Spyware/Malware problems

[osullivanap]

I have encountered problems with my internet explorer which shuts down immediately on opening and displays message saying needs to close unexpectedly. The same happens when i try to use windows update. Internet works, however, in safe-mode, but windows update still does not as I recieve an error message on microsoft website when trying to update. I removed a virus with my McAfee and then 6 more using ad-Aware. Spy-bot and windows defender came up clear. However, my problem was still not solved. I also tried system restore, a clean boot, reregistering my internet explorer and installing internet explorer 8. None of these worked. I have started using Firefox and this seems to be working fine.
Using the microsoft onecare.live scan Win32/Pemsepos.A showed up in c:\windows\system32\lspoyi.dll, but the scan was unable to fix this problem.
I also tried analysing the file c:\windows\system32\lspoyi.dll in VirusTotal.

I would be very grateful for any assistance which you could give me.

Thanks, Andrew


DDS (Ver_09-05-14.01) - NTFSx86
Run by Andrew at 18:23:48.21 on 04/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.159 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netopia\Wireless PC Card\WLANSTA.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Andrew\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\netopia\wireless pc card\WLANSTA.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185483844281
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185483831843
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrew\applic~1\mozilla\firefox\profiles\83l6tqt4.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-12 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-11 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-3-12 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-3-12 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-3-12 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-12 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-12 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-12 40552]
S2 gupdate1c9dd50ca6557f2;Google Update Service (gupdate1c9dd50ca6557f2);c:\program files\google\update\GoogleUpdate.exe [2009-5-25 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-12 34216]
S3 Netopia_iphelp;Netopia WLAN IP Utility;c:\program files\netopia\wireless pc card\iphlpsrv.exe [2007-7-26 102400]

=============== Created Last 30 ================

2009-06-02 22:10 <DIR> --d----- c:\program files\Lavasoft
2009-06-02 21:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-02 21:02 78,336 a------- c:\windows\system32\dllcache\ieencode.dll
2009-06-02 17:00 <DIR> --d----- c:\windows\pss
2009-06-02 16:52 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-06-02 15:45 1,154 a------- C:\reregisterie.cmd
2009-05-31 15:18 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-31 15:08 <DIR> --dsh--- c:\documents and settings\andrew\PrivacIE
2009-05-31 15:04 <DIR> --dsh--- c:\documents and settings\andrew\IECompatCache
2009-05-31 14:56 <DIR> --dsh--- c:\documents and settings\andrew\IETldCache
2009-05-31 09:39 2,137 a------- c:\windows\system32\aacbaa5ebb.ax
2009-05-31 09:38 45,056 a------- c:\windows\system32\lspoyi.dll

==================== Find3M ====================

2009-06-02 22:08 27,424 a------- c:\windows\system32\nvModes.dat
2008-08-24 17:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat

============= FINISH: 18:25:56.90 ===============

[Angelfire777]

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

[osullivanap]

Thanks for that, Internet explorer seems to be working now without any problems.

The following are the results from combofix scan;


ComboFix 09-06-07.07 - Andrew 08/06/2009 23:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.188 [GMT 1:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\ODCTOOLS\~t2C.tmp

.
((((((((((((((((((((((((( Files Created from 2009-05-08 to 2009-06-08 )))))))))))))))))))))))))))))))
.

2009-06-06 20:10 . 2009-06-06 21:23 -------- d-----w- c:\documents and settings\Andrew\Application Data\vlc
2009-06-03 23:05 . 2009-06-04 11:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 22:05 . 2009-06-03 22:06 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\Adobe
2009-06-03 20:59 . 2009-06-03 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-06-03 20:54 . 2009-06-03 20:54 -------- d-----w- c:\documents and settings\Andrew\Application Data\AdobeUM
2009-06-03 16:42 . 2009-06-03 16:42 0 ----a-w- c:\windows\nsreg.dat
2009-06-03 16:39 . 2009-06-03 16:39 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\Mozilla
2009-06-03 14:11 . 2009-06-04 17:22 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-03 00:23 . 2009-06-03 00:23 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-02 21:10 . 2009-06-03 16:46 -------- d-----w- c:\program files\Lavasoft
2009-06-02 20:02 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-02 20:02 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-06-02 19:18 . 2009-06-02 19:18 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\Identities
2009-06-02 16:05 . 2009-06-02 16:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-02 15:52 . 2009-06-02 15:52 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-02 14:45 . 2009-06-02 15:09 1154 ----a-w- C:\reregisterie.cmd
2009-05-31 17:28 . 2009-06-02 15:52 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\Apple Computer
2009-05-31 14:18 . 2009-05-31 14:15 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-31 14:14 . 2009-05-31 14:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-31 14:08 . 2009-05-31 14:08 -------- d-sh--w- c:\documents and settings\Andrew\PrivacIE
2009-05-31 14:04 . 2009-05-31 14:04 -------- d-sh--w- c:\documents and settings\Andrew\IECompatCache
2009-05-31 13:56 . 2009-05-31 13:56 -------- d-sh--w- c:\documents and settings\Andrew\IETldCache
2009-05-31 08:38 . 2009-06-03 22:11 45056 ----a-w- c:\windows\system32\lspoyi.dll
2009-05-25 15:52 . 2009-05-25 15:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-07 11:43 . 2007-07-26 03:42 27424 ----a-w- c:\windows\system32\nvModes.dat
2009-06-07 10:05 . 2008-09-11 14:25 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-04 17:21 . 2008-10-28 23:57 -------- d-----w- c:\program files\Vuze
2009-06-03 17:06 . 2008-03-16 20:33 -------- d-----w- c:\program files\Google
2009-05-31 14:15 . 2007-07-28 02:50 -------- d-----w- c:\program files\Java
2009-04-19 20:44 . 2008-03-12 00:17 -------- d-----w- c:\program files\McAfee
2009-03-25 10:06 . 2008-03-12 00:18 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 10:06 . 2008-03-12 00:18 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 10:06 . 2008-03-12 00:18 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 10:06 . 2008-03-12 00:18 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 10:05 . 2008-03-12 00:18 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-03 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-03 610304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-31 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-20 4866048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2003-06-20 368640]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-11-20 323584]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Wireless PC Card Utility.lnk - c:\program files\Netopia\Wireless PC Card\WLANSTA.exe [2007-7-26 626688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/09/2008 15:10 210216]
S2 gupdate1c9dd50ca6557f2;Google Update Service (gupdate1c9dd50ca6557f2);c:\program files\Google\Update\GoogleUpdate.exe [25/05/2009 16:52 133104]
S3 Netopia_iphelp;Netopia WLAN IP Utility;c:\program files\Netopia\Wireless PC Card\iphlpsrv.exe [26/07/2007 01:32 102400]
.
Contents of the 'Scheduled Tasks' folder

2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-06-08 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 15:51]

2008-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-12 10:53]

2008-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-12 10:53]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\83l6tqt4.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 23:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-08 23:09
ComboFix-quarantined-files.txt 2009-06-08 22:09

Pre-Run: 17,791,672,320 bytes free
Post-Run: 17,941,417,984 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

145 --- E O F --- 2009-06-04 17:02

[Angelfire777]

Hi,

*Open notepad.
Copy and paste the text inside the code box below to notepad

Code:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/382404-spyware-malware-problems.html
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
Collect::
c:\windows\system32\lspoyi.dll
c:\windows\system32\aacbaa5ebb.ax
DDS::
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

• Save and Name it as "CFScript"
• Drag and drop CFScript.txt to your copy of combofix.

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.

---------------------

*Uninstall these two older versions of Java:

Java 2 Runtime Environment, SE v1.4.2
Java(TM) 6 Update 2

Go to Start > Run > copy/paste javacpl.cpl > Press Enter > Select the Update tab > Click Update now.

---------------------

Next, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

On your next reply, please include a

• kaspersky scan log
• combofix log

[osullivanap]

Hi,
thanks for all of your help. Internet explorer is now working without any problems. I followed all of the steps outlines above. The file C:\QooBox\Quarantine\[4]-Submit_date@time.zip was submitted successsfully. Also both versions of java were removed. Kaspersky scan detected no malware. The following are firstly, the kaspersky scan log, and secondly the combofix log.


KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, June 10, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, June 10, 2009 18:42:59
Records in database: 2334930
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 44226
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:51:57

No malware has been detected. The scan area is clean.

The selected area was scanned.




ComboFix 09-06-09.06 - Andrew 10/06/2009 15:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.245 [GMT 1:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point

file zipped: c:\windows\system32\aacbaa5ebb.ax
file zipped: c:\windows\system32\lspoyi.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\aacbaa5ebb.ax
c:\windows\system32\lspoyi.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-06 20:10 . 2009-06-06 21:23 -------- d-----w- c:\documents and settings\Andrew\Application Data\vlc
2009-06-03 23:05 . 2009-06-04 11:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 22:05 . 2009-06-03 22:06 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\Adobe
2009-06-03 20:59 . 2009-06-03 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-06-03 20:54 . 2009-06-03 20:54 -------- d-----w- c:\documents and settings\Andrew\Application Data\AdobeUM
2009-06-03 16:42 . 2009-06-03 16:42 0 ----a-w- c:\windows\nsreg.dat
2009-06-03 16:39 . 2009-06-03 16:39 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\Mozilla
2009-06-03 14:11 . 2009-06-04 17:22 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-03 00:23 . 2009-06-03 00:23 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-02 21:10 . 2009-06-03 16:46 -------- d-----w- c:\program files\Lavasoft
2009-06-02 20:02 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-02 20:02 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-06-02 19:18 . 2009-06-02 19:18 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\Identities
2009-06-02 16:05 . 2009-06-02 16:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-02 15:52 . 2009-06-02 15:52 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-02 14:45 . 2009-06-02 15:09 1154 ----a-w- C:\reregisterie.cmd
2009-05-31 17:28 . 2009-06-02 15:52 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\Apple Computer
2009-05-31 14:18 . 2009-05-31 14:15 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-31 14:14 . 2009-05-31 14:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-31 14:08 . 2009-05-31 14:08 -------- d-sh--w- c:\documents and settings\Andrew\PrivacIE
2009-05-31 14:04 . 2009-05-31 14:04 -------- d-sh--w- c:\documents and settings\Andrew\IECompatCache
2009-05-31 13:56 . 2009-05-31 13:56 -------- d-sh--w- c:\documents and settings\Andrew\IETldCache
2009-05-25 15:52 . 2009-05-25 15:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-08 23:20 . 2007-07-26 03:42 27424 ----a-w- c:\windows\system32\nvModes.dat
2009-06-07 10:05 . 2008-09-11 14:25 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-04 17:21 . 2008-10-28 23:57 -------- d-----w- c:\program files\Vuze
2009-06-03 17:06 . 2008-03-16 20:33 -------- d-----w- c:\program files\Google
2009-05-31 14:15 . 2007-07-28 02:50 -------- d-----w- c:\program files\Java
2009-04-19 20:44 . 2008-03-12 00:17 -------- d-----w- c:\program files\McAfee
2009-03-25 10:06 . 2008-03-12 00:18 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 10:06 . 2008-03-12 00:18 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 10:06 . 2008-03-12 00:18 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 10:06 . 2008-03-12 00:18 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 10:05 . 2008-03-12 00:18 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-06-08_22.08.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-10 15:02 . 2009-06-10 15:02 16384 c:\windows\Temp\Perflib_Perfdata_640.dat
+ 2007-07-24 06:20 . 2009-06-10 14:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-07-24 06:20 . 2009-06-08 21:23 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-07-24 06:20 . 2009-06-10 14:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-07-24 06:20 . 2009-06-08 21:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-07-24 06:20 . 2009-06-10 14:45 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-07-24 06:20 . 2009-06-08 21:23 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-03 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-03 610304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-31 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-20 4866048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2003-06-20 368640]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-11-20 323584]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Wireless PC Card Utility.lnk - c:\program files\Netopia\Wireless PC Card\WLANSTA.exe [2007-7-26 626688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/09/2008 15:10 210216]
S2 gupdate1c9dd50ca6557f2;Google Update Service (gupdate1c9dd50ca6557f2);c:\program files\Google\Update\GoogleUpdate.exe [25/05/2009 16:52 133104]
S3 Netopia_iphelp;Netopia WLAN IP Utility;c:\program files\Netopia\Wireless PC Card\iphlpsrv.exe [26/07/2007 01:32 102400]
.
Contents of the 'Scheduled Tasks' folder

2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-06-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 15:51]

2008-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-12 10:53]

2008-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-12 10:53]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\83l6tqt4.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 16:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2056)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-06-10 16:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-10 15:09
ComboFix2.txt 2009-06-08 22:09

Pre-Run: 17,895,325,696 bytes free
Post-Run: 17,890,541,568 bytes free

171 --- E O F --- 2009-06-04 17:02



With thanks,
Andrew

[Angelfire777]

Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Read TonyKlein's How Did I Get Infected In The First Place?.

Please check out miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.

[osullivanap]

Hi,
combofix uninstalled successfully.

Thanks for all of your help,
Andrew