Here is the new ComboFix log it produced:
ComboFix 08-11-13.01 - Owner 2008-11-14 19:02:48.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.621 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
FILE ::
c:\documents and settings\All Users\Application Data\abut.com
c:\documents and settings\All Users\Application Data\awejiv.dat
c:\documents and settings\All Users\Application Data\nudogopese.dat
c:\documents and settings\All Users\Application Data\owodoweti.bin
c:\documents and settings\All Users\Application Data\uhywuro.vbs
c:\documents and settings\Owner\Application Data\ahek.bin
c:\documents and settings\Owner\Application Data\bixyxop.com
c:\documents and settings\Owner\Application Data\ezoti.bin
c:\documents and settings\Owner\Application Data\fyhubumove.pif
c:\documents and settings\Owner\Application Data\ifycac.scr
c:\documents and settings\Owner\Application Data\modiquw.dat
c:\documents and settings\Owner\Application Data\mymadabo.vbs
c:\documents and settings\Owner\Application Data\qyvijy.com
c:\documents and settings\Owner\Application Data\uvod.sys
c:\documents and settings\Owner\Application Data\ydude.reg
c:\program files\Common Files\aresysyqov.scr
c:\program files\Common Files\dameh.com
c:\windows\avahy.exe
c:\windows\cejuzyw._sy
c:\windows\dasyqipiz.bin
c:\windows\esolypis.vbs
c:\windows\gybebuleca.exe
c:\windows\omaz.pif
c:\windows\sinum.exe
c:\windows\SYSTEM32\erabotyk.dl
c:\windows\System32\OOBE\oobebaln.exe
c:\windows\SYSTEM32\pefolu.vbs
c:\windows\SYSTEM32\uzymod.dat
c:\windows\SYSTEM32\ycyxyneqet.ban
c:\windows\usowys.bin
c:\windows\ymiwusudug.reg
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\abut.com
c:\documents and settings\All Users\Application Data\awejiv.dat
c:\documents and settings\All Users\Application Data\nudogopese.dat
c:\documents and settings\All Users\Application Data\owodoweti.bin
c:\documents and settings\All Users\Application Data\uhywuro.vbs
c:\documents and settings\Owner\Application Data\ahek.bin
c:\documents and settings\Owner\Application Data\bixyxop.com
c:\documents and settings\Owner\Application Data\ezoti.bin
c:\documents and settings\Owner\Application Data\fyhubumove.pif
c:\documents and settings\Owner\Application Data\ifycac.scr
c:\documents and settings\Owner\Application Data\modiquw.dat
c:\documents and settings\Owner\Application Data\mymadabo.vbs
c:\documents and settings\Owner\Application Data\qyvijy.com
c:\documents and settings\Owner\Application Data\uvod.sys
c:\documents and settings\Owner\Application Data\ydude.reg
c:\program files\AntivirusPro2009
c:\program files\AntivirusPro2009\data\daily.cvd
c:\program files\Common Files\aresysyqov.scr
c:\program files\Common Files\dameh.com
c:\windows\avahy.exe
c:\windows\cejuzyw._sy
c:\windows\dasyqipiz.bin
c:\windows\esolypis.vbs
c:\windows\gybebuleca.exe
c:\windows\omaz.pif
c:\windows\sinum.exe
c:\windows\SYSTEM32\erabotyk.dl
c:\windows\System32\OOBE\oobebaln.exe
c:\windows\SYSTEM32\pefolu.vbs
c:\windows\SYSTEM32\uzymod.dat
c:\windows\SYSTEM32\ycyxyneqet.ban
c:\windows\usowys.bin
c:\windows\ymiwusudug.reg
.
((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 )))))))))))))))))))))))))))))))
.
2008-11-23 20:05 . 2008-10-15 08:34 337,408 --------- c:\windows\SYSTEM32\dllcache\netapi32.dll
2008-11-19 22:20 . 2008-11-13 16:22 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-11-19 22:03 . 2008-11-19 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-11-19 22:03 . 2008-11-14 18:51 9,071 --a------ c:\windows\SYSTEM32\Config.MPF
2008-11-19 22:02 . 2006-03-03 08:07 143,360 --a------ c:\windows\SYSTEM32\dunzip32.dll
2008-11-19 21:59 . 2007-11-22 06:44 201,320 --a------ c:\windows\SYSTEM32\drivers\mfehidk.sys
2008-11-19 21:59 . 2007-07-13 06:20 113,952 --a------ c:\windows\SYSTEM32\drivers\Mpfp.sys
2008-11-19 21:59 . 2007-11-22 06:44 79,304 --a------ c:\windows\SYSTEM32\drivers\mfeavfk.sys
2008-11-19 21:59 . 2007-12-02 12:51 40,488 --a------ c:\windows\SYSTEM32\drivers\mfesmfk.sys
2008-11-19 21:59 . 2007-11-22 06:44 35,240 --a------ c:\windows\SYSTEM32\drivers\mfebopk.sys
2008-11-19 21:59 . 2007-11-22 06:44 33,832 --a------ c:\windows\SYSTEM32\drivers\mferkdk.sys
2008-11-19 21:58 . 2008-11-19 21:58 <DIR> d-------- c:\program files\McAfee.com
2008-11-19 21:58 . 2008-11-29 20:42 <DIR> d-------- c:\program files\McAfee
2008-11-19 21:58 . 2008-11-19 21:59 <DIR> d-------- c:\program files\Common Files\McAfee
2008-11-15 23:29 . 2008-09-08 02:41 333,824 --------- c:\windows\SYSTEM32\dllcache\srv.sys
2008-11-15 23:28 . 2008-08-14 02:11 2,189,184 --------- c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
2008-11-15 23:28 . 2008-08-14 02:09 2,145,280 --------- c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
2008-11-15 23:28 . 2008-08-14 01:33 2,066,048 --------- c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
2008-11-15 23:28 . 2008-08-14 01:33 2,023,936 --------- c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
2008-11-15 23:28 . 2008-09-15 04:12 1,846,400 --------- c:\windows\SYSTEM32\dllcache\win32k.sys
2008-11-12 22:03 . 2008-11-12 22:03 118 --a------ c:\windows\SYSTEM32\MRT.INI
2008-11-12 21:00 . 2008-09-04 09:15 1,106,944 --------- c:\windows\SYSTEM32\dllcache\msxml3.dll
2008-11-12 21:00 . 2008-10-24 03:21 455,296 --------- c:\windows\SYSTEM32\dllcache\mrxsmb.sys
2008-11-11 18:33 . 2008-11-11 18:33 250 --a------ c:\windows\gmer.ini
2008-11-09 16:52 . 2008-11-09 16:52 <DIR> d-------- c:\documents and settings\Owner\Application Data\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 07:30 --------- d-----w c:\program files\Full Tilt Poker
2008-11-20 06:16 --------- d-----w c:\program files\Common Files\Motive
2008-11-20 06:03 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-11-20 05:46 --------- d-----w c:\documents and settings\Owner\Application Data\Verizon
2008-11-20 05:46 --------- d-----w c:\documents and settings\All Users\Application Data\Verizon
2008-11-18 20:49 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2008-11-14 22:26 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-08 04:44 --------- d---a-w c:\program files\Encarta Online
2008-11-08 04:44 --------- d-----w c:\program files\Microsoft Works
2008-11-08 04:44 --------- d-----w c:\program files\EMusic
2008-11-07 08:21 --------- d-----w c:\program files\viewsonic
2008-11-07 08:21 --------- d-----w c:\program files\Compaq A3000
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\dllcache\ieframe.dll
2008-10-01 23:46 49,152 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHI18N.dll
2008-10-01 23:45 77,824 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\WinVerifyTrust.dll
2008-10-01 23:45 420,432 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\pchplugin.zip
2008-10-01 23:45 155,648 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHButton.exe
2008-10-01 23:45 126,976 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\ContentUpdater.exe
2008-10-01 23:45 122,880 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\SearchCtrl.dll
2008-10-01 23:44 731,136 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\motdeusr.zip
2008-10-01 23:44 106,496 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PluginCtrl.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\SYSTEM32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\dllcache\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll
2008-08-27 08:24 3,593,216 ----a-w c:\windows\SYSTEM32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\SYSTEM32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\SYSTEM32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ----a-w c:\windows\SYSTEM32\dllcache\ieakui.dll
2008-04-14 00:12 50,688 --sha-w c:\windows\twain_32.dll
2008-04-14 00:11 1,028,096 --sha-w c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 57,344 --sha-w c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 343,040 --sha-w c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 551,936 --sh--w c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 84,992 --sh--w c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 11,776 --sh--w c:\windows\SYSTEM32\regsvr32.exe
.
((((((((((((((((((((((((((((( snapshot@2008-11-13_16.36.48.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-14 00:28:27 32,768 -c--a-w c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2008-11-15 02:32:54 32,768 -c--a-w c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2008-11-14 00:28:27 32,768 -c--a-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-15 02:32:54 32,768 -c--a-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-14 00:12:31 51,200 ----a-w c:\windows\SYSTEM32\dllcache\oobebaln.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-15 28739]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-06-15 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-07 143360]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-07 90112]
"PS2"="c:\windows\system32\ps2.exe" [2001-07-03 81920]
"CTPDPSRV"="c:\windows\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE" [2001-09-18 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\SYSTEM32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-01 113664]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-01 113664]
Compaq A3000 Settings Utility.lnk - c:\program files\Compaq A3000\CPQA3000.exe [2006-03-01 1142784]
hp center.lnk - c:\program files\hp center\137903\Program\BackWeb-137903.exe [2001-09-05 16384]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-05 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-05 28672]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2006-03-01 233472]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"c:\\WINDOWS\\SYSTEM32\\spool\\drivers\\w32x86\\3\\CTpdpsrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-08 203280]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;c:\windows\system32\DRIVERS\usb8023.sys [2008-04-13 12800]
.
Contents of the 'Scheduled Tasks' folder
2008-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:57]
2006-06-14 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1142361872.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 22:52]
2008-11-20 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-11-20 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-12-03 c:\windows\Tasks\User_Feed_Synchronization-{DE8326EE-D556-48F0-A912-DDE24CD006C2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:58]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-14 19:04:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: c:\windows\explorer.exe
-> c:\program files\McAfee\SiteAdvisor\saHook.dll
.
Completion time: 2008-11-14 19

18
ComboFix-quarantined-files.txt 2008-11-15 03:05:56
ComboFix2.txt 2008-11-14 00:37:49
Pre-Run: 50,919,141,376 bytes free
Post-Run: 50,906,591,232 bytes free
240 --- E O F --- 2008-11-13 06:04:05