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664] S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-8 84488] S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-22 34248] S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-22 40552] S3 REVO51;REVO51;c:\windows\system32\drivers\revo51.sys --> c:\windows\system32\drivers\revo51.sys [?] S4 LMIRfsClientNP;LMIRfsClientNP; [x] . =============== Created Last 30 ================ . 2011-04-26 05:19:25 -------- d-----w- c:\program files\Auslogics 2011-04-26 05:10:41 69632 ----a-w- c:\windows\system32\CrcCtrl.ocx . ==================== Find3M ==================== . 2011-04-14 21:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys 2011-04-14 21:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys 2011-04-14 21:01:38 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys 2011-04-14 21:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys 2011-04-14 21:01:38 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys 2011-04-14 21:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys 2011-04-14 21:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2011-04-14 21:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2011-04-14 21:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys 2011-04-14 21:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2011-03-04 19:44:14 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys 2011-03-04 19:44:14 133616 ------w- c:\windows\system32\PxAFS.DLL 2011-03-04 19:44:12 126448 ------w- c:\windows\system32\pxinsi64.exe 2011-03-04 19:44:12 123888 ------w- c:\windows\system32\pxcpyi64.exe 1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL 1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL 1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL 1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL 1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL 1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL . ============= FINISH: 7:14:28.23 ===============
- May 23, 2011
- 22 replies
FakeAlert Damage Cleanup

Dogen replied to Dogen's topic in Resolved Malware Removal Logs

Thanks for the help! I ran Mbam again with a full scan and this time it found more than just the FakeAlert. I'll include the log files below. I then restarted, ran Unhide.exe, rebooted and then DDS. I can now see my desktop icons, files on the c: drive and start menu. Didn't have a chance to fully test things out to see if everything is working as it was before, but it's a damn good start! Thanks! Here are the two log files: ===== MBAM LOG ===== Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6619 Windows 5.1.2600 Service Pack 2 Internet Explorer 8.0.6001.18702 5/20/2011 10:22:04 AM mbam-log-2011-05-20 (10-22-04).txt Scan type: Full scan (C:\|) Objects scanned: 561324 Time elapsed: 2 hour(s), 34 minute(s), 40 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 1 Registry Data Items Infected: 3 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DQMiuyMNARayQk (Rogue.Agent.SA) -> Value: DQMiuyMNARayQk -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: c:\documents and settings\John\application data\Sun\Java\deployment\cache\6.0\40\25b9c9a8-1357ddff (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully. c:\system volume information\_restore{610fe075-ddae-42ac-b5bf-7da883f061f2}\RP810\A0073805.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully. c:\system volume information\_restore{610fe075-ddae-42ac-b5bf-7da883f061f2}\RP810\A0073804.exe (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully. ===== DDS LOG ===== . DDS (Ver_11-05-19.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18 Run by John at 19:46:53 on 2011-05-21 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2811 [GMT -7:00] . AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\WINDOWS\system32\Brmfrmps.exe C:\Program Files\Flip Video\FlipShare\FlipShareService.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe C:\Program Files\LogMeIn\x86\RaMaint.exe C:\Program Files\LogMeIn\x86\LogMeIn.exe C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe C:\Program Files\nHancer\nHancerService.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\WINDOWS\RTHDCPL.EXE C:\PROGRA~1\SAFEBO~1\SBEVMON.EXE C:\Program Files\Brother\ControlCenter2\brctrcen.exe C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\Citrix\ICA Client\concentr.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Citrix\ICA Client\wfcrun32.exe C:\Documents and Settings\John\Desktop\dds.scr C:\WINDOWS\system32\WSCRIPT.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://news.bbc.co.uk/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110511180828.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [AdobeBridge] uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe" uRun: [Google Update] "c:\documents and settings\john\local settings\application data\google\update\GoogleUpdate.exe" /c mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe" mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [RTHDCPL] RTHDCPL.EXE mRun: [sBEVMON.EXE] c:\progra~1\safebo~1\SBEVMON.EXE -WinLogon mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE mRun: [setDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe" mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe" mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~2\server\bin\VERSIO~2.EXE mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [nwiz] nwiz.exe /installquiet mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager\TurbineDownloadManagerIcon.exe" mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe" mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll Trusted Zone: internet Trusted Zone: intuit.com\ttlc Trusted Zone: mcafee.com Trusted Zone: turbotax.com DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205988890984 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205989320312 DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://connect.wa.gov/dana-cached/sc/JuniperSetupClient.cab DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100 TCP: {3A21731A-5BC9-427F-A29F-97AF9DD2C4B3} = 192.168.1.1 Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll Notify: LMIinit - LMIinit.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll Hosts: 127.0.0.1 www.spywareinfo.com . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\1tq31uhb.default\ FF - prefs.js: browser.search.selectedEngine - Search FF - prefs.js: browser.startup.homepage - hxxp://www.good.is/ FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q= FF - prefs.js: network.proxy.type - 0 FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} . ---- FIREFOX POLICIES ---- . FF - user.js: browser.search.selectedEngine - Search FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q= . ============= SERVICES / DRIVERS =============== . R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-22 387480] R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\sbalg01.sys [2002-2-8 7504] R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\sbalg12.sys [2002-2-8 44688] R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2003-6-3 35988] R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-8 84200] R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856] R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-1-13 47640] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480] R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480] R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480] R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-8 171168] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-8 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-8 141792] R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [2009-3-24 5365] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-8 56064] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-22 153280] R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-22 52320] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-8 314088] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736] S2 Akamai;Akamai;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664] S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-8 84488] S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-22 34248] S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-22 40552] S3 REVO51;REVO51;c:\windows\system32\drivers\revo51.sys --> c:\windows\system32\drivers\revo51.sys [?] S4 LMIRfsClientNP;LMIRfsClientNP; [x] . =============== Created Last 30 ================ . 2011-04-26 05:19:25 -------- d-----w- c:\program files\Auslogics 2011-04-26 05:10:41 69632 ----a-w- c:\windows\system32\CrcCtrl.ocx . ==================== Find3M ==================== . 2011-04-14 21:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys 2011-04-14 21:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys 2011-04-14 21:01:38 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys 2011-04-14 21:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys 2011-04-14 21:01:38 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys 2011-04-14 21:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys 2011-04-14 21:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2011-04-14 21:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2011-04-14 21:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys 2011-04-14 21:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2011-03-04 19:44:14 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys 2011-03-04 19:44:14 133616 ------w- c:\windows\system32\PxAFS.DLL 2011-03-04 19:44:12 126448 ------w- c:\windows\system32\pxinsi64.exe 2011-03-04 19:44:12 123888 ------w- c:\windows\system32\pxcpyi64.exe 1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL 1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL 1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL 1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL 1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL 1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL . ============= FINISH: 19:48:08.65 ===============
- May 22, 2011
- 22 replies
FakeAlert Damage Cleanup

Dogen replied to Dogen's topic in Resolved Malware Removal Logs

And it appears that I've been locked out of Windows Task Manager.
- May 19, 2011
- 22 replies
FakeAlert Damage Cleanup

Dogen posted a topic in Resolved Malware Removal Logs

Wife infected computer with the FakeAlert! virus. Cleaned it up with MB in safe mode. Now, however, desktop is blank, startup menu is empty and even at command prompt, cannot see any files on c: drive unless I type in dir /a HELP! Here is a log produced by dds: . DDS (Ver_11-05-19.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18 Run by John at 15:40:42 on 2011-05-19 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2579 [GMT -7:00] . AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* . ============== Running Processes =============== . C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\WINDOWS\system32\Brmfrmps.exe C:\Program Files\Flip Video\FlipShare\FlipShareService.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe C:\Program Files\LogMeIn\x86\RaMaint.exe C:\Program Files\LogMeIn\x86\LogMeIn.exe C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe C:\Program Files\nHancer\nHancerService.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\RTHDCPL.EXE C:\PROGRA~1\SAFEBO~1\SBEVMON.EXE C:\Program Files\Brother\ControlCenter2\brctrcen.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\Citrix\ICA Client\concentr.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Citrix\ICA Client\wfcrun32.exe G:\Malwarebytes' Anti-Malware\mbam.exe G:\dds.scr C:\WINDOWS\system32\WSCRIPT.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://news.bbc.co.uk/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110511180828.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [AdobeBridge] uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe" uRun: [Google Update] "c:\documents and settings\john\local settings\application data\google\update\GoogleUpdate.exe" /c uRun: [DQMiuyMNARayQk] c:\documents and settings\all users\application data\DQMiuyMNARayQk.exe mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe" mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [RTHDCPL] RTHDCPL.EXE mRun: [sBEVMON.EXE] c:\progra~1\safebo~1\SBEVMON.EXE -WinLogon mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE mRun: [setDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe" mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe" mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~2\server\bin\VERSIO~2.EXE mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [nwiz] nwiz.exe /installquiet mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager\TurbineDownloadManagerIcon.exe" mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe" mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex uPolicies-explorer: NoDesktop = 1 (0x1) uPolicies-system: DisableTaskMgr = 1 (0x1) IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll Trusted Zone: internet Trusted Zone: intuit.com\ttlc Trusted Zone: mcafee.com Trusted Zone: turbotax.com DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205988890984 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205989320312 DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://connect.wa.gov/dana-cached/sc/JuniperSetupClient.cab DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100 TCP: {3A21731A-5BC9-427F-A29F-97AF9DD2C4B3} = 192.168.1.1 Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll Notify: LMIinit - LMIinit.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll Hosts: 127.0.0.1 www.spywareinfo.com . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\1tq31uhb.default\ FF - prefs.js: browser.search.selectedEngine - Search FF - prefs.js: browser.startup.homepage - hxxp://www.good.is/ FF - prefs.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q= FF - prefs.js: network.proxy.type - 0 FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} . ---- FIREFOX POLICIES ---- . FF - user.js: browser.search.selectedEngine - Search FF - user.js: keyword.URL - hxxp://www.gisly.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=PXdvd0RU&q= . ============= SERVICES / DRIVERS =============== . R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-22 387480] R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\sbalg01.sys [2002-2-8 7504] R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\sbalg12.sys [2002-2-8 44688] R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2003-6-3 35988] R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-8 84200] R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856] R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-1-13 47640] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480] R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480] R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-8 271480] R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-8 171168] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-8 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-8 141792] R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [2009-3-24 5365] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-8 56064] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-22 153280] R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-22 52320] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-8 314088] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736] R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-23 38224] S2 Akamai;Akamai;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664] S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-8 88736] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-8 84488] S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-22 34248] S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-22 40552] S3 REVO51;REVO51;c:\windows\system32\drivers\revo51.sys --> c:\windows\system32\drivers\revo51.sys [?] S4 LMIRfsClientNP;LMIRfsClientNP; [x] . =============== Created Last 30 ================ . 2011-04-26 05:19:25 -------- d--h--w- c:\program files\Auslogics 2011-04-26 05:10:41 69632 ---ha-w- c:\windows\system32\CrcCtrl.ocx . ==================== Find3M ==================== . 2011-04-14 21:01:38 95824 ---ha-w- c:\windows\system32\drivers\mfeapfk.sys 2011-04-14 21:01:38 9344 ---ha-w- c:\windows\system32\drivers\mfeclnk.sys 2011-04-14 21:01:38 88736 ---ha-w- c:\windows\system32\drivers\mfendisk.sys 2011-04-14 21:01:38 84488 ---ha-w- c:\windows\system32\drivers\mferkdet.sys 2011-04-14 21:01:38 84200 ---ha-w- c:\windows\system32\drivers\mfetdi2k.sys 2011-04-14 21:01:38 56064 ---ha-w- c:\windows\system32\drivers\cfwids.sys 2011-04-14 21:01:38 52320 ---ha-w- c:\windows\system32\drivers\mfebopk.sys 2011-04-14 21:01:38 387480 ---ha-w- c:\windows\system32\drivers\mfehidk.sys 2011-04-14 21:01:38 314088 ---ha-w- c:\windows\system32\drivers\mfefirek.sys 2011-04-14 21:01:38 153280 ---ha-w- c:\windows\system32\drivers\mfeavfk.sys 2011-03-04 19:44:14 45648 ---h--w- c:\windows\system32\drivers\pxhelp20.sys 2011-03-04 19:44:14 133616 ---h--w- c:\windows\system32\PxAFS.DLL 2011-03-04 19:44:12 126448 ---h--w- c:\windows\system32\pxinsi64.exe 2011-03-04 19:44:12 123888 ---h--w- c:\windows\system32\pxcpyi64.exe 1998-12-09 02:53:54 99840 ---ha-w- c:\program files\common files\IRAABOUT.DLL 1998-12-09 02:53:54 70144 ---ha-w- c:\program files\common files\IRAMDMTR.DLL 1998-12-09 02:53:54 48640 ---ha-w- c:\program files\common files\IRALPTTR.DLL 1998-12-09 02:53:54 31744 ---ha-w- c:\program files\common files\IRAWEBTR.DLL 1998-12-09 02:53:54 186368 ---ha-w- c:\program files\common files\IRAREG.DLL 1998-12-09 02:53:54 17920 ---ha-w- c:\program files\common files\IRASRIAL.DLL . ============= FINISH: 15:42:59.10 ===============
- May 19, 2011
- 22 replies
MalwareBytes Unable to Delete Infected Keys/Files

Dogen replied to Dogen's topic in Resolved Malware Removal Logs

Hi Ade, I've run ComboFix and am posting its log and the Hijack This log for your review. Thanks again. COMBOFIX: ComboFix 09-03-26.02 - John 2009-03-26 19:13:19.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2796 [GMT -7:00] Running from: c:\documents and settings\John\Desktop\ComboFix.exe AV: McAfee VirusScan *On-access scanning disabled* (Updated) FW: McAfee Personal Firewall *disabled* . ((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 ))))))))))))))))))))))))))))))) . 2009-03-24 23:19 . 2009-03-24 23:25 <DIR> d-------- C:\autorun 2009-03-24 19:21 . 2009-03-24 19:21 552 --a------ c:\windows\system32\d3d8caps.dat 2009-03-24 19:09 . 2009-03-24 19:09 <DIR> d-------- c:\documents and settings\Administrator 2009-03-24 19:04 . 2009-03-24 19:04 <DIR> d-------- c:\program files\FileASSASSIN 2009-03-24 12:22 . 2009-03-24 12:22 <DIR> d-------- c:\documents and settings\John\Application Data\Malwarebytes 2009-03-23 14:44 . 2009-03-25 11:45 <DIR> d-------- c:\temp\temp virus files 2009-03-23 13:53 . 2009-03-26 18:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-03-23 13:53 . 2009-03-23 13:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-03-23 13:53 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-03-23 13:53 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-03-23 13:49 . 2009-03-23 13:49 <DIR> d-------- c:\program files\Enigma Software Group 2009-03-23 13:42 . 2009-03-23 13:42 <DIR> d-------- c:\program files\Trend Micro 2009-03-23 05:18 . 2009-03-23 05:18 127 --a------ c:\windows\system32\MRT.INI 2009-03-21 23:06 . 2009-03-21 23:12 <DIR> d-------- C:\downloads 2009-03-21 23:06 . 2009-03-23 00:17 <DIR> d-------- c:\documents and settings\John\Application Data\Orbit 2009-03-21 23:06 . 2009-03-21 23:06 <DIR> d-------- c:\documents and settings\John\Application Data\GrabPro 2009-03-18 22:08 . 2009-03-18 22:08 <DIR> d-------- c:\program files\SmartFTP Client 2009-03-18 22:08 . 2009-03-18 22:08 <DIR> d-------- c:\documents and settings\John\Application Data\SmartFTP 2009-03-18 22:07 . 2009-03-18 22:07 <DIR> d-------- c:\program files\SmartFTP Client 3.0 Setup Files 2009-03-12 17:18 . 2009-03-12 17:19 <DIR> d-------- c:\program files\Broadcast Analyzer . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-03-27 01:43 --------- d-----w c:\program files\Common Files\Akamai 2009-03-26 10:30 --------- d-----w c:\program files\SyncBack 2009-03-26 06:23 --------- d-----w c:\program files\nbpro 2009-03-25 01:05 --------- d-----w c:\program files\Spybot - Search & Destroy 2009-03-24 20:16 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater 2009-03-23 21:12 --------- d-----w c:\program files\McAfee 2009-03-23 20:38 --------- d-----w c:\program files\BOINC 2009-03-23 20:35 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-03-22 20:29 --------- d-----w c:\program files\GameSpy Arcade 2009-03-09 16:38 --------- d-----w c:\program files\WinMX 2009-03-05 17:44 --------- d-----w c:\program files\Microsoft Silverlight 2009-02-15 19:21 --------- d-----w c:\documents and settings\Guest\Application Data\Viewpoint 2009-02-15 19:20 --------- d-----w c:\documents and settings\Guest\Application Data\AOL 2009-02-15 00:51 --------- d-----w c:\documents and settings\All Users\Application Data\AOL 2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys 1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL 1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL 1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL 1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL 1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL 1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL 2006-12-08 02:34 8 --sha-r c:\windows\neoqaz2.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-19 68856] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480] "nHancer"="c:\program files\nHancer\nHancer.exe" [2007-10-31 1519616] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "SBEVMON.EXE"="c:\progra~1\SAFEBO~1\SBEVMON.EXE" [2003-06-03 176128] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248] "HostManager"="c:\program files\Common Files\AOL\1206148340\ee\AOLSoftware.exe" [2007-05-25 42032] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152] "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920] "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352] "RTHDCPL"="RTHDCPL.EXE" [2007-05-28 c:\windows\RTHDCPL.exe] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 c:\windows\KHALMNPR.Exe] "nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-21 113664] Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-03-25 789008] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588] Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-03-28 815104] Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn] 2008-01-09 12:30 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] @="" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"= "c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"= "c:\\Program Files\\Common Files\\aol\\1206148340\\ee\\aolsoftware.exe"= "c:\\Program Files\\AOL 9.1\\waol.exe"= "c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"= "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "9420:TCP"= 9420:TCP:Akamai NetSession Interface "5000:UDP"= 5000:UDP:Akamai NetSession Interface "4151:TCP"= 4151:TCP:Akamai NetSession Interface "4158:TCP"= 4158:TCP:Akamai NetSession Interface "1279:TCP"= 1279:TCP:Akamai NetSession Interface "1464:TCP"= 1464:TCP:Akamai NetSession Interface "1472:TCP"= 1472:TCP:Akamai NetSession Interface "3257:TCP"= 3257:TCP:Akamai NetSession Interface "3162:TCP"= 3162:TCP:Akamai NetSession Interface "3176:TCP"= 3176:TCP:Akamai NetSession Interface "4273:TCP"= 4273:TCP:Akamai NetSession Interface "4316:TCP"= 4316:TCP:Akamai NetSession Interface "2656:TCP"= 2656:TCP:Akamai NetSession Interface "2678:TCP"= 2678:TCP:Akamai NetSession Interface "2691:TCP"= 2691:TCP:Akamai NetSession Interface "2934:TCP"= 2934:TCP:Akamai NetSession Interface "1426:TCP"= 1426:TCP:Akamai NetSession Interface "3182:TCP"= 3182:TCP:Akamai NetSession Interface "1294:TCP"= 1294:TCP:Akamai NetSession Interface "1628:TCP"= 1628:TCP:Akamai NetSession Interface "1109:TCP"= 1109:TCP:Akamai NetSession Interface "1150:TCP"= 1150:TCP:Akamai NetSession Interface "1554:TCP"= 1554:TCP:Akamai NetSession Interface "1782:TCP"= 1782:TCP:Akamai NetSession Interface "1791:TCP"= 1791:TCP:Akamai NetSession Interface "1989:TCP"= 1989:TCP:Akamai NetSession Interface "2248:TCP"= 2248:TCP:Akamai NetSession Interface "1110:TCP"= 1110:TCP:Akamai NetSession Interface "2260:TCP"= 2260:TCP:Akamai NetSession Interface "2981:TCP"= 2981:TCP:Akamai NetSession Interface "3169:TCP"= 3169:TCP:Akamai NetSession Interface R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\sbalg01.sys [2002-02-08 7504] R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\sbalg12.sys [2002-02-08 44688] R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2003-06-03 35988] R2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [2004-08-04 14336] S2 0071911237840933mcinstcleanup;McAfee Application Installer Cleanup (0071911237840933);c:\windows\TEMP\007191~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\007191~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] Akamai REG_MULTI_SZ Akamai . Contents of the 'Scheduled Tasks' folder 2009-03-27 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 14:17] 2009-03-15 c:\windows\Tasks\McDefragTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10] 2009-03-26 c:\windows\Tasks\SyncBack Broadcast music archive.job - c:\program files\SyncBack\SyncBack.exe [2006-02-24 12:07] 2009-03-23 c:\windows\Tasks\SyncBack Critical Data Backup.job - c:\program files\SyncBack\SyncBack.exe [2006-02-24 12:07] . - - - - ORPHANS REMOVED - - - - WebBrowser-{71FE276A-28E3-442B-A524-B3D6530FBD78} - (no file) . ------- Supplementary Scan ------- . uStart Page = www.cnn.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html Trusted Zone: internet Trusted Zone: mcafee.com Trusted Zone: turbotax.com TCP: {3A21731A-5BC9-427F-A29F-97AF9DD2C4B3} = 68.87.66.196,68.87.64.196 FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\1tq31uhb.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.slate.com . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://*.mcafee.com O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://preview.evite.com/js/ImageUploader5.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205988890984 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205989320312 O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O17 - HKLM\System\CCS\Services\Tcpip\..\{3A21731A-5BC9-427F-A29F-97AF9DD2C4B3}: NameServer = 68.87.66.196,68.87.64.196 O23 - Service: McAfee Application Installer Cleanup (0071911237840933) (0071911237840933mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\007191~1.EXE (file missing) O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: nHancer Support (nHancer) - KSE - Kornd
- March 27, 2009
- 11 replies
MalwareBytes Unable to Delete Infected Keys/Files

Dogen replied to Dogen's topic in Resolved Malware Removal Logs

Hi Ade, I downloaded 1899 and the scan found 5 more infected files, values and keys than it did before. After reboot, I scanned again and it's coming up clean You did it!!! (I'll do a full scan just to make sure) Now, of course, the paranoia comes into play... am I *really* clean??? Now I have to ask myself if I should backup important files, reformat, lay down the OS again and try to reinstall/reconfigure everything all over again (ugh!). At any rate, I owe you a brew mate. Great job! I can't believe you guys. I'll be purchasing the full version if for no other reason than to show my support for the good work you all do. Here is the scan log after downloading 1899: Malwarebytes' Anti-Malware 1.34 Database version: 1899 Windows 5.1.2600 Service Pack 2 3/25/2009 9:21:01 PM mbam-log-2009-03-25 (21-21-01).txt Scan type: Quick Scan Objects scanned: 102207 Time elapsed: 2 minute(s), 13 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 5 Registry Values Infected: 4 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 5 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b09f6159-ea4b-49e7-a8e7-3b9995a6696b} (Trojan.BHO.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{b09f6159-ea4b-49e7-a8e7-3b9995a6696b} (Trojan.BHO.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pznnpjkb (Rootkit.Sentinel) -> Delete on reboot. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pznnpjkb (Rootkit.Sentinel) -> Delete on reboot. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pznnpjkb (Rootkit.Sentinel) -> Delete on reboot. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\certcl.dll (Trojan.BHO.H) -> Delete on reboot. C:\WINDOWS\system32\drivers\orbbtmlf.sys (Rootkit.Sentinel) -> Delete on reboot. C:\WINDOWS\system32\drivers\pznnpjkb.sys (Rootkit.Sentinel) -> Delete on reboot. C:\RECYCLER\S-1-5-21-1644491937-1123561945-839522115-1004\Dc165.sys (Rootkit.Sentinel) -> Quarantined and deleted successfully. C:\Documents and Settings\John\Local Settings\Temp\smjgpqep.dat (Rootkit.Agent) -> Delete on reboot.
- March 26, 2009
- 11 replies

Sign In

Dogen

Posts

Joined

Last visited

Reputation

FakeAlert Damage Cleanup

FakeAlert Damage Cleanup

FakeAlert Damage Cleanup

FakeAlert Damage Cleanup

FakeAlert Damage Cleanup

FakeAlert Damage Cleanup

FakeAlert Damage Cleanup

FakeAlert Damage Cleanup

FakeAlert Damage Cleanup

FakeAlert Damage Cleanup

FakeAlert Damage Cleanup

FakeAlert Damage Cleanup

FakeAlert Damage Cleanup

MalwareBytes Unable to Delete Infected Keys/Files

MalwareBytes Unable to Delete Infected Keys/Files

Browse

Activity

Personal

Business

Business Modules

Partners

Learn

Start here

Type of malware/attacks

How does it get on my computer?

Scams and grifts

Support

Important Information