Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Solved: Search Redirects
champ123 (Member with 56 posts; Join Date: Nov 2009; Location: San Diego; Experience: Intermediate)
19-Nov-2009, 10:46 AM #1
Search Redirects
Hi,

Was wondering if anyone can help me with a problem I've been having.
I usually search with Yahoo, but it seems no matter what search engine I use, I get redirected way too often. I can hardly click on any link without getting redirected. If I try to go to another page of search results, I also get redirected. McAfee has found nothing. I don't know if it's related, but IE also will not close about 50% of the time, usually requiring an "end task".

Thanks, and any help is appreciated. I've taken the liberty to paste a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:48 AM, on 11/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Write DVD!\saimon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=explorer.exe "
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {82721259-9894-00E7-7255-99ca3230262a} - C:\Program Files\Common Files\System\tab-mmcs.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\vuvvor.exe
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [zwmhuvof] C:\WINDOWS\System32\cswatqu.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [I053RfeEQ] jetcript.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potg_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball...GameLoader.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104478570500
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab33902.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KodakDigitalDisplayService - Orb Networks - C:\Program Files\Digital Display\OrbKodakLauncher\DllStartupService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - F:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
--
End of file - 10475 bytes
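An added triage helper, written for this page and not part of the thread or of HijackThis itself: it parses the R0/R1, O2, O4 and O7 line formats seen in the log above and flags the entries a removal helper would examine first (search settings pointing at an unknown host, a nameless BHO, Run keys loading a bare file name or an unknown System32 binary, and a DisableRegedit policy). The sample lines, allowlists and heuristics are constructed for illustration and are assumptions, not an authoritative reference.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample mirroring the shapes of lines in the posted log (not the full log).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {82721259-9894-00E7-7255-99ca3230262a} - C:\Program Files\Common Files\System\tab-mmcs.dll
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\vuvvor.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [zwmhuvof] C:\WINDOWS\System32\cswatqu.exe
O4 - HKCU\..\Run: [I053RfeEQ] jetcript.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Illustrative allowlists (assumptions for this example; tune them for a real system).
KNOWN_SEARCH_HOSTS = {"go.microsoft.com", "search.yahoo.com", "www.google.com"}
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}

# Line shapes as HijackThis prints them: section code, " - ", then section-specific fields.
RE_R = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<entry>[^\]]+)\]\s*(?P<cmd>.*)$")
RE_O7 = re.compile(r"^O7 - (?P<key>[^,]+),\s*(?P<policy>\w+)=(?P<value>\S+)$")
RE_EXE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)  # first executable in a command


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    detail: str   # the part of the line a reader needs to locate it
    reason: str   # why it was flagged


def check_search(key: str, name: str, value: str):
    """Flag search-related IE settings whose URL points at a host outside the allowlist."""
    if "search" not in (key + name).lower() or not value.lower().startswith("http"):
        return None
    host = (urlparse(value).hostname or "").lower()
    if host in KNOWN_SEARCH_HOSTS:
        return None
    return Finding("R1", f"{name.strip()} = {value}", f"search setting points at unexpected host {host}")


def check_run(entry: str, cmd: str):
    """Flag Run-key entries that load a bare file name or an unknown System32 executable."""
    m = RE_EXE.match(cmd.strip())
    if not m:
        return None
    directory, _, basename = m.group("exe").rpartition("\\")
    detail = f"[{entry}] {cmd}"
    if not directory:
        return Finding("O4", detail, "bare file name; resolved via the search path, not a fixed location")
    if directory.lower().endswith("\\system32") and basename.lower() not in KNOWN_SYSTEM32_AUTORUNS:
        return Finding("O4", detail, "unknown executable auto-starting from System32; verify the file")
    return None


def _handle_o2(m):
    if m["name"].strip() == "(no name)":
        return Finding("O2", m["path"], "BHO registered without a name; uncommon for legitimate add-ons")
    return None


def _handle_o7(m):
    if m["policy"] == "DisableRegedit" and m["value"] == "1":
        return Finding("O7", m["key"], "Registry Editor disabled by policy; a common malware self-protection")
    return None


HANDLERS = [
    (RE_R, lambda m: check_search(m["key"], m["name"], m["value"])),
    (RE_O2, _handle_o2),
    (RE_O4, lambda m: check_run(m["entry"], m["cmd"])),
    (RE_O7, _handle_o7),
]


def triage(log_text: str):
    """Return a Finding for every recognised line that trips one of the checks, in log order."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        for pattern, handler in HANDLERS:
            m = pattern.match(line)
            if m:
                found = handler(m)
                if found:
                    findings.append(found)
                break  # each line belongs to exactly one section
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.detail}\n    -> {f.reason}")
```

A flagged entry is a starting point for verification (file properties, vendor, hash lookup), not a verdict; the System32 check in particular will also surface legitimate third-party installers that drop files there.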
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
20-Nov-2009, 04:03 PM #2
Hello there, welcome to the TSG Forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:
  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Step 1

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)

  • Please copy the following into the Custom Scans box at the bottom

Code:
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\si3112.sys /s /md5
%SYSTEMDRIVE%\viadsk.sys /s /md5
%SYSTEMDRIVE%\nvatabus.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys  /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

To ensure that I get all the information, this log will need to be attached. If it is too large to attach, then upload it to Dropio and post the sharing link/url (the Drop's URL will be similar to: http://drop.io/daerk)

Step 2

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

  • Click on the Log tab.
  • In the Write to log box select All items.
  • Place a checkmark next to Hidden Objects Only
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
    (Unless you have a floppy drive. In this case, please use "Scan Root Drive Only" and press Start)
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
champ123 (Member with 56 posts; Join Date: Nov 2009; Location: San Diego; Experience: Intermediate)
20-Nov-2009, 05:17 PM #3
Thanks, NeonFx, for getting back... I have the attachment and here's the SysProt file: (Thanks, Brian)

SysProt AntiRootkit v1.0.1.0
by swatkat
*************************************************************************** ***************
*************************************************************************** ***************
No Hidden Processes found
*************************************************************************** ***************
*************************************************************************** ***************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: AA2E6000
Module End: AA2FE000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7CB9000
Module End: F7CBB000
Hidden: Yes
*************************************************************************** ***************
*************************************************************************** ***************
No SSDT Hooks found
*************************************************************************** ***************
*************************************************************************** ***************
Kernel Hooks:
Hooked Function: ZwYieldExecution
At Address: 80515A6A
Jump To: AA33F7B8
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwUnmapViewOfSection
At Address: 8057DEF1
Jump To: AA33F7E4
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwUnloadKey
At Address: 80654DE6
Jump To: AA33F8E9
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwTerminateProcess
At Address: 8058E695
Jump To: AA33F7FD
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwSetValueKey
At Address: 8058228C
Jump To: AA33F87B
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwSetInformationProcess
At Address: 8057CFC0
Jump To: AA33F766
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwSetContextThread
At Address: 80635977
Jump To: AA33F77A
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwRestoreKey
At Address: 8065607D
Jump To: AA33F913
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwReplaceKey
At Address: 806564E8
Jump To: AA33F927
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwRenameKey
At Address: 80655B88
Jump To: AA33F84F
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwQueryValueKey
At Address: 80573037
Jump To: AA33F891
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwQueryMultipleValueKey
At Address: 8065570C
Jump To: AA33F8A7
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwQueryKey
At Address: 80578A14
Jump To: AA33F93B
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwProtectVirtualMemory
At Address: 80581889
Jump To: AA33F7A2
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwOpenThread
At Address: 805E1941
Jump To: AA33F728
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwOpenProcess
At Address: 80581702
Jump To: AA33F714
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwOpenKey
At Address: 80572BF4
Jump To: AA33F811
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwNotifyChangeKey
At Address: 805E2197
Jump To: AA33F8FF
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwMapViewOfSection
At Address: 8057E369
Jump To: AA33F7CE
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwEnumerateValueKey
At Address: 80587693
Jump To: AA33F8BD
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: AA33F8D3
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwDeleteValueKey
At Address: 80591F8B
Jump To: AA33F865
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwDeleteKey
At Address: 80593334
Jump To: AA33F839
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwCreateProcessEx
At Address: 8058B7CD
Jump To: AA33F750
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwCreateProcess
At Address: 805B0470
Jump To: AA33F73C
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwCreateKey
At Address: 8057791D
Jump To: AA33F825
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Hooked Function: ZwCreateFile
At Address: 8057C328
Jump To: AA33F78E
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
*************************************************************************** ***************
*************************************************************************** ***************
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: F77648B4
Hooking Module: C:\WINDOWS\system32\drivers\sfsync02.sys
Hooked Module: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: F77648B4
Hooking Module: C:\WINDOWS\system32\drivers\sfsync02.sys
*************************************************************************** ***************
*************************************************************************** ***************
*************************************************************************** ***************
*************************************************************************** ***************
No hidden files/folders found
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
20-Nov-2009, 06:33 PM #4
Good job. Please do the following now:

NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Disabling Security Programs
  • Double click on ComboFix.exe & follow the prompts.

    Note: ComboFix will run without the Recovery Console installed.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. An increasing number of infections are spreading using Autoplay, and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
champ123
Member with 56 posts.
 
Join Date: Nov 2009
Location: San Diego
Experience: Intermediate
21-Nov-2009, 12:53 AM #5
NeonFx,
I ran the CF Program. I think it went well, but after reboot, McAfee blocked a couple of (???/Files or Processes). I disabled McAfee before downloading CF, but this McAfee provided by Cox is hard to understand sometimes.
Also, an added benefit: I noticed the Volume Control is back on the system tray. Don't know why, but I haven't been able to get that back on the tray even after changing the properties; it just wouldn't show up.
Thanks, Brian

ComboFix 09-11-20.02 - Brian W. Champer 11/20/2009 20:09.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.348 [GMT -8:00]
Running from: c:\documents and settings\Brian W. Champer\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Brian W. Champer\Application Data\Sskdmns.dll
c:\windows\patch.exe
c:\windows\system32\Cache
c:\windows\system32\drivers\pciide.sys
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-10-21 to 2009-11-21 )))))))))))))))))))))))))))))))
.
2009-11-11 15:31 . 2009-11-11 15:31 -------- d-----w- c:\program files\Gotham Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 04:22 . 2006-01-02 21:08 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-00000009-00001102-00000002-80651102}.dat
2009-11-21 04:22 . 2006-01-02 21:08 24 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-00000009-00001102-00000002-80651102}.dat
2009-11-21 04:05 . 2009-05-02 12:47 -------- d-----w- c:\documents and settings\Brian W. Champer\Application Data\HPAppData
2009-11-19 06:56 . 2008-12-12 17:05 -------- d-----w- c:\program files\McAfee
2009-11-11 15:31 . 2004-01-05 23:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-11 13:11 . 2007-10-02 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-04 12:56 . 2005-04-08 01:57 40224 ----a-w- c:\documents and settings\Brian W. Champer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-29 00:43 . 2007-10-02 22:05 -------- d-----w- c:\program files\Microsoft Works
2009-09-16 17:22 . 2008-12-12 17:06 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22 . 2008-12-12 17:06 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22 . 2008-12-12 17:06 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22 . 2008-12-12 17:06 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 17:22 . 2008-12-12 17:06 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2005-02-18 23:19 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2003-03-31 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82721259-9894-00E7-7255-99ca3230262a}]
2009-03-29 02:04 49152 --sha-r- c:\program files\Common Files\System\tab-mmcs.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Walgreens PhotoShow Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2006-04-20 237568]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"Write DVD-R!"="c:\program files\Write DVD!\saimon.exe" [2003-07-18 114688]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-09-10 177448]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [2001-12-25 191488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-02 24576]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Icatch(VI) SnapDetect.lnk - c:\windows\Twain_32\CA561A\SnapDetect.exe [2005-6-19 65536]
Kodak EasyShare software.lnk - c:\program files\Kodak EasyShare software\bin\EasyShare.exe [2008-2-8 282624]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscs vc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"f:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"f:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"f:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [1/2/2006 1:06 PM 11264]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [1/2/2006 1:05 PM 13696]
R1 saicdr;saicdr;c:\windows\system32\drivers\Saicdr.sys [1/5/2004 3:16 PM 51456]
R1 saicdrwup;saicdrwup;c:\windows\system32\drivers\saicdrwup.sys [1/5/2004 3:16 PM 3328]
R1 saiudf;saiudf;c:\windows\system32\drivers\Saiudf.sys [1/5/2004 3:16 PM 360960]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/10/2008 2:03 PM 156968]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 4:45 AM 13088]
R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\Digital Display\OrbKodakLauncher\DllStartupService.exe [3/6/2008 1:49 PM 81920]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/12/2008 9:09 AM 206096]
S2 0129921258613836mcinstcleanup;McAfee Application Installer Cleanup (0129921258613836);c:\windows\TEMP\012992~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\012992~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [1/2/2007 4:58 PM 96256]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\BRIANW~1.CHA\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\BRIANW~1.CHA\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\system32\drivers\LwAdiHid.sys [1/16/2004 3:36 PM 20864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\4525c62b-11cd-4c66-ba3c-83b69cdc7a6c]
c:\windows\System32\lullmw.exe
.
Contents of the 'Scheduled Tasks' folder
2009-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 20:34]
2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-12 19:22]
2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-12 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sandiego.cox.net/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://websearch.drsnsrch.com/sidesearch.cgi?id=
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: { - c:\documents and settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
IE: {{EFFF8D47-D060-4108-B761-E8EC86622E56} - c:\documents and settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-I053RfeEQ - jetcript.exe
HKLM-Run-Narrator - c:\windows\System32\vuvvor.exe
HKLM-Run-zwmhuvof - c:\windows\System32\cswatqu.exe
AddRemove-Macromedia Shockwave Player - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE

**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&3?????\??? ??? ???\???\???????????5?B~e?B~\???\????????b`??????C@?\???\??????s????\??????s \????&3?A??s?&3??C@?x???`|?w\?????@
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????????E?@?Disc Detector?A????? ?A?? ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A?0?????B???@?????P?????@?? ??????~?B~??????????@???????????????????B?????<???????????????????????????r ?B
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2292)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Creative\ShareDLL\MediaDet.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
f:\program files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsmap.exe
.
**************************************************************************
.
Completion time: 2009-11-20 20:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-21 04:29
Pre-Run: 35,271,557,120 bytes free
Post-Run: 37,875,027,968 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - DBE15F8344179AAE53ACEE7C29CCC723
NeonFx
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
21-Nov-2009, 01:33 AM #6
Please do the following:

1. Close any open programs before running the fix.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

Code:
KillAll::

Driver::
DMSKSSRh

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\4525c62b-11cd-4c66-ba3c-83b69cdc7a6c]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82721259-9894-00E7-7255-99ca3230262a}]
 
File::
c:\windows\System32\lullmw.exe
c:\docume~1\BRIANW~1.CHA\LOCALS~1\Temp\DMSKSSRh.sys
c:\program files\Common Files\System\tab-mmcs.dll

DDS::
mSearch Bar = hxxp://websearch.drsnsrch.com/sidesearch.cgi?id=
NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
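The CFScript above targets entries that NeonFx picked out of the ComboFix log in #5 by hand: a Browser Helper Object DLL with hidden/system attributes, a driver service loading from a user Temp folder, an Active Setup component pointing at a bare executable in System32, and a search-bar URL on a domain that is not a real search engine. As an added example (my own code, not ComboFix's, NeonFx's or the forum's), the Python script below pulls those same kinds of indicators out of a ComboFix log automatically, along with the Security Center and firewall override values the log prints. The sample input is a trimmed excerpt of the log posted in #5; the section-reset rule, the allowlist of search hosts and the heuristics themselves are my assumptions. The output is a review list, not a verdict: the McAfee installer-cleanup service also runs from a Temp directory and gets flagged, and antivirus suites routinely set the Security Center override values themselves, so a human still has to clear each hit.

```python
"""Triage a ComboFix log for weakened protections and suspicious load points.

Added example for this thread; heuristics and the search-host allowlist are
assumptions, not part of ComboFix. Output is a list of items to review.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


# Exact lines ComboFix prints when these protection settings are non-default.
# Third-party AV suites often set the Security Center values themselves; verify.
PROTECTION_SETTINGS = {
    '"AntiVirusOverride"=dword:00000001': "Security Center antivirus override set",
    '"DisableMonitoring"=dword:00000001': "Security Center product monitoring disabled",
    '"EnableFirewall"= 0 (0x0)': "Windows Firewall disabled for the standard profile",
}

# Search providers treated as expected (assumption); anything else is flagged.
KNOWN_SEARCH_HOSTS = ("search.yahoo.com", "www.google.com", "www.bing.com", "search.live.com")

# "2009-03-29 02:04 49152 --sha-r- c:\path\file.dll" (date time size attrs path)
FILE_ENTRY_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+(?P<attrs>[-\w]{8})\s+(?P<path>.+)$")
# "S3 name;display name;command [...]"  (start type, service name, display, command)
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.+)$")
# "mSearch Bar = hxxp://host/..." (ComboFix defangs http as hxxp)
SEARCH_RE = re.compile(r"^(?P<setting>[um]Search[^=]*?)\s*=\s*(?P<url>h(?:xx|tt)ps?://[^/\s]+)")
# Section banners such as "(((( Reg Loading Points ))))" or "------- Supplementary Scan -------"
SECTION_RE = re.compile(r"^(?:[(\-*]{4}|Contents of )")


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line, tracking the current registry key, and collect findings."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            current_key = ""          # new section: the last registry key no longer applies
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        if line in PROTECTION_SETTINGS:
            findings.append(Finding("protection-setting", f"{PROTECTION_SETTINGS[line]} ({current_key})"))
            continue
        m = FILE_ENTRY_RE.match(line)
        if m and "browser helper objects" in current_key:
            attrs = m.group("attrs")
            if "h" in attrs or "s" in attrs:   # hidden or system attribute on a BHO DLL
                findings.append(Finding("hidden-bho", f"{m.group('path')} attrs={attrs}"))
            continue
        if "active setup\\installed components" in current_key and line.lower().endswith(".exe"):
            findings.append(Finding("active-setup-exe", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if "\\temp\\" in m.group("cmd").lower():   # service or driver loading from a Temp folder
                findings.append(Finding("service-from-temp", f"{m.group('name')}: {m.group('cmd')}"))
            continue
        m = SEARCH_RE.match(line)
        if m:
            host = m.group("url").split("://", 1)[1].lower()
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(Finding("search-hijack", f"{m.group('setting')} -> {host}"))
    return findings


# Trimmed excerpt of the ComboFix log posted in #5 (sample input for this example).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82721259-9894-00E7-7255-99ca3230262a}]
2009-03-29 02:04 49152 --sha-r- c:\program files\Common Files\System\tab-mmcs.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/12/2008 9:09 AM 206096]
S2 0129921258613836mcinstcleanup;McAfee Application Installer Cleanup (0129921258613836);c:\windows\TEMP\012992~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\BRIANW~1.CHA\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\BRIANW~1.CHA\LOCALS~1\Temp\DMSKSSRh.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\4525c62b-11cd-4c66-ba3c-83b69cdc7a6c]
c:\windows\System32\lullmw.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sandiego.cox.net/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://websearch.drsnsrch.com/sidesearch.cgi?id=
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
------------------------ Other Running Processes ------------------------
c:\windows\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:20} {f.detail}")
```

Run against the full log rather than the excerpt, the same script stays quiet on the ordinary Run-key entries, scheduled tasks and running-process lists, because only lines inside a Browser Helper Objects or Active Setup key, service lines, search settings and the three exact override values ever produce a finding.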
champ123
Member with 56 posts.
 
Join Date: Nov 2009
Location: San Diego
Experience: Intermediate
21-Nov-2009, 03:09 AM #7
Hey NeonFx,
I had to download ComboFix again. It got removed somehow. Below is the log. At the end of the process, McAfee popped up again and deleted a few files, not sure if it matters (actually, I just realized it's deleting ComboFix).

Thanks, Brian

ComboFix 09-11-20.02 - Brian W. Champer 11/20/2009 22:41.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.575 [GMT -8:00]
Running from: c:\documents and settings\Brian W. Champer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian W. Champer\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FILE ::
"c:\docume~1\BRIANW~1.CHA\LOCALS~1\Temp\DMSKSSRh.sys"
"c:\program files\Common Files\System\tab-mmcs.dll"
"c:\windows\System32\lullmw.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common Files\System\tab-mmcs.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DMSKSSRH
-------\Service_DMSKSSRh

((((((((((((((((((((((((( Files Created from 2009-10-21 to 2009-11-21 )))))))))))))))))))))))))))))))
.
2009-11-11 15:31 . 2009-11-11 15:31 -------- d-----w- c:\program files\Gotham Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 06:49 . 2006-01-02 21:08 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-00000009-00001102-00000002-80651102}.dat
2009-11-21 06:49 . 2006-01-02 21:08 24 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-00000009-00001102-00000002-80651102}.dat
2009-11-21 06:38 . 2009-05-02 12:47 -------- d-----w- c:\documents and settings\Brian W. Champer\Application Data\HPAppData
2009-11-19 06:56 . 2008-12-12 17:05 -------- d-----w- c:\program files\McAfee
2009-11-11 15:31 . 2004-01-05 23:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-11 13:11 . 2007-10-02 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-04 12:56 . 2005-04-08 01:57 40224 ----a-w- c:\documents and settings\Brian W. Champer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-29 00:43 . 2007-10-02 22:05 -------- d-----w- c:\program files\Microsoft Works
2009-09-16 17:22 . 2008-12-12 17:06 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22 . 2008-12-12 17:06 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22 . 2008-12-12 17:06 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22 . 2008-12-12 17:06 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 17:22 . 2008-12-12 17:06 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2005-02-18 23:19 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2003-03-31 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-21_04.23.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-01-05 22:40 . 2009-11-21 04:28 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-01-05 22:40 . 2009-11-21 00:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Walgreens PhotoShow Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2006-04-20 237568]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"Write DVD-R!"="c:\program files\Write DVD!\saimon.exe" [2003-07-18 114688]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-09-10 177448]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [2001-12-25 191488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-02 24576]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Icatch(VI) SnapDetect.lnk - c:\windows\Twain_32\CA561A\SnapDetect.exe [2005-6-19 65536]
Kodak EasyShare software.lnk - c:\program files\Kodak EasyShare software\bin\EasyShare.exe [2008-2-8 282624]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscs vc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"f:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"f:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"f:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [1/2/2006 1:06 PM 11264]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [1/2/2006 1:05 PM 13696]
R1 saicdr;saicdr;c:\windows\system32\drivers\Saicdr.sys [1/5/2004 3:16 PM 51456]
R1 saicdrwup;saicdrwup;c:\windows\system32\drivers\saicdrwup.sys [1/5/2004 3:16 PM 3328]
R1 saiudf;saiudf;c:\windows\system32\drivers\Saiudf.sys [1/5/2004 3:16 PM 360960]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/10/2008 2:03 PM 156968]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 4:45 AM 13088]
R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\Digital Display\OrbKodakLauncher\DllStartupService.exe [3/6/2008 1:49 PM 81920]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/12/2008 9:09 AM 206096]
S2 0129921258613836mcinstcleanup;McAfee Application Installer Cleanup (0129921258613836);c:\windows\TEMP\012992~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\012992~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [1/2/2007 4:58 PM 96256]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\system32\drivers\LwAdiHid.sys [1/16/2004 3:36 PM 20864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 20:34]
2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-12 19:22]
2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-12 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sandiego.cox.net/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: { - c:\documents and settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
IE: {{EFFF8D47-D060-4108-B761-E8EC86622E56} - c:\documents and settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 22:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&3?????\??? ??? ???\???\???????????5?B~e?B~\???\???????PI`??????C@?\???\??????s????\??????s \????&3?A??s?&3??C@?x???`|?w\?????@
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???D???????????????E?@?Disc Detector?A????? ?A?? ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A?0?????B???@?????P?????@?? ??????~?B~??????????@???????????????????B?????<???????????????????????????r ?B
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1280)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Creative\ShareDLL\MediaDet.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
f:\program files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsmap.exe
.
**************************************************************************
.
Completion time: 2009-11-20 22:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-21 06:56
ComboFix2.txt 2009-11-21 04:30
Pre-Run: 42,788,487,168 bytes free
Post-Run: 42,650,812,416 bytes free
- - End Of File - - FF2E57EDE79F924C36869CF91DA19E2B
NeonFx
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
21-Nov-2009, 03:28 AM #8
Good. Let's do the following:

STEP 1

Run OTS

  • Under the Paste Fix Here box on the right, paste in the contents of the following code box


Code:
[Unregister Dlls]
[Empty Temp Folders]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.


Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally.
If it seems to get stuck, give it some time. It's probably still working.


STEP 2

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your hard drives.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
champ123
Member with 56 posts.
 
Join Date: Nov 2009
Location: San Diego
Experience: Intermediate
21-Nov-2009, 11:29 AM #9
Uhhh, wow, that took a while, but I scanned all three hard drives.

Thanks again,

Here's the logs:

All Processes Killed
[Empty Temp Folders]


User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Brian W. Champer
->Temp folder emptied: 225368 bytes
->Temporary Internet Files folder emptied: 13197711 bytes

User: BRIANW~1~CHA

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: kodak
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294979 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1138887 bytes
%systemroot%\System32 .tmp files removed: 8025617 bytes
Windows Temp folder emptied: 1383 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 21.90 mb

< End of fix log >
OTS by OldTimer - Version 3.1.6.0 fix logfile created on 11202009_233651
Files\Folders moved on Reboot...
C:\Documents and Settings\kodak\Local Settings\Temp\Perflib_Perfdata_380.dat moved successfully.
Registry entries deleted on Reboot...

*******************

Malwarebytes' Anti-Malware 1.41
Database version: 3205
Windows 5.1.2600 Service Pack 3
11/21/2009 7:20:29 AM
mbam-log-2009-11-21 (07-20-29).txt
Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 248386
Time elapsed: 2 hour(s), 41 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{450b9e4d-4014-4de3-b34e-014a81468293} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
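The MBAM log above has a fixed layout: a block of "Section Infected: N" summary lines, then one listing per section with each detection written as "object (family) -> action". As an added example (not from this thread or from Malwarebytes), here is a small Python parser that pulls out the declared counts and the listed detections and flags any section where the two disagree, which is the quick sanity check to run on a log that may have been truncated when pasted; the sample log is constructed from the entries in the post above.

```python
import re

# Constructed sample in the MBAM 1.41 log layout, built from the entries in the post above.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Scan type: Full Scan (C:\|E:\|F:\|)
Memory Processes Infected: 0
Registry Keys Infected: 2
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{450b9e4d-4014-4de3-b34e-014a81468293} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

# "Registry Keys Infected: 2" is a declared count; "Registry Keys Infected:" opens the listing.
COUNT_RE = re.compile(r"^(?P<section>.+? Infected): (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+? Infected):$")
# Each detection line reads "<object> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (declared count per section, list of (object, family, action) per section)."""
    counts, findings, section = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := COUNT_RE.match(line):
            counts[m["section"]] = int(m["n"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
            findings.setdefault(section, [])
        elif section and (m := ITEM_RE.match(line)):
            findings[section].append((m["obj"], m["family"], m["action"]))
    return counts, findings

def count_mismatches(counts, findings):
    """Sections whose declared count differs from the number of items actually listed
    (a log cut off while pasting, or edited by hand, shows up here)."""
    return {s: (n, len(findings.get(s, []))) for s, n in counts.items()
            if n != len(findings.get(s, []))}

if __name__ == "__main__":
    counts, findings = parse_mbam_log(SAMPLE_LOG)
    print(findings["Registry Keys Infected"], count_mismatches(counts, findings))
```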
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
21-Nov-2009, 04:16 PM #10
Good. I'm glad to see those results. Let's run an online scan to be absolutely sure you're clean. This will take a while but it's worth it as it can often find things all other scans will miss.

STEP 1

Before we do, I need you to update Internet Explorer to IE8. Even if you don't use it, we need to have it updated as its components are deeply connected with Windows itself.

Please go here to download the installer:

http://www.microsoft.com/windows/internet-explorer/

STEP 2

The online scanner uses Java, so I will need you to download and install the latest version for that.

Please go here to download the installer:

http://java.com/en/download/index.jsp

Reboot your machine when that's done.



STEP 3

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.



2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.


The program will then begin downloading and installing and will also update the database.


Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
champ123's Avatar
Computer Specs
Member with 56 posts.
 
Join Date: Nov 2009
Location: San Diego
Experience: Intermediate
21-Nov-2009, 08:42 PM #11
Hey Neon Fx,
I did all the above. There's no report to give. The program said No Threats Found and didn't generate anything. Earlier this morning, before running the scan and updating what you told me, I did some searches. Worked like a charm. I was redirected once, but I think that is normal. I did quite a few searches and page changes, nothing.... you're the man.

Last edited by champ123; 21-Nov-2009 at 08:52 PM..
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
21-Nov-2009, 08:45 PM #12
ComboFix had a false positive so let's restore that first:

Please do the following:

1. Close any open programs before running the fix.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

Code:
DeQuarantine::
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pciide.sys.vir

Quit::
NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
champ123's Avatar
Computer Specs
Member with 56 posts.
 
Join Date: Nov 2009
Location: San Diego
Experience: Intermediate
21-Nov-2009, 09:30 PM #13
I don't know what happened. I had to download CF again. It keeps getting deleted without warning. McAfee is disabled. Anyway, I ran CF but I could not save the results. Instead of me naming the file "combofix.txt", it came up as "DeQuarantine". It looks like the program worked; should I run it again? It looks like CF also disconnected me from the internet and I had to reboot.

Here's the contents of DeQuarantine:

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pciide.sys.vir -> C:\WINDOWS\system32\drivers\pciide.sys ( 3328 bytes )

Thanks, Brian
NeonFx's Avatar
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
21-Nov-2009, 09:36 PM #14
Nope, that's all I wanted to see. Thank you for confirming that it worked

Any other problems? Or are you ready for my cleanup and prevention speech?
champ123's Avatar
Computer Specs
Member with 56 posts.
 
Join Date: Nov 2009
Location: San Diego
Experience: Intermediate
21-Nov-2009, 09:43 PM #15
Yes,
I am ready for your speech... Give it to me. I would also like to offer my thanks. I noticed you're in CA. I'm a contractor in SD. I believe you have my e-mail address. If you ever have any questions or concerns about home improvement, contact me.. and I do mean anything. I also like to help people and participate in a few forums.

Brian
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.