Solved: please please help

needheeelp's Avatar
Computer Specs
Junior Member with 24 posts.
 
Join Date: Aug 2006
Experience: Beginner
06-Nov-2009, 03:24 PM #1
please please help
With whatever kinda malware, virus or whatever. It killed Ad-Aware and McAfee. CPU runs at 100% most of the time now when before it was minimal. Can't browse the internet at all. Just keep getting redirected to ad sites etc... Also I tried to install and run a HijackThis log and that doesn't work either. Also system restore won't work. Please help. Thanks
needheeelp's Avatar
Computer Specs
Junior Member with 24 posts.
 
Join Date: Aug 2006
Experience: Beginner
09-Nov-2009, 10:49 PM #2
Can no one help with this? Please!!!!!!!!!!!!!!!! Also a.exe, whatever it is, now runs in the background. This is the third time I have tried for help on this forum with no help. Please help me.
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
10-Nov-2009, 02:25 AM #3
Hello there, welcome to the Tech Support Guy forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:

  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Step 1

Download OTS to your Desktop


  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.


Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (The Drop's URL will be similar to : http:://drop.io/daerk)

Step 2

Download RootRepeal from one of the following locations and save it to your desktop:
Link 1
Link 2
Link 3
  • Double click to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT

  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program


If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
needheeelp's Avatar
Computer Specs
Junior Member with 24 posts.
 
Join Date: Aug 2006
Experience: Beginner
13-Nov-2009, 11:11 AM #4
OK, I did what you asked (thanks for helping, by the way). Neither worked. It did the same thing that HijackThis did. As soon as it started it just shut down and closed itself.
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
13-Nov-2009, 03:17 PM #5
Alright. Let's see if we can find out what it is that's causing that. Please do the following:

Please download Win32kDiag from one of the links below and save it to your desktop.

Link 1
Link 2
Link 3


  1. Double-click on Win32kDiag.exe to run it. If you are using Windows Vista, please right-click and select Run As Administrator.
  2. A black command prompt window shall appear.
  3. It will now begin to scan. This may take a while, please be patient until the scan is complete.
  4. Once it's done, in the black screen it will say "Finished! Press any key to exit...". Press any key to exit.
  5. A log file called Win32kDiag.txt will be created on your desktop.
  6. Please copy and paste the contents of that log file here in your next reply.
needheeelp's Avatar
Computer Specs
Junior Member with 24 posts.
 
Join Date: Aug 2006
Experience: Beginner
13-Nov-2009, 11:04 PM #6
I am running Win XP SP3.
Here is the Win32kDiag.txt
needheeelp's Avatar
Computer Specs
Junior Member with 24 posts.
 
Join Date: Aug 2006
Experience: Beginner
13-Nov-2009, 11:26 PM #7
After running that, I now also have some antimalware crap down in the taskbar on the right-hand side that keeps telling me I have problems, and it tries to install some antimalware scanner crap and keeps doing it even when I say no, with constant popups.
My desktop is black and the computer will barely boot up. No icons. All since I ran Win32kDiag; it may just be a coincidence, but it may help, which is why I am letting you know.

Last edited by needheeelp; 13-Nov-2009 at 11:45 PM..
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
13-Nov-2009, 11:47 PM #8
Good. I know where the baddie is now. Please do the following:

STEP 1

Please delete your version of Win32kDiag.exe (along with the old Win32kDiag.txt file that was created) and redownload it from HERE

Make sure win32kdiag.exe is on your Desktop. Click on Start -> Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. (If you use Vista just paste it into the text box that appears next to your start button.)

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

STEP 2



NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop



  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.



**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. An increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
needheeelp's Avatar
Computer Specs
Junior Member with 24 posts.
 
Join Date: Aug 2006
Experience: Beginner
14-Nov-2009, 11:48 AM #9
Here is the Win32kDiag.txt. Just curious: what is a mount point?

Running from: C:\Documents and Settings\Jason Hamilton\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Jason Hamilton\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB942840\KB942840

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB942840\KB942840

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB969947\KB969947

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB969947\KB969947

Found mount point : C:\WINDOWS\$hf_mig$\KB976749-IE8\KB976749-IE8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB976749-IE8\KB976749-IE8

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ERDNT\ERDNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ERDNT\ERDNT

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\18555481990E8AB4CBB63FB4F26006C0\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\18555481990E8AB4CBB63FB4F26006C0\1.0.0\1.0.0

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\29851d78a712dd32528f7e769a84edaa\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\29851d78a712dd32528f7e769a84edaa\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\42bdf2dd6f3cb2280ad31b41b6c04cff\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\42bdf2dd6f3cb2280ad31b41b6c04cff\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\backup\backup

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\8f999a6add48b449a8ea8c09fb44cb0c\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\8f999a6add48b449a8ea8c09fb44cb0c\update\update.exe

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b4a99ee77ab6fc9b948ad07f463a379f\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b4a99ee77ab6fc9b948ad07f463a379f\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\backup\backup

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\update\update.exe

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 01:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 18:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 18:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 18:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Found mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Found mount point : C:\WINDOWS\twain_32\Lexmark\X125\X125

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\twain_32\Lexmark\X125\X125

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!

Last edited by needheeelp; 14-Nov-2009 at 12:44 PM..
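
A way to triage a Win32kDiag log like the one posted above, as an added example that is not part of the original thread: a mount point redirects a folder to another location, normally a drive or volume, so the script flags every mount point whose destination is anything else, and also lists same-named files whose copy carries no vendor string and matches the size of no vendor-labelled copy. The sample lines are constructed in the shape of the posted log (the `C:\WINDOWS\example\linked` entry is hypothetical), and the `\??\` target rule is an assumption about ordinary junction targets.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the Win32kDiag log above. The
# C:\WINDOWS\example\linked entry is hypothetical and shows an ordinary target.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor
Found mount point : C:\WINDOWS\example\linked
Mount point destination : \??\D:\data
Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 01:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 18:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 18:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 18:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
"""

MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(.+)$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+)$")
DENIED_RE = re.compile(r"^Cannot access:\s*(.+)$")
# "[n] date time size path (vendor)"; the vendor may be empty: "()".
FILE_RE = re.compile(
    r"^\[\d+\]\s+\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(\d+)\s+(.+)\s+\(([^()]*)\)$"
)
# Assumption: an ordinary junction or volume mount point targets a drive
# letter path or a Volume{GUID} name under the \??\ prefix.
EXPECTED_TARGET_RE = re.compile(r"^\\\?\?\\(?:[A-Za-z]:\\|Volume\{[0-9A-Fa-f-]+\})")


def parse_log(text):
    """Return (mounts, denied, files) parsed from Win32kDiag-style text."""
    mounts, denied, files = [], [], []
    pending = None  # mount point path waiting for its destination line
    for raw in text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            pending = m.group(1)
        elif (m := DEST_RE.match(line)) and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
        elif m := DENIED_RE.match(line):
            denied.append(m.group(1))
        elif m := FILE_RE.match(line):
            files.append((m.group(2), int(m.group(1)), m.group(3).strip()))
    return mounts, denied, files


def unlabelled_copies(files):
    """Copies with no vendor string whose size matches no labelled copy of that name."""
    by_name = defaultdict(list)
    for path, size, vendor in files:
        by_name[ntpath.basename(path).lower()].append((path, size, vendor))
    odd = []
    for copies in by_name.values():
        labelled_sizes = {size for _, size, vendor in copies if vendor}
        for path, size, vendor in copies:
            if not vendor and labelled_sizes and size not in labelled_sizes:
                odd.append((path, size))
    return odd


def triage(text):
    """Summarise the findings a helper would look for in the log."""
    mounts, denied, files = parse_log(text)
    return {
        "destinations": Counter(dest for _, dest in mounts),
        # Destination is not a drive or volume path.
        "suspicious_mounts": [p for p, d in mounts if not EXPECTED_TARGET_RE.match(d)],
        # Leaf folder repeats its parent's name, as in ...\addins\addins.
        "self_named": [
            p for p, _ in mounts
            if ntpath.basename(p).lower() == ntpath.basename(ntpath.dirname(p)).lower()
        ],
        "denied": denied,
        "odd_files": unlabelled_copies(files),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for dest, count in report["destinations"].most_common():
        print(f"{count:3d} mount point(s) -> {dest}")
    for path in report["suspicious_mounts"]:
        print("unexpected destination:", path)
    for path in report["denied"]:
        print("access denied:", path)
    for path, size in report["odd_files"]:
        print(f"no vendor string, size {size} matches no labelled copy: {path}")
```
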
needheeelp's Avatar
Computer Specs
Junior Member with 24 posts.
 
Join Date: Aug 2006
Experience: Beginner
14-Nov-2009, 12:43 PM #10
Here is the ComboFix log.
ComboFix 09-11-14.03 - Jason Hamilton 11/14/2009 10:11.4.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.674 [GMT -6:00]
Running from: c:\documents and settings\Jason Hamilton\Desktop\ComboFix.exe
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\87520123
c:\documents and settings\All Users\Application Data\87520123\87520123.exe
c:\documents and settings\Jason Hamilton\Desktop\Security Tool.lnk
c:\documents and settings\Jason Hamilton\Local Settings\Application Data\prnhel
c:\documents and settings\Jason Hamilton\Local Settings\Application Data\prnhel\ncwssysguard.exe
c:\documents and settings\Jason Hamilton\ntuser.dll
c:\documents and settings\Jason Hamilton\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\Jason Hamilton\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Jason Hamilton\Start Menu\Programs\Startup\scandisk.lnk
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\msa.exe
c:\windows\msb.exe
c:\windows\system32\__c0033110.dat
c:\windows\system32\__c0042FDE.exe
c:\windows\system32\__c007B710.exe
c:\windows\system32\__c00ACEB5.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\calc.dll
c:\windows\system32\drivers\ESQULrvasqodovyqjyvdbabiqwvwudomtxmim.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\ESQULlklgnmlmqorsqjaenkvwgwkejkxsrgte.dll
c:\windows\system32\ESQULqboruypswoitehwkxuiqhosqppxrtryy.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\n2dop.dll
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Legacy_ESQULserv.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-14 15:50 . 2009-11-14 15:50 76263 ----a-w- c:\documents and settings\Jason Hamilton\Application Data\CC\uninstall.exe
2009-11-14 15:50 . 2009-11-14 15:50 -------- d-----w- c:\documents and settings\Jason Hamilton\Application Data\CC
2009-11-14 14:26 . 2009-11-14 14:26 2015744 ----a-w- c:\documents and settings\Jason Hamilton\Application Data\CC\cc.exe
2009-11-14 03:22 . 2009-11-14 03:22 2198 ----a-w- C:\cIbQ9u.bat
2009-11-14 03:22 . 2009-11-14 03:22 -------- d-----w- C:\SafetyCenter
2009-11-14 03:22 . 2009-11-14 03:22 986624 ----a-w- c:\documents and settings\Jason Hamilton\temp.exe
2009-11-14 03:11 . 2009-11-14 03:11 7680 ----a-w- C:\excbx.exe
2009-11-14 03:11 . 2009-11-14 03:11 52224 ----a-w- C:\qwshv.exe
2009-11-14 03:11 . 2009-11-14 03:11 52736 ----a-w- C:\aywdthl.exe
2009-11-14 03:11 . 2009-11-14 03:11 23040 ----a-w- C:\hkkyaekg.exe
2009-11-14 03:11 . 2009-11-14 03:11 40960 ----a-w- C:\kewwr.exe
2009-11-14 03:11 . 2009-11-14 03:11 32768 ----a-w- C:\aruxss.exe
2009-11-13 14:55 . 2009-11-13 14:55 -------- d-----w- c:\documents and settings\Guest\Application Data\Creative
2009-11-12 23:18 . 2009-11-12 23:18 550912 ----a-w- c:\documents and settings\Jason Hamilton\Application Data\CC\agent.exe
2009-11-10 01:28 . 2003-03-16 05:15 90112 ----a-w- c:\windows\unvise32.exe
2009-11-10 01:19 . 2009-11-10 01:19 -------- d-----w- c:\program files\DreamCatcher
2009-11-10 00:47 . 2009-09-30 18:11 288096 ----a-r- c:\documents and settings\Jason Hamilton\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-11-10 00:46 . 2009-11-10 00:46 -------- d-----w- c:\documents and settings\Jason Hamilton\Application Data\McAfee
2009-11-10 00:37 . 2009-07-16 18:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-11-10 00:36 . 2009-11-10 01:07 -------- d-----w- c:\program files\Common Files\McAfee
2009-11-10 00:36 . 2009-11-10 01:08 -------- d-----w- c:\program files\McAfee
2009-11-06 23:51 . 2009-11-06 23:51 -------- d-----w- C:\users
2009-11-06 19:20 . 2009-11-06 19:20 -------- d-----w- c:\program files\Trend Micro
2009-11-06 19:10 . 2009-11-06 19:10 -------- d-----w- c:\temp\temp1
2009-10-28 00:59 . 2009-11-14 15:36 0 ----a-r- c:\windows\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 16:27 . 2008-02-11 01:14 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2009-11-14 16:27 . 2008-02-11 01:14 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2009-11-14 03:30 . 2008-09-06 02:15 -------- d-----w- c:\program files\Google
2009-11-11 20:43 . 2008-06-28 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-10 02:46 . 2008-02-11 00:56 -------- d-----w- c:\program files\Steam
2009-11-10 01:14 . 2008-01-17 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-10 01:07 . 2008-01-17 01:01 -------- d-----w- c:\program files\McAfee.com
2009-11-10 00:29 . 2008-01-17 05:49 -------- d-----w- c:\program files\Full Tilt Poker
2009-11-06 23:49 . 2009-02-02 00:54 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-03 21:39 . 2009-01-19 05:43 268 ----a-w- c:\documents and settings\Guest\Application Data\LMCPaper.dat
2009-11-03 21:39 . 2009-01-19 05:43 3932 ----a-w- c:\documents and settings\Guest\Application Data\LMLayout.dat
2009-10-08 23:34 . 2008-07-20 03:12 -------- d-----w- c:\documents and settings\Jason Hamilton\Application Data\uTorrent
2009-09-30 04:10 . 2009-09-30 04:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2009-09-16 16:22 . 2009-01-09 17:03 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2009-03-23 02:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2009-03-23 02:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2009-03-23 02:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2009-03-23 02:46 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 06:31 . 2008-02-10 17:45 139152 ----a-w- c:\documents and settings\Jason Hamilton\Application Data\PnkBstrK.sys
2009-08-26 06:31 . 2008-02-10 17:45 139152 ----a-w- c:\documents and settings\Jason Hamilton\Application Data\PnkBstrK.sys
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-16 23:19 . 2009-08-16 23:19 30976 ----a-w- c:\documents and settings\Administrator.JASON.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-10-11 08:04 . 2008-03-29 04:53 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 . 2008-03-29 04:53 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2008-03-29 04:53 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2008-03-29 04:53 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2008-03-29 04:53 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-03-10 2356088]
"agent.exe"="c:\documents and settings\Jason Hamilton\Application Data\CC\agent.exe" [2009-11-12 550912]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2007-10-26 509224]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]
"2wSysTray"="c:\program files\2Wire\2PortalMon.exe" [2003-10-10 393216]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-29 185896]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SafetyCenter"="c:\safetycenter\start.exe" [2009-11-14 986624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lexmark X125 Settings Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lexmark X125 Settings Utility.lnk
backup=c:\windows\pss\Lexmark X125 Settings Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\LMpdpsrv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Wolfenstein\\MP\\Wolf2MP.exe"=
"c:\\Program Files\\Activision\\Wolfenstein\\MP\\Wolf2MPLite.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [7/30/2008 1:23 PM 161064]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/9/2009 7:08 PM 210216]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - IPVNMon
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-10 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-10 18:22]

2009-11-10 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-10 18:22]

2009-11-14 c:\windows\Tasks\User_Feed_Synchronization-{EE6CD336-72FB-4DCD-B07C-A0B50F4C1A6E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Jason Hamilton\Application Data\Mozilla\Firefox\Profiles\a2iz3tl2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AntiMalware - c:\program files\AntiMalware\antimalware.exe
HKCU-Run-ohtxtdws - c:\documents and settings\Jason Hamilton\Local Settings\Application Data\prnhel\ncwssysguard.exe
HKLM-Run-87520123 - c:\docume~1\ALLUSE~1\APPLIC~1\87520123\87520123.exe
HKLM-Run-ohtxtdws - c:\documents and settings\Jason Hamilton\Local Settings\Application Data\prnhel\ncwssysguard.exe
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-14 10:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-1993962763-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ef,e2,af,54,99,43,f2,f6,17,8e,68,63,ed,dd,2a,c2,cc,28,91,40,50,05, 8c,
0e,37,2b,31,3e,d1,e4,f4,ab,6a,7f,6c,35,5f,26,2e,97,8c,5e,b2,4e,72,5e,47,7c, \
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-220523388-1993962763-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:c0,3b,33,a8,74,15,a3,3a,e4,11,cb,89,db,76,18,69,ad,ca,12,ab, 5a,
1c,6a,09,2b,52,12,33,22,60,a9,b4,1b,ca,d7,c4,3e,33,19,86,c8,f8,c6,52,11,65, \
"rkeysecu"=hex:36,8c,3a,cc,33,d9,c8,01,33,38,cc,dc,33,c6,b7,94
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WLDAP32.dll

- - - - - - - > 'explorer.exe'(2344)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\System32\MsPMSPSv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\progra~1\Yahoo!\YOP\SSDK02.exe
.
**************************************************************************
.
Completion time: 2009-11-14 10:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-14 16:33
ComboFix2.txt 2009-03-26 01:12

Pre-Run: 162,429,833,216 bytes free
Post-Run: 163,399,847,936 bytes free

- - End Of File - - 2F23C7EF571F38B0348075B6CBE89C65
needheeelp's Avatar
Computer Specs
Junior Member with 24 posts.
 
Join Date: Aug 2006
Experience: Beginner
14-Nov-2009, 01:12 PM #11
McAfee virus scan works again. When I put ComboFix on, another icon (green circle with check mark called control center) appeared at the same time. Doesn't seem to be part of ComboFix, but what do I know.

Last edited by needheeelp; 14-Nov-2009 at 02:46 PM.
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
14-Nov-2009, 04:25 PM #12
You did good. Mountpoints are also known as Junctions. It's a way of making folders and files so that they point to somewhere else on a system, kind of like a shortcut, only these are hardcoded into the hard drive. This particular infection you had uses these to detect when something is scanning and disables it when it does. Removing the mountpoints disabled the infection, which allowed us to run a scanner.

Let's continue:

1. Close any open programs before running the fix.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

Code:
File::
c:\documents and settings\Jason Hamilton\Application Data\CC\uninstall.exe
c:\documents and settings\Jason Hamilton\Application Data\CC\cc.exe
C:\cIbQ9u.bat
c:\documents and settings\Jason Hamilton\temp.exe
C:\excbx.exe
C:\qwshv.exe
C:\aywdthl.exe
C:\hkkyaekg.exe
C:\kewwr.exe
C:\aruxss.exe
c:\documents and settings\Jason Hamilton\Application Data\CC\agent.exe
c:\windows\unvise32.exe
c:\windows\win32k.sys

Folder::
c:\documents and settings\Jason Hamilton\Application Data\CC
C:\SafetyCenter
c:\temp\temp1

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"agent.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SafetyCenter"=-

KillAll::

NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
needheeelp's Avatar
Computer Specs
Junior Member with 24 posts.
 
Join Date: Aug 2006
Experience: Beginner
14-Nov-2009, 09:39 PM #13
Here is the new ComboFix

ComboFix 09-11-14.03 - Jason Hamilton 11/14/2009 19:15.5.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.558 [GMT -6:00]
Running from: c:\documents and settings\Jason Hamilton\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jason Hamilton\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"C:\aruxss.exe"
"C:\aywdthl.exe"
"C:\cIbQ9u.bat"
"c:\documents and settings\Jason Hamilton\Application Data\CC\agent.exe"
"c:\documents and settings\Jason Hamilton\Application Data\CC\cc.exe"
"c:\documents and settings\Jason Hamilton\Application Data\CC\uninstall.exe"
"c:\documents and settings\Jason Hamilton\temp.exe"
"C:\excbx.exe"
"C:\hkkyaekg.exe"
"C:\kewwr.exe"
"C:\qwshv.exe"
"c:\windows\unvise32.exe"
"c:\windows\win32k.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jason Hamilton\Application Data\CC
c:\documents and settings\Jason Hamilton\Application Data\CC\cc.exe
c:\documents and settings\Jason Hamilton\Application Data\CC\faq\guide.html
c:\documents and settings\Jason Hamilton\Application Data\CC\faq\images\05.png
c:\documents and settings\Jason Hamilton\Application Data\CC\faq\images\06.png
c:\documents and settings\Jason Hamilton\Application Data\CC\faq\images\07.png
c:\documents and settings\Jason Hamilton\Application Data\CC\faq\images\08.png
c:\documents and settings\Jason Hamilton\Application Data\CC\faq\images\09.png
c:\documents and settings\Jason Hamilton\Application Data\CC\faq\images\10.png
c:\documents and settings\Jason Hamilton\Application Data\CC\settings.ini
c:\documents and settings\Jason Hamilton\Application Data\CC\uninstall.exe
c:\documents and settings\Jason Hamilton\temp.exe
C:\excbx.exe
C:\hkkyaekg.exe
C:\kewwr.exe
C:\SafetyCenter
c:\safetycenter\main.ico
c:\safetycenter\new.exe
c:\safetycenter\protector.exe
c:\safetycenter\sound.wav
c:\safetycenter\uninstall.exe
c:\temp\temp1
c:\windows\unvise32.exe
c:\windows\win32k.sys

.
((((((((((((((((((((((((( Files Created from 2009-10-15 to 2009-11-15 )))))))))))))))))))))))))))))))
.

2009-11-13 14:55 . 2009-11-13 14:55 -------- d-----w- c:\documents and settings\Guest\Application Data\Creative
2009-11-10 01:19 . 2009-11-10 01:19 -------- d-----w- c:\program files\DreamCatcher
2009-11-10 00:47 . 2009-09-30 18:11 288096 ----a-r- c:\documents and settings\Jason Hamilton\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-11-10 00:46 . 2009-11-10 00:46 -------- d-----w- c:\documents and settings\Jason Hamilton\Application Data\McAfee
2009-11-10 00:37 . 2009-07-16 18:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-11-10 00:36 . 2009-11-14 17:02 -------- d-----w- c:\program files\Common Files\McAfee
2009-11-10 00:36 . 2009-11-14 17:05 -------- d-----w- c:\program files\McAfee
2009-11-06 23:51 . 2009-11-06 23:51 -------- d-----w- C:\users
2009-11-06 19:20 . 2009-11-06 19:20 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 01:26 . 2008-02-11 01:14 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2009-11-15 01:26 . 2008-02-11 01:14 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2009-11-14 17:06 . 2008-01-17 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-14 17:02 . 2008-01-17 01:01 -------- d-----w- c:\program files\McAfee.com
2009-11-14 03:30 . 2008-09-06 02:15 -------- d-----w- c:\program files\Google
2009-11-11 20:43 . 2008-06-28 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-10 02:46 . 2008-02-11 00:56 -------- d-----w- c:\program files\Steam
2009-11-10 00:29 . 2008-01-17 05:49 -------- d-----w- c:\program files\Full Tilt Poker
2009-11-06 23:49 . 2009-02-02 00:54 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-03 21:39 . 2009-01-19 05:43 268 ----a-w- c:\documents and settings\Guest\Application Data\LMCPaper.dat
2009-11-03 21:39 . 2009-01-19 05:43 3932 ----a-w- c:\documents and settings\Guest\Application Data\LMLayout.dat
2009-10-08 23:34 . 2008-07-20 03:12 -------- d-----w- c:\documents and settings\Jason Hamilton\Application Data\uTorrent
2009-09-30 04:10 . 2009-09-30 04:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2009-09-16 16:22 . 2009-03-23 02:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 16:22 . 2009-03-23 02:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 16:22 . 2009-03-23 02:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 16:22 . 2009-01-09 17:03 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2009-03-23 02:46 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-06-23 17:33 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 06:31 . 2008-02-10 17:45 139152 ----a-w- c:\documents and settings\Jason Hamilton\Application Data\PnkBstrK.sys
2009-08-26 06:31 . 2008-02-10 17:45 139152 ----a-w- c:\documents and settings\Jason Hamilton\Application Data\PnkBstrK.sys
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2006-10-11 08:04 . 2008-03-29 04:53 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 . 2008-03-29 04:53 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2008-03-29 04:53 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2008-03-29 04:53 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2008-03-29 04:53 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-14_16.28.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-15 01:27 . 2009-11-15 01:27 16384 c:\windows\Temp\Perflib_Perfdata_7ec.dat
+ 2009-11-15 01:08 . 2009-11-15 01:10 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-17 00:25 . 2009-11-14 15:55 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-17 00:25 . 2009-11-15 01:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-15 01:08 . 2009-11-15 01:10 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-01-17 00:25 . 2009-11-14 15:55 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-14 17:38 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-14 17:38 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2003-07-16 20:51 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
+ 2006-06-30 16:28 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll
- 2008-01-16 18:00 . 2009-06-10 18:50 1458136 c:\windows\system32\FNTCACHE.DAT
+ 2008-01-16 18:00 . 2009-11-14 18:41 1458136 c:\windows\system32\FNTCACHE.DAT
+ 2008-10-16 04:27 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
+ 2007-10-30 10:16 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll
+ 2009-11-14 17:38 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-03-10 2356088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2007-10-26 509224]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]
"2wSysTray"="c:\program files\2Wire\2PortalMon.exe" [2003-10-10 393216]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-29 185896]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lexmark X125 Settings Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lexmark X125 Settings Utility.lnk
backup=c:\windows\pss\Lexmark X125 Settings Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\LMpdpsrv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Wolfenstein\\MP\\Wolf2MP.exe"=
"c:\\Program Files\\Activision\\Wolfenstein\\MP\\Wolf2MPLite.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [7/30/2008 1:23 PM 161064]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/14/2009 11:05 AM 203280]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-14 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-14 18:22]

2009-11-14 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-14 18:22]

2009-11-15 c:\windows\Tasks\User_Feed_Synchronization-{EE6CD336-72FB-4DCD-B07C-A0B50F4C1A6E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Jason Hamilton\Application Data\Mozilla\Firefox\Profiles\a2iz3tl2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Control center - c:\documents and settings\Jason Hamilton\Application Data\CC\uninstall.exe
AddRemove-Painkiller - c:\windows\unvise32.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-14 19:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-1993962763-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ef,e2,af,54,99,43,f2,f6,17,8e,68,63,ed,dd,2a,c2,cc,28,91,40,50,05, 8c,
0e,37,2b,31,3e,d1,e4,f4,ab,6a,7f,6c,35,5f,26,2e,97,8c,5e,b2,4e,72,5e,47,7c, \
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-220523388-1993962763-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:39,15,e1,e9,9d,5b,cb,c2,4e,6f,74,09,ef,d7,6f,0d,55,ce,d4,8f, dd,
fc,0f,59,9e,63,f7,1c,ce,3f,76,6d,cb,6b,18,5c,9f,7c,93,cf,a3,52,e8,20,11,bc, \
"rkeysecu"=hex:c3,e4,81,1f,94,39,6f,ca,77,25,26,71,5a,34,14,9e
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1112)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\System32\MsPMSPSv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\progra~1\Yahoo!\YOP\SSDK02.exe
.
**************************************************************************
.
Completion time: 2009-11-14 19:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-15 01:36
ComboFix2.txt 2009-11-14 16:33
ComboFix3.txt 2009-03-26 01:12

Pre-Run: 163,263,406,080 bytes free
Post-Run: 163,242,512,384 bytes free

- - End Of File - - 32F4797448C2678EA13A7FC61EFA6598
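
The Run/RunOnce comparison between the two ComboFix logs above can be done mechanically. The following is an added example, not part of the thread and not ComboFix's own code: it parses the "Reg Loading Points" entries, flags autoruns whose target lies outside the Program Files and Windows directories (a triage heuristic assumed here, not a verdict), and checks that the flagged entries are gone after the CFScript run. The log excerpts are copied from the two logs in this thread; the function names are hypothetical.

```python
import re

# Excerpts of the Run/RunOnce entries from the first (before) and
# second (after) ComboFix logs posted in this thread.
LOG_BEFORE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-03-10 2356088]
"agent.exe"="c:\documents and settings\Jason Hamilton\Application Data\CC\agent.exe" [2009-11-12 550912]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2007-10-26 509224]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SafetyCenter"="c:\safetycenter\start.exe" [2009-11-14 986624]
'''

LOG_AFTER = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-03-10 2356088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2007-10-26 509224]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
RUN_KEY_RE = re.compile(r'\\run(once)?$', re.IGNORECASE)

# Assumption for this example: autoruns installed by ordinary software
# live under these directories; anything else is flagged for review.
TRUSTED_PREFIXES = (
    'c:\\program files\\',
    'c:\\progra~1\\',   # 8.3 short name for Program Files
    'c:\\windows\\',
)


def parse_autoruns(log_text):
    """Return {(registry key, value name): target path} for Run/RunOnce keys."""
    entries = {}
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key').lower()
            continue
        m = VAL_RE.match(line)
        # Only values under a ...\Run or ...\RunOnce key count as autoruns.
        if m and key and RUN_KEY_RE.search(key):
            entries[(key, m.group('name'))] = m.group('path').lower()
    return entries


def is_suspicious(path):
    """Flag targets outside the trusted install directories."""
    return not path.lower().startswith(TRUSTED_PREFIXES)


def triage(before_log, after_log):
    """Flag autoruns in the first log and check them against the second."""
    before = parse_autoruns(before_log)
    after = parse_autoruns(after_log)
    flagged = {k: v for k, v in before.items() if is_suspicious(v)}
    return {
        'flagged': sorted(name for (_, name) in flagged),
        'still_present': sorted(name for (key, name) in flagged
                                if (key, name) in after),
        'new_after': sorted(name for (key, name) in after
                            if (key, name) not in before),
    }


if __name__ == '__main__':
    for label, names in triage(LOG_BEFORE, LOG_AFTER).items():
        print(label, names)
```

The two flagged names are the same two values the CFScript's Registry:: section deletes; a path-based heuristic like this misses anything that installs itself under the Windows or Program Files directories.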
needheeelp's Avatar
Computer Specs
Junior Member with 24 posts.
 
Join Date: Aug 2006
Experience: Beginner
14-Nov-2009, 09:59 PM #14
I noticed that Full Tilt Poker software won't update now. Would that be a result of what we are doing to fix the computer, or just coincidental and unrelated?
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
14-Nov-2009, 10:27 PM #15
Full Tilt Poker, along with a lot of other poker programs, is usually considered bad because of the types of access it has to your private information and how it can serve ads to your computer. We typically recommend that they be removed.

That being said, I don't see how my previous fix could have interfered with it, but it's possible ComboFix changed something the first time it was run. You should try reinstalling it after you run the following (because MBAM might want to remove it).

I don't see anything else there. How's the computer running?

STEP 1

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your hard drives.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
All times are GMT -4.