
FirefoxForNow

Everything posted by FirefoxForNow

  1. Hello, sorry I've been a couple of days without replying. Finally had some free time to deal with it. The GooredFix seems to have worked; the Firefox redirect problem is gone. Excellent! Log is below. I imagine that it already took care of everything, but I thought I'd check if there is anything further that should be done... Thanks again for all your help; you have been very cooperative and effective. If I ever need any future help, I'll be sure to come here. Gracias, and may you continue to be victorious in all your future malware battles.

     GooredFix v1.92 by jpshortstuff
     Log created at 20:11 on 11/03/2009 running Option #2 (Marcus)
     Firefox version 3.0.7 (en-US)

     =====Goored Deletions=====
     C:\Program Files\Mozilla Firefox\extensions\{DC850E77-604F-498A-BF47-A171D66E9AA1}
     ->Backing up folder... Done.
     ->Emptying folder... Done.
     ->Deleting folder... Done.

     =====Dumping Registry Values=====
     [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
     "Plugins"="C:\Program Files\Mozilla Firefox\plugins"
     [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
     "Components"="C:\Program Files\Mozilla Firefox\components"
     [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
     "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
  2. I guess my main question at this point then is... how do I go about dealing with the re-route issue with Firefox web searches? Should I just try reinstalling Firefox? Might deleting the old system restore points help with this Firefox redirect issue? Thanks again.
  3. GMER found some stuff. The System volume info system restore thing sounds familiar... I think that McAfee reported a system volume info infection around a month ago. Possible infected restore points? Thanks for the prompt responses.

     GMER 1.0.14.14536 - http://www.gmer.net
     Rootkit scan 2009-03-04 22:39:34
     Windows 5.1.2600 Service Pack 3

     ---- System - GMER 1.0.14 ----

     SSDT sptd.sys ZwCreateKey [0xB9ED9AC8]
     SSDT sptd.sys ZwEnumerateKey [0xB9ED9C22]
     SSDT sptd.sys ZwEnumerateValueKey [0xB9ED9F9A]
     SSDT sptd.sys ZwOpenKey [0xB9ED998E]
     SSDT sptd.sys ZwQueryKey [0xB9EDA064]
     SSDT sptd.sys ZwQueryValueKey [0xB9ED9EFC]
     SSDT sptd.sys ZwSetValueKey [0xB9EDA0EC]

     ---- Kernel code sections - GMER 1.0.14 ----

     ? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
     ? C:\WINDOWS\System32\Drivers\SPTD8701.SYS The process cannot access the file because it is being used by another process.
     .text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 B8FA54F0 16 Bytes [ FA, B2, 91, 10, AD, 3B, 4F, ... ]
     .text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 B8FA5501 31 Bytes [ 40, FA, B8, C6, 8C, 8F, B5, ... ]
     ? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.

     ---- Kernel IAT/EAT - GMER 1.0.14 ----

     IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [b9ED5AD2] sptd.sys
     IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [b9ED5C0E] sptd.sys
     IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [b9ED5B96] sptd.sys
     IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [b9ED676C] sptd.sys
     IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [b9ED6642] sptd.sys

     ---- Devices - GMER 1.0.14 ----

     Device \FileSystem\Ntfs \Ntfs 8AC0EBF8
     Device \FileSystem\Udfs \UdfsCdRom 8A9AF8E8
     Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
     Device \FileSystem\Udfs \UdfsDisk 8A9AF8E8
     Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
     Device \Driver\NetBT \Device\NetBT_Tcpip_{585841F7-1DD4-4AC7-A6D6-364A1534A3BF} 89D47748
     AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
     Device \Driver\dmio \Device\DmControl\DmIoDaemon 8ABC1410
     Device \Driver\dmio \Device\DmControl\DmConfig 8ABC1410
     Device \Driver\dmio \Device\DmControl\DmPnP 8ABC1410
     Device \Driver\dmio \Device\DmControl\DmInfo 8ABC1410
     Device \Driver\00000073 \Device\00000053 sptd.sys
     AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
     Device \Driver\prodrv06 \Device\ProDrv06 E1EC23F8
     Device \Driver\Ftdisk \Device\HarddiskVolume1 8ABC16C8
     Device \Driver\Ftdisk \Device\HarddiskVolume2 8ABC16C8
     Device \Driver\Cdrom \Device\CdRom0 8A9E6830
     Device \FileSystem\Rdbss \Device\FsWrap 89D333C0
     Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
     Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
     Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
     Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
     Device \Driver\Ftdisk \Device\HarddiskVolume3 8ABC16C8
     Device \Driver\prohlp02 \Device\ProHlp02 E189D338
     Device \Driver\NetBT \Device\NetBt_Wins_Export 89D47748
     Device \Driver\NetBT \Device\NetbiosSmb 89D47748
     AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
     Device \Driver\Disk \Device\Harddisk0\DR0 8AC0EE30
     AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
     Device \Driver\NetBT \Device\NetBT_Tcpip_{45DA8E86-FDFA-4A7D-B4F1-16F25E484B3B} 89D47748
     Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89D31548
     Device \FileSystem\MRxSmb \Device\LanmanRedirector 89D31548
     Device \FileSystem\Npfs \Device\NamedPipe 8A52E258
     Device \Driver\Ftdisk \Device\FtControl 8ABC16C8
     Device \FileSystem\Msfs \Device\Mailslot 89D989F8
     Device \Driver\dtscsi \Device\Scsi\dtscsi1 8A8D09F8
     Device \FileSystem\Fastfat \Fat 89D3E840
     Device \FileSystem\Fastfat \Fat AC54D297

     ---- Registry - GMER 1.0.14 ----

     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 1353520082
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1871465379
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1571322080
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x90 0xB8 0xA0 ...
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0xD2 0xA5 0x3A ...
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xAE 0x27 0xA4 ...
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x64 0xDC 0x93 0x47 ...
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0xCE 0x6F 0x4C ...
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
     Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0xE4 0x4B 0x74 ...
     Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
     Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
     Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
     Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x90 0xB8 0xA0 ...
     Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
     Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
     Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0xD2 0xA5 0x3A ...
     Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
     Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xAE 0x27 0xA4 ...
     Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
     Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x64 0xDC 0x93 0x47 ...
     Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
     Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0xCE 0x6F 0x4C ...
     Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
     Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0xE4 0x4B 0x74 ...
     Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
     Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
     Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
     Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x90 0xB8 0xA0 ...
     Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
     Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
     Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0xD2 0xA5 0x3A ...
     Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
     Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEB 0xAE 0x27 0xA4 ...
     Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
     Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x64 0xDC 0x93 0x47 ...
     Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
     Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xBB 0xCE 0x6F 0x4C ...
     Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
     Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0xE4 0x4B 0x74 ...

     ---- Files - GMER 1.0.14 ----

     ADS C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP46\A0004733.exe:mian.nest.9.10 18944 bytes executable

     ---- EOF - GMER 1.0.14 ----
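The GMER output in the post above is the kind of log a helper reads by hand: the seven SSDT hooks and the five atapi.sys IAT hooks all point at sptd.sys, which the Registry section ties to C:\Program Files\DAEMON Tools\ through its Cfg@p0 value, and the only file finding is an alternate data stream on an executable inside a System Restore point. The script below is an added example written for this page; it is not GMER's code and was not posted in the thread. It parses those three line shapes, groups hooks by the module that installed them, and separates modules with a known owner from ones that still need a look. The KNOWN_HOOKERS table and the info/review labels are this example's assumptions; the embedded sample log is a constructed subset of the lines in the post.

```python
"""Triage a GMER rootkit-scan log: group kernel hooks by the module that
installed them and list alternate data streams (ADS).

Added example for this thread, not GMER's own code.  KNOWN_HOOKERS and the
"info"/"review" labels are assumptions of this example."""
import re
import sys
from collections import defaultdict

# Line shapes as GMER 1.0.14 prints them (see the log in the post above).
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
IAT_RE = re.compile(r"^IAT\s+(?P<victim>[^\[\s]+)\[(?P<import>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)")
ADS_RE = re.compile(r"^ADS\s+(?P<path>.+?):(?P<stream>\S+)\s+(?P<size>\d+)\s+bytes(?:\s+(?P<flag>\w+))?")

# Modules whose SSDT/IAT hooks are expected once their product is installed.
# Assumption of this example: the post's own Registry section maps sptd.sys to
# DAEMON Tools (Cfg\...@p0 = C:\Program Files\DAEMON Tools\).
KNOWN_HOOKERS = {
    "sptd.sys": "SPTD disc-emulation driver (DAEMON Tools / Alcohol)",
}

# Constructed subset of the GMER lines posted in the thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----
SSDT sptd.sys ZwCreateKey [0xB9ED9AC8]
SSDT sptd.sys ZwEnumerateKey [0xB9ED9C22]
SSDT sptd.sys ZwOpenKey [0xB9ED998E]
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [b9ED5AD2] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [b9ED6642] sptd.sys
---- Files - GMER 1.0.14 ----
ADS C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP46\A0004733.exe:mian.nest.9.10 18944 bytes executable
---- EOF - GMER 1.0.14 ----
"""


def parse_gmer(text):
    """Return ({module: [(kind, target), ...]}, [ads dicts]) from GMER log text."""
    hooks = defaultdict(list)
    streams = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks[m["module"]].append(("SSDT", m["func"]))
            continue
        m = IAT_RE.match(line)
        if m:
            hooks[m["module"]].append(("IAT", f"{m['victim']}[{m['import']}]"))
            continue
        m = ADS_RE.match(line)
        if m:
            streams.append({"path": m["path"], "stream": m["stream"],
                            "size": int(m["size"]), "flag": m["flag"]})
    return dict(hooks), streams


def triage(text):
    """Return [(severity, message)]: 'info' for accounted-for items, 'review' otherwise."""
    hooks, streams = parse_gmer(text)
    findings = []
    for module, entries in sorted(hooks.items()):
        ssdt = sum(1 for kind, _ in entries if kind == "SSDT")
        iat = len(entries) - ssdt
        owner = KNOWN_HOOKERS.get(module)
        if owner:
            findings.append(("info", f"{module}: {ssdt} SSDT + {iat} IAT hooks; {owner}"))
        else:
            findings.append(("review", f"{module}: {ssdt} SSDT + {iat} IAT hooks from unrecognised module"))
    for s in streams:
        # An executable ADS is worth a look wherever it lives; one inside a
        # System Restore point also means that restore point carries it.
        sev = "review" if s["flag"] == "executable" else "info"
        findings.append((sev, f"ADS {s['stream']} ({s['size']} bytes, {s['flag'] or 'data'}) on {s['path']}"))
    return findings


if __name__ == "__main__":
    log = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for severity, message in triage(log):
        print(f"[{severity:6}] {message}")
```

Run it as `python gmer_triage.py gmer.log` against a saved GMER log; with no argument it triages the embedded sample. A "review" line is a prompt to look, not a verdict: the same SSDT hooks from an unrecognised driver name would be the first thing to chase, while the DAEMON Tools case above is accounted for by the log's own registry data.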
  4. Tigger, thanks for responding despite the hiatus. Deleted the Qoobox folder and downloaded a new ComboFix file. Ran the scan. Your help is appreciated.

     ComboFix 09-03-03.01 - Marcus 2009-03-04 17:48:48.6 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1806 [GMT -8:00]
     Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
     * Created a new restore point
     .
     ((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
     .
     2009-02-24 15:20 . 2009-02-24 15:20 <DIR> d-------- c:\program files\Common Files\Adobe AIR
     2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
     2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
     2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-02-24 23:19 --------- d-----w c:\program files\Common Files\Adobe
     2009-02-24 07:36 --------- d-----w c:\program files\HP
     2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
     2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
     2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
     2009-02-20 00:49 --------- d-----w c:\program files\Creative
     2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
     2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll
     2009-02-19 09:04 --------- d-----w c:\program files\Java
     2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
     2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
     2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
     2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
     2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe
     2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
     2009-01-24 04:09 --------- d-----w c:\program files\Activision
     2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
     2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
     2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
     2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
     2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys
     2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys
     2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe
     2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
     "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
     "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
     "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
     "CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
     "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
     "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
     "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
     "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
     "ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
     "McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
     "Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
     "IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
     "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
     "P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
     MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
     NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

     [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
     "NoSetActiveDesktop"= 1 (0x1)

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusDisableNotify"=dword:00000001
     "UpdatesDisableNotify"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
     "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\uTorrent\\uTorrent.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
     "c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
     "%windir%\\explorer.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "12345:UDP"= 12345:UDP:dc++

     R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
     S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]

     --- Other Services/Drivers In Memory ---

     *NewlyCreated* - ENTDRV51
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     mStart Page = hxxp://www.dell4me.com/myway
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
     FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\
     FF - prefs.js: browser.search.selectedEngine - Google
     FF - prefs.js: browser.startup.homepage - www.google.com
     .

     **************************************************************************

     catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-03-04 17:51:23
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(864)
     c:\windows\system32\MrvGINA.dll

     - - - - - - - > 'lsass.exe'(924)
     c:\windows\system32\EntApi.dll
     .
     Completion time: 2009-03-04 17:53:07
     ComboFix-quarantined-files.txt 2009-03-05 01:53:04
     ComboFix2.txt 2009-02-24 20:34:34

     Pre-Run: 17,573,416,960 bytes free
     Post-Run: 17,623,048,192 bytes free

     128 --- E O F --- 2009-02-24 22:53:47
  5. Hello. This is a continuation of a previous thread located here: http://www.malwarebytes.org/forums/index.php?showtopic=11604 I flaked out for a while and the thread was closed. My fault; your previous proficiency in eliminating the major problems, and personal frustration with Kaspersky, delayed my response. I haven't installed/uninstalled any software since last post. No symptoms have appeared/disappeared. I can post a fresh HJT log if you wish. The Kaspersky prompts didn't coordinate perfectly with your instructions, but I think I worked it out and ran the scan as you asked. It's possible that I am just crummy at interpreting your instructions (my bad). Here are the results; it seems that something was found. Long scan time! Again, sorry for the flakiness. You have been very successful and proficient at disinfecting my machine so far; I'd be bummed to lose your help now.

     --------------------------------------------------------------------------------
     KASPERSKY ONLINE SCANNER 7 REPORT
     Tuesday, March 3, 2009
     Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
     Kaspersky Online Scanner 7 version: 7.0.25.0
     Program database last update: Wednesday, March 04, 2009 01:14:06
     Records in database: 1866833
     --------------------------------------------------------------------------------

     Scan settings:
     Scan using the following database: extended
     Scan archives: yes
     Scan mail databases: yes

     Scan area - My Computer:
     C:\
     D:\
     I:\

     Scan statistics:
     Files scanned: 89601
     Threat name: 2
     Infected objects: 2
     Suspicious objects: 0
     Duration of the scan: 01:08:17

     File name / Threat name / Threats count
     C:\Qoobox\Quarantine\C\WINDOWS\system32\998.exe.vir Infected: Trojan.Win32.Monder.bdnr 1
     C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Dropper.Win32.Agent.ahob 1

     The selected area was scanned.
  6. One more item: all my system restore points from before the infection are still absent. I was hoping that after disinfection these might be accessible again. I guess it is possible that they were actually deleted/wiped, but I figured I'd let you know.
  7. Things are looking good. I'm still getting some signs of infection. IE is running fine, but Google searches on Firefox result in random (not consistent) redirects. McAfee is also still disabled on startup, which doesn't seem right. MWBAM scan still coming up with nothing. Any ideas what is causing the Firefox bug? Should I try uninstalling/reinstalling it? Again, thanks for all your help, Tigger. +1 to your karma stash.
  8. Okay. ComboFix ran the script without event. No reboot necessary. Can't tell if any infection signs have left. I will post back after reboot/further PC use to tell you if any have been dealt with.

     ComboFix 09-02-19.01 - Marcus 2009-02-24 12:30:06.5 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2036 [GMT -8:00]
     Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Marcus\Desktop\CFScript.txt
     * Created a new restore point

     FILE ::
     C:\backup.reg
     C:\cleanup.bat
     C:\cleanup.exe
     c:\windows\ccddawrp
     C:\zip.exe
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     C:\backup.reg
     C:\cleanup.bat
     C:\cleanup.exe
     c:\windows\ccddawrp
     C:\zip.exe
     .
     ((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
     .
     2009-02-24 12:23 . 2009-02-24 12:23 <DIR> d-------- c:\windows\LastGood
     2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
     2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
     2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-02-24 07:36 --------- d-----w c:\program files\HP
     2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
     2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
     2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
     2009-02-20 00:49 --------- d-----w c:\program files\Creative
     2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
     2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll
     2009-02-19 09:04 --------- d-----w c:\program files\Java
     2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
     2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
     2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
     2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
     2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe
     2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
     2009-01-24 04:09 --------- d-----w c:\program files\Activision
     2008-12-31 06:33 --------- d-----w c:\program files\GTR2
     2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
     2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
     2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
     2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
     2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys
     2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys
     2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe
     2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
     .
     ((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))
     .
     - 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat
     + 2009-02-24 20:25:55 46,924 ----a-w c:\windows\system32\perfc009.dat
     - 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat
     + 2009-02-24 20:25:55 367,980 ----a-w c:\windows\system32\perfh009.dat
     + 2009-02-24 20:21:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_330.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
     "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
     "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
     "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
     "CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
     "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
     "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
     "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
     "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
     "ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
     "McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
     "Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
     "IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
     "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
     "P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
     Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
     MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
     NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

     [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
     "NoSetActiveDesktop"= 1 (0x1)

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusDisableNotify"=dword:00000001
     "UpdatesDisableNotify"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
     "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\uTorrent\\uTorrent.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
     "c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
     "%windir%\\explorer.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "12345:UDP"= 12345:UDP:dc++

     R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
     S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]

     --- Other Services/Drivers In Memory ---

     *NewlyCreated* - ENTDRV51
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     mStart Page = hxxp://www.dell4me.com/myway
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
     FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\
     FF - prefs.js: browser.search.selectedEngine - Google
     FF - prefs.js: browser.startup.homepage - www.google.com
     .

     **************************************************************************

     catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-02-24 12:32:50
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(864)
     c:\windows\system32\MrvGINA.dll

     - - - - - - - > 'lsass.exe'(924)
     c:\windows\system32\EntApi.dll
     .
     Completion time: 2009-02-24 12:34:32
     ComboFix-quarantined-files.txt 2009-02-24 20:34:30
     ComboFix2.txt 2009-02-24 07:17:52
     ComboFix3.txt 2009-02-23 02:02:40
     ComboFix4.txt 2009-02-22 19:54:11
     ComboFix5.txt 2009-02-24 20:29:31

     Pre-Run: 19,575,681,024 bytes free
     Post-Run: 19,568,209,920 bytes free

     154 --- E O F --- 2009-02-11 11:02:51

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 12:35:29 PM, on 2/24/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\CTsvcCDA.EXE
     C:\WINDOWS\eHome\ehRecvr.exe
     C:\WINDOWS\eHome\ehSched.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
     C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\system32\MsPMSPSv.exe
     C:\WINDOWS\system32\dllhost.exe
     C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
     C:\WINDOWS\ehome\ehtray.exe
     C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
     C:\WINDOWS\eHome\ehmsas.exe
     C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
     C:\WINDOWS\system32\dla\tfswctrl.exe
     C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
     C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
     C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
     C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
     C:\Program Files\Microsoft IntelliPoint\point32.exe
     C:\Program Files\Common Files\Real\Update_OB\realsched.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\DellSupport\DSAgnt.exe
     C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
     C:\Program Files\Network Associates\VirusScan\mcshield.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     C:\WINDOWS\system32\notepad.exe
     C:\WINDOWS\Explorer.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
     O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
     O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
     O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
     O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
     O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
     O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
     O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
     O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
     O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
     O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
     O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
     O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
     O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
     O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
     O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
     O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
     O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
     O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
     O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
     O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
     O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
     O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
     O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
     O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
     O23 - Service: Ati HotKey Poller - ATI Technologies Inc.
- C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Unknown owner - C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe (file missing) O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe -- End of file - 7774 bytes
  9. Ran Avenger a second time. Here is the "services" prompt that popped up between the "sure you want to execute..." and "reboot..." prompts: "It is dangerous to edit services registry keys directly, if...." Sorry, that's all I jotted down. It's probably irrelevant, but after the 1st run and reboot, the internal speaker in my tower bleeped at me. It's never done that before. Strangely, after the second running of Avenger, there was no .txt log report that popped up. Maybe it knew that the log would be redundant and identical to the last it produced. I don't know. So I generated another ComboFix log... thought it might be more helpful than the Avenger log. What's the next plan of attack?

ComboFix 09-02-19.01 - Marcus 2009-02-23 23:13:13.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2091 [GMT -8:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-23 22:59 . 2009-02-23 22:59 135,168 --a------ C:\zip.exe
2009-02-23 22:59 . 2009-02-23 22:59 19,286 --a------ C:\cleanup.exe
2009-02-23 22:59 . 2009-02-23 22:59 574 --a------ C:\cleanup.bat
2009-02-23 22:59 . 2009-02-23 22:59 0 --a------ C:\backup.reg
2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-19 00:22 . 2009-02-19 00:30 1,924 --a------ c:\windows\ccddawrp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 00:49 --------- d-----w c:\program files\Creative
2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-19 09:04 --------- d-----w c:\program files\Java
2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe
2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
2009-01-24 04:09 --------- d-----w c:\program files\Activision
2008-12-31 06:33 --------- d-----w c:\program files\GTR2
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys
2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-24 07:06:55 54,280 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-24 07:06:55 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-24 07:02:51 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_330.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 23:16:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\MrvGINA.dll
.
Completion time: 2009-02-23 23:17:50
ComboFix-quarantined-files.txt 2009-02-24 07:17:48
ComboFix2.txt 2009-02-23 02:02:40
ComboFix3.txt 2009-02-22 19:54:11
ComboFix4.txt 2009-02-22 03:53:00

Pre-Run: 19,319,517,184 bytes free
Post-Run: 19,302,203,392 bytes free

139 --- E O F --- 2009-02-11 11:02:51
  10. Bummer. It seems that the Avenger process was unsuccessful. I executed the script as asked... there was a confirmation screen (not included in instructions) asking me if I was sure I wanted to run despite the "delete services" command... I think. Anyways, nothing appears to have changed upon reboot... infection signs still present. No second reboot was necessary. Here's the log. I'll try running the Avenger script again, see if it returns the same result. I'll post if it does. What's next?

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!
Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!
Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
  11. SpyBot did come up with two HKEY Internet Explorer issues, but they are probably not responsible for the Firefox redirects. (There were no redirect issues with IE.)
  12. Okay- Things seem to be improved, but not perfect. McAfee antivirus is still disabled on startup initialization, even though the "enable on startup" option is selected. There are no more IE popups, but seemingly random searches on Firefox redirect to strange sites which instigate popups claiming that my PC is infected and I need to click... etc. There doesn't seem to be any huge "parasitic load" on my PC performance from malware, but you could convince me that my system was compromised and only running at 80%-90%. I'm running scans with all my malware software. MWBAM returned zero results. Ad-Aware running now, then SpyBot. I'll let you know if they return anything. Do you know what is causing the antivirus being disabled and the Firefox redirects? Cheers- progress has been made. Things are improving.
  13. Alright. Ran the ComboFix script. It asked to reboot. I did, and signs of infection are still present (McAfee disabled on startup). What's next? And thanks again.

ComboFix 09-02-19.01 - Marcus 2009-02-22 17:53:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2029 [GMT -8:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marcus\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Marcus\Application Data\axepub.bin
c:\documents and settings\Marcus\Application Data\ubywuxy.com
c:\documents and settings\Marcus\Application Data\ycexim.reg
c:\program files\Common Files\ahupebykiw.dl
c:\program files\Common Files\efucu.ban
c:\program files\Common Files\melo.com
c:\program files\Common Files\mudohoc.bat
c:\windows\system32\drivers\zkiefzrs.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Marcus\Application Data\axepub.bin
c:\documents and settings\Marcus\Application Data\ubywuxy.com
c:\documents and settings\Marcus\Application Data\ycexim.reg
c:\program files\Common Files\ahupebykiw.dl
c:\program files\Common Files\efucu.ban
c:\program files\Common Files\melo.com
c:\program files\Common Files\mudohoc.bat
c:\windows\ccddawrp\

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_skbgfqnd


((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-19 00:22 . 2009-02-19 00:30 1,924 --a------ c:\windows\ccddawrp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 00:49 --------- d-----w c:\program files\Creative
2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
2009-02-19 09:04 --------- d-----w c:\program files\Java
2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
2009-01-24 04:09 --------- d-----w c:\program files\Activision
2008-12-31 06:33 --------- d-----w c:\program files\GTR2
2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-23 01:52:53 54,280 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-23 01:52:53 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-23 01:58:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_790.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 17:59:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\MrvGINA.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\NETGEAR\WG311v3\WinDomainlogon.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\dllhost.exe
c:\program files\NETGEAR\WG311v3\WinDomainlogon.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
c:\documents and settings\Marcus\Desktop\iPod\bin\iPodService.exe
c:\program files\NETGEAR\WG311v3\wlancfg5.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2009-02-22 18:02:39 - machine was rebooted [Marcus]
ComboFix-quarantined-files.txt 2009-02-23 02:02:36
ComboFix2.txt 2009-02-22 19:54:11
ComboFix3.txt 2009-02-22 03:53:00

Pre-Run: 19,675,172,864 bytes free
Post-Run: 19,662,004,224 bytes free

187 --- E O F --- 2009-02-11 11:02:51

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:53 PM, on 2/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems
- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe -- End of file - 8499 bytes
  14. Oops- thought I grabbed the whole thing last time. Sorry. Must have gotten impatient with my copy-paste. Here ya go. Thanks!

ComboFix 09-02-19.01 - Marcus 2009-02-22 11:49:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1915 [GMT -8:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.
2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-19 00:22 . 2009-02-19 00:30 1,924 --a------ c:\windows\ccddawrp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 00:49 --------- d-----w c:\program files\Creative
2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-19 09:04 --------- d-----w c:\program files\Java
2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe
2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
2009-01-24 04:09 --------- d-----w c:\program files\Activision
2008-12-31 06:33 --------- d-----w c:\program files\GTR2
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-10-12 20:30 19,606 -c--a-w c:\program files\Common Files\melo.com
2008-10-12 20:30 18,326 ----a-w c:\documents and settings\Marcus\Application Data\ycexim.reg
2008-10-12 20:30 16,160 -c--a-w c:\program files\Common Files\mudohoc.bat
2008-10-12 20:30 15,553 -c--a-w c:\program files\Common Files\ahupebykiw.dl
2008-10-12 20:30 15,461 -c--a-w c:\program files\Common Files\efucu.ban
2008-10-12 20:30 12,008 ----a-w c:\documents and settings\Marcus\Application Data\ubywuxy.com
2008-10-12 20:30 11,389 ----a-w c:\documents and settings\Marcus\Application Data\axepub.bin
2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys
2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-22 19:47:07 54,280 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-22 19:47:07 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-22 19:43:06 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_784.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mvoqas.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S0 skbgfqnd;skbgfqnd;c:\windows\system32\drivers\zkiefzrs.sys --> c:\windows\system32\drivers\zkiefzrs.sys [?]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 11:52:13
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\MrvGINA.dll
- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-02-22 11:54:08
ComboFix-quarantined-files.txt 2009-02-22 19:54:05
ComboFix2.txt 2009-02-22 03:53:00
Pre-Run: 19,710,701,568 bytes free
Post-Run: 19,695,915,008 bytes free
149 --- E O F --- 2009-02-11 11:02:51
  15. Alright! Sorry I've been slow in responding- I had to go into work early this morning and was away from my (home) PC. I ran ComboFix with no major issues. While it was running, Spybot SD resident (initialized on bootup) alerted me that my homepage and web search settings were being changed... but I don't think Spybot interfered with the scan. Also, after the scan a Windows security alert popped up in the tray saying that my Windows firewall was disabled (probably part of ComboFix). Strangely, during the scan my clock changed to military time, then reverted after the reboot. Weird. Again- thanks for your ongoing support.

ComboFix 09-02-19.01 - Marcus 2009-02-21 19:44:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1859 [GMT -8:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
ADS - explorer.exe: deleted 7454 bytes in 4 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Marcus\Cookies\wolehyf.ban
c:\documents and settings\Marcus\Local Settings\Temporary Internet Files\avezubu.db
c:\documents and settings\Marcus\Local Settings\Temporary Internet Files\dibil.pif
c:\documents and settings\Marcus\Local Settings\Temporary Internet Files\epyfigug.dat
c:\windows\IE4 Error Log.txt
c:\windows\system32\998.exe
c:\windows\system32\init32.exe
c:\windows\system32\TDSSmtvd.dat
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\Tasks\mfwpraie.job
c:\windows\wiaserviv.log
c:\windows\wiaservv.log

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_seneka
-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.
2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-19 00:22 . 2009-02-19 00:30 1,924 --a------ c:\windows\ccddawrp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 00:49 --------- d-----w c:\program files\Creative
2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
2009-02-19 09:04 --------- d-----w c:\program files\Java
2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
2009-01-24 04:09 --------- d-----w c:\program files\Activision
2008-12-31 06:33 --------- d-----w c:\program files\GTR2
2008-10-12 20:30 19,606 -c--a-w c:\program files\Common Files\melo.com
2008-10-12 20:30 18,326 ----a-w c:\documents and settings\Marcus\Application Data\ycexim.reg
2008-10-12 20:30 16,160 -c--a-w c:\program files\Common Files\mudohoc.bat
2008-10-12 20:30 15,553 -c--a-w c:\program files\Common Files\ahupebykiw.dl
2008-10-12 20:30 15,461 -c--a-w c:\program files\Common Files\efucu.ban
2008-10-12 20:30 12,008 ----a-w c:\documents and settings\Marcus\Application Data\ubywuxy.com
2008-10-12 20:30 11,389 ----a-w c:\documents and settings\Marcus\Application Data\axepub.bin
2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:50 PM, on 2/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: mvoqas.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

-- End of file - 8532 bytes
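What the two ComboFix runs in posts 14 and 15 show is a cluster of loading points that a malware-removal helper reads off the log by eye: an AppInit_DLLs value (mvoqas.dll, also reported by HijackThis as the O20 line), both Security Center "DisableNotify" switches set to 1, the standard firewall profile switched off, and an S0 (boot-start) driver, skbgfqnd, whose image ComboFix lists with "[?]" instead of a date and size. The following is an added example, not code from ComboFix, HijackThis or anyone in this thread: a small Python triage that runs over lines copied from those logs (assembled inline below, with one benign O4 line as a control) and flags exactly those indicators. The rule set, the two severity levels and the function names are my own assumptions.

```python
import re
from dataclasses import dataclass

# Sample input assembled for this example: lines copied from the ComboFix
# "Reg Loading Points" and driver list (2009-02-22 run) and from the HijackThis
# log (2009-02-21 run) above, plus one benign O4 line that must NOT be flagged.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mvoqas.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S0 skbgfqnd;skbgfqnd;c:\windows\system32\drivers\zkiefzrs.sys --> c:\windows\system32\drivers\zkiefzrs.sys [?]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]
O20 - AppInit_DLLs: mvoqas.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium" (severity scale is an assumption of this example)
    rule: str
    line: str


# ComboFix prints registry loading points in REGEDIT4 form: a [key] line,
# followed by "name"=value lines that belong to that key until the next [key].
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# ComboFix driver/service lines: R (running) or S (stopped), the start-type
# digit (0 = boot start), then name;display name;image path [date size].
_SVC_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);[^;]*;(?P<rest>.+)$")
# HijackThis reports the same AppInit_DLLs value as an O20 line.
_O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<value>\S.*)$")


def _dword_is_one(value: str) -> bool:
    """True for both renderings of DWORD 1 seen in the logs: dword:00000001 and '1 (0x1)'."""
    v = value.strip().lower()
    return v == "dword:00000001" or v.startswith("1 ")


def triage(log_text: str) -> list:
    """Return a Finding for every persistence / defense-evasion indicator in log_text."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = _VAL_RE.match(line)
        if m:
            name = m.group("name").lower()
            value = m.group("value").strip()
            if name == "appinit_dlls" and value:
                # Any DLL named here is loaded into every process that maps user32.dll.
                findings.append(Finding("high", "AppInit_DLLs set to " + value, line))
            elif "security center" in current_key and name.endswith("disablenotify") and _dword_is_one(value):
                findings.append(Finding("medium", "Security Center warning suppressed via " + m.group("name"), line))
            elif current_key.endswith("firewallpolicy\\standardprofile") and name == "enablefirewall" and value.startswith("0"):
                findings.append(Finding("medium", "Windows Firewall disabled in the standard profile", line))
            continue
        m = _SVC_RE.match(line)
        if m:
            # A boot-start driver whose image ComboFix could not read ("[?]" in
            # place of a date and size) is the pattern left on this machine.
            if m.group("start") == "0" and m.group("rest").endswith("[?]"):
                findings.append(Finding("high", "boot-start driver with unreadable image: " + m.group("name"), line))
            continue
        m = _O20_RE.match(line)
        if m:
            findings.append(Finding("high", "AppInit_DLLs set to " + m.group("value") + " (HijackThis O20)", line))
    return findings


def high_findings(log_text: str) -> list:
    """Only the findings that warrant immediate action."""
    return [f for f in triage(log_text) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}\n    {f.line}")
```

Run as-is it prints the six hits from the sample; to reuse it, pass the text of a saved ComboFix.txt or HijackThis log to `triage()`. It deliberately does not try to judge whether a named DLL or driver is malicious, only to surface the loading points that deserve a look, which on this machine are the mvoqas.dll and skbgfqnd entries still present in the 2009-02-22 run.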
  16. Tigger- Thanks for sticking it out with me. I removed the "crack" files that had been on my hard drive. The three files that Lop S&D is still identifying are all actual .mp3s that I uploaded from CD and actively listen to. The files which Lop had previously identified under "cracks and keygens" I had acquired over two ago. Also, they were acquired directly in 1st person from a friend via USB key, not through any p2p service. Therefore, I'd be surprised if they were related to my recent infection. Unless it's a really crafty infection. Note for MBAM community: Any "crack" files previously displayed in diagnostic results were NOT related to the infringement of copyrighted or trademarked data. Piracy is illegal and should not be practiced by MBAM users. It is an easy way to contract malware. Don't do it! Here's the new Lop log. Other than deleting the indicated files, I have performed no other actions since last post. Thanks, cheers, and hope your weekend is starting off better than mine.
--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel® Pentium® 4 CPU 3.00GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 A01
USER : Marcus ( Administrator )
BOOT : Normal boot
C:\ (Local Disk) - NTFS - Total:144 Go (Free:18 Go)
D:\ (CD or DVD)
I:\ (Local Disk) - NTFS - Total:372 Go (Free:174 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Fri 02/20/2009|21:23 )

--------------------\\ Listing folders in APPLIC~1

[09/10/2005|12:05] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Creative
[08/19/2004|01:14] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[09/10/2005|11:52] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Jasc Software Inc
[09/10/2005|11:50] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[09/10/2005|11:42] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Sun
[09/10/2005|11:57] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Symantec
[04/23/2006|09:32] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[04/23/2006|09:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe Systems
[09/14/2005|08:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
[01/24/2007|07:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[05/26/2007|06:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> BVRP Software
[03/29/2008|02:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Dell
[04/11/2008|10:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> GTek
[10/02/2005|07:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> HP
[09/10/2005|11:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[09/10/2005|11:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Intuit
[12/19/2008|12:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft
[12/20/2008|02:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[11/04/2008|01:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[09/14/2005|08:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Network Associates
[09/10/2005|11:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[08/19/2004|01:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SBSI
[12/20/2008|05:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[09/14/2005|08:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec
[05/28/2006|10:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[09/10/2005|12:05] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Creative
[08/19/2004|01:14] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities
[09/10/2005|11:52] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Jasc Software Inc
[08/19/2004|12:57] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[09/10/2005|11:42] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Sun
[09/10/2005|11:57] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Symantec
[03/10/2006|09:31] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
[12/04/2008|10:11] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Adobe
[02/25/2006|06:26] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> AdobeUM
[03/07/2006|09:36] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Apple Computer
[05/03/2008|11:08] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> BitZipper
[03/04/2008|06:34] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Creative
[09/25/2005|11:26] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> CyberLink
[12/09/2005|06:53] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Google
[04/14/2007|02:59] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Gtek
[12/20/2008|12:51] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Help
[06/28/2007|06:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> HP
[08/19/2004|01:14] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Identities
[05/26/2007|06:34] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> InstallShield
[09/26/2005|03:41] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Jasc Software Inc
[12/19/2008|01:00] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Lavasoft
[10/11/2005|07:55] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Leadertech
[03/28/2006|08:35] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Macromedia
[12/20/2008|02:05] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Malwarebytes
[02/06/2008|09:18] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Microsoft
[12/20/2008|12:30] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Mozilla
[04/25/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Opera
[04/30/2008|10:05] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Real
[10/11/2005|07:56] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Sonic
[09/10/2005|11:42] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Sun
[09/10/2005|11:57] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Symantec
[02/14/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Talkback
[02/14/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Thunderbird
[02/19/2009|12:18] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> uTorrent
[08/19/2004|12:57] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[02/20/2009 08:00 PM][--a------] C:\WINDOWS\tasks\mfwpraie.job
[02/20/2009 07:01 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/10/2004 02:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[01/23/2009|08:09] C:\Program Files\<DIR> Activision
[04/23/2006|09:51] C:\Program Files\<DIR> Adobe
[09/10/2005|11:47] C:\Program Files\<DIR> ATI Technologies
[05/26/2007|06:34] C:\Program Files\<DIR> Avanquest update
[05/03/2008|11:25] C:\Program Files\<DIR> BitZipper
[12/28/2005|08:22] C:\Program Files\<DIR> Canon
[09/16/2007|01:33] C:\Program Files\<DIR> CDex_150
[02/19/2009|01:02] C:\Program Files\<DIR> Common Files
[08/19/2004|01:02] C:\Program Files\<DIR> ComPlus Applications
[02/19/2009|04:49] C:\Program Files\<DIR> Creative
[12/22/2007|03:41] C:\Program Files\<DIR> Crystal Player
[03/02/2006|01:50] C:\Program Files\<DIR> CureROM
[09/10/2005|11:49] C:\Program Files\<DIR> CyberLink
[12/10/2005|06:52] C:\Program Files\<DIR> DAEMON Tools
[10/24/2006|08:11] C:\Program Files\<DIR> DC++
[09/10/2005|12:01] C:\Program Files\<DIR> Dell
[09/10/2005|11:52] C:\Program Files\<DIR> Dell Inc
[04/14/2007|02:48] C:\Program Files\<DIR> DellSupport
[10/22/2008|12:23] C:\Program Files\<DIR> DivX
[08/19/2004|01:16] C:\Program Files\<DIR> EnglishOtto
[04/20/2006|05:25] C:\Program Files\<DIR> Fargo
[02/19/2009|04:47] C:\Program Files\<DIR> GemMaster
[12/09/2005|06:53] C:\Program Files\<DIR> Google
[12/30/2008|10:33] C:\Program Files\<DIR> GTR2
[10/02/2005|07:02] C:\Program
Files\<DIR> Hewlett-Packard [10/02/2005|07:03] C:\Program Files\<DIR> HP [02/20/2009|09:20] C:\Program Files\<DIR> InstallShield Installation Information [09/10/2005|11:48] C:\Program Files\<DIR> Intel [11/02/2008|02:18] C:\Program Files\<DIR> Internet Explorer [09/10/2005|11:54] C:\Program Files\<DIR> Intuit [01/24/2007|07:07] C:\Program Files\<DIR> iTunes [09/26/2005|03:41] C:\Program Files\<DIR> Jasc Software Inc [02/19/2009|01:04] C:\Program Files\<DIR> Java [10/13/2008|09:25] C:\Program Files\<DIR> K-Lite Codec Pack [12/19/2008|01:00] C:\Program Files\<DIR> Lavasoft [02/20/2009|09:20] C:\Program Files\<DIR> LucasArts [02/20/2009|06:52] C:\Program Files\<DIR> Malwarebytes' Anti-Malware [11/02/2008|02:24] C:\Program Files\<DIR> Messenger [09/14/2005|08:55] C:\Program Files\<DIR> Microsoft ActiveSync [08/19/2004|01:07] C:\Program Files\<DIR> microsoft frontpage [12/20/2007|05:45] C:\Program Files\<DIR> Microsoft Games [09/14/2005|09:27] C:\Program Files\<DIR> Microsoft IntelliPoint [09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Office [09/10/2005|11:51] C:\Program Files\<DIR> Microsoft Plus! Digital Media Edition [09/10/2005|11:51] C:\Program Files\<DIR> Microsoft Plus! 
Photo Story 2 LE [09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Visual Studio [09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Works [09/14/2005|08:53] C:\Program Files\<DIR> Microsoft.NET [09/10/2005|11:48] C:\Program Files\<DIR> Modem Helper [09/10/2005|11:48] C:\Program Files\<DIR> Modem On Hold [05/26/2007|06:43] C:\Program Files\<DIR> Motorola Phone Tools [11/02/2008|02:18] C:\Program Files\<DIR> Movie Maker [02/20/2009|08:50] C:\Program Files\<DIR> Mozilla Firefox [08/19/2004|01:01] C:\Program Files\<DIR> MSN [08/19/2004|01:01] C:\Program Files\<DIR> MSN Gaming Zone [11/15/2006|03:01] C:\Program Files\<DIR> MSXML 4.0 [09/10/2005|11:50] C:\Program Files\<DIR> MUSICMATCH [11/27/2006|09:30] C:\Program Files\<DIR> NETGEAR [11/02/2008|02:15] C:\Program Files\<DIR> NetMeeting [09/14/2005|08:22] C:\Program Files\<DIR> Network Associates [08/19/2004|01:02] C:\Program Files\<DIR> Online Services [11/02/2008|02:15] C:\Program Files\<DIR> Outlook Express [05/10/2006|02:55] C:\Program Files\<DIR> PC-Pine [01/24/2007|07:06] C:\Program Files\<DIR> QuickTime [09/10/2005|11:53] C:\Program Files\<DIR> Real [08/19/2004|01:20] C:\Program Files\<DIR> RGB [12/10/2005|08:47] C:\Program Files\<DIR> Rockstar Games [04/14/2008|06:08] C:\Program Files\<DIR> SCi Games [06/26/2007|09:40] C:\Program Files\<DIR> Soldier of Fortune II - Double Helix MP TEST [09/10/2005|11:56] C:\Program Files\<DIR> Sonic [12/20/2008|05:58] C:\Program Files\<DIR> Spybot - Search & Destroy [09/14/2005|08:18] C:\Program Files\<DIR> Symantec [02/20/2009|05:52] C:\Program Files\<DIR> Trend Micro [08/19/2004|01:14] C:\Program Files\<DIR> Uninstall Information [02/19/2009|12:17] C:\Program Files\<DIR> uTorrent [04/11/2008|10:50] C:\Program Files\<DIR> VideoLAN [09/10/2005|11:50] C:\Program Files\<DIR> Windows Media Player [11/02/2008|02:15] C:\Program Files\<DIR> Windows NT [08/19/2004|01:02] C:\Program Files\<DIR> Windows Plus [08/19/2004|01:05] C:\Program Files\<DIR> WindowsUpdate [08/19/2004|01:07] 
C:\Program Files\<DIR> xerox [04/14/2006|03:25] C:\Program Files\<DIR> Xilisoft [09/10/2005|11:52] C:\Program Files\<DIR> Your Company Name --------------------\\ Listing Folders in C:\Program Files\Common Files [04/23/2006|09:47] C:\Program Files\Common Files\<DIR> Adobe [04/23/2006|09:47] C:\Program Files\Common Files\<DIR> Adobe Systems Shared [09/14/2005|08:33] C:\Program Files\Common Files\<DIR> AOL [09/14/2005|08:22] C:\Program Files\Common Files\<DIR> Cisco Systems [09/14/2005|08:55] C:\Program Files\Common Files\<DIR> DESIGNER [02/04/2008|01:44] C:\Program Files\Common Files\<DIR> DirectX [10/02/2005|07:04] C:\Program Files\Common Files\<DIR> HP [09/10/2005|12:01] C:\Program Files\Common Files\<DIR> InstallShield [09/14/2005|08:46] C:\Program Files\Common Files\<DIR> Intuit [09/14/2005|08:55] C:\Program Files\Common Files\<DIR> L&H [09/14/2005|08:56] C:\Program Files\Common Files\<DIR> Microsoft Shared [08/19/2004|01:04] C:\Program Files\Common Files\<DIR> MSSoap [09/14/2005|08:21] C:\Program Files\Common Files\<DIR> Network Associates [09/10/2005|11:53] C:\Program Files\Common Files\<DIR> Nullsoft [08/19/2004|12:57] C:\Program Files\Common Files\<DIR> ODBC [03/10/2006|07:28] C:\Program Files\Common Files\<DIR> Real [08/19/2004|01:04] C:\Program Files\Common Files\<DIR> Services [09/10/2005|11:56] C:\Program Files\Common Files\<DIR> Sonic Shared [08/19/2004|12:57] C:\Program Files\Common Files\<DIR> SpeechEngines [09/14/2005|08:24] C:\Program Files\Common Files\<DIR> SWF Studio [09/14/2005|08:16] C:\Program Files\Common Files\<DIR> Symantec Shared [11/02/2008|02:14] C:\Program Files\Common Files\<DIR> System [09/10/2005|11:51] C:\Program Files\Common Files\<DIR> TiVo Shared [12/19/2008|12:58] C:\Program Files\Common Files\<DIR> Wise Installation Wizard [03/10/2006|07:28] C:\Program Files\Common Files\<DIR> xing shared --------------------\\ Process ( 56 Processes ) ... OK ! --------------------\\ Searching with S_Lop No Lop folder found ! 
--------------------\\ Searching for Lop Files - Folders C:\DOCUME~1\Marcus\Cookies\marcus@divavillage.advertserve[1].txt C:\DOCUME~1\Marcus\Cookies\marcus@imagevenue.advertserve[2].txt C:\DOCUME~1\Marcus\Cookies\marcus@advertising[1].txt C:\DOCUME~1\Marcus\Cookies\marcus@advertising[2].txt C:\DOCUME~1\Marcus\Cookies\marcus@adopt.euroclick[2].txt --------------------\\ Searching within the Registry ..... OK ! --------------------\\ Checking the Hosts file Hosts file CLEAN --------------------\\ Searching for hidden files with Catchme catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-20 21:24:45 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden files: 0 --------------------\\ Searching for other infections --------------------\\ ROOTKIT !! Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS] Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TDSSSERV.SYS] Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS] Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys] Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys] Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys] --------------------\\ Suspect .. C:\WINDOWS\system32\TDSSmtvd.dat --------------------\\ Cracks & Keygens .. 
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Jay Z\In My Lifetime, Volume 1\12 - Jay-Z - Rap Game Crack Game.mp3 C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Kanye West\Late Registration\08-Crack Music featuring Game.mp3 C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Notorious BIG\Ten Crack Commandments.mp3 [F:99][D:16]-> C:\DOCUME~1\Marcus\LOCALS~1\Temp [F:479][D:0]-> C:\DOCUME~1\Marcus\Cookies [F:237][D:8]-> C:\DOCUME~1\Marcus\LOCALS~1\TEMPOR~1\content.IE5 1 - "C:\Lop SD\LopR_1.txt" - Fri 02/20/2009|19:10 - Option : [1] 2 - "C:\Lop SD\LopR_2.txt" - Fri 02/20/2009|21:25 - Option : [1] --------------------\\ Scan completed at 21:25:46
  17. Tigger- Thanks for what help you were able to provide. I didn't intend to insult your diagnostic tools- I'm just a little apprehensive of installing more software at this point. The French-as-a-primary-language aspect made me think twice. I'm sorry that you cannot help me any further. The cracks and keygens in the My Documents folder I am familiar with and pose no threat- I can uninstall/delete them if that would help things. If you cannot help me any further with direct instructions, can you: (A) give me some analysis of the nature of my problem/situation from the diagnostic data provided, (B) suggest an attack approach or plan of addressing my situation (such as removing problematic cracks), (C) refer me to a different reputable security/malware forum. Additionally, if any other moderators are able to help/make suggestions that would be appreciated as well.
  18. Thanks for the help. I did as you asked. As a heads up: when I ran the updated MWB, Spybot S&D resident came up with an alert saying "Browser helper object value added" with a long serial number for the process that started (9cd1fd11-b323-4d7f- ......). I don't think it was a MWB process; it might be related to the trojan. Not to sound ungrateful (I'm anything but)- this LOP S&D software is a little sketchy. Small and French? Please don't ask me to DL any additional tools unless absolutely necessary. I already listed my armada of installed tools, and it doesn't seem like I should need any more. Unless that's the only way. Thanks again!

Updated MWB log:

Malwarebytes' Anti-Malware 1.34
Database version: 1782
Windows 5.1.2600 Service Pack 3

2/20/2009 6:56:59 PM
mbam-log-2009-02-20 (18-56-59).txt

Scan type: Quick Scan
Objects scanned: 68998
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\mvoqas.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9cd1fd11-b323-4b7f-8072-8b2ca11ee05e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9cd1fd11-b323-4b7f-8072-8b2ca11ee05e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9cd1fd11-b323-4b7f-8072-8b2ca11ee05e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mvoqas.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ungrdxwa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekakxmifuxf.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\senekaobwgwsrn.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\ddcYqOgh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekawqdutehb.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekabgiteqot.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekamliltabd.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekaqatxthsm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
Here is the LOP SD log

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel® Pentium® 4 CPU 3.00GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 A01
USER : Marcus ( Administrator )
BOOT : Normal boot
C:\ (Local Disk) - NTFS - Total:144 Go (Free:11 Go)
D:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Fri 02/20/2009|19:07 )

--------------------\\ Listing folders in APPLIC~1

[09/10/2005|12:05] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Creative
[08/19/2004|01:14] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[09/10/2005|11:52] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Jasc Software Inc
[09/10/2005|11:50] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[09/10/2005|11:42] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Sun
[09/10/2005|11:57] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Symantec
[04/23/2006|09:32] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[04/23/2006|09:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe Systems
[09/14/2005|08:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
[01/24/2007|07:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[05/26/2007|06:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> BVRP Software
[03/29/2008|02:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Dell
[04/11/2008|10:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> GTek
[10/02/2005|07:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> HP
[09/10/2005|11:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[09/10/2005|11:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Intuit
[12/19/2008|12:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft
[12/20/2008|02:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[11/04/2008|01:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[09/14/2005|08:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Network Associates
[09/10/2005|11:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[08/19/2004|01:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SBSI
[12/20/2008|05:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[09/14/2005|08:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec
[05/28/2006|10:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[09/10/2005|12:05] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Creative
[08/19/2004|01:14] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities
[09/10/2005|11:52] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Jasc Software Inc
[08/19/2004|12:57] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[09/10/2005|11:42] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Sun
[09/10/2005|11:57] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Symantec
[03/10/2006|09:31] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
[12/04/2008|10:11] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Adobe
[02/25/2006|06:26] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> AdobeUM
[03/07/2006|09:36] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Apple Computer
[05/03/2008|11:08] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> BitZipper
[03/04/2008|06:34] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Creative
[09/25/2005|11:26] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> CyberLink
[12/09/2005|06:53] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Google
[04/14/2007|02:59] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Gtek
[12/20/2008|12:51] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Help
[06/28/2007|06:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> HP
[08/19/2004|01:14] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Identities
[05/26/2007|06:34] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> InstallShield
[09/26/2005|03:41] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Jasc Software Inc
[12/19/2008|01:00] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Lavasoft
[10/11/2005|07:55] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Leadertech
[03/28/2006|08:35] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Macromedia
[12/20/2008|02:05] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Malwarebytes
[02/06/2008|09:18] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Microsoft
[12/20/2008|12:30] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Mozilla
[04/25/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Opera
[04/30/2008|10:05] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Real
[10/11/2005|07:56] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Sonic
[09/10/2005|11:42] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Sun
[09/10/2005|11:57] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Symantec
[02/14/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Talkback
[02/14/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Thunderbird
[02/19/2009|12:18] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> uTorrent
[08/19/2004|12:57] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[02/20/2009 07:01 PM][--a------] C:\WINDOWS\tasks\mfwpraie.job
[02/20/2009 07:01 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/10/2004 02:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[01/23/2009|08:09] C:\Program Files\<DIR> Activision
[04/23/2006|09:51] C:\Program Files\<DIR> Adobe
[09/10/2005|11:47] C:\Program Files\<DIR> ATI Technologies
[05/26/2007|06:34] C:\Program Files\<DIR> Avanquest update
[05/03/2008|11:25] C:\Program Files\<DIR> BitZipper
[12/28/2005|08:22] C:\Program Files\<DIR> Canon
[09/16/2007|01:33] C:\Program Files\<DIR> CDex_150
[02/19/2009|01:02] C:\Program Files\<DIR> Common Files
[08/19/2004|01:02] C:\Program Files\<DIR> ComPlus Applications
[02/19/2009|04:49] C:\Program Files\<DIR> Creative
[12/22/2007|03:41] C:\Program Files\<DIR> Crystal Player
[03/02/2006|01:50] C:\Program Files\<DIR> CureROM
[09/10/2005|11:49] C:\Program Files\<DIR> CyberLink
[12/10/2005|06:52] C:\Program Files\<DIR> DAEMON Tools
[10/24/2006|08:11] C:\Program Files\<DIR> DC++
[09/10/2005|12:01] C:\Program Files\<DIR> Dell
[09/10/2005|11:52] C:\Program Files\<DIR> Dell Inc
[04/14/2007|02:48] C:\Program Files\<DIR> DellSupport
[10/22/2008|12:23] C:\Program Files\<DIR> DivX
[08/19/2004|01:16] C:\Program Files\<DIR> EnglishOtto
[04/20/2006|05:25] C:\Program Files\<DIR> Fargo
[02/19/2009|04:47] C:\Program Files\<DIR> GemMaster
[12/09/2005|06:53] C:\Program Files\<DIR> Google
[12/30/2008|10:33] C:\Program Files\<DIR> GTR2
[10/02/2005|07:02] C:\Program Files\<DIR> Hewlett-Packard
[10/02/2005|07:03] C:\Program Files\<DIR> HP
[02/19/2009|04:49] C:\Program Files\<DIR> InstallShield Installation Information
[09/10/2005|11:48] C:\Program Files\<DIR> Intel
[11/02/2008|02:18] C:\Program Files\<DIR> Internet Explorer
[09/10/2005|11:54] C:\Program Files\<DIR> Intuit
[01/24/2007|07:07] C:\Program Files\<DIR> iTunes
[09/26/2005|03:41] C:\Program Files\<DIR> Jasc Software Inc
[02/19/2009|01:04] C:\Program Files\<DIR> Java
[10/13/2008|09:25] C:\Program Files\<DIR> K-Lite Codec Pack
[12/19/2008|01:00] C:\Program Files\<DIR> Lavasoft
[09/29/2007|01:04] C:\Program Files\<DIR> LucasArts
[02/20/2009|06:52] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
[11/02/2008|02:24] C:\Program Files\<DIR> Messenger
[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft ActiveSync
[08/19/2004|01:07] C:\Program Files\<DIR> microsoft frontpage
[12/20/2007|05:45] C:\Program Files\<DIR> Microsoft Games
[09/14/2005|09:27] C:\Program Files\<DIR> Microsoft IntelliPoint
[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Office
[09/10/2005|11:51] C:\Program Files\<DIR> Microsoft Plus! Digital Media Edition
[09/10/2005|11:51] C:\Program Files\<DIR> Microsoft Plus! Photo Story 2 LE
[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Visual Studio
[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Works
[09/14/2005|08:53] C:\Program Files\<DIR> Microsoft.NET
[09/10/2005|11:48] C:\Program Files\<DIR> Modem Helper
[09/10/2005|11:48] C:\Program Files\<DIR> Modem On Hold
[05/26/2007|06:43] C:\Program Files\<DIR> Motorola Phone Tools
[11/02/2008|02:18] C:\Program Files\<DIR> Movie Maker
[02/20/2009|07:02] C:\Program Files\<DIR> Mozilla Firefox
[08/19/2004|01:01] C:\Program Files\<DIR> MSN
[08/19/2004|01:01] C:\Program Files\<DIR> MSN Gaming Zone
[11/15/2006|03:01] C:\Program Files\<DIR> MSXML 4.0
[09/10/2005|11:50] C:\Program Files\<DIR> MUSICMATCH
[11/27/2006|09:30] C:\Program Files\<DIR> NETGEAR
[11/02/2008|02:15] C:\Program Files\<DIR> NetMeeting
[09/14/2005|08:22] C:\Program Files\<DIR> Network Associates
[08/19/2004|01:02] C:\Program Files\<DIR> Online Services
[11/02/2008|02:15] C:\Program Files\<DIR> Outlook Express
[05/10/2006|02:55] C:\Program Files\<DIR> PC-Pine
[01/24/2007|07:06] C:\Program Files\<DIR> QuickTime
[09/10/2005|11:53] C:\Program Files\<DIR> Real
[08/19/2004|01:20] C:\Program Files\<DIR> RGB
[12/10/2005|08:47] C:\Program Files\<DIR> Rockstar Games
[04/14/2008|06:08] C:\Program Files\<DIR> SCi Games
[06/26/2007|09:40] C:\Program Files\<DIR> Soldier of Fortune II - Double Helix MP TEST
[09/10/2005|11:56] C:\Program Files\<DIR> Sonic
[12/20/2008|05:58] C:\Program Files\<DIR> Spybot - Search & Destroy
[09/14/2005|08:18] C:\Program Files\<DIR> Symantec
[02/20/2009|05:52] C:\Program Files\<DIR> Trend Micro
[08/19/2004|01:14] C:\Program Files\<DIR> Uninstall Information
[02/19/2009|12:17] C:\Program Files\<DIR> uTorrent
[04/11/2008|10:50] C:\Program Files\<DIR> VideoLAN
[09/10/2005|11:50] C:\Program Files\<DIR> Windows Media Player
[11/02/2008|02:15] C:\Program Files\<DIR> Windows NT
[08/19/2004|01:02] C:\Program Files\<DIR> Windows Plus
[08/19/2004|01:05] C:\Program Files\<DIR> WindowsUpdate
[08/19/2004|01:07] C:\Program Files\<DIR> xerox
[04/14/2006|03:25] C:\Program Files\<DIR> Xilisoft
[09/10/2005|11:52] C:\Program Files\<DIR> Your Company Name

--------------------\\ Listing Folders in C:\Program Files\Common Files

[04/23/2006|09:47] C:\Program Files\Common Files\<DIR> Adobe
[04/23/2006|09:47] C:\Program Files\Common Files\<DIR> Adobe Systems Shared
[09/14/2005|08:33] C:\Program Files\Common Files\<DIR> AOL
[09/14/2005|08:22] C:\Program Files\Common Files\<DIR> Cisco Systems
[09/14/2005|08:55] C:\Program Files\Common Files\<DIR> DESIGNER
[02/04/2008|01:44] C:\Program Files\Common Files\<DIR> DirectX
[10/02/2005|07:04] C:\Program Files\Common Files\<DIR> HP
[09/10/2005|12:01] C:\Program Files\Common Files\<DIR> InstallShield
[09/14/2005|08:46] C:\Program Files\Common Files\<DIR> Intuit
[09/14/2005|08:55] C:\Program Files\Common Files\<DIR> L&H
[09/14/2005|08:56] C:\Program Files\Common Files\<DIR> Microsoft Shared
[08/19/2004|01:04] C:\Program Files\Common Files\<DIR> MSSoap
[09/14/2005|08:21] C:\Program Files\Common Files\<DIR> Network Associates
[09/10/2005|11:53] C:\Program Files\Common Files\<DIR> Nullsoft
[08/19/2004|12:57] C:\Program Files\Common Files\<DIR> ODBC
[03/10/2006|07:28] C:\Program Files\Common Files\<DIR> Real
[08/19/2004|01:04] C:\Program Files\Common Files\<DIR> Services
[09/10/2005|11:56] C:\Program Files\Common Files\<DIR> Sonic Shared
[08/19/2004|12:57] C:\Program Files\Common Files\<DIR> SpeechEngines
[09/14/2005|08:24] C:\Program Files\Common Files\<DIR> SWF Studio
[09/14/2005|08:16] C:\Program Files\Common Files\<DIR> Symantec Shared
[11/02/2008|02:14] C:\Program Files\Common Files\<DIR> System
[09/10/2005|11:51] C:\Program Files\Common Files\<DIR> TiVo Shared
[12/19/2008|12:58] C:\Program Files\Common Files\<DIR> Wise Installation Wizard
[03/10/2006|07:28] C:\Program Files\Common Files\<DIR> xing shared

--------------------\\ Process

( 55 Processes )
... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\Marcus\Cookies\marcus@divavillage.advertserve[1].txt
C:\DOCUME~1\Marcus\Cookies\marcus@imagevenue.advertserve[2].txt
C:\DOCUME~1\Marcus\Cookies\marcus@advertising[1].txt
C:\DOCUME~1\Marcus\Cookies\marcus@advertising[2].txt
C:\DOCUME~1\Marcus\Cookies\marcus@adopt.euroclick[2].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 19:08:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ ROOTKIT !!

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]

--------------------\\ Suspect ..

C:\WINDOWS\system32\TDSSmtvd.dat

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Jay Z\In My Lifetime, Volume 1\12 - Jay-Z - Rap Game Crack Game.mp3
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Kanye West\Late Registration\08-Crack Music featuring Game.mp3
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Notorious BIG\Ten Crack Commandments.mp3
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Acid Pro 5.0 + Keygen
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Age of Empires III crack
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Acid Pro 5.0 + Keygen\Acid Pro 5.0.exe
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Acid Pro 5.0 + Keygen\Fix Registration.reg
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Acid Pro 5.0 + Keygen\Keygen.exe
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Acid Pro 5.0 + Keygen\README.txt
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Age of Empires III crack\dev-ae33.rar
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\SW KOTOR II\Crack
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\SW KOTOR II\Crack\swkotor2.exe
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\SW KOTOR II\Crack\swkotor2.ini

[F:97][D:16]-> C:\DOCUME~1\Marcus\LOCALS~1\Temp
[F:479][D:0]-> C:\DOCUME~1\Marcus\Cookies
[F:237][D:8]-> C:\DOCUME~1\Marcus\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Fri 02/20/2009|19:10 - Option : [1]

--------------------\\ Scan completed at 19:10:23
  19. Here we go- Got a trojan via a WRC torrent DL with IE7. I first noticed that my McAfee had disabled itself. Immediately, went to system restore but all the restore points previous to infection were deleted/hidden. I already had malwarebytes installed, and ran it straight away. It returned several results which were deleted. My comp also had installed AdAware and SpyBot (newest versions) which I ran as well. Both detected small malware, which were deleted. After restart, McAfee initialized in disabled state. Firefox is working, but IE7 returns exponential numbers of popups. After startup, if I run anti-spyware, a trojan is usually detected. If I delete the trojan, there is no significant change for a few minutes, then randomly a prompt "Generic Host Process for Win32 services has encountered a problem and needs to close..." If I try to initialize an app after that message, the OS sorta crashes, where nothing will load: no task manager will pop up, no shut down window, etc. I've got my MWB and HJT logs here. I'll post my McAfee log at the end, if it helps. If you need, I can take a screenshot of active processes and post. Please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:57:22 PM, on 2/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: {e50ee11a-c2b8-2708-f7b4-323b11df1dc9} - {9cd1fd11-b323-4b7f-8072-8b2ca11ee05e} - C:\WINDOWS\system32\mvoqas.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: mvoqas.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc.
- C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe -- End of file - 8679 bytes Malwarebytes' Anti-Malware 1.31 Database version: 1525 Windows 5.1.2600 Service Pack 3 2/20/2009 5:46:28 PM mbam-log-2009-02-20 (17-46-28).txt Scan type: Quick Scan Objects scanned: 55712 Time elapsed: 3 minute(s), 26 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 2 Registry Values Infected: 0 Registry Data Items Infected: 5 Folders Infected: 0 Files Infected: 7 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot. C:\Documents and Settings\Marcus\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\mousehook.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\Marcus\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot. 
McAfee:

2/12/2009 2:21:35 AM Statistics:
2/12/2009 2:21:35 AM Files scanned: 19329
2/12/2009 2:21:35 AM Files detected: 1
2/12/2009 2:21:35 AM Files cleaned: 0
2/12/2009 2:21:35 AM Files deleted: 1
2/12/2009 2:21:35 AM Files moved: 0
2/12/2009 12:09:23 PM Engine version = 5.3.00
2/12/2009 12:09:23 PM DAT version = 5514
2/12/2009 12:09:23 PM Number of virus signatures in EXTRA.DAT = None
2/12/2009 12:09:23 PM Names of viruses that EXTRA.DAT can detect = None
2/12/2009 12:09:53 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\RuntimeTypeInfoSet.class (Virus)
2/12/2009 12:21:53 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\TypeInfoImpl.class (Virus)
2/12/2009 8:55:30 PM Script execution blocked GENERALLEE\Marcus iexplore.exe Script executed by iexplore.exe Exploit-MS06-014 (Trojan)
2/12/2009 9:03:38 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM aawservice.exe C:\WINDOWS\Driver Cache\i386\driver.cab\CTABCEP2.GPD (Virus)
2/12/2009 9:12:28 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM aawservice.exe C:\Program Files\Activision\Call of Duty 2\main\iw_13.iwd\mtl_metal_chimney (Virus)
2/12/2009 9:42:06 PM Not scanned (The file is encrypted) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityFirewallOpenPorts.zip
2/12/2009 9:42:06 PM Not scanned (The file is encrypted) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityFirewallOpenPorts1.zip
2/12/2009 9:42:06 PM Not scanned (The file is encrypted) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WarezPP.zip
2/12/2009 9:42:06 PM Not scanned (The file is encrypted) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk.zip
2/12/2009 9:45:08 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\Marcus\Desktop\Adobe Photoshop CS2 9.0 Final\Photoshop CS2\Adobe® Photoshop® CS2\commonfilesinstaller\Data1.cab\SING.DLL (Virus)
2/12/2009 9:45:23 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\Marcus\Desktop\Adobe Photoshop CS2 9.0 Final\Photoshop CS2\Adobe® Photoshop® CS2\Data1.cab\VERSIONCUEUI.DLL (Virus)
2/12/2009 9:48:57 PM Engine version = 5.3.00
2/12/2009 9:48:57 PM DAT version = 5524
2/12/2009 9:48:57 PM Number of virus signatures in EXTRA.DAT = None
2/12/2009 9:48:57 PM Names of viruses that EXTRA.DAT can detect = None
2/12/2009 9:50:19 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\Init$1.class (Virus)
2/12/2009 10:09:31 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\DTMNodeList.class (Virus)
2/13/2009 1:40:44 AM Engine version = 5.3.00
2/13/2009 1:40:44 AM DAT version = 5524
2/13/2009 1:40:44 AM Number of virus signatures in EXTRA.DAT = None
2/13/2009 1:40:44 AM Names of viruses that EXTRA.DAT can detect = None
2/13/2009 1:41:27 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\SerializerFactory.class (Virus)
2/13/2009 11:43:27 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\RegistrationDocument.class (Virus)
2/14/2009 3:05:56 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\motif_sv.class (Virus)
2/14/2009 7:11:44 PM Script execution blocked GENERALLEE\Marcus iexplore.exe Script executed by iexplore.exe Exploit-MS06-014 (Trojan)
2/15/2009 4:54:57 PM Not scanned (scan timed out) GENERALLEE\Marcus firefox.exe C:\Documents and Settings\Marcus\Local Settings\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\Cache\_CACHE_001_\00000500.EML (Virus)
2/15/2009 8:33:53 PM Not scanned (scan timed out) GENERALLEE\Marcus firefox.exe C:\Documents and Settings\Marcus\Local Settings\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\Cache\_CACHE_001_\00000500.EML (Virus)
2/15/2009 9:15:40 PM Script execution blocked GENERALLEE\Marcus iexplore.exe Script executed by iexplore.exe Exploit-MS06-014 (Trojan)
2/15/2009 9:24:06 PM Not scanned (scan timed out) GENERALLEE\Marcus firefox.exe C:\Documents and Settings\Marcus\Local Settings\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\Cache\_CACHE_001_\00000500.EML (Virus)
2/17/2009 10:31:28 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\DigestMD5Base.class (Virus)
2/17/2009 4:19:51 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\WindowsIconFactory$CheckBoxIcon.class (Virus)
2/18/2009 10:32:13 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\NamespaceMappings.class (Virus)
2/18/2009 6:00:43 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\FuncHere.class (Virus)
2/18/2009 7:33:44 PM Statistics:
2/18/2009 7:33:44 PM Files scanned: 30376
2/18/2009 7:33:44 PM Files detected: 0
2/18/2009 7:33:44 PM Files cleaned: 0
2/18/2009 7:33:44 PM Files deleted: 0
2/18/2009 7:33:44 PM Files moved: 0
2/18/2009 9:41:44 PM Engine version = 5.3.00
2/18/2009 9:41:44 PM DAT version = 5524
2/18/2009 9:41:44 PM Number of virus signatures in EXTRA.DAT = None
2/18/2009 9:41:44 PM Names of viruses that EXTRA.DAT can detect = None
2/18/2009 9:42:17 PM Not scanned (scan timed out) GENERALLEE\Marcus WgaTray.exe C:\Program Files\Java\jre6\lib\rt.jar\XSSimpleTypeDecl$2.class (Virus)
2/18/2009 9:50:45 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\BootstrapResolver.class (Virus)
2/19/2009 12:17:23 AM Statistics:
2/19/2009 12:17:23 AM Files scanned: 2185
2/19/2009 12:17:23 AM Files detected: 0
2/19/2009 12:17:23 AM Files cleaned: 0
2/19/2009 12:17:23 AM Files deleted: 0
2/19/2009 12:17:23 AM Files moved: 0
2/19/2009 12:25:35 AM Engine version = 5.3.00
2/19/2009 12:25:35 AM DAT version = 5524
2/19/2009 12:25:35 AM Number of virus signatures in EXTRA.DAT = None
2/19/2009 12:25:35 AM Names of viruses that EXTRA.DAT can detect = None
2/19/2009 12:25:50 AM Cleaned C:\WINDOWS\system32\prunnet.exe Generic.dx (Trojan)
2/19/2009 12:29:53 AM Statistics:
2/19/2009 12:29:53 AM Files scanned: 0
2/19/2009 12:29:53 AM Files detected: 1
2/19/2009 12:29:53 AM Files cleaned: 0
2/19/2009 12:29:53 AM Files deleted: 0
2/19/2009 12:29:53 AM Files moved: 0
2/19/2009 12:31:51 AM Engine version = 5.3.00
2/19/2009 12:31:51 AM DAT version = 5524
2/19/2009 12:31:51 AM Number of virus signatures in EXTRA.DAT = None
2/19/2009 12:31:51 AM Names of viruses that EXTRA.DAT can detect = None
2/19/2009 1:51:31 AM Engine version = 5.3.00
2/19/2009 1:51:31 AM DAT version = 5524
2/19/2009 1:51:31 AM Number of virus signatures in EXTRA.DAT = None
2/19/2009 1:51:31 AM Names of viruses that EXTRA.DAT can detect = None
2/19/2009 10:04:24 AM Engine version = 5.3.00
2/19/2009 10:04:24 AM DAT version = 5524
2/19/2009 10:04:24 AM Number of virus signatures in EXTRA.DAT = None
2/19/2009 10:04:24 AM Names of viruses that EXTRA.DAT can detect = None
2/19/2009 10:08:04 AM Statistics:
2/19/2009 10:08:04 AM Files scanned: 0
2/19/2009 10:08:04 AM Files detected: 0
2/19/2009 10:08:04 AM Files cleaned: 0
2/19/2009 10:08:04 AM Files deleted: 0
2/19/2009 10:08:04 AM Files moved: 0
2/19/2009 10:10:32 AM Engine version = 5.3.00
2/19/2009 10:10:32 AM DAT version = 5524
2/19/2009 10:10:32 AM Number of virus signatures in EXTRA.DAT = None
2/19/2009 10:10:32 AM Names of viruses that EXTRA.DAT can detect = None
2/19/2009 4:33:38 PM Engine version = 5.3.00
2/19/2009 4:33:38 PM DAT version = 5524
2/19/2009 4:33:38 PM Number of virus signatures in EXTRA.DAT = None
2/19/2009 4:33:38 PM Names of viruses that EXTRA.DAT can detect = None
2/19/2009 4:49:17 PM Statistics:
2/19/2009 4:49:17 PM Files scanned: 1
2/19/2009 4:49:17 PM Files detected: 0
2/19/2009 4:49:17 PM Files cleaned: 0
2/19/2009 4:49:17 PM Files deleted: 0
2/19/2009 4:49:17 PM Files moved: 0
2/19/2009 4:52:57 PM Engine version = 5.3.00
2/19/2009 4:52:57 PM DAT version = 5524
2/19/2009 4:52:57 PM Number of virus signatures in EXTRA.DAT = None
2/19/2009 4:52:57 PM Names of viruses that EXTRA.DAT can detect = None
2/20/2009 12:45:25 AM Engine version = 5.3.00
2/20/2009 12:45:25 AM DAT version = 5524
2/20/2009 12:45:25 AM Number of virus signatures in EXTRA.DAT = None
2/20/2009 12:45:25 AM Names of viruses that EXTRA.DAT can detect = None
2/20/2009 8:45:35 AM Engine version = 5.3.00
2/20/2009 8:45:35 AM DAT version = 5524
2/20/2009 8:45:35 AM Number of virus signatures in EXTRA.DAT = None
2/20/2009 8:45:35 AM Names of viruses that EXTRA.DAT can detect = None
2/20/2009 5:18:32 PM Engine version = 5.3.00
2/20/2009 5:18:32 PM DAT version = 5524
2/20/2009 5:18:32 PM Number of virus signatures in EXTRA.DAT = None
2/20/2009 5:18:32 PM Names of viruses that EXTRA.DAT can detect = None
2/20/2009 5:41:00 PM Engine version = 5.3.00
2/20/2009 5:41:00 PM DAT version = 5524
2/20/2009 5:41:00 PM Number of virus signatures in EXTRA.DAT = None
2/20/2009 5:41:00 PM Names of viruses that EXTRA.DAT can detect = None
2/20/2009 5:47:08 PM Statistics:
2/20/2009 5:47:08 PM Files scanned: 0
2/20/2009 5:47:08 PM Files detected: 0
2/20/2009 5:47:08 PM Files cleaned: 0
2/20/2009 5:47:08 PM Files deleted: 0
2/20/2009 5:47:08 PM Files moved: 0
2/20/2009 5:49:35 PM Engine version = 5.3.00
2/20/2009 5:49:35 PM DAT version = 5524
2/20/2009 5:49:35 PM Number of virus signatures in EXTRA.DAT = None
2/20/2009 5:49:35 PM Names of viruses that EXTRA.DAT can detect = None

Thanks Again!