freshbread3

I want my computer to be normal again ;_;

25 posts in this topic

I seem to have gotten the XP 2012 virus this week even though I thought McAfee was doing its job. With help from another forum I deleted some viruses, I believe. Then I came across a recommendation for Malwarebytes in yet another forum. That's when I downloaded MBAM and it helped me clear more problems out, but I noticed it kept stopping outgoing (and incoming) communication from possibly malicious IP addresses. Some of them were:


Also, I noticed lag in my computer, getting redirected to nonsense websites, and many new processes in the task manager, including ping.exe, which seems to be very busy (so I keep stopping it, but I believe to no avail). After searching for more help on the web I found many other people have experienced the same problems and were getting helped in this forum.

I downloaded DDS and ran it so I'm attaching the DDS and attach logs. I appreciate any help you can give me ;_;

dds.txt

attach.zip


Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them unless otherwise indicated. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post DDS.txt directly in your reply.


^_^ Thank you for helping me. I updated MBAM. And ran a Quick Scan. Here is the log:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 911122201

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/22/2011 1:14:22 AM

mbam-log-2011-12-22 (01-14-22).txt

Scan type: Quick scan

Objects scanned: 201287

Time elapsed: 19 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Then I got a new copy of DDS and ran it. Here is its log:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Fresh Bread at 1:18:38 on 2011-12-22

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.449 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\PROGRA~1\LAUNCH~1\LManager.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\PLFSetL.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\McAfee\MAT\McPvTray.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Acer\Acer VCM\AcerVCM.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\WINDOWS\System32\ping.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s

mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111217014104.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Power2GoExpress]

uRun: [Google Update] "c:\documents and settings\fresh bread\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [McAfee McItInfo] c:\docume~1\freshb~1\locals~1\temp\mcitinfo_1324100587.exe /itinsfin:c:\docume~1\freshb~1\locals~1\temp\mcininfo_1324100588.ini

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [LManager] c:\progra~1\launch~1\LManager.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PLFSetL] c:\windows\PLFSetL.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [McPvTray_exe] "c:\program files\mcafee\mat\McPvTray.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: mswsock.dll

Trusted Zone: amtrak.com\tickets

Trusted Zone: amtrak.com\www

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} -

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: igfxcui - igfxdev.dll

Notify: TPSvc - TPSvc.dll

Notify: xmlproservice - xmlrpw32.dll

Notify: xmlrpw32 - xmlrpw32.dll

AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2011-12-17 64048]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-12-17 459728]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-12-24 89368]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-17 366152]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-17 165000]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-12-17 159832]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-17 148520]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-1 38912]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-17 22216]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-12-24 179248]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-12-24 59288]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-12-24 337912]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-12-24 83688]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]

S2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]

S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]

S2 McOobeSv;McAfee OOBE Service;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]

S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]

S2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-8-1 237568]

S2 XMLProvS;Network ProService;c:\windows\system32\svchost.exe -k xmlpros [2009-8-1 14336]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-1 1684736]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-12-24 57432]

S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-1 24064]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]

S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe --> c:\progra~1\mcafee\msc\mcawfwk.exe [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-12-24 83688]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-12-24 85984]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-1 162816]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

.

=============== Created Last 30 ================

.

2011-12-18 06:56:53 -------- d-----w- c:\program files\VS Revo Group

2011-12-18 06:52:12 -------- d-----w- c:\documents and settings\all users\Uniblue

2011-12-18 03:48:48 -------- d-----w- c:\program files\ESET

2011-12-17 09:29:06 -------- d-----w- c:\documents and settings\fresh bread\application data\McAfee

2011-12-17 09:00:00 -------- d-----w- c:\documents and settings\all users\application data\McAfee Anti-Theft

2011-12-17 07:38:46 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-17 07:38:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-17 07:28:06 -------- d-----w- c:\documents and settings\fresh bread\application data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2011-12-17 06:46:12 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys

2011-12-17 06:45:54 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\McAfee Anti-Theft

2011-12-17 06:41:02 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-12-17 06:39:25 118784 ----a-r- c:\windows\system32\drivers\mfeapfk.sys

2011-12-17 06:39:20 459728 ----a-r- c:\windows\system32\drivers\mfehidk.sys

2011-12-17 06:38:53 148520 ----a-r- c:\windows\system32\mfevtps.exe

2011-12-15 04:58:52 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\PCHealth

2011-12-12 21:33:58 -------- d-----w- c:\documents and settings\fresh bread\application data\Malwarebytes

2011-12-12 21:33:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2011-11-23 07:52:14 -------- d-sh--w- c:\documents and settings\fresh bread\IECompatCache

.

==================== Find3M ====================

.

2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-10 10:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-10 08:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-11-04 22:06:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec

2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

.

============= FINISH: 1:19:55.69 ===============

Besides the obvious problems I had with renewing McAfee (for which I'm pretty sure I need to contact their customer support department and at some point figure out how to uninstall it to properly renew it), it seems everything is ok, right?

The problem is that MBAM keeps blocking access to potentially malicious websites (outgoing). Here is a sample from just today when I allowed this computer to have internet access:

00:55:35 Fresh Bread IP-BLOCK 63.223.106.17 (Type: outgoing)

00:55:38 Fresh Bread IP-BLOCK 63.223.106.17 (Type: outgoing)

00:55:44 Fresh Bread IP-BLOCK 63.223.106.17 (Type: outgoing)

00:56:14 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)

00:56:17 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)

00:56:23 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)

00:56:23 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)

00:56:26 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)

00:56:32 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)

00:56:35 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)

00:56:38 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)

(the rest of the log up to this point just continues blocking 83.133.124.250)

A few days ago I did an ESET scan which found Win32 Rootkit.Kryptik.GG trojan (in WINDOWS\system32\drivers\ipsec.sys) and multiple threats in the operating memory.

My theory is that I've been infected with a rootkit virus, like so many others. If you can help me defeat this nuisance that would be wonderful.

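As an added triage example (not code from the thread, from Malwarebytes or from the poster), here is a small Python helper that parses IP-BLOCK lines in the exact format quoted in the post above and flags addresses that are blocked repeatedly within a short window; the 192.0.2.7 line in the sample is a constructed entry, and the helper assumes all lines come from the same day.

```python
# Triage helper for Malwarebytes' Anti-Malware 1.x protection-log IP-BLOCK lines.
# Added example for this thread, not code from Malwarebytes or from the poster.
# Input shape is exactly the one quoted in the post:
#     00:55:35 Fresh Bread IP-BLOCK 63.223.106.17 (Type: outgoing)
# Assumption: all lines come from one day, so only the time of day is parsed.
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# The account name can contain spaces ("Fresh Bread"), so it is matched
# non-greedily up to the IP-BLOCK token.
IP_BLOCK_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<user>.+?)\s+IP-BLOCK\s+"
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+\(Type:\s*(?P<direction>\w+)\)\s*$"
)


@dataclass
class BlockSummary:
    """Everything worth knowing about one blocked address."""
    ip: str
    user: str
    directions: set = field(default_factory=set)
    times: List[datetime] = field(default_factory=list)

    @property
    def count(self) -> int:
        return len(self.times)

    def is_burst(self, window_seconds: int = 60, min_hits: int = 3) -> bool:
        """True if at least min_hits blocks fall inside some window_seconds span.
        A stray one-off connection does not retry every few seconds; repeated
        outgoing blocks to one address are what a responder looks for."""
        ts = sorted(self.times)
        for i in range(len(ts) - min_hits + 1):
            if (ts[i + min_hits - 1] - ts[i]).total_seconds() <= window_seconds:
                return True
        return False


def parse_ip_block_line(line: str) -> Optional[dict]:
    """Fields of one IP-BLOCK line, or None for anything else (blank lines,
    scan-log lines, the poster's own commentary)."""
    m = IP_BLOCK_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%H:%M:%S")
    return rec


def summarize(lines: List[str]) -> Dict[str, BlockSummary]:
    """Aggregate IP-BLOCK lines per blocked address."""
    out: Dict[str, BlockSummary] = {}
    for line in lines:
        rec = parse_ip_block_line(line)
        if rec is None:
            continue
        s = out.setdefault(rec["ip"], BlockSummary(ip=rec["ip"], user=rec["user"]))
        s.directions.add(rec["direction"])
        s.times.append(rec["time"])
    return out


def suspicious(summary: Dict[str, BlockSummary],
               window_seconds: int = 60, min_hits: int = 3) -> List[str]:
    """Addresses with repeated outgoing blocks in a tight window, most hits first."""
    hits = [s for s in summary.values()
            if "outgoing" in s.directions and s.is_burst(window_seconds, min_hits)]
    return [s.ip for s in sorted(hits, key=lambda s: s.count, reverse=True)]


# The IP-BLOCK lines quoted in the thread, plus one constructed single-hit
# incoming line (documentation address 192.0.2.7) as the non-burst case.
SAMPLE_LOG = """\
00:55:35 Fresh Bread IP-BLOCK 63.223.106.17 (Type: outgoing)
00:55:38 Fresh Bread IP-BLOCK 63.223.106.17 (Type: outgoing)
00:55:44 Fresh Bread IP-BLOCK 63.223.106.17 (Type: outgoing)
00:56:14 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)
00:56:17 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)
00:56:23 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)
00:56:23 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)
00:56:26 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)
00:56:32 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)
00:56:35 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)
00:56:38 Fresh Bread IP-BLOCK 83.133.124.250 (Type: outgoing)
01:02:10 Fresh Bread IP-BLOCK 192.0.2.7 (Type: incoming)
(the rest of the log up to this point just continues blocking 83.133.124.250)
""".splitlines()


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, s in sorted(summary.items(), key=lambda kv: kv[1].count, reverse=True):
        print(f"{ip:16} hits={s.count:<3} {','.join(sorted(s.directions)):9} burst={s.is_burst()}")
    print("repeated outgoing blocks:", suspicious(summary))
```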

ComboFix found Rootkit.ZeroAccess! in the tcp/ip stack. After it ran, though, I lost my internet connection. I tried to manually "repair" the connection like the instructions said at BleepingComputer but it didn't work.

So I ran ComboFix again (because ComboFix said I might need to do that if I lost my internet connection). There was still no connection and ComboFix still found Rootkit.ZeroAccess!

From Internet Explorer I did a Diagnose Connection Problems and it said "Windows has detected a problem with the Winsock provider catalog on this computer."

I thought maybe I should get a new copy of ComboFix, so I used a flash drive to download it from another computer and then ran it again on my computer. Again it found Rootkit.ZeroAccess! and I still couldn't get the internet to work.

So I'm posting from a different computer now. My computer has no internet connection and probably still has Rootkit.ZeroAccess! -__- Hopefully you can see where the problem is from these logs.

ComboFix 11-12-28.02 - Fresh Bread 12/28/2011 3:21.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.664 [GMT -5:00]

Running from: D:\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))

.

.

2011-12-28 04:41 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-28 04:41 . 2011-12-28 04:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-28 04:34 . 2010-04-14 01:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys

2011-12-28 04:34 . 2011-12-28 04:34 -------- d-----w- c:\program files\McAfee Online Backup

2011-12-28 04:33 . 2011-04-11 19:29 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys

2011-12-28 04:31 . 2011-10-15 17:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-12-28 04:31 . 2011-10-15 17:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-12-28 04:31 . 2011-10-15 17:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-12-28 04:31 . 2011-10-15 17:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-12-28 04:31 . 2011-10-15 17:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-12-28 04:31 . 2011-10-15 17:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-12-28 04:31 . 2011-10-15 17:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-12-28 04:31 . 2011-10-15 17:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-12-28 04:31 . 2011-12-28 04:32 -------- d-----w- c:\program files\Common Files\Mcafee

2011-12-28 04:31 . 2011-12-28 05:23 -------- d-----w- c:\program files\McAfee

2011-12-28 04:18 . 2011-11-18 21:36 150856 ----a-w- c:\windows\system32\mfevtps.exe

2011-12-28 04:18 . 2011-12-28 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2011-12-28 03:32 . 2011-12-28 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix

2011-12-28 02:46 . 2011-12-28 02:46 -------- d-----w- c:\program files\Citrix

2011-12-28 02:46 . 2011-12-28 02:46 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Citrix

2011-12-28 02:13 . 2011-12-28 05:50 -------- d-----w- c:\program files\Perfect Uninstaller

2011-12-18 06:56 . 2011-12-18 06:56 -------- d-----w- c:\program files\VS Revo Group

2011-12-18 06:52 . 2011-12-18 06:52 -------- d-----w- c:\documents and settings\All Users\Uniblue

2011-12-18 03:48 . 2011-12-18 03:48 -------- d-----w- c:\program files\ESET

2011-12-17 07:28 . 2011-12-17 07:28 -------- d-----w- c:\documents and settings\Fresh Bread\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2011-12-17 06:45 . 2011-12-17 06:45 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\McAfee Anti-Theft

2011-12-15 05:44 . 2011-12-15 05:44 -------- d-----w- c:\program files\Common Files\Java

2011-12-15 04:58 . 2011-12-15 04:58 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\PCHealth

2011-12-14 03:43 . 2011-12-14 03:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

2011-12-13 11:33 . 2011-12-13 11:33 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp

2011-12-12 21:33 . 2011-12-12 21:33 -------- d-----w- c:\documents and settings\Fresh Bread\Application Data\Malwarebytes

2011-12-12 21:33 . 2011-12-12 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-12-11 04:57 . 2011-12-11 05:34 -------- d-----w- c:\documents and settings\Administrator

2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll

2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll

2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll

2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll

2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll

2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll

2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll

2011-12-07 03:54 . 2011-12-07 03:59 -------- d-----w- c:\program files\QuickTime

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-23 13:25 . 2009-08-01 07:34 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-10 10:54 . 2010-07-01 03:14 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-10 08:27 . 2010-07-01 03:14 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-11-04 22:06 . 2011-05-15 18:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-04 19:20 . 2009-08-01 07:34 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20 . 2009-08-01 07:34 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20 . 2009-08-01 07:34 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23 . 2009-08-01 07:34 385024 ----a-w- c:\windows\system32\html.iec

2011-11-01 16:07 . 2009-08-01 07:34 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31 . 2009-08-01 07:34 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37 . 2008-04-14 00:54 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-18 11:13 . 2009-08-01 07:34 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-15 17:16 . 2011-10-15 17:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-10-15 17:16 . 2011-10-15 17:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-10-10 14:22 . 2009-08-01 06:53 692736 ----a-w- c:\windows\system32\inetcomm.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys

[-] 2008-04-14 12:00 . 90A9305F8727DDB9D5EA8189B520E463 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys

.

[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys

[-] 2008-04-14 12:00 . 90A9305F8727DDB9D5EA8189B520E463 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys

.

((((((((((((((((((((((((((((( SnapShot@2011-12-28_05.48.40 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-12-28 08:20 . 2011-12-28 08:20 16384 c:\windows\Temp\Perflib_Perfdata_3a0.dat

+ 2011-12-28 08:20 . 2011-12-28 08:20 16384 c:\windows\Temp\Perflib_Perfdata_22c.dat

+ 2009-08-01 07:34 . 2011-12-28 08:25 73368 c:\windows\system32\perfc009.dat

- 2009-08-01 07:34 . 2011-12-28 05:28 73368 c:\windows\system32\perfc009.dat

+ 2009-08-01 07:34 . 2011-12-28 08:25 445946 c:\windows\system32\perfh009.dat

- 2009-08-01 07:34 . 2011-12-28 05:28 445946 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]

@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"

[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]

2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]

@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"

[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]

2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]

@="{b4caf489-1eec-c617-49ad-8d7088598c06}"

[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]

2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-16 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]

"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-07-17 53248]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]

"RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]

"CLMLServer"="c:\program files\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]

"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-8-1 565248]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-11 73728]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2011-12-28 02:46 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Documents and Settings\\Fresh Bread\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

.

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [12/27/2011 11:33 PM 64048]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/27/2011 11:31 PM 89792]

R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [12/27/2011 11:34 PM 54776]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/27/2011 11:41 PM 652872]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/27/2011 11:32 PM 160608]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/27/2011 11:18 PM 150856]

R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]

R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [8/1/2009 4:35 AM 237568]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/27/2011 11:31 PM 57600]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/1/2009 2:35 AM 38912]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/27/2011 11:41 PM 20464]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/27/2011 11:31 PM 338176]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/27/2011 11:31 PM 83856]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2010 11:11 PM 136176]

S2 XMLProvS;Network ProService;c:\windows\System32\svchost.exe -k xmlpros [8/1/2009 2:34 AM 14336]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/1/2009 3:48 AM 1684736]

S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/1/2009 3:50 AM 24064]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2010 11:11 PM 136176]

S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe --> c:\progra~1\mcafee\msc\mcawfwk.exe [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/27/2011 11:31 PM 83856]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/27/2011 11:31 PM 87656]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/1/2009 3:43 AM 162816]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

xmlpros REG_MULTI_SZ XMLProvS

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]

.

2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 04:11]

.

2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 04:11]

.

2011-12-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993469562-757298511-4166307882-1005Core.job

- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 07:27]

.

2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993469562-757298511-4166307882-1005UA.job

- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 07:27]

.

.

------- Supplementary Scan -------

.

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html

Trusted Zone: amtrak.com\tickets

Trusted Zone: amtrak.com\www

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 65.32.5.111 65.32.5.112

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-28 03:32

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(976)

c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll

.

Completion time: 2011-12-28 03:35:07

ComboFix-quarantined-files.txt 2011-12-28 08:35

ComboFix2.txt 2011-12-28 07:29

ComboFix3.txt 2011-12-28 05:54

.

Pre-Run: 91,177,267,200 bytes free

Post-Run: 91,169,386,496 bytes free

.

- - End Of File - - AC6C9B6B1127F5CCC1294C2D48B6CF4F

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Fresh Bread at 1:03:48 on 2011-12-28

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.456 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\McAfee Online Backup\MOBKbackup.exe

C:\Program Files\Acer\Acer VCM\RS_Service.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\System32\vssvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\PROGRA~1\LAUNCH~1\LManager.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\PLFSetL.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\McAfee\MAT\McPvTray.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Acer\Acer VCM\AcerVCM.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wscntfy.exe

.

============== Pseudo HJT Report ===============

.

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111227233155.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [LManager] c:\progra~1\launch~1\LManager.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PLFSetL] c:\windows\PLFSetL.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [McPvTray_exe] "c:\program files\mcafee\mat\McPvTray.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: amtrak.com\tickets

Trusted Zone: amtrak.com\www

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

TCP: DhcpNameServer = 65.32.5.111 65.32.5.112

TCP: Interfaces\{E2030F1D-FA9E-405E-97F2-0EA8456A89F0} : DhcpNameServer = 65.32.5.111 65.32.5.112

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2011-12-27 64048]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-10-15 464176]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-12-27 89792]

R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2011-12-27 54776]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-27 652872]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-27 166288]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-12-27 160608]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-27 150856]

R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]

R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-8-1 237568]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-12-27 57600]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-1 38912]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-27 20464]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-12-27 180816]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-12-27 338176]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-12-27 83856]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]

S2 XMLProvS;Network ProService;c:\windows\system32\svchost.exe -k xmlpros [2009-8-1 14336]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-1 1684736]

S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-1 24064]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]

S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe --> c:\progra~1\mcafee\msc\mcawfwk.exe [?]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-12-27 59456]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-12-27 83856]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-27 87656]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-1 162816]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

.

=============== Created Last 30 ================

.

2011-12-28 05:09:04 -------- d-sha-r- C:\cmdcons

2011-12-28 05:05:53 98816 ----a-w- c:\windows\sed.exe

2011-12-28 05:05:53 518144 ----a-w- c:\windows\SWREG.exe

2011-12-28 05:05:53 256000 ----a-w- c:\windows\PEV.exe

2011-12-28 05:05:53 208896 ----a-w- c:\windows\MBR.exe

2011-12-28 04:41:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-28 04:41:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-28 04:34:24 -------- d-----w- c:\program files\McAfeeMOBK

2011-12-28 04:34:15 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys

2011-12-28 04:34:04 -------- d-----w- c:\program files\McAfee Online Backup

2011-12-28 04:33:44 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys

2011-12-28 04:31:55 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-12-28 04:31:49 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-12-28 04:31:49 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-12-28 04:31:49 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-12-28 04:31:49 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-12-28 04:31:49 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-12-28 04:31:49 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-12-28 04:31:49 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-12-28 04:31:43 -------- d-----w- c:\program files\common files\Mcafee

2011-12-28 04:31:41 -------- d-----w- c:\program files\McAfee.com

2011-12-28 04:31:25 -------- d-----w- c:\program files\McAfee

2011-12-28 04:18:56 150856 ----a-w- c:\windows\system32\mfevtps.exe

2011-12-28 03:32:00 -------- d-----w- c:\documents and settings\all users\application data\Citrix

2011-12-28 02:46:43 -------- d-----w- c:\program files\Citrix

2011-12-28 02:46:39 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\Citrix

2011-12-28 02:13:36 -------- d-----w- c:\program files\Perfect Uninstaller

2011-12-18 06:56:53 -------- d-----w- c:\program files\VS Revo Group

2011-12-18 06:52:12 -------- d-----w- c:\documents and settings\all users\Uniblue

2011-12-18 03:48:48 -------- d-----w- c:\program files\ESET

2011-12-17 07:28:06 -------- d-----w- c:\documents and settings\fresh bread\application data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2011-12-17 06:45:54 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\McAfee Anti-Theft

2011-12-17 06:38:53 148520 ----a-r- c:\windows\system32\mfevtps.exe.e42d.deleteme

2011-12-15 04:58:52 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\PCHealth

2011-12-12 21:33:58 -------- d-----w- c:\documents and settings\fresh bread\application data\Malwarebytes

2011-12-12 21:33:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

.

==================== Find3M ====================

.

2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-10 10:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-10 08:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-11-04 22:06:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec

2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-15 17:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-10-15 17:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

.

============= FINISH: 1:05:00.26 ===============


I have a small question too. When I went to get a new copy of ComboFix, I deleted the older copy by just using "delete" but ... should I have uninstalled it from the Run command instead? When I tried to put the new ComboFix on my desktop, it said "shortcut to ComboFix" on it ... so I was wondering if the shortcut pointed to the older version (which was in the Recycle Bin) or to the newer version, which was on the flash drive.

Anyway, my question is ... should I do an uninstall from the Run command? The instructions at BleepingComputer said not to uninstall until I finished getting rid of any viruses, so I am reluctant to "uninstall" at this point. ._.


Hi,

When I say grab a fresh copy, just delete ComboFix.exe and grab a new one. No need to do anything else yet. The BleepingComputer guide is correct.

Please grab a fresh copy of ComboFix, run it, and post its log. It has been updated.


Happy New Year (soon).

I got a fresh copy of ComboFix, but my internet connection still isn't working. (I'm posting from a different computer.)

I also did a DDS scan in case that helps.

Incidentally ComboFix said it found the Rootkit virus again ._.

COMBOFIX LOG

ComboFix 11-12-31.03 - Fresh Bread 12/31/2011 17:06:17.4.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.654 [GMT -5:00]

Running from: D:\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-31 )))))))))))))))))))))))))))))))

.

.

2011-12-28 04:41 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-28 04:41 . 2011-12-28 04:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-28 04:34 . 2010-04-14 01:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys

2011-12-28 04:34 . 2011-12-28 04:34 -------- d-----w- c:\program files\McAfee Online Backup

2011-12-28 04:33 . 2011-04-11 19:29 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys

2011-12-28 04:31 . 2011-10-15 17:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-12-28 04:31 . 2011-10-15 17:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-12-28 04:31 . 2011-10-15 17:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-12-28 04:31 . 2011-10-15 17:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-12-28 04:31 . 2011-10-15 17:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-12-28 04:31 . 2011-10-15 17:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-12-28 04:31 . 2011-10-15 17:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-12-28 04:31 . 2011-10-15 17:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-12-28 04:31 . 2011-12-28 04:32 -------- d-----w- c:\program files\Common Files\Mcafee

2011-12-28 04:31 . 2011-12-28 05:23 -------- d-----w- c:\program files\McAfee

2011-12-28 04:18 . 2011-11-18 21:36 150856 ----a-w- c:\windows\system32\mfevtps.exe

2011-12-28 04:18 . 2011-12-28 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2011-12-28 03:32 . 2011-12-28 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix

2011-12-28 02:46 . 2011-12-28 02:46 -------- d-----w- c:\program files\Citrix

2011-12-28 02:46 . 2011-12-28 02:46 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Citrix

2011-12-28 02:13 . 2011-12-28 05:50 -------- d-----w- c:\program files\Perfect Uninstaller

2011-12-18 06:56 . 2011-12-18 06:56 -------- d-----w- c:\program files\VS Revo Group

2011-12-18 06:52 . 2011-12-18 06:52 -------- d-----w- c:\documents and settings\All Users\Uniblue

2011-12-18 03:48 . 2011-12-18 03:48 -------- d-----w- c:\program files\ESET

2011-12-17 07:28 . 2011-12-17 07:28 -------- d-----w- c:\documents and settings\Fresh Bread\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2011-12-17 06:45 . 2011-12-17 06:45 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\McAfee Anti-Theft

2011-12-15 05:44 . 2011-12-15 05:44 -------- d-----w- c:\program files\Common Files\Java

2011-12-15 04:58 . 2011-12-15 04:58 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\PCHealth

2011-12-14 03:43 . 2011-12-14 03:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

2011-12-13 11:33 . 2011-12-13 11:33 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp

2011-12-12 21:33 . 2011-12-12 21:33 -------- d-----w- c:\documents and settings\Fresh Bread\Application Data\Malwarebytes

2011-12-12 21:33 . 2011-12-12 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-12-11 04:57 . 2011-12-11 05:34 -------- d-----w- c:\documents and settings\Administrator

2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll

2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll

2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll

2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll

2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll

2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll

2011-12-07 03:59 . 2011-12-07 03:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll

2011-12-07 03:54 . 2011-12-07 03:59 -------- d-----w- c:\program files\QuickTime

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-23 13:25 . 2009-08-01 07:34 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-10 10:54 . 2010-07-01 03:14 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-10 08:27 . 2010-07-01 03:14 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-11-04 22:06 . 2011-05-15 18:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-04 19:20 . 2009-08-01 07:34 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20 . 2009-08-01 07:34 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20 . 2009-08-01 07:34 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23 . 2009-08-01 07:34 385024 ----a-w- c:\windows\system32\html.iec

2011-11-01 16:07 . 2009-08-01 07:34 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31 . 2009-08-01 07:34 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37 . 2008-04-14 00:54 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-18 11:13 . 2009-08-01 07:34 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-15 17:16 . 2011-10-15 17:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-10-15 17:16 . 2011-10-15 17:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-10-10 14:22 . 2009-08-01 06:53 692736 ----a-w- c:\windows\system32\inetcomm.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys

[-] 2008-04-14 12:00 . 90A9305F8727DDB9D5EA8189B520E463 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys

.

[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys

[-] 2008-04-14 12:00 . 90A9305F8727DDB9D5EA8189B520E463 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys

.

((((((((((((((((((((((((((((( SnapShot@2011-12-28_05.48.40 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-12-31 22:05 . 2011-12-31 22:05 16384 c:\windows\Temp\Perflib_Perfdata_374.dat

+ 2011-12-31 22:04 . 2011-12-31 22:04 16384 c:\windows\Temp\Perflib_Perfdata_280.dat

+ 2009-08-01 07:34 . 2011-12-31 22:09 73368 c:\windows\system32\perfc009.dat

- 2009-08-01 07:34 . 2011-12-28 05:28 73368 c:\windows\system32\perfc009.dat

+ 2009-08-01 07:34 . 2011-12-31 22:09 445946 c:\windows\system32\perfh009.dat

- 2009-08-01 07:34 . 2011-12-28 05:28 445946 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]

@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"

[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]

2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]

@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"

[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]

2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]

@="{b4caf489-1eec-c617-49ad-8d7088598c06}"

[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]

2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-16 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]

"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-07-17 53248]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]

"RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]

"CLMLServer"="c:\program files\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]

"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-8-1 565248]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-11 73728]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2011-12-28 02:46 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Documents and Settings\\Fresh Bread\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

.

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [12/27/2011 11:33 PM 64048]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/27/2011 11:31 PM 89792]

R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [12/27/2011 11:34 PM 54776]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/27/2011 11:41 PM 652872]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/27/2011 11:32 PM 160608]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/27/2011 11:18 PM 150856]

R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]

R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [8/1/2009 4:35 AM 237568]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/27/2011 11:31 PM 57600]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/1/2009 2:35 AM 38912]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/27/2011 11:41 PM 20464]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/27/2011 11:31 PM 338176]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/27/2011 11:31 PM 83856]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2010 11:11 PM 136176]

S2 XMLProvS;Network ProService;c:\windows\System32\svchost.exe -k xmlpros [8/1/2009 2:34 AM 14336]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/1/2009 3:48 AM 1684736]

S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/1/2009 3:50 AM 24064]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2010 11:11 PM 136176]

S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe --> c:\progra~1\mcafee\msc\mcawfwk.exe [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/27/2011 11:31 PM 83856]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/27/2011 11:31 PM 87656]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/1/2009 3:43 AM 162816]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

xmlpros REG_MULTI_SZ XMLProvS

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]

.

2011-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 04:11]

.

2011-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 04:11]

.

2011-12-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993469562-757298511-4166307882-1005Core.job

- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 07:27]

.

2011-12-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993469562-757298511-4166307882-1005UA.job

- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 07:27]

.

.

------- Supplementary Scan -------

.

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html

Trusted Zone: amtrak.com\tickets

Trusted Zone: amtrak.com\www

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 65.32.5.111 65.32.5.112

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-31 17:18

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(968)

c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll

.

Completion time: 2011-12-31 17:20:58

ComboFix-quarantined-files.txt 2011-12-31 22:20

ComboFix2.txt 2011-12-28 08:35

ComboFix3.txt 2011-12-28 07:29

ComboFix4.txt 2011-12-28 05:54

.

Pre-Run: 91,136,401,408 bytes free

Post-Run: 91,128,664,064 bytes free

.

- - End Of File - - 2D01A5BF309B9097832414772E9E40FE

DDS LOG

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Fresh Bread at 17:36:01 on 2011-12-31

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.389 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\PROGRA~1\LAUNCH~1\LManager.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\PLFSetL.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\McAfee\MAT\McPvTray.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Acer\Acer VCM\AcerVCM.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\McAfee Online Backup\MOBKbackup.exe

C:\Program Files\Acer\Acer VCM\RS_Service.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\system32\wscntfy.exe

.

============== Pseudo HJT Report ===============

.

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111227233155.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [LManager] c:\progra~1\launch~1\LManager.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PLFSetL] c:\windows\PLFSetL.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [McPvTray_exe] "c:\program files\mcafee\mat\McPvTray.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: amtrak.com\tickets

Trusted Zone: amtrak.com\www

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

TCP: DhcpNameServer = 65.32.5.111 65.32.5.112

TCP: Interfaces\{E2030F1D-FA9E-405E-97F2-0EA8456A89F0} : DhcpNameServer = 65.32.5.111 65.32.5.112

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2011-12-27 64048]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-10-15 464176]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-12-27 89792]

R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2011-12-27 54776]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-27 652872]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-27 166288]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-12-27 160608]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-27 150856]

R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]

R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-8-1 237568]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-12-27 57600]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-1 38912]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-27 20464]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-12-27 180816]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-12-27 338176]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-12-27 83856]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]

S2 XMLProvS;Network ProService;c:\windows\system32\svchost.exe -k xmlpros [2009-8-1 14336]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-1 1684736]

S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-1 24064]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]

S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe --> c:\progra~1\mcafee\msc\mcawfwk.exe [?]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-12-27 59456]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-12-27 83856]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-27 87656]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-1 162816]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

.

=============== Created Last 30 ================

.

2011-12-28 05:09:04 -------- d-sha-r- C:\cmdcons

2011-12-28 05:05:53 98816 ----a-w- c:\windows\sed.exe

2011-12-28 05:05:53 518144 ----a-w- c:\windows\SWREG.exe

2011-12-28 05:05:53 256000 ----a-w- c:\windows\PEV.exe

2011-12-28 05:05:53 208896 ----a-w- c:\windows\MBR.exe

2011-12-28 04:41:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-28 04:41:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-28 04:34:24 -------- d-----w- c:\program files\McAfeeMOBK

2011-12-28 04:34:15 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys

2011-12-28 04:34:04 -------- d-----w- c:\program files\McAfee Online Backup

2011-12-28 04:33:44 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys

2011-12-28 04:31:55 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-12-28 04:31:49 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-12-28 04:31:49 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-12-28 04:31:49 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-12-28 04:31:49 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-12-28 04:31:49 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-12-28 04:31:49 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-12-28 04:31:49 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-12-28 04:31:43 -------- d-----w- c:\program files\common files\Mcafee

2011-12-28 04:31:41 -------- d-----w- c:\program files\McAfee.com

2011-12-28 04:31:25 -------- d-----w- c:\program files\McAfee

2011-12-28 04:18:56 150856 ----a-w- c:\windows\system32\mfevtps.exe

2011-12-28 03:32:00 -------- d-----w- c:\documents and settings\all users\application data\Citrix

2011-12-28 02:46:43 -------- d-----w- c:\program files\Citrix

2011-12-28 02:46:39 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\Citrix

2011-12-28 02:13:36 -------- d-----w- c:\program files\Perfect Uninstaller

2011-12-18 06:56:53 -------- d-----w- c:\program files\VS Revo Group

2011-12-18 06:52:12 -------- d-----w- c:\documents and settings\all users\Uniblue

2011-12-18 03:48:48 -------- d-----w- c:\program files\ESET

2011-12-17 07:28:06 -------- d-----w- c:\documents and settings\fresh bread\application data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2011-12-17 06:45:54 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\McAfee Anti-Theft

2011-12-17 06:38:53 148520 ----a-r- c:\windows\system32\mfevtps.exe.e42d.deleteme

2011-12-15 04:58:52 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\PCHealth

2011-12-12 21:33:58 -------- d-----w- c:\documents and settings\fresh bread\application data\Malwarebytes

2011-12-12 21:33:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-12-07 03:59:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

.

==================== Find3M ====================

.

2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-10 10:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-10 08:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-11-04 22:06:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec

2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-15 17:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-10-15 17:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

.

============= FINISH: 17:37:43.82 ===============


Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

FCOPY::
c:\windows\system32\dllcache\ipsec.sys | c:\windows\system32\drivers\ipsec.sys

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

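As an added example (not ComboFix's own code and not something from this thread), the script below pulls the Sigcheck pairs out of a ComboFix log like the one above, flags the file whose in-use copy no longer hashes like its dllcache copy, and renders the same FCOPY:: restore line screen317 posted. The field layout is assumed from the two Sigcheck lines in that log, and the sample input is those lines excerpted.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class SigEntry(NamedTuple):
    """One line from ComboFix's "------- Sigcheck -------" section."""
    status: str    # flag in the leading brackets as ComboFix prints it ("7", "-", ...)
    date: str
    md5: str
    size: int
    version: str   # "------" when ComboFix found no version resource
    path: str


# Field layout assumed from the two Sigcheck lines in the log above:
# [flag] date[ time] . MD5 . size . . [version] . . path
_SIGCHECK_RE = re.compile(
    r"^\[(?P<status>[^\]]+)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(log_text: str) -> List[SigEntry]:
    """Return every Sigcheck entry between the section header and the next banner."""
    entries: List[SigEntry] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("------- Sigcheck -------"):
            in_section = True
            continue
        if not in_section:
            continue
        # The next "(((( ... ))))" or "------- ..." banner closes the section.
        if line.startswith("(((") or line.startswith("-------"):
            break
        m = _SIGCHECK_RE.match(line)
        if m:
            entries.append(SigEntry(m["status"], m["date"], m["md5"].upper(),
                                    int(m["size"]), m["version"], m["path"]))
    return entries


class Mismatch(NamedTuple):
    live: SigEntry       # the copy Windows actually loads (drivers\ or system32\)
    reference: SigEntry  # the Windows File Protection copy in system32\dllcache


def find_mismatches(entries: List[SigEntry]) -> List[Mismatch]:
    """Pair each file with its dllcache copy and keep the pairs whose MD5 differs.

    ComboFix lists the dllcache copy and the in-use copy back to back; a hash
    mismatch between them is what singled out ipsec.sys in the log above.
    """
    by_name: Dict[str, Dict[str, SigEntry]] = defaultdict(dict)
    for e in entries:
        name = e.path.lower().rsplit("\\", 1)[-1]
        kind = "reference" if "\\dllcache\\" in e.path.lower() else "live"
        by_name[name][kind] = e   # repeated blocks (as in the log above) collapse here
    return [
        Mismatch(pair["live"], pair["reference"])
        for pair in by_name.values()
        if "live" in pair and "reference" in pair
        and pair["live"].md5 != pair["reference"].md5
    ]


def cfscript_fcopy(mismatches: List[Mismatch]) -> str:
    """Render the FCOPY:: block in the shape the reply above uses: source | destination."""
    lines = ["FCOPY::"]
    lines.extend(f"{m.reference.path} | {m.live.path}" for m in mismatches)
    return "\n".join(lines)


# Constructed sample: the Sigcheck section excerpted from the ComboFix log above,
# including its repeated block, followed by the banner that ends the section.
SAMPLE_LOG = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys
[-] 2008-04-14 12:00 . 90A9305F8727DDB9D5EA8189B520E463 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys
[-] 2008-04-14 12:00 . 90A9305F8727DDB9D5EA8189B520E463 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
.
((((((((((((((((((((((((((((( SnapShot@2011-12-28_05.48.40 )))))))))))))))))))))))))))))))))))))))))
"""

if __name__ == "__main__":
    found = find_mismatches(parse_sigcheck(SAMPLE_LOG))
    for m in found:
        print(f"{m.live.path}: {m.live.md5} (dllcache copy: {m.reference.md5})")
    print(cfscript_fcopy(found))
```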

The good news is that my computer has internet access again ^_^. I ran ComboFix twice and the second time worked. The bad news is that ComboFix said I have the rootkit virus still. (>_<)

Here are the logs:

COMBOFIX LOG

ComboFix 12-01-06.01 - Fresh Bread 01/06/2012 16:02:08.6.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.640 [GMT -5:00]

Running from: D:\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))

.

.

2011-12-28 04:41 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-28 04:41 . 2011-12-28 04:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-28 04:34 . 2010-04-14 01:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys

2011-12-28 04:34 . 2011-12-28 04:34 -------- d-----w- c:\program files\McAfee Online Backup

2011-12-28 04:33 . 2011-04-11 19:29 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys

2011-12-28 04:31 . 2011-10-15 17:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-12-28 04:31 . 2011-10-15 17:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-12-28 04:31 . 2011-10-15 17:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-12-28 04:31 . 2011-10-15 17:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-12-28 04:31 . 2011-10-15 17:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-12-28 04:31 . 2011-10-15 17:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-12-28 04:31 . 2011-10-15 17:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-12-28 04:31 . 2011-10-15 17:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-12-28 04:31 . 2011-12-28 04:32 -------- d-----w- c:\program files\Common Files\Mcafee

2011-12-28 04:31 . 2011-12-28 05:23 -------- d-----w- c:\program files\McAfee

2011-12-28 04:18 . 2011-11-18 21:36 150856 ----a-w- c:\windows\system32\mfevtps.exe

2011-12-28 04:18 . 2011-12-28 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2011-12-28 03:32 . 2011-12-28 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix

2011-12-28 02:46 . 2011-12-28 02:46 -------- d-----w- c:\program files\Citrix

2011-12-28 02:46 . 2011-12-28 02:46 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Citrix

2011-12-28 02:13 . 2011-12-28 05:50 -------- d-----w- c:\program files\Perfect Uninstaller

2011-12-18 06:56 . 2011-12-18 06:56 -------- d-----w- c:\program files\VS Revo Group

2011-12-18 06:52 . 2011-12-18 06:52 -------- d-----w- c:\documents and settings\All Users\Uniblue

2011-12-18 03:48 . 2011-12-18 03:48 -------- d-----w- c:\program files\ESET

2011-12-17 07:28 . 2011-12-17 07:28 -------- d-----w- c:\documents and settings\Fresh Bread\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2011-12-17 06:45 . 2011-12-17 06:45 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\McAfee Anti-Theft

2011-12-15 05:44 . 2011-12-15 05:44 -------- d-----w- c:\program files\Common Files\Java

2011-12-15 04:58 . 2011-12-15 04:58 -------- d-----w- c:\documents and settings\Fresh Bread\Local Settings\Application Data\PCHealth

2011-12-14 03:43 . 2011-12-14 03:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

2011-12-13 11:33 . 2011-12-13 11:33 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp

2011-12-12 21:33 . 2011-12-12 21:33 -------- d-----w- c:\documents and settings\Fresh Bread\Application Data\Malwarebytes

2011-12-12 21:33 . 2011-12-12 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-12-11 04:57 . 2011-12-11 05:34 -------- d-----w- c:\documents and settings\Administrator

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-23 13:25 . 2009-08-01 07:34 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-10 10:54 . 2010-07-01 03:14 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-10 08:27 . 2010-07-01 03:14 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-11-04 22:06 . 2011-05-15 18:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-04 19:20 . 2009-08-01 07:34 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20 . 2009-08-01 07:34 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20 . 2009-08-01 07:34 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23 . 2009-08-01 07:34 385024 ----a-w- c:\windows\system32\html.iec

2011-11-01 16:07 . 2009-08-01 07:34 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31 . 2009-08-01 07:34 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37 . 2008-04-14 00:54 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-18 11:13 . 2009-08-01 07:34 186880 ----a-w- c:\windows\system32\encdec.dll

2011-10-15 17:16 . 2011-10-15 17:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-10-15 17:16 . 2011-10-15 17:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-10-10 14:22 . 2009-08-01 06:53 692736 ----a-w- c:\windows\system32\inetcomm.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-12-28_05.48.40 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-01-06 21:00 . 2012-01-06 21:00 16384 c:\windows\Temp\Perflib_Perfdata_4ac.dat

+ 2012-01-06 21:00 . 2012-01-06 21:00 16384 c:\windows\Temp\Perflib_Perfdata_2fc.dat

+ 2009-08-01 07:34 . 2012-01-06 21:05 73368 c:\windows\system32\perfc009.dat

- 2009-08-01 07:34 . 2011-12-28 05:28 73368 c:\windows\system32\perfc009.dat

+ 2009-08-01 07:34 . 2012-01-06 21:05 445946 c:\windows\system32\perfh009.dat

- 2009-08-01 07:34 . 2011-12-28 05:28 445946 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]

@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"

[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]

2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]

@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"

[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]

2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]

@="{b4caf489-1eec-c617-49ad-8d7088598c06}"

[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]

2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-16 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]

"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-07-17 53248]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]

"RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]

"CLMLServer"="c:\program files\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]

"McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-8-1 565248]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-11 73728]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2011-12-28 02:46 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Documents and Settings\\Fresh Bread\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

.

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [12/27/2011 11:33 PM 64048]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/27/2011 11:31 PM 89792]

R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [12/27/2011 11:34 PM 54776]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/27/2011 11:41 PM 652872]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/27/2011 11:31 PM 214904]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/27/2011 11:32 PM 160608]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/27/2011 11:18 PM 150856]

R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]

R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [8/1/2009 4:35 AM 237568]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/27/2011 11:31 PM 57600]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/1/2009 2:35 AM 38912]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/27/2011 11:41 PM 20464]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/27/2011 11:31 PM 338176]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/27/2011 11:31 PM 83856]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2010 11:11 PM 136176]

S2 XMLProvS;Network ProService;c:\windows\System32\svchost.exe -k xmlpros [8/1/2009 2:34 AM 14336]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/1/2009 3:48 AM 1684736]

S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/1/2009 3:50 AM 24064]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/8/2010 11:11 PM 136176]

S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe --> c:\progra~1\mcafee\msc\mcawfwk.exe [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/27/2011 11:31 PM 83856]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/27/2011 11:31 PM 87656]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/1/2009 3:43 AM 162816]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

xmlpros REG_MULTI_SZ XMLProvS

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]

.

2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 04:11]

.

2012-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 04:11]

.

2012-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993469562-757298511-4166307882-1005Core.job

- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 07:27]

.

2012-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3993469562-757298511-4166307882-1005UA.job

- c:\documents and settings\Fresh Bread\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 07:27]

.

.

------- Supplementary Scan -------

.

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html

Trusted Zone: amtrak.com\tickets

Trusted Zone: amtrak.com\www

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 65.32.5.111 65.32.5.112

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-06 16:14

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1384)

c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll

.

Completion time: 2012-01-06 16:16:54

ComboFix-quarantined-files.txt 2012-01-06 21:16

ComboFix2.txt 2011-12-31 22:20

ComboFix3.txt 2011-12-28 08:35

ComboFix4.txt 2011-12-28 07:29

ComboFix5.txt 2012-01-06 20:24

.

Pre-Run: 91,905,392,640 bytes free

Post-Run: 91,896,414,208 bytes free

.

- - End Of File - - 81AE3B162823FE4623BA05C550057566

DDS LOG

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Fresh Bread at 16:19:22 on 2012-01-06

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.595 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\McAfee Online Backup\MOBKbackup.exe

C:\Program Files\Acer\Acer VCM\RS_Service.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\system32\wscntfy.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph06103045l0354wui5w4842655s

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111227233155.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [LManager] c:\progra~1\launch~1\LManager.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PLFSetL] c:\windows\PLFSetL.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [McPvTray_exe] "c:\program files\mcafee\mat\McPvTray.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: amtrak.com\tickets

Trusted Zone: amtrak.com\www

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

TCP: DhcpNameServer = 65.32.5.111 65.32.5.112

TCP: Interfaces\{E2030F1D-FA9E-405E-97F2-0EA8456A89F0} : DhcpNameServer = 65.32.5.111 65.32.5.112

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2011-12-27 64048]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-10-15 464176]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-12-27 89792]

R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2011-12-27 54776]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-27 652872]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-27 214904]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-27 166288]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-12-27 160608]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-27 150856]

R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]

R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-8-1 237568]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-12-27 57600]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-1 38912]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-27 20464]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-12-27 180816]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-12-27 338176]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-12-27 83856]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]

S2 XMLProvS;Network ProService;c:\windows\system32\svchost.exe -k xmlpros [2009-8-1 14336]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-1 1684736]

S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-1 24064]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]

S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe --> c:\progra~1\mcafee\msc\mcawfwk.exe [?]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-12-27 59456]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-12-27 83856]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-27 87656]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-1 162816]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

.

=============== Created Last 30 ================

.

2011-12-28 05:09:04 -------- d-sha-r- C:\cmdcons

2011-12-28 05:05:53 98816 ----a-w- c:\windows\sed.exe

2011-12-28 05:05:53 518144 ----a-w- c:\windows\SWREG.exe

2011-12-28 05:05:53 256000 ----a-w- c:\windows\PEV.exe

2011-12-28 05:05:53 208896 ----a-w- c:\windows\MBR.exe

2011-12-28 04:41:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-28 04:41:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-28 04:34:24 -------- d-----w- c:\program files\McAfeeMOBK

2011-12-28 04:34:15 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys

2011-12-28 04:34:04 -------- d-----w- c:\program files\McAfee Online Backup

2011-12-28 04:33:44 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys

2011-12-28 04:31:55 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-12-28 04:31:49 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-12-28 04:31:49 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-12-28 04:31:49 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-12-28 04:31:49 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-12-28 04:31:49 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-12-28 04:31:49 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-12-28 04:31:49 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-12-28 04:31:43 -------- d-----w- c:\program files\common files\Mcafee
2011-12-28 04:31:41 -------- d-----w- c:\program files\McAfee.com
2011-12-28 04:31:25 -------- d-----w- c:\program files\McAfee
2011-12-28 04:18:56 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-12-28 03:32:00 -------- d-----w- c:\documents and settings\all users\application data\Citrix
2011-12-28 02:46:43 -------- d-----w- c:\program files\Citrix
2011-12-28 02:46:39 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\Citrix
2011-12-28 02:13:36 -------- d-----w- c:\program files\Perfect Uninstaller
2011-12-18 06:56:53 -------- d-----w- c:\program files\VS Revo Group
2011-12-18 06:52:12 -------- d-----w- c:\documents and settings\all users\Uniblue
2011-12-18 03:48:48 -------- d-----w- c:\program files\ESET
2011-12-17 07:28:06 -------- d-----w- c:\documents and settings\fresh bread\application data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-12-17 06:45:54 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\McAfee Anti-Theft
2011-12-17 06:38:53 148520 ----a-r- c:\windows\system32\mfevtps.exe.e42d.deleteme
2011-12-15 04:58:52 -------- d-----w- c:\documents and settings\fresh bread\local settings\application data\PCHealth
2011-12-12 21:33:58 -------- d-----w- c:\documents and settings\fresh bread\application data\Malwarebytes
2011-12-12 21:33:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 10:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 22:06:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-15 17:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 17:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 16:19:50.81 ===============


Hi,

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start the scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time)
  • Please post the contents of that log in your next reply.

There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Next, download MBRCheck.exe by a_d_13 and save it to your Desktop.

Run it; when it completes, a log will be available on your Desktop (MBRCheck xxxxxx .txt) where xxxxxx is the time it ran.


The forums look updated. They look nice.

aswMBR log:

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-12 15:39:36
-----------------------------
15:39:36.296 OS Version: Windows 5.1.2600 Service Pack 3
15:39:36.296 Number of processors: 2 586 0x1C02
15:39:36.296 ComputerName: STRAWBERRY-CHAN UserName: Fresh Bread
15:39:40.312 Initialize success
15:44:57.156 AVAST engine defs: 12011200
15:45:04.390 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
15:45:04.390 Disk 0 Vendor: Hitachi_ PBBO Size: 152627MB BusType: 3
15:45:04.421 Disk 0 MBR read successfully
15:45:04.421 Disk 0 MBR scan
15:45:04.500 Disk 0 Windows VISTA default MBR code
15:45:04.515 Disk 0 Partition 1 00 12 Compaq diag NTFS 10244 MB offset 63
15:45:04.531 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 142381 MB offset 20981760
15:45:04.562 Disk 0 scanning sectors +312578048
15:45:04.687 Disk 0 scanning C:\WINDOWS\system32\drivers
15:45:46.593 Service scanning
15:45:48.734 Modules scanning
15:45:56.890 Disk 0 trace - called modules:
15:45:56.937 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
15:45:56.953 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8736aab8]
15:45:56.968 3 CLASSPNP.SYS[f75fdfd7] -> nt!IofCallDriver -> \Device\00000072[0x8735c1a8]
15:45:56.984 5 ACPI.sys[f7574620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x873d3030]
15:45:57.843 AVAST engine scan C:\WINDOWS
15:46:30.421 File: C:\WINDOWS\PEV.exe **INFECTED** Win32:Rootkit-gen [Rtk]
15:46:46.328 AVAST engine scan C:\WINDOWS\system32
15:50:31.562 AVAST engine scan C:\WINDOWS\system32\drivers
15:50:51.234 AVAST engine scan C:\Documents and Settings\Fresh Bread
15:59:44.296 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Fresh Bread\Desktop\MBR.dat"
15:59:44.531 The log file has been saved successfully to "C:\Documents and Settings\Fresh Bread\Desktop\aswMBR 1-12.txt"

MBRCHECK log:

MBRCheck, version 1.2.3
© 2010, AD
Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000004
Kernel Drivers (total 125):


Processes (total 53):
0 System Idle Process
4 System
1308 C:\WINDOWS\system32\smss.exe
1360 csrss.exe
1384 C:\WINDOWS\system32\winlogon.exe
1428 C:\WINDOWS\system32\services.exe
1440 C:\WINDOWS\system32\lsass.exe
1600 C:\WINDOWS\system32\svchost.exe
1672 svchost.exe
1712 C:\WINDOWS\system32\svchost.exe
1868 svchost.exe
1896 svchost.exe
444 C:\WINDOWS\system32\spoolsv.exe
596 svchost.exe
632 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
652 C:\Program Files\Bonjour\mDNSResponder.exe
744 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
756 C:\Program Files\Java\jre6\bin\jqs.exe
788 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
916 C:\WINDOWS\system32\mfevtps.exe
964 C:\Program Files\McAfee Online Backup\MOBKbackup.exe
1112 C:\Program Files\Acer\Acer VCM\RS_Service.exe
1136 C:\WINDOWS\system32\svchost.exe
1924 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
1252 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
2560 C:\WINDOWS\explorer.exe
2664 C:\WINDOWS\system32\rundll32.exe
2732 C:\WINDOWS\system32\ctfmon.exe
2396 alg.exe
1952 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
2744 C:\PROGRA~1\LAUNCH~1\LManager.exe
3036 C:\WINDOWS\system32\hkcmd.exe
3064 C:\WINDOWS\system32\igfxpers.exe
3136 C:\WINDOWS\PLFSetL.exe
3156 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
396 C:\WINDOWS\RTHDCPL.EXE
3196 C:\WINDOWS\system32\igfxsrvc.exe
3240 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
3716 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
3796 C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe
3976 C:\Program Files\iTunes\iTunesHelper.exe
436 C:\Program Files\Common Files\Java\Java Update\jusched.exe
364 C:\Program Files\McAfee.com\Agent\mcagent.exe
952 C:\Program Files\McAfee\MAT\McPvTray.exe
1300 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2480 C:\Program Files\Acer\Acer VCM\AcerVCM.exe
700 C:\Program Files\iPod\bin\iPodService.exe
3932 C:\WINDOWS\system32\igfxext.exe
2884 C:\WINDOWS\system32\svchost.exe
2168 C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
2948 C:\Program Files\Internet Explorer\iexplore.exe
608 C:\Program Files\Internet Explorer\iexplore.exe
3140 C:\Documents and Settings\Fresh Bread\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`80500000 (NTFS)
PhysicalDrive0 Model Number: HitachiHTS545016B9A300, Rev: PBBOC60F

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979

Done!

MBR.zip

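Added example, not part of the thread and not code from aswMBR or MBRCheck: a small Python parser that reads a 512-byte master boot record, lists the partition table and hashes the boot-code region, which is the same information the two logs above report, plus the sanity checks a reviewer applies to such a log (exactly one active partition, no overlapping partitions, known partition types, boot code matching a known-good hash). The sample sector is constructed here from the partition values in the aswMBR log; the boot code, disk signature and the "known-good" hash are placeholders, and hashing the first 440 bytes is this example's choice, since the page does not say how MBRCheck computes its SHA1.

```python
"""Parse a 512-byte MBR and report what aswMBR / MBRCheck-style logs show.

Added example (not from the thread or either tool). The sample MBR below is
constructed from the aswMBR log's partition entries; boot code, disk signature
and the known-good hash are placeholders, not values from a real disk.
"""
import hashlib
import struct
from typing import List, Optional

SECTOR = 512
MB = 1024 * 1024

# Partition type codes that appear in the aswMBR log (subset of the standard table).
PART_TYPES = {0x07: "HPFS/NTFS", 0x12: "Compaq diag", 0x00: "empty"}


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue
        parts.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "offset": lba,                       # first sector (LBA), as aswMBR prints it
            "sectors": count,
            "size_mb": count * SECTOR // MB,     # truncated, matching the log's whole-MB sizes
        })
    return {
        "bootcode_sha1": hashlib.sha1(mbr[:440]).hexdigest().upper(),  # choice of region is an assumption
        "disk_signature": struct.unpack("<I", mbr[440:444])[0],
        "partitions": parts,
    }


def check_mbr(info: dict, known_good_sha1: Optional[str] = None) -> List[str]:
    """Defender-side sanity checks over a parsed MBR; returns a list of findings."""
    findings = []
    parts = info["partitions"]
    if sum(p["active"] for p in parts) != 1:
        findings.append("expected exactly one active partition")
    for p in parts:
        if p["type_name"] == "unknown":
            findings.append(f"partition {p['index']}: unknown type 0x{p['type']:02X}")
    spans = sorted((p["offset"], p["offset"] + p["sectors"], p["index"]) for p in parts)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    if known_good_sha1 and info["bootcode_sha1"] != known_good_sha1.upper():
        findings.append("boot code hash differs from the known-good value")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code plus the two partitions from the aswMBR log."""
    code = bytes([0xEB, 0xFE]) + bytes(438)                 # 'jmp $' padded to 440 bytes (placeholder)
    sig = struct.pack("<I", 0x12345678) + b"\x00\x00"       # constructed disk signature + 2 reserved bytes
    # Partition 1: type 0x12 (Compaq diag), offset 63, runs up to partition 2 -> 10244 MB
    p1 = struct.pack("<B3xB3xII", 0x00, 0x12, 63, 20981760 - 63)
    # Partition 2: active, type 0x07 (NTFS), offset 20981760, ends at sector 312578048 -> 142381 MB
    p2 = struct.pack("<B3xB3xII", 0x80, 0x07, 20981760, 312578048 - 20981760)
    return code + sig + p1 + p2 + bytes(32) + b"\x55\xAA"


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    for p in info["partitions"]:
        flag = "(A)" if p["active"] else "   "
        print(f"Partition {p['index']} {flag} {p['type']:02X} {p['type_name']} "
              f"{p['size_mb']} MB offset {p['offset']}")
    print("boot code SHA1:", info["bootcode_sha1"])
    print("findings:", check_mbr(info) or "none")
```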

Hi,

Are you currently experiencing any symptoms of infection?

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

Next, please run a free online scan with the ESET Online Scanner.

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Well my computer doesn't act like it has a virus, but I don't trust it anymore after what I've read about what a rootkit virus does. Basically I've heard that I should reformat my entire computer. I want to back stuff up somehow, but I've been told (not in this forum, but through word of mouth) that anything I back up (files and even the flash drive I use) could be infected and then carry the rootkit virus with it to reinfect me in the future. >_< What is true here? What would you recommend?

Beforehand the only way I knew something was strange was because Malwarebytes kept blocking IP addresses. I was getting tons of those every minute. Somehow I mixed up the trial and the free version of Malwarebytes, so since I'm on the free version now I'm wondering if that is why I don't get any blocking anymore ... or is it because Malwarebytes doesn't have to block anything anymore (i.e., the virus is gone)? Also ping.exe was working overtime, it seemed, and making my computer run slower, and I don't see that running anymore.

I had used ESET before and it had detected the rootkit before but it couldn't delete it. This time it didn't see the rootkit, but according to the log it did find and clean the Kryptik trojan. I wanted to know if I should "delete quarantined files" before I click "finish".

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=3a026f5220618744b78c860282050675
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-12-18 05:47:13
# local_time=2011-12-18 12:47:13 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16777173 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=93498
# found=2
# cleaned=0
# scan_time=5898
C:\WINDOWS\system32\drivers\ipsec.sys a variant of Win32/Rootkit.Kryptik.GG trojan (unable to clean) 00000000000000000000000000000000 I
${Memory} multiple threats 00000000000000000000000000000000 I

# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=3a026f5220618744b78c860282050675
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-18 02:31:41
# local_time=2012-01-18 09:31:41 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16777173 100 75 914478 27259126 0 0
# compatibility_mode=8192 67108863 100 0 1781136 1781136 0 0
# scanned=73619
# found=12
# cleaned=12
# scan_time=17840
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ReactivateIE.exe.vir a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\Toolbar32.dll.vir a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ToolbarBroker.exe.vir a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe.vir a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP303\A0093378.exe a variant of Win32/Kryptik.XKR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP308\A0095344.exe a variant of Win32/PerfectUninstaller application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP308\A0095358.exe a variant of Win32/Toolbar.Zugo application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP308\A0095364.exe a variant of Win32/PerfectUninstaller application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP309\A0095578.exe a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP309\A0095580.dll a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP309\A0095581.exe a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{577E2158-88B0-493A-BDB5-E2EE0FE6AC39}\RP309\A0095582.exe a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

The thing I noticed in the security check was that it said Windows Firewall is disabled. Since I have a firewall through McAfee, I wanted to ask if I should run two firewalls together (in other words, should I turn on the Windows Firewall too)? I have heard that it isn't good to have two virus programs running together. Is that the same with firewalls?

Results of screen317's Security Check version 0.99.30
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
ESET Online Scanner v3
McAfee Total Protection
McAfee Online Backup
```````````````````````````````
Anti-malware/Other Utilities Check:
Java 6 Update 30
````````````````````````````````
Process Check:
objlist.exe by Laurent
ESET ESET Online Scanner OnlineCmdLineScanner.exe
McAfee Online Backup MOBKbackup.exe
``````````End of Log````````````


I had one more concern. I was looking in the application data folder and I noticed a strange folder. It says it was modified around the time I got the virus, in fact. It is named "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" (what a long name for a folder!). The Adobe folder also has the same modification date. I'm wondering if I should delete these folders (and would that matter, since it doesn't delete registry files). The strange com.adobe.mauby folder seems empty, so maybe one of the cleaners already cleaned out the important bad files? What do you suggest? I could always redownload Adobe, I'm sure.


Ok ... I don't like posting so many times in a row, but I noticed something else strange in the application data folder and maybe the "root" of all the problems in the first place. There is another folder that shouldn't be there. It is named "utorrent", which I thought I had deleted from the computer (it doesn't exist in the program files folder anymore as far as I can tell). Well, it doesn't have any application in it, but some files that seem to be unable to run (you know how they get that funny look to them when a program doesn't exist for them anymore). What bothers me the most is the date and time of the last modification of the folder ... I'm pretty sure it is the exact date and time of when I got the initial XP Antivirus 2012 virus! So I want to get rid of this folder for sure! But again, how can I make sure that I'm also deleting the registry files associated with it? Or is it ok to just delete this rogue folder?


Hi,

I apologize for the extended delay. The new forum software made finding my topics difficult, and yours slipped through.

You didn't have a file infector, so while yes, formatting is the best option here, backing up documents and images should be fine.

Yes click Delete Quarantined Files.

Do not run two firewalls together.

Delete the com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 folder.

Delete the uTorrent folder.

Reboot.

Update MBAM, run a Quick Scan, and post its log.

If you don't think your computer is safe (I wouldn't either), formatting your hard drive and reinstalling Windows is definitely the best option.


Thank you very much for answering all my questions (sorry I had so many). I thought maybe since I posted so many times in a row, that is why you couldn't respond back to me sooner (in other words, the system put me at the bottom of the list).

I feel better to know that it wasn't a "file infector" so I can back up my data now. I guess I have to look into that before I go through the inevitable process of reformatting ... Do you have any suggestions?

The scan doesn't show any problems by the way:

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 192864
Time elapsed: 17 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Hi,

Sorry I missed your post.

I guess I have to look into that before I go through the inevitable process of reformatting ... Do you have any suggestions?
Not sure I understand you here. Look into what, specifically?


Sorry. I need to "back up" data. I have heard of online systems for this and then there is the old fashioned manual method using an external hard drive I guess. I am going to google it.


The best way for me has always been using a flash drive / external hard drive. That way you know exactly what you are backing up, which may not necessarily be the case for online solutions.


Are you still with us? This topic will be closed in a few days if we do not hear back from you.


Oh, I didn't notice there was a second page already.

I'm still here. I haven't felt comfortable with the online backup tools I found so far, so it was reassuring to hear you endorse the old-fashioned method of using an external hard drive. Thank you.


:)

Let me know if there is anything else I can help with. I would recommend doing it sooner rather than later...


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
