Old 04-27-2009, 08:35 PM   #1 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 8
OS: XP


Ntos-krnl hook

Hi,

I got a virus a few days ago and have been trying to get rid of it with McAfee, but every time I scan, McAfee says that it removes it and then I scan again and it is still there. I've tried booting into safe mode and scanning, but that doesn't help either. I am at my wits' end and wondering if anyone could help me. Any help would be much appreciated.
McNabbfan58193 is offline  

Old 04-27-2009, 10:14 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,914
OS: WinXP and Vista


Re: Ntos-krnl hook

Hello and welcome to TSF.

Please follow our pre-posting process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

After running through all the steps, you shall have a proper set of logs.


If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 04-28-2009, 08:25 PM   #3 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 8
OS: XP


Re: Ntos-krnl hook

Thanks for all the help. Here are the logs:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Family at 22:08:09.61 on Tue 04/28/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.305 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\snmp.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys\WMP300N\WLService.exe
C:\Program Files\Linksys\WMP300N\WMP300N.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
\\?\globalroot\systemroot\system32\rundll32.exe
C:\Documents and Settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 2\firefox.exe
C:\Documents and Settings\Family\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearch Page =
uSearch Bar =
uDefault_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=1061013
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {4B0FAF5A-67C4-4625-AE07-B0DBADA16EBF} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
uRun: [TaskSwitchXP] c:\program files\taskswitchxp\TaskSwitchXP.exe
uRun: [autochk] rundll32.exe c:\docume~1\family\protect.dll,_IWMPEvents@16
uRunOnce: [DelayShred] "c:\program files\mcafee\mshr\shrcl.exe" /p7 /q c:\docume~1\family\locals~1\tempor~1\content.ie5\wqb483xa\defaul~1.sh! c:\docume~1\family\locals~1\tempor~1\content.ie5\3bir0m6a\sa6d42~1.sh! c:\docume~1\family\locals~1\tempor~1\content.ie5\wqb483xa\ads9ca~1.sh! c:\docume~1\family\locals~1\tempor~1\content.ie5\3bir0m6a\ERROR_~1.SH!
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [<NO NAME>] c:\windows\temp\gbh2o2ydz.exe
dRun: [Windows Resurections] c:\windows\temp\gbh2o2ydz.exe
dRun: [Diagnostic Manager] c:\windows\temp\3551592940.exe
dRun: [A00F109210.exe] c:\windows\temp\_A00F109210.exe
dRun: [A00FF716E.exe] c:\windows\temp\_A00FF716E.exe
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\docume~1\family\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\documents and settings\family\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\family\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\temp\ntdll64.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: musicmatch.com\online
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: __c002AF14 - c:\windows\system32\__c002AF14.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\family\applic~1\mozilla\firefox\profiles\1rlgjhbp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnet.com/
FF - component: c:\documents and settings\family\application data\mozilla\firefox\profiles\1rlgjhbp.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\family\application data\mozilla\firefox\profiles\1rlgjhbp.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\family\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-1-6 201320]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-23 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-1-6 359248]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2007-1-6 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 WMP300NSvc;WMP300NSvc;c:\program files\linksys\wmp300n\WLService.exe [2008-4-3 53307]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-1-6 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-1-6 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-1-6 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-1-6 40488]
R3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32\drivers\WMP300Nv1.sys [2008-4-3 822400]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-1-6 33832]

=============== Created Last 30 ================

2009-04-28 13:10 24,064 a--sh--- c:\documents and settings\family\protect.dll
2009-04-28 13:10 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-04-28 13:10 27,648 a------- c:\windows\system32\lmppcsetup.exe
2009-04-27 17:50 439 a------- c:\windows\system32\win32hlp.cnf
2009-04-27 17:50 4,785 a------- c:\windows\system32\warning.gif
2009-04-27 17:50 1,400 a------- c:\windows\system32\ahtn.htm
2009-04-27 17:50 104,960 a------- c:\windows\system32\dllcache\userinit.exe
2009-04-27 17:49 1 a------- c:\windows\system32\uniq.tll
2009-04-27 17:49 29,696 a------- c:\windows\system32\frmwrk32.exe
2009-04-27 17:49 29,696 a------- c:\windows\system32\loader49.exe
2009-04-27 15:03 27,648 a------- c:\windows\system32\__c00E1819.dat
2009-04-26 21:45 <DIR> --d----- c:\docume~1\family\applic~1\.purple
2009-04-26 21:43 <DIR> --d----- c:\program files\Pidgin
2009-04-26 21:43 <DIR> --d----- c:\program files\common files\GTK
2009-04-24 13:20 4,096 a------- c:\windows\system32\ftp_non_crp.exe
2009-04-23 23:02 28,160 a------- c:\windows\system32\__c002AF14.dat
2009-04-23 23:01 39,936 a------- c:\windows\system32\winglsetup.exe
2009-04-23 18:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-04-23 18:13 <DIR> --d----- c:\program files\Nero
2009-04-23 14:11 197,915 a------- C:\wubildr
2009-04-23 14:11 8,192 a------- C:\wubildr.mbr
2009-04-23 13:46 <DIR> --d----- C:\ubuntu
2009-04-23 00:20 <DIR> --d----- c:\docume~1\family\applic~1\Windows Search
2009-04-22 17:04 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-04-22 16:45 139,264 a------- c:\windows\system32\nvcodins.dll
2009-04-22 16:45 139,264 a------- c:\windows\system32\nvcod.dll
2009-04-22 16:45 2,744,320 a------- c:\windows\system32\nvwss.dll
2009-04-22 16:43 6,186,880 a------- c:\windows\system32\nv4_disp.dll
2009-04-22 16:43 6,186,880 a------- c:\windows\system32\dllcache\nv4_disp.dll
2009-04-22 16:43 6,280,416 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-04-22 16:43 6,280,416 a------- c:\windows\system32\dllcache\nv4_mini.sys
2009-04-22 14:27 <DIR> --d----- C:\dc27f74c49a7f0742dcc0a808b
2009-04-22 14:24 <DIR> --d----- c:\windows\SxsCaPendDel
2009-04-22 14:11 <DIR> --d----- C:\fe61eade64fdd12903a7abb55a655f
2009-04-22 14:10 <DIR> --d----- C:\a6dfb0adcefec847a67b734fc8ceda
2009-04-22 14:07 <DIR> --d----- c:\program files\Microsoft
2009-04-22 14:07 <DIR> --d----- c:\docume~1\family\applic~1\Windows Desktop Search
2009-04-22 14:05 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-04-22 14:05 <DIR> --d----- c:\program files\Windows Desktop Search
2009-04-20 22:53 <DIR> --d----- c:\docume~1\family\applic~1\McAfee
2009-04-20 16:59 46 a------- c:\windows\system32\p2hhr.bat
2009-04-20 16:58 15,000 a------- c:\windows\system32\sf87wuijndoio43j.dll
2009-04-20 16:43 <DIR> --d----- c:\docume~1\family\applic~1\Focus Mp3 Recorder
2009-04-20 16:43 237,568 a------- c:\windows\system32\lame_enc.dll
2009-04-20 01:27 98,304 a------- c:\windows\system32\prunnet.exe
2009-04-18 00:31 <DIR> --d----- c:\program files\Project64 1.6
2009-04-15 18:37 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 18:37 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 18:37 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 18:37 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 18:37 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 18:37 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 18:37 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 18:37 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 18:37 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 18:35 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 18:35 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-10 21:33 5,632 a------- c:\windows\system32\ptpusb.dll
2009-04-10 21:33 159,232 a------- c:\windows\system32\ptpusd.dll
2009-04-06 16:54 1,100 a------- C:\net_save.dna
2009-04-06 16:53 <DIR> --d----- c:\program files\common files\SupportSoft
2009-03-31 22:16 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2009-03-31 22:15 <DIR> --d----- c:\program files\common files\DivX Shared

==================== Find3M ====================

2009-04-27 17:49 104,960 a------- c:\windows\system32\userinit.exe
2009-03-27 08:14 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-28 00:55 105,984 -------- c:\windows\system32\dllcache\iecompat.dll
2009-02-24 15:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-02-24 15:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-02-24 15:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-02-24 15:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-02-24 15:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-02-24 15:34 684,032 a------- c:\windows\system32\DivX.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 21:07 3,698,584 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2008-12-22 16:48 256 ac------ c:\documents and settings\family\pool.bin
2008-05-09 04:49 1,024 ac------ c:\docume~1\alluse~1\applic~1\imgpdf2.dll
2008-05-09 04:48 1,024 ac------ c:\docume~1\alluse~1\applic~1\pdfdoc2.dll
2008-04-07 14:03 9,039,673 -------- c:\documents and settings\family\iWAY250C_130.exe
2008-04-07 13:18 73,728 -c------ c:\documents and settings\family\SetupNI.dll
2008-02-07 18:20 1,024 ac------ c:\docume~1\alluse~1\applic~1\imgdoc2.dll
2004-07-30 09:56 90,112 ac------ c:\program files\common files\PCSBclean.exe
2004-07-26 15:30 291,840 ac------ c:\program files\common files\PCSBoff.exe
2008-04-24 10:04 88 -c-shr-- c:\windows\system32\E8CC884F6B.sys
2008-04-24 10:04 3,610 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 22:10:17.15 ===============
Attach.zip

ark.zip
McNabbfan58193 is offline  
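The "Pseudo HJT Report" section of the DDS log above is the part a helper reads first: autorun values started from c:\windows\temp or the user profile, a Winsock LSP in a temp folder, a Winlogon notify package pointing at a .dat file, and policies that switch off Task Manager and the Registry Editor. As an added example that is not part of this thread and not DDS or ComboFix code, the following Python script applies that kind of location-based triage to a handful of lines constructed from the report above; the heuristics and the `parse_line`/`triage` helpers are my own, and they only look at entry location, so they deliberately say "review", not "malicious".

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines in the "key: value" form of a DDS Pseudo HJT Report,
# copied or shortened from the log quoted earlier in this thread. Assumption: the
# report is pasted as plain text, one entry per line.
SAMPLE_REPORT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [autochk] rundll32.exe c:\docume~1\family\protect.dll,_IWMPEvents@16
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRun: [<NO NAME>] c:\windows\temp\gbh2o2ydz.exe
dRun: [Diagnostic Manager] c:\windows\temp\3551592940.exe
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
LSP: c:\windows\temp\ntdll64.dll
Notify: __c002AF14 - c:\windows\system32\__c002AF14.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
"""

ENTRY_RE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<rest>.*)$")
AUTORUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Captures the DLL argument of a rundll32 command (everything before ",Export").
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^,\"\s]+)", re.I)

SYSTEM32 = "\\windows\\system32\\"
# Directories from which legitimate autoruns are rarely started. An entry here
# deserves a second look, not an automatic verdict: Google Update, for one,
# legitimately lives under the user profile.
SUSPECT_DIRS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\locals~1\\")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one report line into key and value; None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"key": m.group("key"), "raw": line.strip(), "value": m.group("rest")}
    # uRun/mRun/dRun/uRunOnce values carry a "[name] command" payload.
    if entry["key"].lower().endswith(("run", "runonce")):
        am = AUTORUN_RE.match(entry["value"])
        if am:
            entry["name"] = am.group("name")
            entry["cmd"] = am.group("cmd")
    return entry


def triage(entry: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) why an entry deserves analyst review."""
    reasons: List[str] = []
    key = entry["key"].lower()
    value = entry["value"].lower()
    if "cmd" in entry:
        cmd = entry["cmd"].lower()
        if entry["name"] == "<NO NAME>":
            reasons.append("autorun value has no name")
        if any(d in cmd for d in SUSPECT_DIRS):
            reasons.append("autorun starts from a temp or user-profile location")
        rm = RUNDLL_RE.search(cmd)
        if rm and SYSTEM32 not in rm.group("dll"):
            reasons.append("rundll32 loads a DLL from outside system32")
    elif key == "lsp" and SYSTEM32 not in value:
        reasons.append("Winsock LSP outside system32")
    elif key == "notify" and value.endswith(".dat"):
        reasons.append("Winlogon notify package with a .dat extension")
    elif key.endswith("policies-system") and re.search(
            r"disable(taskmgr|registrytools)\s*=\s*1", value):
        reasons.append("policy disables Task Manager or the Registry Editor")
    return reasons


def triage_report(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage over every line; return (raw line, reasons) for flagged entries."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings.append((entry["raw"], reasons))
    return findings


if __name__ == "__main__":
    for raw, reasons in triage_report(SAMPLE_REPORT):
        print(raw)
        for reason in reasons:
            print("    ->", reason)
```

Location checks like these miss a dropped file that sits in system32 under a plausible name (the autochk.dll entry in the log is one), which is why the helper works from the full log and the ComboFix output rather than from one heuristic.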
Old 04-28-2009, 10:54 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,914
OS: WinXP and Vista


Re: Ntos-krnl hook

You're welcome, McNabbfan58193.

You have quite a collection of nasties here and it will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations, but rename it to mcnabb.exe before saving it. Be sure to save it directly to your desktop:


Link 1
Link 2
Link 3


  • Disable your AntiVirus and the McAfee Firewall as they will interfere with our tools.
  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Ried is offline  
Old 04-29-2009, 09:51 AM   #5 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 8
OS: XP


Re: Ntos-krnl hook

Again, thanks so much for the help. After running Combofix, all visible symptoms are seemingly gone, but I'll stay with you until given the 'all clear'. Here is the log:

ComboFix 09-04-28.06 - Family 04/29/2009 11:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.571 [GMT -4:00]
Running from: c:\documents and settings\Family\Desktop\McNabb.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Family\LOCALS~1\Temp\mousehook.dll
c:\docume~1\Family\LOCALS~1\Temp\ntdll64.dll
c:\documents and settings\Family\protect.dll
c:\documents and settings\Family\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Family\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\LocalService\protect.dll
c:\windows\Downloaded Program Files\setup.dll
c:\windows\system32\__c002AF14.dat
c:\windows\system32\__c00E1819.dat
c:\windows\system32\ahtn.htm
c:\windows\system32\autochk.dll
c:\windows\system32\Cache
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\ovfsthoeowvkdvyiuclyfxsnadwfiwjjjejljb.sys
c:\windows\system32\frmwrk32.exe
c:\windows\system32\loader49.exe
c:\windows\system32\ovfsthkdwkrgwyqwlumxjcsmwqbjklvjbuilna.dat
c:\windows\system32\ovfsthmosufijouxrxsmhavavyhiotkmnbkhrk.dll
c:\windows\system32\ovfsthqvkxclmscppphxjcnctlugrodlgpkwyn.dat
c:\windows\system32\ovfsthrnukfiaecotfgymtaosdmcwjmrqfjhyw.dll
c:\windows\system32\ovfsthsutedekdn***qbsmicpkvdonjxuelrma.dll
c:\windows\system32\p2hhr.bat
c:\windows\system32\prunnet.exe
c:\windows\system32\sf87wuijndoio43j.dll
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\winglsetup.exe
c:\windows\TEMP\ntdll64.dll
C:\xcrashdump.dat

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthnpptfqpelxlrpmyjdvgvypyjxqgxsxoy


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-29 15:28 . 2009-04-29 15:28 -------- d-sh--w C:\found.000
2009-04-28 17:10 . 2009-04-29 14:52 27648 ----a-w c:\windows\system32\lmppcsetup.exe
2009-04-28 01:22 . 2009-04-28 01:22 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-04-28 01:15 . 2009-04-28 01:15 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-27 01:46 . 2009-04-27 01:46 -------- d-----w c:\documents and settings\Family\Application Data\gtk-2.0
2009-04-27 01:45 . 2009-04-27 05:15 -------- d-----w c:\documents and settings\Family\Application Data\.purple
2009-04-27 01:44 . 2009-04-27 01:45 -------- d-----w c:\program files\Aspell
2009-04-27 01:43 . 2009-04-27 04:30 -------- d-----w c:\program files\Pidgin
2009-04-27 01:43 . 2009-04-27 01:43 -------- d-----w c:\program files\Common Files\GTK
2009-04-24 17:20 . 2009-04-24 17:21 4096 ----a-w c:\windows\system32\ftp_non_crp.exe
2009-04-23 22:16 . 2009-04-23 22:16 -------- d-----w c:\program files\Common Files\Nero
2009-04-23 22:16 . 2009-04-23 22:16 -------- d-----w c:\documents and settings\Family\Application Data\Nero
2009-04-23 22:16 . 2009-04-23 22:16 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-04-23 22:13 . 2009-04-23 22:15 -------- d-----w c:\program files\Nero
2009-04-23 17:46 . 2009-04-23 17:46 -------- d-----w C:\ubuntu
2009-04-23 04:20 . 2009-04-23 04:20 -------- d-----w c:\documents and settings\Family\Application Data\Windows Search
2009-04-22 20:45 . 2009-03-27 14:03 139264 ----a-w c:\windows\system32\nvcodins.dll
2009-04-22 20:45 . 2009-03-27 14:03 139264 ----a-w c:\windows\system32\nvcod.dll
2009-04-22 20:45 . 2009-03-27 14:03 2744320 ----a-w c:\windows\system32\nvwss.dll
2009-04-22 20:43 . 2009-03-27 14:03 6186880 ----a-w c:\windows\system32\dllcache\nv4_disp.dll
2009-04-22 20:43 . 2009-03-27 14:03 6186880 ----a-w c:\windows\system32\nv4_disp.dll
2009-04-22 20:43 . 2009-03-27 14:03 6280416 ----a-w c:\windows\system32\dllcache\nv4_mini.sys
2009-04-22 20:43 . 2009-03-27 14:03 6280416 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-04-22 18:27 . 2009-04-22 18:28 -------- d-----w C:\dc27f74c49a7f0742dcc0a808b
2009-04-22 18:24 . 2009-04-22 19:06 -------- d-----w c:\windows\SxsCaPendDel
2009-04-22 18:15 . 2009-04-22 18:17 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-22 18:11 . 2009-04-22 18:11 -------- d-----w C:\fe61eade64fdd12903a7abb55a655f
2009-04-22 18:10 . 2009-04-22 18:11 -------- d-----w C:\a6dfb0adcefec847a67b734fc8ceda
2009-04-22 18:07 . 2009-04-22 18:07 -------- d-----w c:\program files\Microsoft
2009-04-22 18:07 . 2009-04-22 18:07 -------- d-----w c:\documents and settings\Family\Application Data\Windows Desktop Search
2009-04-22 18:05 . 2009-04-22 18:05 -------- d-----w c:\program files\Windows Desktop Search
2009-04-22 18:05 . 2009-04-22 18:05 -------- d-----w c:\windows\system32\GroupPolicy
2009-04-21 02:53 . 2009-04-21 02:53 -------- d-----w c:\documents and settings\Family\Application Data\McAfee
2009-04-20 21:00 . 2009-04-20 21:00 -------- d-sh--w c:\windows\system32\config\systemprofile\PrivacIE
2009-04-20 20:43 . 2009-04-20 20:43 -------- d-----w c:\documents and settings\Family\Application Data\Focus Mp3 Recorder
2009-04-20 20:43 . 2003-08-07 18:01 237568 ----a-w c:\windows\system32\lame_enc.dll
2009-04-18 04:31 . 2009-04-18 04:55 -------- d-----w c:\program files\Project64 1.6
2009-04-15 22:37 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 22:37 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 22:37 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 22:37 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 22:37 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 22:37 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 22:37 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 22:37 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 22:37 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 22:35 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 22:35 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 16:49 . 2009-04-13 16:49 -------- d-----w c:\documents and settings\People Who Aren't Me\Application Data\MySpace
2009-04-11 01:33 . 2001-08-18 02:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-11 01:33 . 2008-04-14 00:12 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-06 20:53 . 2009-04-06 20:53 -------- d-----w c:\documents and settings\Family\Local Settings\Application Data\SupportSoft
2009-04-06 20:53 . 2009-04-06 20:53 -------- d-----w c:\program files\Common Files\SupportSoft
2009-04-01 02:16 . 2009-02-24 19:35 43528 ------w c:\windows\system32\drivers\PxHelp20.sys
2009-04-01 02:15 . 2009-04-01 02:15 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-01 02:03 . 2009-04-01 02:03 -------- d-----w c:\documents and settings\Family\Application Data\Roxio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 14:48 . 2008-12-23 04:58 -------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 2
2009-04-27 22:16 . 2008-12-29 22:49 -------- d-----w c:\program files\Songbird
2009-04-27 01:42 . 2009-03-21 04:03 -------- d-----w c:\program files\MySpace
2009-04-27 01:41 . 2006-10-14 02:35 -------- d-----w c:\program files\Common Files\AOL
2009-04-23 22:53 . 2007-07-06 14:36 -------- d-----w c:\program files\Coupons
2009-04-23 22:10 . 2008-06-09 04:23 256 -c--a-w c:\windows\system32\pool.bin
2009-04-22 19:50 . 2006-10-18 20:09 125208 -c--a-w c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-20 02:01 . 2008-12-23 04:59 -------- d-----w c:\program files\Mozilla Thunderbird 3 Beta 1
2009-04-19 19:26 . 2007-01-06 22:35 -------- d-----w c:\program files\McAfee
2009-04-06 20:57 . 2007-01-27 20:54 -------- d-----w c:\program files\support.com
2009-04-01 02:17 . 2008-05-19 09:58 -------- d-----w c:\program files\DivX
2009-03-27 12:14 . 2008-08-21 08:53 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-03-20 21:09 . 2006-10-14 02:36 -------- d-----w c:\program files\Common Files\Real
2009-03-19 00:49 . 2009-03-18 22:16 -------- d-----w c:\program files\Cain
2009-03-15 05:45 . 2006-10-14 02:36 -------- d-----w c:\program files\Real
2009-03-15 05:44 . 2008-08-21 00:59 -------- d-----w c:\program files\Windows Media Bonus Pack for Windows XP
2009-03-15 05:43 . 2008-05-19 10:03 -------- d-----w c:\program files\Mozilla Thunderbird
2009-03-15 05:40 . 2006-10-14 02:28 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 05:37 . 2006-12-31 13:36 -------- d-----w c:\program files\Apple Software Update
2009-03-08 08:34 . 2005-08-16 08:18 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2005-08-16 08:18 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2005-08-16 08:18 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2005-08-16 08:18 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2005-08-16 08:18 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2005-08-16 08:18 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2005-08-16 08:18 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2005-08-16 08:18 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2005-08-16 08:18 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2005-08-16 08:18 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2005-08-16 08:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 23:07 . 2007-10-02 05:05 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-09 12:10 . 2005-08-16 08:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 08:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 08:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 08:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 08:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-08-16 08:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 08:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 08:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 02:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 08:18 56832 ----a-w c:\windows\system32\secur32.dll
2004-07-30 13:56 . 2008-04-03 21:22 90112 -c--a-w c:\program files\Common Files\PCSBclean.exe
2004-07-26 19:30 . 2008-04-03 21:22 291840 -c--a-w c:\program files\Common Files\PCSBoff.exe
2008-04-24 14:04 . 2006-10-18 20:09 88 -csh--r c:\windows\system32\E8CC884F6B.sys
2008-04-24 14:04 . 2006-10-18 20:09 3610 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2007-05-09 106904]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.EXE" [2007-12-04 111904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-08-15 282624]

c:\documents and settings\Family\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-13 24576]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox 3.1 Beta 2\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8969:TCP"= 8969:TCP:BitComet 8969 TCP
"8969:UDP"= 8969:UDP:BitComet 8969 UDP

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 WMP300NSvc;WMP300NSvc; [x]
S3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32\DRIVERS\WMP300Nv1.sys [2007-10-18 822400]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bfcd147-1c15-11dd-8a21-00137237427d}]
\Shell\AutoRun\command - k:\portableapps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{437a010a-1994-11dd-8a1d-00137237427d}]
\Shell\AutoRun\command - L:\StartPortableApps.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55af1b84-8af3-11db-8933-00137237427d}]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2009-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3286019434-2195164413-3831484578-1006.job
- c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-02 07:17]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-06 17:32]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-06 17:32]

2009-04-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4B0FAF5A-67C4-4625-AE07-B0DBADA16EBF} - (no file)
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
HKLM-Run-autochk - c:\windows\system32\autochk.dll
HKU-Default-Run-Windows Resurections - c:\windows\TEMP\gbh2o2ydz.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\3551592940.exe
HKU-Default-Run-A00F109210.exe - c:\windows\TEMP\_A00F109210.exe
HKU-Default-Run-A00FF716E.exe - c:\windows\TEMP\_A00FF716E.exe
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
Notify-__c002AF14 - c:\windows\system32\__c002AF14.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\1rlgjhbp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnet.com/
FF - component: c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\1rlgjhbp.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\1rlgjhbp.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Family\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 11:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fa,9f,4c,5b,34,13,25,4e,a2,0f,b0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fa,9f,4c,5b,34,13,25,4e,a2,0f,b0,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1616)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\snmp.exe
c:\program files\Linksys\WMP300N\WLService.exe
c:\program files\Linksys\WMP300N\WMP300N.exe
c:\windows\system32\searchindexer.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-04-29 11:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 15:45

Pre-Run: 36,137,308,160 bytes free
Post-Run: 36,322,349,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\wubildr.mbr = "Ubuntu"

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
376 --- E O F --- 2009-04-27 19:46
McNabbfan58193 is offline  
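The log above shows the two things a defender should read off a ComboFix report first: the Security Center and firewall values the infection flipped (AntiVirusDisableNotify, DisableMonitoring, EnableFirewall = 0) and the batch of long random-letter filenames under system32 (the ovfsth* driver, DLLs and DAT files). The following triage helper is an added example and is not part of this thread or of ComboFix itself; it parses the REGEDIT4-style "Reg Loading Points" lines and the "Files Created" and deletion-list lines and flags those indicators. The log excerpt is constructed after the report above, the set of Security Center value names and the 20-letter random-name threshold are assumptions, and the regexes cover only the line shapes seen in this log.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

Flags Security Center / firewall tampering and random-looking filenames
in the Windows directory. Thresholds and value-name list are assumptions.
"""
import re

# Security Center values that malware commonly sets to 1 to silence alerts.
# The first and last names appear in the log above; the full set is an assumption.
SECURITY_CENTER_FLAGS = {
    "antivirusdisablenotify",
    "firewalldisablenotify",
    "updatesdisablenotify",
    "disablemonitoring",
}

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# ComboFix "Files Created" lines: <created> . <modified> <size> <attrs> <path>
FILE_LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$"
)
# Bare paths as in the "Other Deletions" list
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed excerpt modelled on the ComboFix log posted above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

2009-04-28 17:10 . 2009-04-29 14:52 27648 ----a-w c:\windows\system32\lmppcsetup.exe
2009-04-27 01:43 . 2009-04-27 04:30 -------- d-----w c:\program files\Pidgin
2009-04-22 20:43 . 2009-03-27 14:03 6280416 ----a-w c:\windows\system32\drivers\nv4_mini.sys
c:\windows\system32\drivers\ovfsthoeowvkdvyiuclyfxsnadwfiwjjjejljb.sys
c:\windows\system32\ovfsthmosufijouxrxsmhavavyhiotkmnbkhrk.dll
c:\windows\system32\frmwrk32.exe
"""


def parse_registry(text):
    """Return (key, name, value) tuples for REGEDIT4-style lines in the log."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group(1), m.group(2)))
    return entries


def parse_files(text):
    """Return dicts for 'Files Created' lines and bare deletion-list paths."""
    files = []
    for line in text.splitlines():
        line = line.strip()
        m = FILE_LINE_RE.match(line)
        if m:
            files.append({"created": m.group(1), "modified": m.group(2),
                          "size": m.group(3), "attrs": m.group(4), "path": m.group(5)})
        elif BARE_PATH_RE.match(line):
            files.append({"created": None, "modified": None,
                          "size": None, "attrs": None, "path": line})
    return files


def dword_nonzero(value):
    """True for 'dword:XXXXXXXX' values that are not zero."""
    if not value.lower().startswith("dword:"):
        return False
    return int(value.split(":", 1)[1], 16) != 0


def looks_random(path, min_len=20):
    """Heuristic (assumption): a long all-lowercase-letter stem in the Windows
    directory, as with the ovfsth* files above, is worth a second look."""
    if "\\windows\\" not in path.lower():
        return False
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(stem) >= min_len and stem.isalpha() and stem.islower()


def find_indicators(text):
    """Collect human-readable findings from the log text."""
    findings = []
    for key, name, value in parse_registry(text):
        k, n = key.lower(), name.lower()
        if "security center" in k and n in SECURITY_CENTER_FLAGS and dword_nonzero(value):
            findings.append(f"Security Center tampering: {key}\\{name} = {value}")
        if "firewallpolicy" in k and n == "enablefirewall" and value.split()[:1] == ["0"]:
            findings.append(f"Windows Firewall disabled: {key}")
    for entry in parse_files(text):
        if looks_random(entry["path"]):
            findings.append(f"Random-looking filename: {entry['path']}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(finding)
```

On the sample it reports the two Security Center values, the disabled firewall profile and the two ovfsth* files, and leaves lmppcsetup.exe, nv4_mini.sys and frmwrk32.exe alone; the name heuristic is deliberately narrow, so short or digit-bearing names such as those still need the manual review the helpers in this thread perform.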
Old 04-29-2009, 03:48 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,914
OS: WinXP and Vista


Re: Ntos-krnl hook

We have a bit more to do. Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open Notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/371069-ntos-krnl-hook-post2108879.html#post2108879

Collect::
c:\windows\system32\lmppcsetup.exe

Folder::
c:\program files\Coupons

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 04-30-2009, 05:44 AM   #7 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 8
OS: XP


Re: Ntos-krnl hook

My system seems to be running fine now. No noticeable problems. Here are the other two logs:

Combofix:

ComboFix 09-04-28.06 - Family 04/29/2009 22:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.552 [GMT -4:00]
Running from: c:\documents and settings\Family\Desktop\McNabb.exe
Command switches used :: c:\documents and settings\Family\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

file zipped: c:\windows\system32\lmppcsetup.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Coupons
c:\program files\Coupons\uninstall.exe
c:\windows\system32\lmppcsetup.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-29 16:07 . 2009-04-30 01:00 -------- d-----w c:\program files\Mozilla Firefox 3.5 Beta 4
2009-04-29 15:28 . 2009-04-29 15:28 -------- d-sh--w C:\found.000
2009-04-28 01:22 . 2009-04-28 01:22 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-04-28 01:15 . 2009-04-28 01:15 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-27 01:46 . 2009-04-27 01:46 -------- d-----w c:\documents and settings\Family\Application Data\gtk-2.0
2009-04-27 01:45 . 2009-04-27 05:15 -------- d-----w c:\documents and settings\Family\Application Data\.purple
2009-04-27 01:44 . 2009-04-27 01:45 -------- d-----w c:\program files\Aspell
2009-04-27 01:43 . 2009-04-27 04:30 -------- d-----w c:\program files\Pidgin
2009-04-27 01:43 . 2009-04-27 01:43 -------- d-----w c:\program files\Common Files\GTK
2009-04-24 17:20 . 2009-04-24 17:21 4096 ----a-w c:\windows\system32\ftp_non_crp.exe
2009-04-23 22:16 . 2009-04-23 22:16 -------- d-----w c:\program files\Common Files\Nero
2009-04-23 22:16 . 2009-04-23 22:16 -------- d-----w c:\documents and settings\Family\Application Data\Nero
2009-04-23 22:16 . 2009-04-23 22:16 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-04-23 22:13 . 2009-04-23 22:15 -------- d-----w c:\program files\Nero
2009-04-23 04:20 . 2009-04-23 04:20 -------- d-----w c:\documents and settings\Family\Application Data\Windows Search
2009-04-22 20:45 . 2009-03-27 14:03 139264 ----a-w c:\windows\system32\nvcodins.dll
2009-04-22 20:45 . 2009-03-27 14:03 139264 ----a-w c:\windows\system32\nvcod.dll
2009-04-22 20:45 . 2009-03-27 14:03 2744320 ----a-w c:\windows\system32\nvwss.dll
2009-04-22 20:43 . 2009-03-27 14:03 6186880 ----a-w c:\windows\system32\dllcache\nv4_disp.dll
2009-04-22 20:43 . 2009-03-27 14:03 6186880 ----a-w c:\windows\system32\nv4_disp.dll
2009-04-22 20:43 . 2009-03-27 14:03 6280416 ----a-w c:\windows\system32\dllcache\nv4_mini.sys
2009-04-22 20:43 . 2009-03-27 14:03 6280416 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-04-22 18:27 . 2009-04-22 18:28 -------- d-----w C:\dc27f74c49a7f0742dcc0a808b
2009-04-22 18:24 . 2009-04-22 19:06 -------- d-----w c:\windows\SxsCaPendDel
2009-04-22 18:15 . 2009-04-22 18:17 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-22 18:11 . 2009-04-22 18:11 -------- d-----w C:\fe61eade64fdd12903a7abb55a655f
2009-04-22 18:10 . 2009-04-22 18:11 -------- d-----w C:\a6dfb0adcefec847a67b734fc8ceda
2009-04-22 18:07 . 2009-04-22 18:07 -------- d-----w c:\program files\Microsoft
2009-04-22 18:07 . 2009-04-22 18:07 -------- d-----w c:\documents and settings\Family\Application Data\Windows Desktop Search
2009-04-22 18:05 . 2009-04-22 18:05 -------- d-----w c:\program files\Windows Desktop Search
2009-04-22 18:05 . 2009-04-22 18:05 -------- d-----w c:\windows\system32\GroupPolicy
2009-04-21 02:53 . 2009-04-21 02:53 -------- d-----w c:\documents and settings\Family\Application Data\McAfee
2009-04-20 21:00 . 2009-04-20 21:00 -------- d-sh--w c:\windows\system32\config\systemprofile\PrivacIE
2009-04-20 20:43 . 2009-04-20 20:43 -------- d-----w c:\documents and settings\Family\Application Data\Focus Mp3 Recorder
2009-04-20 20:43 . 2003-08-07 18:01 237568 ----a-w c:\windows\system32\lame_enc.dll
2009-04-18 04:31 . 2009-04-18 04:55 -------- d-----w c:\program files\Project64 1.6
2009-04-15 22:37 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 22:37 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 22:37 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 22:37 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 22:37 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 22:37 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 22:37 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 22:37 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 22:37 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 22:35 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 22:35 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 16:49 . 2009-04-13 16:49 -------- d-----w c:\documents and settings\People Who Aren't Me\Application Data\MySpace
2009-04-11 01:33 . 2001-08-18 02:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-11 01:33 . 2008-04-14 00:12 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-06 20:53 . 2009-04-06 20:53 -------- d-----w c:\documents and settings\Family\Local Settings\Application Data\SupportSoft
2009-04-06 20:53 . 2009-04-06 20:53 -------- d-----w c:\program files\Common Files\SupportSoft
2009-04-01 02:16 . 2009-02-24 19:35 43528 ------w c:\windows\system32\drivers\PxHelp20.sys
2009-04-01 02:15 . 2009-04-01 02:15 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-01 02:03 . 2009-04-01 02:03 -------- d-----w c:\documents and settings\Family\Application Data\Roxio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 20:46 . 2008-12-29 22:49 -------- d-----w c:\program files\Songbird
2009-04-29 16:08 . 2008-12-23 04:58 -------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 2
2009-04-27 01:42 . 2009-03-21 04:03 -------- d-----w c:\program files\MySpace
2009-04-27 01:41 . 2006-10-14 02:35 -------- d-----w c:\program files\Common Files\AOL
2009-04-23 22:10 . 2008-06-09 04:23 256 -c--a-w c:\windows\system32\pool.bin
2009-04-22 19:50 . 2006-10-18 20:09 125208 -c--a-w c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-20 02:01 . 2008-12-23 04:59 -------- d-----w c:\program files\Mozilla Thunderbird 3 Beta 1
2009-04-19 19:26 . 2007-01-06 22:35 -------- d-----w c:\program files\McAfee
2009-04-06 20:57 . 2007-01-27 20:54 -------- d-----w c:\program files\support.com
2009-04-01 02:17 . 2008-05-19 09:58 -------- d-----w c:\program files\DivX
2009-03-27 12:14 . 2008-08-21 08:53 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-03-20 21:09 . 2006-10-14 02:36 -------- d-----w c:\program files\Common Files\Real
2009-03-19 00:49 . 2009-03-18 22:16 -------- d-----w c:\program files\Cain
2009-03-15 05:45 . 2006-10-14 02:36 -------- d-----w c:\program files\Real
2009-03-15 05:44 . 2008-08-21 00:59 -------- d-----w c:\program files\Windows Media Bonus Pack for Windows XP
2009-03-15 05:43 . 2008-05-19 10:03 -------- d-----w c:\program files\Mozilla Thunderbird
2009-03-15 05:40 . 2006-10-14 02:28 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 05:37 . 2006-12-31 13:36 -------- d-----w c:\program files\Apple Software Update
2009-03-08 08:34 . 2005-08-16 08:18 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2005-08-16 08:18 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2005-08-16 08:18 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2005-08-16 08:18 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2005-08-16 08:18 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2005-08-16 08:18 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2005-08-16 08:18 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2005-08-16 08:18 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2005-08-16 08:18 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2005-08-16 08:18 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2005-08-16 08:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 23:07 . 2007-10-02 05:05 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-09 12:10 . 2005-08-16 08:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 08:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 08:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 08:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 08:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-08-16 08:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 08:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 08:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 02:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 08:18 56832 ----a-w c:\windows\system32\secur32.dll
2004-07-30 13:56 . 2008-04-03 21:22 90112 -c--a-w c:\program files\Common Files\PCSBclean.exe
2004-07-26 19:30 . 2008-04-03 21:22 291840 -c--a-w c:\program files\Common Files\PCSBoff.exe
2008-04-24 14:04 . 2006-10-18 20:09 88 -csh--r c:\windows\system32\E8CC884F6B.sys
2008-04-24 14:04 . 2006-10-18 20:09 3610 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-29_15.41.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-18 19:20 . 2009-04-29 23:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-10-18 19:20 . 2009-04-29 14:44 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-10-18 19:20 . 2009-04-29 23:56 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-18 19:20 . 2009-04-29 14:44 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-10-18 19:20 . 2009-04-29 23:56 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-10-18 19:20 . 2009-04-29 14:44 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-10-18 19:25 . 2009-04-29 16:10 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- 2006-10-18 19:25 . 2006-10-14 02:49 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2007-05-09 106904]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.EXE" [2007-12-04 111904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-08-15 282624]

c:\documents and settings\Family\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-13 24576]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"= {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - c:\windows\system32\webcheck.dll [2009-03-08 236544]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8969:TCP"= 8969:TCP:BitComet 8969 TCP
"8969:UDP"= 8969:UDP:BitComet 8969 UDP

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 WMP300NSvc;WMP300NSvc; [x]
S3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32\DRIVERS\WMP300Nv1.sys [2007-10-18 822400]


--- Other Services/Drivers In Memory ---

*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SMTPSVC
*Deregistered* - SNMP
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - w32time
*Deregistered* - W3SVC
*Deregistered* - WebClient
*Deregistered* - WinDefend
*Deregistered* - winmgmt
*Deregistered* - wltrysvc
*Deregistered* - WMP300NSvc
*Deregistered* - wscsvc
*Deregistered* - WSearch
*Deregistered* - wuauserv
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bfcd147-1c15-11dd-8a21-00137237427d}]
\Shell\AutoRun\command - k:\portableapps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{437a010a-1994-11dd-8a1d-00137237427d}]
\Shell\AutoRun\command - L:\StartPortableApps.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55af1b84-8af3-11db-8933-00137237427d}]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8d308ad-34cf-11de-afa9-806d6172696f}]
\Shell\AutoRun\command - G:\slacker.synclauncher.exe
\Shell\slacker\command - G:\slacker.synclauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2009-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3286019434-2195164413-3831484578-1006.job
- c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-02 07:17]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-06 17:32]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-06 17:32]

2009-04-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - (no file)
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: **{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: **{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: musicmatch.com\online
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\1rlgjhbp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnet.com/
FF - component: c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\1rlgjhbp.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\1rlgjhbp.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Family\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 22:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fa,9f,4c,5b,34,13,25,4e,a2,0f,b0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fa,9f,4c,5b,34,13,25,4e,a2,0f,b0,\
.
Completion time: 2009-04-30 22:31
ComboFix-quarantined-files.txt 2009-04-30 02:31
ComboFix2.txt 2009-04-29 15:45

Pre-Run: 69,908,180,992 bytes free
Post-Run: 69,895,462,912 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
340 --- E O F --- 2009-04-27 19:46
Upload was successful


And Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, April 30, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, April 29, 2009 23:15:23
Records in database: 2101635
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\

Scan statistics:
Files scanned: 96432
Threat name: 9
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 05:09:21


File name / Threat name / Threats count
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Qoobox\Quarantine\C\Documents and Settings\Family\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Qoobox\Quarantine\C\Documents and Settings\Family\Start Menu\Programs\Startup\ChkDisk.dll.vir Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\autochk.dll.vir Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthoeowvkdvyiuclyfxsnadwfiwjjjejljb.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthmosufijouxrxsmhavavyhiotkmnbkhrk.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthrnukfiaecotfgymtaosdmcwjmrqfjhyw.dll.vir Infected: Trojan.Win32.Tdss.aald 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthsutedekdn***qbsmicpkvdonjxuelrma.dll.vir Infected: Trojan.Win32.Tdss.aalg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winglsetup.exe.vir Infected: Trojan-Dropper.Win32.Agent.anrj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c002AF14.dat.vir Infected: Trojan.Win32.Agent2.ijy 1
C:\Qoobox\Quarantine\[4]-Submit_2009-4-29_22.26.4.zip Infected: Trojan-Dropper.Win32.Agent.amnc 1
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll Infected: Trojan-Spy.Win32.Agent.amjg 1

The selected area was scanned.
Old 05-01-2009, 08:07 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,914
OS: WinXP and Vista


Re: Ntos-krnl hook

Hi McNabbfan58193,

Let's wrap this up.

Open notepad and copy/paste the text in the code box below into it:

Quote:

File::
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll

FixCSet::

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe

Please post the C:\ComboFix.txt for final review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
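A way to do by hand what the thread above walks through, as an added example (it is not ComboFix, Kaspersky, or anything posted by Ried or the forum): the Kaspersky report lists fifteen hits, but all except one are either .vir copies already sitting in ComboFix's C:\Qoobox\Quarantine folder or Kaspersky's not-a-virus riskware class, which is why Ried's CFScript names just the one live file, ChkDisk.dll in the systemprofile Startup folder. The same pass over the "Reg Loading Points" section pulls out the settings worth a second look after cleanup: Security Center notifications and monitoring switched off and the Windows Firewall standard profile disabled (a McAfee suite can set those itself, so this is a checklist, not a verdict), plus the AutoRun commands recorded under mountpoints2 for mounted volumes. The log excerpts in the script are copied from the posts above; the line formats and the two CFScript directives (File::, FixCSet::) are taken from what appears on this page, and nothing else is assumed about CFScript syntax.

```python
"""Triage helper for the ComboFix and Kaspersky Online Scanner logs in this thread.

Added example for this page (not ComboFix, Kaspersky or forum tooling). It assumes
only the line layouts visible in the logs above and the two CFScript directives
(File::, FixCSet::) that appear in Ried's post.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpts copied from the logs posted above (not complete logs).
COMBOFIX_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

KASPERSKY_LOG = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\autochk.dll.vir Infected: Trojan-Spy.Win32.Agent.amjg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthoeowvkdvyiuclyfxsnadwfiwjjjejljb.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll Infected: Trojan-Spy.Win32.Agent.amjg 1
"""

QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"  # ComboFix's quarantine folder, as seen in the log
KASPERSKY_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
AUTORUN_LINE = re.compile(r"^\\shell\\(\w+)\\command - (.+)$", re.I)
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def _reg_int(value: str) -> Optional[int]:
    """Decode the two value renderings ComboFix uses: dword:HEX and 'N (0xN)'."""
    m = re.match(r"dword:([0-9a-fA-F]+)", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"\d+", value)
    return int(m.group(0)) if m else None


def weakened_security_settings(log: str) -> List[Tuple[str, str]]:
    """Flag Security Center, firewall and AutoRun entries in the 'Reg Loading Points' section.

    These are for manual review: a third-party suite such as McAfee can legitimately
    set DisableMonitoring or turn the Windows Firewall off itself.
    """
    findings: List[Tuple[str, str]] = []
    key = ""
    for raw in log.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)          # a new registry key header
            continue
        leaf = key.rsplit("\\", 1)[-1]
        if "mountpoints2" in key.lower():
            m = AUTORUN_LINE.match(line)
            if m:
                findings.append(("autorun", f"volume {leaf}: {m.group(1)} -> {m.group(2)}"))
            continue
        m = REG_VALUE.match(line)
        if not m:
            continue
        name, value = m.group(1), _reg_int(m.group(2))
        if "security center" in key.lower():
            if name.endswith("DisableNotify") and value == 1:
                findings.append(("security_center", f"{name}=1 (Security Center alert suppressed)"))
            elif name == "DisableMonitoring" and value == 1:
                findings.append(("security_center", f"Security Center monitoring of {leaf} disabled"))
        elif "firewallpolicy" in key.lower() and name == "EnableFirewall" and value == 0:
            findings.append(("firewall", f"Windows Firewall off for {leaf}"))
    return findings


def triage_kaspersky(report: str) -> Dict[str, List[Tuple[str, str]]]:
    """Split Kaspersky hits into already-quarantined, riskware and still-live files."""
    buckets: Dict[str, List[Tuple[str, str]]] = {"quarantined": [], "riskware": [], "live": []}
    for line in report.splitlines():
        m = KASPERSKY_LINE.match(line.strip())
        if not m:
            continue
        path, threat = m.group("path"), m.group("threat")
        if path.lower().startswith(QUARANTINE_PREFIX):
            buckets["quarantined"].append((path, threat))  # .vir copies ComboFix already pulled
        elif threat.startswith("not-a-virus:"):
            buckets["riskware"].append((path, threat))     # Kaspersky's riskware class; report separately
        else:
            buckets["live"].append((path, threat))         # still on disk: candidates for File::
    return buckets


def build_cfscript(paths: List[str]) -> str:
    """Emit a CFScript in the form Ried posted: a File:: block, then FixCSet::."""
    return "File::\n" + "\n".join(paths) + "\n\nFixCSet::\n"


if __name__ == "__main__":
    for category, detail in weakened_security_settings(COMBOFIX_LOG):
        print(f"[{category}] {detail}")
    hits = triage_kaspersky(KASPERSKY_LOG)
    print(f"quarantined={len(hits['quarantined'])} riskware={len(hits['riskware'])} live={len(hits['live'])}")
    print(build_cfscript([path for path, _ in hits["live"]]))
```

Run against the full logs above, the live bucket contains exactly the ChkDisk.dll path Ried put in the File:: block, and the riskware bucket holds the two MUSICMATCH .mmz files, which the script leaves out of the CFScript rather than deleting a commercial program's components on a riskware verdict.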
Old 05-01-2009, 10:20 PM   #9 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 8
OS: XP


Re: Ntos-krnl hook

Hey Ried,

Hopefully this is the last log. Thanks so much for all your help. I really appreciate it.

ComboFix 09-05-02.4 - Family 05/02/2009 0:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.547 [GMT -4:00]
Running from: c:\documents and settings\Family\Desktop\McNabb.exe
Command switches used :: c:\documents and settings\Family\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*

FILE ::
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-04-30 02:43 . 2009-04-30 02:42 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-29 16:07 . 2009-05-02 03:54 -------- d-----w c:\program files\Mozilla Firefox 3.5 Beta 4
2009-04-28 01:22 . 2009-04-28 01:22 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-04-28 01:15 . 2009-04-28 01:15 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-27 01:46 . 2009-04-27 01:46 -------- d-----w c:\documents and settings\Family\Application Data\gtk-2.0
2009-04-27 01:45 . 2009-05-01 05:02 -------- d-----w c:\documents and settings\Family\Application Data\.purple
2009-04-27 01:44 . 2009-04-27 01:45 -------- d-----w c:\program files\Aspell
2009-04-27 01:43 . 2009-04-27 04:30 -------- d-----w c:\program files\Pidgin
2009-04-27 01:43 . 2009-04-27 01:43 -------- d-----w c:\program files\Common Files\GTK
2009-04-24 17:20 . 2009-04-24 17:21 4096 ----a-w c:\windows\system32\ftp_non_crp.exe
2009-04-23 22:16 . 2009-04-23 22:16 -------- d-----w c:\program files\Common Files\Nero
2009-04-23 22:16 . 2009-04-23 22:16 -------- d-----w c:\documents and settings\Family\Application Data\Nero
2009-04-23 22:16 . 2009-04-23 22:16 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-04-23 22:13 . 2009-04-23 22:15 -------- d-----w c:\program files\Nero
2009-04-23 04:20 . 2009-04-23 04:20 -------- d-----w c:\documents and settings\Family\Application Data\Windows Search
2009-04-22 20:45 . 2009-03-27 14:03 139264 ----a-w c:\windows\system32\nvcodins.dll
2009-04-22 20:45 . 2009-03-27 14:03 139264 ----a-w c:\windows\system32\nvcod.dll
2009-04-22 20:45 . 2009-03-27 14:03 2744320 ----a-w c:\windows\system32\nvwss.dll
2009-04-22 20:43 . 2009-03-27 14:03 6186880 ----a-w c:\windows\system32\dllcache\nv4_disp.dll
2009-04-22 20:43 . 2009-03-27 14:03 6186880 ----a-w c:\windows\system32\nv4_disp.dll
2009-04-22 20:43 . 2009-03-27 14:03 6280416 ----a-w c:\windows\system32\dllcache\nv4_mini.sys
2009-04-22 20:43 . 2009-03-27 14:03 6280416 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-04-22 18:27 . 2009-04-22 18:28 -------- d-----w C:\dc27f74c49a7f0742dcc0a808b
2009-04-22 18:24 . 2009-04-22 19:06 -------- d-----w c:\windows\SxsCaPendDel
2009-04-22 18:15 . 2009-04-22 18:17 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-22 18:11 . 2009-04-22 18:11 -------- d-----w C:\fe61eade64fdd12903a7abb55a655f
2009-04-22 18:10 . 2009-04-22 18:11 -------- d-----w C:\a6dfb0adcefec847a67b734fc8ceda
2009-04-22 18:07 . 2009-04-22 18:07 -------- d-----w c:\program files\Microsoft
2009-04-22 18:07 . 2009-04-22 18:07 -------- d-----w c:\documents and settings\Family\Application Data\Windows Desktop Search
2009-04-22 18:05 . 2009-04-22 18:05 -------- d-----w c:\program files\Windows Desktop Search
2009-04-22 18:05 . 2009-04-22 18:05 -------- d-----w c:\windows\system32\GroupPolicy
2009-04-21 02:53 . 2009-04-21 02:53 -------- d-----w c:\documents and settings\Family\Application Data\McAfee
2009-04-20 21:00 . 2009-04-20 21:00 -------- d-sh--w c:\windows\system32\config\systemprofile\PrivacIE
2009-04-20 20:43 . 2009-04-20 20:43 -------- d-----w c:\documents and settings\Family\Application Data\Focus Mp3 Recorder
2009-04-20 20:43 . 2003-08-07 18:01 237568 ----a-w c:\windows\system32\lame_enc.dll
2009-04-18 04:31 . 2009-04-18 04:55 -------- d-----w c:\program files\Project64 1.6
2009-04-15 22:37 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 22:37 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 22:37 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 22:37 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 22:37 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 22:37 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 22:37 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 22:37 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 22:37 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 22:35 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 22:35 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 16:49 . 2009-04-13 16:49 -------- d-----w c:\documents and settings\People Who Aren't Me\Application Data\MySpace
2009-04-11 01:33 . 2001-08-18 02:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-11 01:33 . 2008-04-14 00:12 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-06 20:53 . 2009-04-06 20:53 -------- d-----w c:\documents and settings\Family\Local Settings\Application Data\SupportSoft
2009-04-06 20:53 . 2009-04-06 20:53 -------- d-----w c:\program files\Common Files\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 04:10 . 2007-10-16 18:46 330 ---ha-w c:\windows\Tasks\MP Scheduled Scan.job
2009-05-02 04:07 . 2008-12-29 19:53 930 ----a-w c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3286019434-2195164413-3831484578-1006.job
2009-05-02 04:07 . 2005-08-16 08:49 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-01 17:05 . 2008-12-29 22:49 -------- d-----w c:\program files\Songbird
2009-05-01 05:00 . 2007-01-06 22:38 354 ----a-w c:\windows\Tasks\McQcTask.job
2009-04-30 14:30 . 2009-03-20 21:09 442 ----a-w c:\windows\Tasks\At1.job
2009-04-30 02:42 . 2006-10-14 02:26 -------- d-----w c:\program files\Java
2009-04-29 16:08 . 2008-12-23 04:58 -------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 2
2009-04-27 01:42 . 2009-03-21 04:03 -------- d-----w c:\program files\MySpace
2009-04-27 01:41 . 2006-10-14 02:35 -------- d-----w c:\program files\Common Files\AOL
2009-04-23 22:10 . 2008-06-09 04:23 256 -c--a-w c:\windows\system32\pool.bin
2009-04-22 19:50 . 2006-10-18 20:09 125208 -c--a-w c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-20 02:01 . 2008-12-23 04:59 -------- d-----w c:\program files\Mozilla Thunderbird 3 Beta 1
2009-04-19 19:26 . 2007-01-06 22:35 -------- d-----w c:\program files\McAfee
2009-04-15 11:56 . 2007-07-26 19:40 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-15 07:04 . 2007-01-06 22:38 352 ----a-w c:\windows\Tasks\McDefragTask.job
2009-04-06 20:57 . 2007-01-27 20:54 -------- d-----w c:\program files\support.com
2009-04-01 02:17 . 2008-05-19 09:58 -------- d-----w c:\program files\DivX
2009-04-01 02:15 . 2009-04-01 02:15 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-27 12:14 . 2008-08-21 08:53 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-03-20 21:09 . 2006-10-14 02:36 -------- d-----w c:\program files\Common Files\Real
2009-03-19 00:49 . 2009-03-18 22:16 -------- d-----w c:\program files\Cain
2009-03-15 05:45 . 2006-10-14 02:36 -------- d-----w c:\program files\Real
2009-03-15 05:44 . 2008-08-21 00:59 -------- d-----w c:\program files\Windows Media Bonus Pack for Windows XP
2009-03-15 05:43 . 2008-05-19 10:03 -------- d-----w c:\program files\Mozilla Thunderbird
2009-03-15 05:40 . 2006-10-14 02:28 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 05:37 . 2006-12-31 13:36 -------- d-----w c:\program files\Apple Software Update
2009-03-08 08:34 . 2005-08-16 08:18 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2005-08-16 08:18 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2005-08-16 08:18 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2005-08-16 08:18 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2005-08-16 08:18 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2005-08-16 08:18 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2005-08-16 08:18 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2005-08-16 08:18 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2005-08-16 08:18 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2005-08-16 08:18 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2005-08-16 08:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 23:07 . 2007-10-02 05:05 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-24 19:35 . 2009-04-01 02:16 43528 ------w c:\windows\system32\drivers\PxHelp20.sys
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-09 12:10 . 2005-08-16 08:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 08:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 08:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 08:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 08:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-08-16 08:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 08:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 08:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 02:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 08:18 56832 ----a-w c:\windows\system32\secur32.dll
2004-07-30 13:56 . 2008-04-03 21:22 90112 -c--a-w c:\program files\Common Files\PCSBclean.exe
2004-07-26 19:30 . 2008-04-03 21:22 291840 -c--a-w c:\program files\Common Files\PCSBoff.exe
2008-04-24 14:04 . 2006-10-18 20:09 88 -csh--r c:\windows\system32\E8CC884F6B.sys
2008-04-24 14:04 . 2006-10-18 20:09 3610 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-29_15.41.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-02 04:08 . 2009-05-02 04:08 16384 c:\windows\Temp\Perflib_Perfdata_8ec.dat
+ 2009-05-01 15:24 . 2009-05-01 15:24 16384 c:\windows\Temp\Perflib_Perfdata_880.dat
- 2006-10-18 19:20 . 2009-04-29 14:44 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-10-18 19:20 . 2009-05-02 00:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-10-18 19:20 . 2009-04-29 14:44 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-10-18 19:20 . 2009-05-02 00:35 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-10-18 19:20 . 2009-05-02 00:35 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-10-18 19:20 . 2009-04-29 14:44 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-10-14 02:34 . 2009-04-16 04:29 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-10-14 02:34 . 2009-05-01 05:04 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-10-14 02:34 . 2009-04-16 04:29 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2006-10-14 02:34 . 2009-05-01 05:04 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2006-10-14 02:34 . 2009-04-16 04:29 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-10-14 02:34 . 2009-05-01 05:04 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-10-14 02:34 . 2009-04-16 04:29 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-10-14 02:34 . 2009-05-01 05:04 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-10-14 02:34 . 2009-05-01 05:04 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-10-14 02:34 . 2009-04-16 04:29 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2006-10-14 02:34 . 2009-05-01 05:04 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2006-10-14 02:34 . 2009-04-16 04:29 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-04-30 02:43 . 2009-04-30 02:42 148888 c:\windows\system32\javaws.exe
+ 2009-04-30 02:43 . 2009-04-30 02:42 144792 c:\windows\system32\javaw.exe
+ 2009-04-30 02:43 . 2009-04-30 02:42 144792 c:\windows\system32\java.exe
+ 2008-12-24 16:36 . 2009-05-02 04:11 225083 c:\windows\system32\inetsrv\MetaBase.bin
- 2006-10-18 19:25 . 2006-10-14 02:49 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2006-10-18 19:25 . 2009-04-29 16:10 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2006-10-14 02:34 . 2009-05-01 05:04 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-10-14 02:34 . 2009-04-16 04:29 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-10-14 02:34 . 2009-05-01 05:04 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-10-14 02:34 . 2009-04-16 04:29 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-10-14 02:34 . 2009-04-16 04:29 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-10-14 02:34 . 2009-05-01 05:04 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2006-10-14 02:34 . 2009-04-16 04:29 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-10-14 02:34 . 2009-05-01 05:04 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-10-14 02:34 . 2009-05-01 05:04 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-10-14 02:34 . 2009-04-16 04:29 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2007-05-09 106904]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.EXE" [2007-12-04 111904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-30 148888]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-08-15 282624]

c:\documents and settings\Family\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-13 24576]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8969:TCP"= 8969:TCP:BitComet 8969 TCP
"8969:UDP"= 8969:UDP:BitComet 8969 UDP

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 WMP300NSvc;WMP300NSvc; [x]
S3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32\DRIVERS\WMP300Nv1.sys [2007-10-18 822400]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bfcd147-1c15-11dd-8a21-00137237427d}]
\Shell\AutoRun\command - k:\portableapps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{437a010a-1994-11dd-8a1d-00137237427d}]
\Shell\AutoRun\command - L:\StartPortableApps.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55af1b84-8af3-11db-8933-00137237427d}]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2009-05-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3286019434-2195164413-3831484578-1006.job
- c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-02 07:17]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-06 17:32]

2009-05-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-06 17:32]

2009-05-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\1rlgjhbp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnet.com/
FF - component: c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\1rlgjhbp.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\1rlgjhbp.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Family\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 00:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fa,9f,4c,5b,34,13,25,4e,a2,0f,b0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fa,9f,4c,5b,34,13,25,4e,a2,0f,b0,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3508)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\snmp.exe
c:\program files\Linksys\WMP300N\WLService.exe
c:\program files\Linksys\WMP300N\WMP300N.exe
c:\windows\system32\searchindexer.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-05-02 0:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-02 04:16
ComboFix2.txt 2009-04-30 02:31
ComboFix3.txt 2009-04-29 15:45

Pre-Run: 68,868,096,000 bytes free
Post-Run: 68,863,660,032 bytes free

378 --- E O F --- 2009-05-01 05:04
McNabbfan58193 is offline  
Old 05-01-2009, 10:34 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,914
OS: WinXP and Vista


Re: Ntos-krnl hook



The remainder of Kaspersky's findings are backups created during the course of this fix, which we shall be clearing now.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.



To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 05-01-2009, 10:55 PM   #11 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 8
OS: XP


Re: Ntos-krnl hook

Yup, everything is running smoothly and ComboFix uninstalled itself. Thanks for the tips and, again, the help. It is much appreciated.
McNabbfan58193 is offline  
Old 05-01-2009, 11:18 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,914
OS: WinXP and Vista


Re: Ntos-krnl hook

You're welcome. Take care, and surf safely.
Ried is offline  
Copyright 2001 - 2009, Tech Support Forum