Tech Support banner

Status
Not open for further replies.
1 - 20 of 21 Posts

·
Registered
Joined
·
32 Posts
Discussion Starter #1
For the past 2 months something is not right with our home computer, and I don’t know what.

I run McAfee, but the scan does not seem to run, takes days to finish and sometimes only says 1200 files scanned with no virus detected.
When I run task manager says CPU usage is 100%.
IE hangs up or is very slow to connect. Web pages don’t load and explorer hangs up and has to be restarted.

I am not getting pop-ups and explorer is not getting re-directed.
I have security set to refuse cookies.
Win Patrol set to ask before letting programs access internet.

I am thinking a family member (have multiple users) opened an infected e-mail or went to an unsafe site to download, only because of the suddenness of the change in system performance.

I am attaching the DDS.TXT and ATTACH.TXT files as instructed in the virus help page.

Thank you for looking at these.

TonyG


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 19:12:39.40 on Tue 03/29/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.90 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\McAfee\VirusScan\mcods.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\freecell.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://webmaila.netzero.net/webmail/new/5?session_redirect=true&count=1253463191&ajaxSupported=2
uSearch Page = hxxp://my.netzero.net/s/search?r=minisearch
uSearch Bar = hxxp://my.netzero.net/s/search?r=minisearch
uInternet Settings,ProxyOverride = 64.136.44.66;64.136.52.66;64.136.52.70;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;cf.netzero.net;qs.netzero.net;*.prod.untd.com;*.local;<local>
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
mSearchAssistant = hxxp://my.netzero.net/s/search?r=minisearch
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Pop-up Blocker: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\netzero\qsacc\x1IEBHO.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110327194740.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Internet Explorer] c:\drvrtmp\winxp\java.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Microsoft Office Outlook] c:\program files\microsoft office\office11\OUTLOOK.EXE
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,[email protected]
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [WindowsUpdater] C:\Sys32.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
uExplorerRun: [Internet Explorer] c:\drvrtmp\winxp\java.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: sythe.org\www
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
mASetup: {01B200EF-5875-213F-3FD8-11DE3FC16F0C} - C:\Sys32.exe
mASetup: {41A3F6DF-FBC6-6449-1294-0FEE5ADEE1E8} - c:\program files\sql\SQL.exe s
mASetup: {DLBCY212-5153-L8E1-JU12-3204GO18Q40P} - "c:\drvrtmp\winxp\java.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\d6ilo5v8.default\
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-26 84072]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-26 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-26 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-26 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-26 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-26 88544]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-26 84264]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-26 88544]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-30 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-30 40552]
S4 0304501221201051mcinstcleanup;McAfee Application Installer Cleanup (0304501221201051);c:\windows\temp\030450~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\030450~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
.
=============== Created Last 30 ================
.
2011-03-29 22:57:55 -------- d-----w- c:\windows\system32\NtmsData
2011-03-27 23:47:40 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2011-03-27 23:47:37 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-03-27 23:26:54 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-03-12 16:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 02:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 00:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 19:16:34.67 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/30/2008 12:09:37 AM
System Uptime: 3/27/2011 7:56:36 PM (48 hours ago)
.
Motherboard: Dell Computer Corp. | | 0N6381
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 28.096 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP999: 12/30/2010 11:25:04 AM - System Checkpoint
RP1000: 12/31/2010 11:37:17 AM - System Checkpoint
RP1001: 1/1/2011 2:37:18 PM - System Checkpoint
RP1002: 1/2/2011 3:07:38 PM - System Checkpoint
RP1003: 1/3/2011 5:54:07 PM - System Checkpoint
RP1004: 1/4/2011 6:55:08 PM - System Checkpoint
RP1005: 1/5/2011 8:04:01 PM - System Checkpoint
RP1006: 1/6/2011 9:03:55 PM - System Checkpoint
RP1007: 1/8/2011 7:34:01 AM - System Checkpoint
RP1008: 1/9/2011 10:10:26 PM - System Checkpoint
RP1009: 1/11/2011 1:17:22 PM - System Checkpoint
RP1010: 1/12/2011 1:42:58 PM - System Checkpoint
RP1011: 1/13/2011 2:42:50 PM - System Checkpoint
RP1012: 1/13/2011 4:57:35 PM - Software Distribution Service 3.0
RP1013: 1/14/2011 5:25:23 PM - System Checkpoint
RP1014: 1/15/2011 5:47:13 PM - System Checkpoint
RP1015: 1/16/2011 5:47:25 PM - System Checkpoint
RP1016: 1/17/2011 5:53:05 PM - System Checkpoint
RP1017: 1/18/2011 6:52:40 PM - System Checkpoint
RP1018: 1/19/2011 7:52:30 PM - System Checkpoint
RP1019: 1/21/2011 7:55:03 AM - System Checkpoint
RP1020: 1/23/2011 10:22:58 AM - System Checkpoint
RP1021: 1/24/2011 7:43:57 PM - System Checkpoint
RP1022: 1/25/2011 8:00:24 PM - System Checkpoint
RP1023: 1/26/2011 8:37:28 PM - System Checkpoint
RP1024: 1/28/2011 7:00:06 AM - System Checkpoint
RP1025: 1/29/2011 2:09:18 PM - System Checkpoint
RP1026: 1/30/2011 2:37:24 PM - System Checkpoint
RP1027: 1/31/2011 3:36:22 PM - System Checkpoint
RP1028: 2/1/2011 4:56:11 PM - System Checkpoint
RP1029: 2/2/2011 5:12:24 PM - System Checkpoint
RP1030: 2/3/2011 5:42:32 PM - System Checkpoint
RP1031: 2/4/2011 6:26:31 PM - System Checkpoint
RP1032: 2/5/2011 7:12:24 PM - System Checkpoint
RP1033: 2/7/2011 7:18:01 AM - System Checkpoint
RP1034: 2/8/2011 2:16:40 PM - System Checkpoint
RP1035: 2/9/2011 5:18:56 PM - System Checkpoint
RP1036: 2/10/2011 3:05:25 AM - Software Distribution Service 3.0
RP1037: 2/11/2011 3:00:29 AM - Software Distribution Service 3.0
RP1038: 2/11/2011 4:00:54 PM - Software Distribution Service 3.0
RP1039: 2/12/2011 5:45:41 PM - System Checkpoint
RP1040: 2/13/2011 6:46:14 PM - System Checkpoint
RP1041: 2/14/2011 8:21:14 PM - System Checkpoint
RP1042: 2/15/2011 9:56:08 PM - System Checkpoint
RP1043: 2/16/2011 10:52:44 PM - System Checkpoint
RP1044: 2/17/2011 11:27:59 PM - System Checkpoint
RP1045: 2/20/2011 7:45:09 PM - System Checkpoint
RP1046: 2/21/2011 9:21:33 PM - System Checkpoint
RP1047: 2/23/2011 7:01:17 AM - System Checkpoint
RP1048: 2/24/2011 7:40:32 AM - System Checkpoint
RP1049: 2/25/2011 7:53:06 AM - System Checkpoint
RP1050: 2/26/2011 7:57:36 AM - System Checkpoint
RP1051: 2/27/2011 8:22:59 AM - System Checkpoint
RP1052: 2/28/2011 7:47:55 PM - System Checkpoint
RP1053: 3/2/2011 3:37:21 PM - System Checkpoint
RP1054: 3/3/2011 7:47:49 PM - System Checkpoint
RP1055: 3/4/2011 7:57:32 PM - System Checkpoint
RP1056: 3/5/2011 8:58:41 PM - System Checkpoint
RP1057: 3/6/2011 10:20:37 PM - System Checkpoint
RP1058: 3/7/2011 10:57:33 PM - System Checkpoint
RP1059: 3/8/2011 11:57:33 PM - System Checkpoint
RP1060: 3/10/2011 3:01:55 AM - Software Distribution Service 3.0
RP1061: 3/11/2011 4:04:25 AM - System Checkpoint
RP1062: 3/11/2011 7:28:38 AM - Installed Java(TM) 6 Update 24
RP1063: 3/12/2011 8:47:06 AM - System Checkpoint
RP1064: 3/13/2011 10:28:55 AM - System Checkpoint
RP1065: 3/14/2011 11:24:45 AM - System Checkpoint
RP1066: 3/15/2011 11:37:17 AM - System Checkpoint
RP1067: 3/16/2011 5:00:02 PM - Software Distribution Service 3.0
RP1068: 3/17/2011 5:10:57 PM - System Checkpoint
RP1069: 3/18/2011 7:02:55 PM - System Checkpoint
RP1070: 3/19/2011 8:56:32 PM - System Checkpoint
RP1071: 3/20/2011 10:26:06 PM - System Checkpoint
RP1072: 3/22/2011 7:42:18 AM - System Checkpoint
RP1073: 3/23/2011 4:38:07 PM - System Checkpoint
RP1074: 3/24/2011 3:00:47 AM - Software Distribution Service 3.0
RP1075: 3/25/2011 6:29:54 AM - System Checkpoint
RP1076: 3/26/2011 11:28:41 AM - System Checkpoint
RP1077: 3/27/2011 1:32:39 PM - System Checkpoint
RP1078: 3/28/2011 4:37:12 PM - System Checkpoint
RP1079: 3/28/2011 6:30:13 PM - Configured Linksys EasyLink Advisor
RP1080: 3/28/2011 6:37:26 PM - Removed Microsoft LifeChat
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop CS2
Adobe Reader 9.4.3
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
ArcSoft Print Creations
ArcSoft Print Creations - Album Page
ArcSoft Print Creations - Funhouse
ArcSoft Print Creations - Greeting Card
ArcSoft Print Creations - Photo Book
ArcSoft Print Creations - Photo Calendar
ArcSoft Print Creations - Scrapbook
ArcSoft Print Creations - Slimline Card
Bing Bar
Bonjour
CCScore
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Dell Photo AIO Printer 922
DivX Setup
Download Updater (AOL LLC)
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
getPlus(R)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB945060-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
iTunes
Java Auto Updater
Java(TM) 6 Update 24
Kodak EasyShare software
McAfee AntiVirus Plus
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft UI Engine
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Mozilla Firefox 4.0 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
netbrdg
NetZero HiSpeed (remove only)
NetZero Internet
OfotoXMI
PowerDVD 5.3
Primal Pictures Sports Injuries - The Shoulder
QuickTime
Security Task Manager 1.7h
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
SFR
SHASTA
skin0001
SKINXSDK
skiStunt
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoundMAX
staticcr
SwiftKit
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
Ventrilo Client
Viewpoint Media Player
VPRINTOL
WebEx Support Manager for Internet Explorer
WebFldrs XP
Windows Defender
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Messenger
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinPatrol 2007
WinRAR archiver
WIRELESS
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
3/28/2011 6:37:35 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
3/27/2011 7:26:35 PM, error: Service Control Manager [7000] - The McAfee SiteAdvisor Service service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================
 

·
Registered
Joined
·
1,383 Posts
Welcome to TSF :)

Download Combofix from this webpage: A guide and tutorial on using ComboFix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
 

·
Registered
Joined
·
32 Posts
Discussion Starter #3
Hi sjpritc25, thanks for responding to my plea for help!
Attached below is the combofix txt file.

Also my son swears there is a keylogger (?) on this machine because the last time he used it to play one of his on-line games his account got hijacked. Would combofix find that issue, too?



ComboFix 11-03-30.01 - Owner 03/30/2011 22:34:04.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.256 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\addon.dat
C:\Sys32.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-31 )))))))))))))))))))))))))))))))
.
.
2011-03-29 22:57 . 2011-03-29 22:58 -------- d-----w- c:\windows\system32\NtmsData
2011-03-27 23:47 . 2010-10-14 02:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-03-27 23:26 . 2010-10-14 02:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-03-27 18:24 . 2011-03-27 18:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-03-27 18:22 . 2011-03-27 18:22 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-11 12:30 . 2011-03-11 12:30 -------- d-----w- c:\program files\Common Files\Java
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-12 14:04 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-12 13:57 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 02:40 . 2010-04-26 02:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 00:19 . 2010-04-30 23:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2008-03-30 04:02 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-03-30 04:02 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-12 14:05 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-12 13:55 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-12 14:09 1854976 ----a-w- c:\windows\system32\win32k.sys
2011-03-18 17:53 . 2011-03-25 22:31 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-10-14 02:28 . 2011-03-27 23:47 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Microsoft Office Outlook"="c:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE" [2010-06-23 196440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2005-04-22 290816]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-27 316728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/26/2010 8:00 AM 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/27/2011 7:46 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [3/27/2011 7:46 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [3/27/2011 7:47 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/27/2011 7:26 PM 141792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/19/2008 7:32 PM 24652]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/26/2010 8:00 AM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/26/2010 8:00 AM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [8/26/2010 8:00 AM 88544]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/27/2011 7:46 PM 271480]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 7:44 PM 183560]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [8/26/2010 8:00 AM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/26/2010 8:00 AM 84264]
S4 0304501221201051mcinstcleanup;McAfee Application Installer Cleanup (0304501221201051);c:\windows\TEMP\030450~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\030450~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{41A3F6DF-FBC6-6449-1294-0FEE5ADEE1E8}]
2009-06-15 05:23 57689 ---h--w- c:\program files\SQL\SQL.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmaila.netzero.net/webmail/new/5?session_redirect=true&count=1253463191&ajaxSupported=2
uInternet Settings,ProxyOverride = 64.136.44.66;64.136.52.66;64.136.52.70;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;cf.netzero.net;qs.netzero.net;*.prod.untd.com;*.local;<local>
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
Trusted Zone: sythe.org\www
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\d6ilo5v8.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-Internet Explorer - c:\drvrtmp\WinXP\java.exe
HKLM-Run-WindowsUpdater - C:\Sys32.exe
HKLM_ActiveSetup-{01B200EF-5875-213F-3FD8-11DE3FC16F0C} - C:\Sys32.exe
AddRemove-Ski Stunt Simulator - e:\ski stunt simulator\Uninstall.EXE
AddRemove-SwiftKit - c:\documents and settings\Owner\My Documents\Nicks Documents\Uninstall.exe
AddRemove-{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - c:\program files\NOS\bin\getPlus_HelperSvc.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-03-30 22:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
WindowsUpdater = C:\Sys32.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,fe,76,cf,dc,89,2c,49,90,ef,02,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,fe,76,cf,dc,89,2c,49,90,ef,02,\
.
[HKEY_USERS\S-1-5-21-1801674531-813497703-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-30 23:06:23
ComboFix-quarantined-files.txt 2011-03-31 03:06
.
Pre-Run: 30,100,508,672 bytes free
Post-Run: 31,985,594,368 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 9CF3E074C366495A7BFA78F2809ACA2A
 

·
Registered
Joined
·
1,383 Posts
I'm curious why this port is open. Is this computer used to connect to your work or is it just strictly a home computer?
 

·
Registered
Joined
·
32 Posts
Discussion Starter #6
so you got me wondering how many ports. Here is list of those I found (attached bit map).

Question is which can I close?
 

Attachments

·
Registered
Joined
·
1,383 Posts
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code:
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"=-
Save this as CFScript.txt, in the same location as ComboFix.exe





Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
 

·
Registered
Joined
·
32 Posts
Discussion Starter #8
OK, I ran combofix.

While it was running I got an unusual message:

PEV.cfxxe- corrupt file
the file or directory C:\$Mft is corrupt and unreadable. Please run chkdsk utility.

Also WinPatrol
had this change (attached bitmap) It change it once and now wants to change back, so I refused.


ComboFix 11-04-02.03 - Owner 04/02/2011 22:07:19.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.127 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\drvrtmp
c:\drvrtmp\log.exe
c:\drvrtmp\WinXP\log.exe
c:\drvrtmp\WinXP\SystemRestore.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))
.
.
2011-04-01 04:32 . 2010-10-14 02:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-01 04:32 . 2010-10-14 02:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-01 04:32 . 2010-10-14 02:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-01 04:32 . 2010-10-14 02:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-01 04:32 . 2010-10-14 02:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-01 04:32 . 2010-10-14 02:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-01 04:32 . 2010-10-14 02:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-01 04:31 . 2011-04-01 04:31 -------- d-----w- c:\program files\McAfee.com
2011-04-01 04:31 . 2011-04-01 04:33 -------- d-----w- c:\windows\LastGood
2011-04-01 04:17 . 2010-10-14 02:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-01 03:51 . 2011-04-01 03:51 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee
2011-04-01 02:52 . 2010-10-14 02:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-03-29 22:57 . 2011-03-29 22:58 -------- d-----w- c:\windows\system32\NtmsData
2011-03-27 18:24 . 2011-03-27 18:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-03-27 18:22 . 2011-03-27 18:22 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-11 12:30 . 2011-03-11 12:30 -------- d-----w- c:\program files\Common Files\Java
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-12 14:04 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-12 13:57 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 02:40 . 2010-04-26 02:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 00:19 . 2010-04-30 23:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2008-03-30 04:02 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-03-30 04:02 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-12 14:05 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-12 13:55 290048 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Microsoft Office Outlook"="c:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE" [2010-06-23 196440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2005-04-22 290816]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-27 316728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/1/2011 12:32 AM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/1/2011 12:31 AM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/1/2011 12:31 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/1/2011 12:31 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/1/2011 12:32 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/1/2011 12:17 AM 141792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/19/2008 7:32 PM 24652]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/1/2011 12:32 AM 55840]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/31/2011 10:52 PM 88544]
S2 0170651301632388mcinstcleanup;McAfee Application Installer Cleanup (0170651301632388);c:\docume~1\Owner\LOCALS~1\Temp\017065~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\Owner\LOCALS~1\Temp\017065~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 7:44 PM 183560]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/1/2011 12:32 AM 313288]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/31/2011 10:52 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/1/2011 12:32 AM 84264]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MCAFEE_SITEADVISOR_SERVICE
*NewlyCreated* - MCMPFSVC
*NewlyCreated* - MCMSCSVC
*NewlyCreated* - MCNASVC
*NewlyCreated* - MCODS
*NewlyCreated* - MCPROXY
*NewlyCreated* - MSK80SERVICE
*Deregistered* - mfeapfk01
*Deregistered* - mfeavfk01
*Deregistered* - mfefirek01
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-04-02 c:\windows\Tasks\vtscheduletask.job
- c:\program files\McAfee\Supportability\MVT\MvtApp.exe [2011-04-01 18:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.netzero.net/?r=inbox
uInternet Settings,ProxyOverride = 64.136.44.66;64.136.52.66;64.136.52.70;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;cf.netzero.net;qs.netzero.net;*.prod.untd.com;*.local;<local>
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: sythe.org\www
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-02 22:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,fe,76,cf,dc,89,2c,49,90,ef,02,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,fe,76,cf,dc,89,2c,49,90,ef,02,\
.
[HKEY_USERS\S-1-5-21-1801674531-813497703-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-02 22:47:28
ComboFix-quarantined-files.txt 2011-04-03 02:47
ComboFix2.txt 2011-03-31 03:06
.
Pre-Run: 31,654,281,216 bytes free
Post-Run: 31,809,855,488 bytes free
.
- - End Of File - - 97DEA44DC4C4BD2D46A0B0500CAF084E
 

Attachments

·
Registered
Joined
·
32 Posts
Discussion Starter #10
i restarted machine and it went into chkdsk utility, seems to be OK. Warning message is gone.

Still keep getting the winpatrol message abot the dll file, so I keep refusing to accept change.
 

·
Registered
Joined
·
1,383 Posts
Before i send you away, I want to check another thing out.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code:
DirLook::
c:\program files\sql
Save this as CFScript.txt, in the same location as ComboFix.exe





Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
 

·
Registered
Joined
·
32 Posts
Discussion Starter #12
Sending me away sounds real encouraging.
What was wrong? And you had remarked on the number of ports, are they OK?

Here is log file.

ComboFix 11-04-03.02 - Owner 04/03/2011 23:30:41.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.318 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-04 to 2011-04-04 )))))))))))))))))))))))))))))))
.
.
2011-04-04 02:25 . 2011-04-04 02:25 -------- d-----w- c:\program files\Citrix
2011-04-04 02:24 . 2011-04-04 02:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Citrix
2011-04-01 04:32 . 2010-10-14 02:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-01 04:32 . 2010-10-14 02:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-01 04:32 . 2010-10-14 02:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-01 04:32 . 2010-10-14 02:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-01 04:32 . 2010-10-14 02:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-01 04:32 . 2010-10-14 02:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-01 04:32 . 2010-10-14 02:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-01 04:31 . 2011-04-01 04:31 -------- d-----w- c:\program files\McAfee.com
2011-04-01 04:17 . 2010-10-14 02:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-01 03:51 . 2011-04-01 03:51 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee
2011-04-01 02:52 . 2010-10-14 02:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-03-29 22:57 . 2011-03-29 22:58 -------- d-----w- c:\windows\system32\NtmsData
2011-03-27 18:24 . 2011-03-27 18:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-03-27 18:22 . 2011-03-27 18:22 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2011-03-12 16:28 . 2011-03-12 16:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-11 12:30 . 2011-03-11 12:30 -------- d-----w- c:\program files\Common Files\Java
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-12 14:04 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-12 13:57 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 02:40 . 2010-04-26 02:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 00:19 . 2010-04-30 23:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2008-03-30 04:02 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-03-30 04:02 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-12 14:05 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-12 13:55 290048 ----a-w- c:\windows\system32\atmfd.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\sql ----
.
2009-06-15 05:48 . 2011-04-03 02:08 1909336 ---ha-w- c:\program files\sql\klog.dat
2009-06-15 05:23 . 2009-06-15 05:23 57689 ---h--w- c:\program files\sql\SQL.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Office Outlook"="c:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE" [2010-06-23 196440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2005-04-22 290816]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-27 316728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/1/2011 12:32 AM 84072]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/1/2011 12:32 AM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/1/2011 12:32 AM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/31/2011 10:52 PM 88544]
S2 0170651301632388mcinstcleanup;McAfee Application Installer Cleanup (0170651301632388);c:\docume~1\Owner\LOCALS~1\Temp\017065~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\Owner\LOCALS~1\Temp\017065~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 7:44 PM 183560]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/31/2011 10:52 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/1/2011 12:32 AM 84264]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-04-03 c:\windows\Tasks\vtscheduletask.job
- c:\program files\McAfee\Supportability\MVT\MvtApp.exe [2011-04-01 18:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.netzero.net/?r=inbox
uInternet Settings,ProxyOverride = 64.136.44.66;64.136.52.66;64.136.52.70;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;cf.netzero.net;qs.netzero.net;*.prod.untd.com;*.local;<local>
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: sythe.org\www
.
- - - - ORPHANS REMOVED - - - -
.
Notify-GoToAssist - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-03 23:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,fe,76,cf,dc,89,2c,49,90,ef,02,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,fe,76,cf,dc,89,2c,49,90,ef,02,\
.
[HKEY_USERS\S-1-5-21-1801674531-813497703-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1000)
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
c:\windows\system32\cscui.dll
.
Completion time: 2011-04-04 00:07:51
ComboFix-quarantined-files.txt 2011-04-04 04:07
ComboFix2.txt 2011-04-03 02:47
ComboFix3.txt 2011-03-31 03:06
.
Pre-Run: 32,023,740,416 bytes free
Post-Run: 32,016,334,848 bytes free
.
- - End Of File - - 882EF6D7CA56DA63434EF73C013B8313
 

·
Registered
Joined
·
1,383 Posts
Open notepad and copy/paste the text in the codebox below into it:
Code:
 @echo off
for %%g in (
c:\program files\sql\SQL.exe
) do zip Files_for_submission %%g
del %0
Save this as grab.bat
Choose to "Save type as - All Files"
Save it on your desktop.

It should look like this:

Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop.

Please upload that file here --> Bleeping Computer - Computer Help and Discussion
 

·
Registered
Joined
·
32 Posts
Discussion Starter #14
Thanks. Created file, double clicked gear icon, it flashed on screen, then went away and did not create the .zip file.
What ever you did seems to have fixed my issues. THANKS!
I just was hoping to find out what was wrong to stop it from happening again. I did set today as a new restore point.
 

·
Registered
Joined
·
1,383 Posts
can you follow the instructins and just upload this file

c:\program files\sql\SQL.exe to my channel thanks
 

·
Registered
Joined
·
1,383 Posts
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code:
Folder::
c:\program files\sql
Save this as CFScript.txt, in the same location as ComboFix.exe





Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



================================

We need to make sure nothing else is hiding.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • [*]Spyware, adware, dialers, and other riskware
      [*]Archives
      [*]E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.



  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply
 

·
Registered
Joined
·
32 Posts
Discussion Starter #18
Hi,
Here is combofix log:

ComboFix 11-04-11.01 - Owner 04/11/2011 16:43:18.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.267 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\restore 04APR11\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\sql
c:\program files\sql\klog.dat
c:\program files\sql\SQL.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-11 to 2011-04-11 )))))))))))))))))))))))))))))))
.
.
2011-04-04 02:25 . 2011-04-04 02:25 -------- d-----w- c:\program files\Citrix
2011-04-04 02:24 . 2011-04-04 02:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Citrix
2011-04-01 04:32 . 2010-10-14 02:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-01 04:32 . 2010-10-14 02:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-01 04:32 . 2010-10-14 02:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-01 04:32 . 2010-10-14 02:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-01 04:32 . 2010-10-14 02:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-01 04:32 . 2010-10-14 02:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-01 04:32 . 2010-10-14 02:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-01 04:31 . 2011-04-01 04:31 -------- d-----w- c:\program files\McAfee.com
2011-04-01 04:17 . 2010-10-14 02:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-01 03:51 . 2011-04-01 03:51 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee
2011-04-01 02:52 . 2010-10-14 02:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-03-29 22:57 . 2011-03-29 22:58 -------- d-----w- c:\windows\system32\NtmsData
2011-03-27 18:24 . 2011-03-27 18:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-03-27 18:22 . 2011-03-27 18:22 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-12 14:04 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-12 13:57 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 02:40 . 2010-04-26 02:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 00:19 . 2010-04-30 23:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2008-03-30 04:02 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-03-30 04:02 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-12 14:05 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Office Outlook"="c:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE" [2010-06-23 196440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2005-04-22 290816]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-27 316728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/1/2011 12:32 AM 84072]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/1/2011 12:32 AM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/1/2011 12:32 AM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/31/2011 10:52 PM 88544]
S2 0170651301632388mcinstcleanup;McAfee Application Installer Cleanup (0170651301632388);c:\docume~1\Owner\LOCALS~1\Temp\017065~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\Owner\LOCALS~1\Temp\017065~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 7:44 PM 183560]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/31/2011 10:52 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/1/2011 12:32 AM 84264]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-04-11 c:\windows\Tasks\vtscheduletask.job
- c:\program files\McAfee\Supportability\MVT\MvtApp.exe [2011-04-01 18:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.netzero.net/?r=inbox
uInternet Settings,ProxyOverride = 64.136.44.66;64.136.52.66;64.136.52.70;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;cf.netzero.net;qs.netzero.net;*.prod.untd.com;*.local;<local>
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: sythe.org\www
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-11 17:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,fe,76,cf,dc,89,2c,49,90,ef,02,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,fe,76,cf,dc,89,2c,49,90,ef,02,\
.
[HKEY_USERS\S-1-5-21-1801674531-813497703-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-11 17:12:40
ComboFix-quarantined-files.txt 2011-04-11 21:12
ComboFix2.txt 2011-04-04 04:07
ComboFix3.txt 2011-04-03 02:47
ComboFix4.txt 2011-03-31 03:06
.
Pre-Run: 31,730,069,504 bytes free
Post-Run: 31,704,010,752 bytes free
.
- - End Of File - - 0919836E7CE215295C3980467E6ED881


But, when I tried to run Kaspersky on-line scan I get the attached fail message.

Mcafee real time scanning is off, firewall is off and winpatrol is off.
 

Attachments

·
Registered
Joined
·
1,383 Posts
Give this one a try instead.

Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
 

·
Registered
Joined
·
32 Posts
Discussion Starter #20
Hi I tried to post my reply 2-times. I must be doing something wrong...
The computer is performing much better, not hanging up.

Here is ESTE log:

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=e39c67acab68a84cb632eb31ff544220
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-05-07 03:27:27
# local_time=2011-05-06 11:27:27 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16777189 100 75 2174370 17308867 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=176204
# found=9
# cleaned=0
# scan_time=10315
C:\Qoobox\Quarantine\C\Sys32.exe.vir a variant of Win32/Injector.QY trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\drvrtmp\WinXP\SystemRestore.exe.vir a variant of Win32/Injector.FRA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\SQL\SQL.exe.vir a variant of Win32/Injector.FRA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{5E5A8793-6C7B-440C-AC4F-5C542CAA83E7}\RP1081\A0087973.exe a variant of Win32/Injector.FRA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{5E5A8793-6C7B-440C-AC4F-5C542CAA83E7}\RP1081\A0087990.exe a variant of Win32/Injector.QY trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{5E5A8793-6C7B-440C-AC4F-5C542CAA83E7}\RP1084\A0091805.exe a variant of Win32/Injector.FRA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{5E5A8793-6C7B-440C-AC4F-5C542CAA83E7}\RP1084\A0091825.exe a variant of Win32/Injector.FRA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{5E5A8793-6C7B-440C-AC4F-5C542CAA83E7}\RP1088\A0093492.exe a variant of Win32/Injector.FRA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{5E5A8793-6C7B-440C-AC4F-5C542CAA83E7}\RP1092\A0093723.exe a variant of Win32/Injector.FRA trojan (unable to clean) 00000000000000000000000000000000 I
 
1 - 20 of 21 Posts
Status
Not open for further replies.
Top