Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 04-12-2009, 11:05 AM   #1 (permalink)
Nistlerooy (HJT Trainee)
Join Date: Dec 2007
Location: Provo, UT
Posts: 112
OS: Windows XP MCE


Virus/Trojan disabling McAfee

Back a few months ago I contracted the Vundo virus but was able to get rid of it with Malwarebytes. A couple of weeks ago during a routine scan, one of my anti-spyware programs found it, but it hadn't progressed (installed any of the other files), and I hadn't noticed any symptoms. It was successfully removed.

Since I got the Vundo virus back when, things haven't quite been the same--the computer is running more slowly, it locks up more, little things like that. Two days ago I noticed that I was getting the "Your computer is not fully protected" notification, and when I went into McAfee SecurityCenter to "fix" the problem, it wouldn't work--the real-time virus protection, spyware protection, System Guard, and script scanner protection were disabled and I couldn't re-enable them. In addition, I have 11 svchost.exe processes running; I know it's normal to have several, but 11 seems like a lot and I never remember seeing that many--this was the first hint I had of a possible virus/trojan.

I've run a few anti-spyware programs to clean what I could, so as not to bog down the forum so much, but I'm not so sure these basic programs got it all. I've posted the DDS report here, and I'll attach the last Malwarebytes and SUPERAntiSpyware logs I have (from yesterday and a couple of days ago). Since I ran them I can now re-enable McAfee.

GMER was taking a very long time (upwards of 9 hours) and I'm not sure if that's normal. But anyway, I let it continue to run through the night and woke up to a BSoD. Here's the message:

"A process or thread crucial to system operation has unexpectedly exited or been terminated." At the bottom it said this:

"Stop: 0x000000F4 (0x00000003, 0x896980F0, 0x89698264, 0x805D1764C)"

I did a forced power off, turned it back on, and haven't had any problems as of yet. I'll let GMER run again today, but probably won't have the log until much later tonight or tomorrow.

TIA!
-Taylor

DDS Log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Taylor at 21:11:22.76 on Sat 04/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1287 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Documents and Settings\Taylor\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/campaign.asp?cid=16313
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {11359F4A-B191-42D7-905A-594F8CF0387B} - No File
TB: NewsStand Toolbar: {6e94acd5-2c6a-48ac-84ef-a4de746d385f} - c:\program files\newsstand\reader\NSIETool.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SkinClock] c:\program files\free desktop clock\DesktopClock.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [CTFMon] c:\windows\system32\trial\ctf\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Search &Dictionary - c:\program files\lexico\toolbar\dictionary.htm
IE: Search &Thesaurus - c:\program files\lexico\toolbar\thesaurus.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} - hxxp://software.newsstand.com/reader/live/Disk1/isetupml.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - hxxp://dictionary.reference.com/tools/toolbar/lexico.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LMIinit - LMIinit.dll
Notify: ssqRICTm - ssqRICTm.dll
AppInit_DLLs: oeigmy.dll xhoxkm.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\taylor\applic~1\mozilla\firefox\profiles\yef27cdx.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - plugin: c:\documents and settings\taylor\application data\mozilla\firefox\profiles\yef27cdx.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-29 130424]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-11-29 213640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-2-12 47640]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-11-29 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-11-29 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-11-29 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-11-29 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-11-29 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-11-29 40552]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-7-24 12192]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-11-29 34216]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-12-29 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-12-29 1095560]
S4 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-8-4 31592]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-04-06 01:42 <DIR> --d----- c:\program files\AVG
2009-04-06 01:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-06 01:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-06 01:33 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-06 01:33 <DIR> --d----- c:\docume~1\taylor\applic~1\SUPERAntiSpyware.com
2009-04-01 20:53 189,472 a------- c:\windows\system32\PnkBstrB.xtr
2009-03-29 20:41 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-03-29 20:41 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-03-29 20:41 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-29 20:40 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-03-29 20:40 <DIR> --d----- c:\program files\common files\PC Tools
2009-03-29 20:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-03-23 18:32 <DIR> --d----- c:\program files\HammerHead
2009-03-22 12:07 <DIR> --d----- c:\program files\Aptana
2009-03-22 02:06 <DIR> --d----- c:\program files\Joomla

==================== Find3M ====================

2009-04-08 20:06 138,168 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-08 20:06 189,472 a------- c:\windows\system32\PnkBstrB.exe
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-25 22:37 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-02-09 04:19 1,846,272 a------- c:\windows\system32\win32k.sys
2008-01-14 19:55 8,161,792 a------- c:\program files\HTML Guardian 7.msi
2008-07-05 23:54 61 ---sh--- c:\windows\cnerolf.bin
2008-12-23 16:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122320081224\index.dat
2008-12-26 01:23 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-12-26 01:23 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-12-26 01:23 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 21:12:34.76 ===============
Attached Files
File Type: zip Spyware logs.zip (3.8 KB, 2 views)
File Type: txt Attach.txt (20.7 KB, 1 views)
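As an added example (not code from this thread, from DDS, or from any tool mentioned in it), here is a small Python triage script that applies the checks an HJT analyst would run over the "Pseudo HJT Report" section of the DDS log in post #1: a Windows system binary (ctfmon.exe) autostarted from a directory other than the one it belongs in, Winlogon Notify packages outside a known-good list, any AppInit_DLLs value at all (those DLLs get loaded into every process that links user32.dll), and orphaned toolbar/BHO entries with no file behind them. The sample lines are copied from that log; the expected-directory table and the known-good Notify list are assumptions an analyst would maintain and extend, not anything the thread states.

```python
import re
from pathlib import PureWindowsPath

# Lines copied from the DDS "Pseudo HJT Report" posted in this thread. The
# McAfee, SUPERAntiSpyware and Google Toolbar lines are benign entries from
# the same log, kept so the script has something it should NOT flag.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTFMon] c:\windows\system32\trial\ctf\ctfmon.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [nwiz] nwiz.exe /install
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LMIinit - LMIinit.dll
Notify: ssqRICTm - ssqRICTm.dll
AppInit_DLLs: oeigmy.dll xhoxkm.dll
TB: {11359F4A-B191-42D7-905A-594F8CF0387B} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
"""

# ASSUMPTION: where each of these Windows binaries lives on a 32-bit XP
# install. An autostart pointing at a copy anywhere else is the classic
# impostor pattern (same file name, different directory).
EXPECTED_DIR = {
    "ctfmon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# ASSUMPTION: Winlogon Notify packages the analyst already accounts for: the
# XP defaults plus the two third-party ones this log explains (SUPERAntiSpyware
# and LogMeIn, both visible elsewhere in the DDS output). Anything else is
# flagged for review; a real list grows as products get identified.
KNOWN_NOTIFY = {n.lower() for n in (
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon",
    "!SASWinLogon", "LMIinit",
)}

RUN_RE = re.compile(r"^[um]Run: \[[^\]]*\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.*)$")
NOFILE_RE = re.compile(r"^(?:BHO|TB|EB): .* - No File$")


def exe_from_command(cmd):
    """Return the image path from a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def triage(report):
    """Return (severity, reason, line) tuples for entries worth a second look."""
    findings = []
    for line in report.strip().splitlines():
        if m := RUN_RE.match(line):
            path = PureWindowsPath(exe_from_command(m["cmd"]))
            expected = EXPECTED_DIR.get(path.name.lower())
            if str(path.parent) == ".":
                # Bare image name: resolved through the search path at logon,
                # so it is hijackable and cannot be verified from the log.
                findings.append(("LOW", "unqualified image path", line))
            elif expected and str(path.parent).lower() != expected:
                findings.append(("HIGH", f"{path.name} outside {expected}", line))
        elif m := NOTIFY_RE.match(line):
            if m["name"].lower() not in KNOWN_NOTIFY:
                findings.append(("HIGH", "unknown Winlogon Notify package", line))
        elif m := APPINIT_RE.match(line):
            for dll in m["dlls"].split():
                findings.append(("HIGH", f"AppInit_DLLs loads {dll} into every user32 process", line))
        elif NOFILE_RE.match(line):
            findings.append(("LOW", "orphaned entry, file missing", line))
    return findings


if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_DDS):
        print(f"{sev:4} {why}: {line}")
```

Run against the sample it reports four HIGH findings: the ctfmon.exe copy under system32\trial\ctf, the ssqRICTm Winlogon Notify package, and the two AppInit_DLLs entries. Random-looking DLL names registered under Winlogon Notify and AppInit_DLLs are consistent with how Vundo-family infections persisted at the time, which matches the poster's history; the heuristics only point at files to submit for analysis, they are not proof on their own, and the benign McAfee, SUPERAntiSpyware, LogMeIn and Google entries pass through unflagged.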

Old 04-13-2009, 09:22 AM   #2 (permalink)
Nistlerooy (HJT Trainee)

Re: Virus/Trojan disabling McAfee

Ok, so I tried to run GMER again last night, and I woke up to another BSoD, although this time it was different. Here was the message this time around:

"A problem has been detected and Windows has been shut down to prevent damage to your computer"

STOP: 0x0000008E (0x00000005, 0xB9D18CB7, 0xA68B7B18, 0x00000000)
PCTCore.sys - Address B9D18CB7 base at B9D15000, Datestamp 49b0b742


So I'm not sure if GMER is going to work for me or not, but so far it doesn't look like it.
Old 04-14-2009, 04:56 PM   #3 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 26,931
OS: WinXP and Vista


Re: Virus/Trojan disabling McAfee

Hello dtfrancis,

Try to run gmer again, but this time also uncheck 'Devices'.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-15-2009, 10:14 AM   #4 (permalink)
Nistlerooy (HJT Trainee)


Re: Virus/Trojan disabling McAfee

Hello Ried,

Still no go. Woke up to a BSoD again. Here's the message:

"A process or thread crucial to system operation has unexpectedly exited or been terminated."

STOP: 0x000000F4 (0x00000003, 0x89739020, 0x8939194, 0x805D164C)

When I restart my computer, Windows recognizes that it crashed and sends an error report. It then takes me to a page telling me it's a device driver problem ( http://wer.microsoft.com/responses/R...1-cca7337c0a6d )

It will run for about 6 or 7 hours just fine, I'm just not sure at what point this occurs.

Thanks,
-Taylor

Last edited by Nistlerooy; 04-15-2009 at 10:16 AM.
Old 04-16-2009, 12:37 AM   #5 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)


Re: Virus/Trojan disabling McAfee

Thanks for trying. :)

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

**If combofix will not run, rename it to dtfrancis.exe and try again.
Old 04-16-2009, 01:06 AM   #6 (permalink)
Nistlerooy (HJT Trainee)


Re: Virus/Trojan disabling McAfee

I'll get right on it, Ried. Thanks.

Do you know about how long it takes to run? Like 5 minutes? 9 hours? Just wondering so I know if I need to run it at night or not.

Thanks again,

Taylor

Last edited by Nistlerooy; 04-16-2009 at 01:07 AM. Reason: spelling
Old 04-16-2009, 01:12 AM   #7 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)


Re: Virus/Trojan disabling McAfee

gmer should only take about 10 minutes, dds.scr - about 3 minutes. If gmer gives you trouble, move on and run dds.scr and post those results, and tell me what happened when you tried to run gmer.
Old 04-16-2009, 02:41 AM   #8 (permalink)
Nistlerooy (HJT Trainee)


Re: Virus/Trojan disabling McAfee

Quote:
Originally Posted by Ried View Post
gmer should only take about 10 minutes
Odd, my GMER ran for 6+ hours each time and never finished (maybe I had something checked I shouldn't have?). The ones I do have checked are:

System
Modules
Processes
Threads
Libraries
Services
Registry
Files
C:\
ADS


Quote:
...move on and run dds.scr and post those results...
These are in my original post at the top

And is ComboFix pretty quick when it runs, or do I need to let it go over night?

Thanks,
Taylor
Old 04-16-2009, 04:10 AM   #9 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)


Re: Virus/Trojan disabling McAfee

ComboFix should complete in 10-15 minutes.
Old 04-16-2009, 10:44 AM   #10 (permalink)
Nistlerooy (HJT Trainee)


Re: Virus/Trojan disabling McAfee

Hello Ried.

So, I didn't pick up on it until this morning, but over the last 2 or 3 days I've been symptom free--my AV is no longer being disabled and I can enable it just fine, run scans, etc. Do you think I should still do the ComboFix, or consider it gone (after running several anti-malware programs and restarting numerous times) and then bring it back up if it flares up again?
Old 04-16-2009, 10:46 AM   #11 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)


Re: Virus/Trojan disabling McAfee

Please run ComboFix.exe anyway. Only 10 minutes of your time.

Be sure to post the log it produces for further review.
Old 04-16-2009, 10:58 AM   #12 (permalink)
Nistlerooy (HJT Trainee)


Re: Virus/Trojan disabling McAfee

That I can do. I may have to do it remotely (since I'm at work) via LogMeIn. Do you think that would be ok, or should I wait until later tonight when I'm at home (another 6-7 hours or so)?
Old 04-16-2009, 11:02 AM   #13 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)


Re: Virus/Trojan disabling McAfee

Via LogMeIn will work just fine.
Old 04-16-2009, 11:40 AM   #14 (permalink)
Nistlerooy (HJT Trainee)


Re: Virus/Trojan disabling McAfee

Ried, working on it now.

I got a pv.cfexe failure window asking me if I wanted to send the info on to Microsoft. I said "Don't Send". Is this normal?

Also, at first when it asked me to download WRC, it said I wasn't connected to the internet...yet I am, and I know this because I'm connected remotely.

I'm still pushing on, though. Hopefully I'll have a report for you soon, just wanted to make sure these 2 things were normal.
Old 04-16-2009, 11:53 AM   #15 (permalink)
Nistlerooy (HJT Trainee)


Re: Virus/Trojan disabling McAfee

Update: It kicked me out and LogMeIn is no longer running on the computer (it shows offline). My wife said the screen is completely blank--no Start/Task bar, no icons, nothing but a window that says "auto scan." Hopefully I'll have the report for you shortly!
Old 04-16-2009, 12:05 PM   #16 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)


Re: Virus/Trojan disabling McAfee

I've never had trouble running CF remotely via LogMeIn, so I'm not sure what happened there.

Tell your wife to reboot the machine. Then wait until you get home to run ComboFix. Before you do run it, delete the existing ComboFix.exe and download a fresh copy.
Old 04-16-2009, 12:21 PM   #17 (permalink)
Nistlerooy (HJT Trainee)


Re: Virus/Trojan disabling McAfee

Hey Ried,

Apparently it wasn't that big of an issue. I was able to log in to LMI after it was done. When it came up the desktop was back to normal, minus a few icons in the system tray. Here's the log that was up in Notepad when I came back to it. Thanks for everything.

ComboFix 09-04-17.01 - Taylor 04/16/2009 11:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1493 [GMT -6:00]
Running from: c:\documents and settings\Taylor\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tracy\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\ODCTOOLS\ef6b26db-344d-4ad3-ba24-aca0bdaa999a.cab
c:\windows\Downloaded Program Files\ODCTOOLS\f04d289f-c60a-422b-8396-6c372047042e.cab
c:\windows\system32\AutoRun.inf
c:\windows\system32\skinboxer43.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-17 to 2009-04-17 )))))))))))))))))))))))))))))))
.

2009-04-06 07:42 . 2009-04-06 07:42 -------- d-----w c:\program files\AVG
2009-04-06 07:42 . 2009-04-06 15:31 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-06 07:33 . 2009-04-06 07:33 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-06 07:33 . 2009-04-06 07:33 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-06 07:33 . 2009-04-06 07:33 -------- d-----w c:\documents and settings\Taylor\Application Data\SUPERAntiSpyware.com
2009-04-02 02:53 . 2009-04-09 02:06 189472 ----a-w c:\windows\system32\PnkBstrB.xtr
2009-03-30 21:21 . 2009-03-30 21:21 -------- d-----w c:\documents and settings\Tracy\Application Data\DivX
2009-03-30 02:41 . 2008-12-11 14:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-03-30 02:41 . 2009-03-06 22:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-03-30 02:41 . 2008-12-18 18:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-30 02:40 . 2009-03-30 15:19 -------- d-----w c:\program files\Common Files\PC Tools
2009-03-30 02:40 . 2008-12-10 18:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-03-30 02:40 . 2009-03-30 02:40 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-03-26 04:36 . 2009-03-26 04:36 -------- d-----w c:\documents and settings\Taylor\Local Settings\Application Data\PunkBuster
2009-03-24 00:32 . 2009-04-12 03:08 -------- d-----w c:\program files\HammerHead
2009-03-22 18:07 . 2009-03-22 18:07 -------- d-----w c:\program files\Aptana
2009-03-22 08:06 . 2009-03-22 08:06 -------- d-----w c:\program files\Joomla
2009-03-17 18:38 . 2009-03-17 18:38 -------- d-----w c:\documents and settings\Tracy\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 06:15 . 2009-02-12 22:19 -------- d-----w c:\program files\LogMeIn
2009-04-16 04:55 . 2007-12-01 04:30 215088 ----a-w c:\documents and settings\Tracy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-15 22:58 . 2007-11-30 23:24 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-11 18:14 . 2008-12-23 02:30 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-11 18:04 . 2008-04-05 21:03 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-11 18:03 . 2008-12-23 23:56 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-11 17:57 . 2008-07-23 05:42 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-11 17:46 . 2008-12-29 18:59 -------- d-----w c:\program files\Spyware Doctor
2009-04-11 17:42 . 2008-12-31 17:52 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-10 20:42 . 2008-01-06 06:05 -------- d-----w c:\documents and settings\Tracy\Application Data\LimeWire
2009-04-09 02:06 . 2008-06-05 19:00 138168 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-09 02:06 . 2008-06-05 19:00 189472 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-07 22:34 . 2007-12-20 23:35 -------- d-----w c:\documents and settings\Taylor\Application Data\LimeWire
2009-04-07 20:46 . 2007-12-15 03:23 -------- d-----w c:\program files\LimeWire
2009-04-06 21:32 . 2008-12-31 17:52 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 21:32 . 2008-12-31 17:53 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 06:02 . 2007-12-04 09:05 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-26 04:37 . 2008-06-05 19:00 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-25 16:41 . 2007-11-30 05:54 -------- d-----w c:\program files\McAfee
2009-03-22 02:31 . 2007-11-30 06:34 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-12 05:11 . 2008-04-29 01:37 -------- d-----w c:\program files\Steam
2009-03-06 14:00 . 2004-08-10 11:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 00:31 . 2009-03-04 00:31 -------- d-----w c:\program files\Ubisoft
2009-03-03 00:18 . 2006-03-04 03:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 16:33 . 2008-12-23 02:30 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-28 19:44 . 2008-02-18 04:02 -------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-02-26 16:43 . 2008-11-07 01:17 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-24 20:13 . 2009-02-24 20:13 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-02-24 20:12 . 2008-02-18 04:38 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-02-24 20:12 . 2008-02-18 04:38 -------- d-----w c:\program files\Common Files\Intuit
2009-02-24 20:10 . 2008-02-18 04:04 -------- d-----w c:\program files\TurboTax
2009-02-24 13:43 . 2009-02-24 13:39 -------- d-----w c:\program files\PhotoScape
2009-02-20 18:09 . 2004-08-10 11:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 16:16 . 2007-11-30 05:49 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-02-15 17:54 . 2009-02-15 17:54 594 ----a-w C:\updatedatfix.log
2009-02-12 22:20 . 2009-02-12 22:20 1024 ----a-w C:\.rnd
2009-02-11 15:27 . 2007-12-12 01:22 244 ---ha-w C:\sqmnoopt00.sqm
2009-02-11 15:27 . 2007-12-12 01:22 232 ---ha-w C:\sqmdata00.sqm
2009-02-09 10:19 . 2004-08-10 11:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2004-08-10 11:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-10 11:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-10 11:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-10 11:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:29 . 2005-03-30 01:21 2142720 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:22 . 2004-08-10 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-10 11:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2005-03-30 01:01 2020864 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-10 11:00 55808 ----a-w c:\windows\system32\secur32.dll
2009-02-02 01:25 . 2008-07-29 05:13 244 ---ha-w C:\sqmnoopt19.sqm
2009-02-02 01:25 . 2008-07-29 05:13 232 ---ha-w C:\sqmdata19.sqm
2008-11-29 16:18 . 2008-01-02 00:39 213488 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-05-17 22:13 . 2008-05-17 22:12 256 ----a-w c:\documents and settings\Tracy\pool.bin
2008-01-15 01:55 . 2008-01-15 01:55 8161792 ----a-w c:\program files\HTML Guardian 7.msi
2007-12-07 19:06 . 2007-12-07 19:04 365984 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2007-11-30 15:53 . 2007-11-30 15:53 128 ----a-w c:\documents and settings\Tracy\Local Settings\Application Data\fusioncache.dat
2007-11-30 06:13 . 2007-11-30 06:13 129 ----a-w c:\documents and settings\Taylor\Local Settings\Application Data\fusioncache.dat
2008-07-06 05:54 . 2008-07-06 05:54 61 --sh--w c:\windows\cnerolf.bin
2008-12-23 22:01 . 2008-12-23 22:01 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122320081224\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"SkinClock"="c:\program files\Free Desktop Clock\DesktopClock.exe" [2006-10-01 334848]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-21 282624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-10 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 03:35 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=oeigmy.dll xhoxkm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-04 21:18 267048 ----a-w c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
2008-03-26 23:40 2577120 ----a-w c:\program files\PCPitstop\Optimize\PCPOptimize.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-16 14:56 236016 ----a-w c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-01-02 08:03 1410296 ----a-w c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 08:11 132496 ----a-w c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-30 23:24 68856 ----a-w c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"getPlus(R) Helper"=3 (0x3)
"aawservice"=2 (0x2)
"gusvc"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\VRC\\VRC.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization iv\\Civilization4.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization iii complete\\Conquests\\Civ3Conquests.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization iv warlords\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization iv warlords\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\mount and blade\\runme.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's EndWar\\Binaries\\EndWar.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's EndWar\\Tom Clancy's EndWar Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"990:TCP"= 990:TCP:PalmTreo

R3 PciCon;PciCon; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R4 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-06-26 31592]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-06 130424]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-25 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-25 47640]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys [2008-07-25 12192]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c513a7c-d2ab-11dc-965b-001676dad68c}]
\Shell\AutoRun\command - g:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - g:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c513a84-d2ab-11dc-965b-001676dad68c}]
\Shell\AutoRun\command - g:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - g:\system\viewer\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2009-04-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-30 04:59]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-30 17:53]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-30 17:53]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CTFMon - c:\windows\system32\trial\CTF\ctfmon.exe
Notify-AtiExtEvent - (no file)
Notify-ssqRICTm - ssqRICTm.dll
MSConfigStartUp-PC Connection Agent - c:\program files\Microsoft ActiveSync\Wcescomm.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/campaign.asp?cid=16313
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Search &Dictionary - c:\program files\Lexico\Toolbar\dictionary.htm
IE: Search &Thesaurus - c:\program files\Lexico\Toolbar\thesaurus.htm
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Taylor\Application Data\Mozilla\Firefox\Profiles\yef27cdx.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - plugin: c:\documents and settings\Taylor\Application Data\Mozilla\Firefox\Profiles\yef27cdx.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 11:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-2111687655-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-04-16 11:52
ComboFix-quarantined-files.txt 2009-04-16 17:52

Pre-Run: 141,275,774,976 bytes free
Post-Run: 142,031,118,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

293 --- E O F --- 2009-04-16 15:19
Old 04-16-2009, 12:31 PM   #18 (permalink)
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,931
OS: WinXP and Vista


Re: Virus/Trojan disabling McAfee



ComboFix removed the remaining malware, but we still have a reg key to fix.

Open notepad and copy/paste the entire text in the quote box below: (don't forget to copy and paste REGEDIT4)

Quote:

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry.

You may delete the file afterwards.

----------------------------------

After completing the above, your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.



To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and, based on their findings, rate them as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out-of-date & vulnerable common applications on your computer.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
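The AppInit_DLLs entry in the ComboFix log above and the delete.reg Ried uses to clear it, worked as a small Python script added here (not part of the thread, of ComboFix, or of any tool it mentions): it parses a REGEDIT4-style "Reg Loading Points" excerpt, flags what deserves a look, and emits the same "=-" delete text. The excerpt is constructed from the thread's own entries, and the severity labels are my own assumption.

```python
import re

# Constructed excerpt modelled on the "Reg Loading Points" section of the
# ComboFix log posted above; it is not the full log.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=oeigmy.dll xhoxkm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
"""

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"
SECURITY_CENTER_PREFIX = r"HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring"

# "name"=data lines as ComboFix prints them (optional spaces around '=')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_sections(text):
    """Return {key_path: {value_name: data}} from REGEDIT4-style log text."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def find_indicators(sections):
    """Return (severity, key, detail) tuples; severities are an assumption."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        if k == APPINIT_KEY.lower():
            # Every DLL listed here is loaded into every process that maps
            # user32.dll, which is why Vundo-style infections favour it.
            # Legitimate software almost never needs this value, so any
            # entry at all is worth a high-severity finding.
            for dll in re.split(r"[\s,]+", values.get("AppInit_DLLs", "")):
                if dll:
                    findings.append(("high", key, "AppInit_DLLs loads " + dll))
        elif k.startswith(SECURITY_CENTER_PREFIX.lower()):
            # AV products set this themselves when they report status via WMI,
            # so it is informational: confirm the product set it, not malware.
            if values.get("DisableMonitoring", "").lower() == "dword:00000001":
                findings.append(("info", key, "Security Center monitoring disabled"))
    return findings


def build_appinit_fix():
    """REGEDIT4 text that deletes the AppInit_DLLs value ('=-' means delete),
    the same content as the delete.reg given in the post above."""
    return 'REGEDIT4\n\n[%s]\n"AppInit_DLLs"=-\n' % APPINIT_KEY


if __name__ == "__main__":
    for sev, key, detail in find_indicators(parse_reg_sections(SAMPLE_LOG)):
        print("%-4s %s :: %s" % (sev, detail, key))
    print(build_appinit_fix())
```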
Old 04-16-2009, 12:55 PM   #19 (permalink)
Nistlerooy
HJT Trainee
Join Date: Dec 2007
Location: Provo, UT
Posts: 112
OS: Windows XP MCE


Re: Virus/Trojan disabling McAfee

Thanks, Ried. You've been a great help. What was the diagnosis? Did the malware have a name that was still on the computer? I'll post an all clear once I do the reg edit below, and then I suppose you can mark this case closed.
Old 04-16-2009, 01:14 PM   #20 (permalink)
Nistlerooy
HJT Trainee
Join Date: Dec 2007
Location: Provo, UT
Posts: 112
OS: Windows XP MCE


Re: Virus/Trojan disabling McAfee

OK, I did the reg edit and the uninstall of ComboFix (I had to do a manual restart), I've turned my virus scanner back on, and I will turn Site Advisor back on and check that other stuff, too.

Again, thank you so much for all your help!
I think we can close this thread now unless you have anything else for me.

Oh, almost forgot a couple questions:
1 - Do I need to go into my wife's account (we have 2 user accounts) and do SpywareBlaster protection, or does doing it on mine cover all users?
2 - I forgot the second one, if I remember maybe I'll pm you.

Last edited by Nistlerooy; 04-16-2009 at 01:32 PM.
 


Copyright 2001 - 2009, Tech Support Forum