TechSpot

Browser redirect virus and McAfee being disabled

By bababoo
Oct 7, 2011
  1. Hi, I would really appreciate it if you can help me. I have the redirect virus when using IE; Firefox just crashes and won't open. I have McAfee and it did detect and clean something a few weeks ago, but since then I have had all sorts of trouble with the virus scanning closing down or uninstalling itself. I have re-installed the software 3 times.

    I run Windows XP on a Dell Inspiron 6000.

    The requested logs will be attached below.
     
  2. bababoo

    bababoo TS Enthusiast Topic Starter Posts: 50

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7892

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/10/2011 7:58:24 PM
    mbam-log-2011-10-07 (19-58-24).txt

    Scan type: Quick scan
    Objects scanned: 230900
    Time elapsed: 41 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 1
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\cocacolais.exe (Trojan.SpyEyes) -> Quarantined and deleted successfully.

    Files Infected:
    (No malicious items detected)
     
  3. bababoo

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-10-07 21:06:19
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHT2060AH rev.006C
    Running: l768vhir.exe; Driver: C:\DOCUME~1\KERRYA~1\LOCALS~1\Temp\fwldykod.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF7325290]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF73252A4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF73252D0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7325326]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF732527C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7325254]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7325268]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF73252BA]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF73252FC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF73252E6]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF7325350]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF732533C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7325310]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----
     
  4. bababoo

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Kerry and Matt at 21:36:58 on 2011-10-07
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1023.490 [GMT 10.5:30]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\bgsvcgen.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\mfevtps.exe
    C:\Program Files\McAfee Online Backup\MOBKbackup.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\McAfee\MAT\McPvTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uDefault_Page_URL = hxxp://www.dell.com/ap/ap/en/gen/default.htm
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111007073015.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\mskagent.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ieMouse.NET] rundll32.exe "c:\documents and settings\kerry and matt\local settings\application data\directmobilemon\ieMouse.NET.dll",nsCommsplugin appAuthenticationARM
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
    mRun: [<NO NAME>]
    mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [FPCCSMiddleware] c:\program files\fisher-price\computer cool school\FPCCSMiddleware.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [McPvTray_exe] "c:\program files\mcafee\mat\McPvTray.exe"
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Logitech Desktop Messenger.lnk.disabled
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Smart Wizard Wireless Settings.lnk.disabled
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\VideoCam Suite 2.0.lnk.disabled
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    Trusted Zone: colesonline.com.au\www
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    TCP: DhcpNameServer = 10.0.0.138
    TCP: Interfaces\{12302F06-7DFF-4CC9-8A16-55EEA29E3178} : DhcpNameServer = 10.0.0.138
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\kerry and matt\application data\mozilla\firefox\profiles\vcr1mlqh.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://au.search.yahoo.com/search?fr=mcafee&p=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2011-10-7 64048]
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-13 461864]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-10-7 89624]
    R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2011-10-7 54776]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-10-7 214904]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-10-7 214904]
    R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-10-7 214904]
    R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-10-7 214904]
    R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-10-7 166024]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-10-7 160344]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-10-7 148520]
    R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-10-7 57432]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-10-7 180072]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-10-7 59288]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-10-7 338040]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-10-7 83688]
    S1 M9207;LifeView M9207 USB Digital TV BOX;c:\windows\system32\drivers\M9207BDA.sys [2007-1-25 43264]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-21 135664]
    S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\d:\bpiksp50.sys --> d:\BPIKSp50.sys [?]
    S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [2007-12-12 81152]
    S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [2007-12-12 87040]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-21 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-10-7 83688]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-10-7 87808]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-9-3 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-9-3 40552]
    .
    =============== Created Last 30 ================
    .
    2011-10-07 08:43:40 -------- d-----w- c:\documents and settings\kerry and matt\application data\Malwarebytes
    2011-10-07 08:43:22 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-10-07 08:43:07 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-07 08:43:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-06 21:04:08 -------- d-----w- c:\program files\McAfeeMOBK
    2011-10-06 21:03:50 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
    2011-10-06 21:03:20 -------- d-----w- c:\program files\McAfee Online Backup
    2011-10-06 21:02:48 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
    2011-10-06 21:00:16 28504 ----a-w- c:\program files\mozilla firefox\ScriptFF.dll
    2011-10-06 21:00:13 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-10-06 20:59:54 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-10-06 20:59:54 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-10-06 20:59:54 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2011-10-06 20:59:54 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-10-06 20:59:54 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-10-06 20:59:54 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-10-06 20:59:54 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-10-06 20:59:45 -------- d-----w- c:\program files\common files\Mcafee
    2011-10-06 20:58:06 148520 ----a-w- c:\windows\system32\mfevtps.exe
    2011-10-04 06:52:00 -------- d-----w- c:\program files\Citrix
    2011-09-19 09:43:14 -------- d-----w- c:\documents and settings\kerry and matt\local settings\application data\McAfee Anti-Theft
    2011-09-19 07:45:04 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-09-19 07:43:21 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    2011-09-11 10:13:33 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-09-11 10:13:28 713016 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
    2011-09-11 10:13:15 19416 ----a-w- c:\program files\mozilla firefox\xpcom.dll
    2011-09-11 10:13:15 15494104 ----a-w- c:\program files\mozilla firefox\xul.dll
    2011-09-11 10:13:14 269272 ----a-w- c:\program files\mozilla firefox\updater.exe
    2011-09-11 10:13:13 142296 ----a-w- c:\program files\mozilla firefox\ssl3.dll
    2011-09-11 10:13:12 166872 ----a-w- c:\program files\mozilla firefox\softokn3.dll
    .
    ==================== Find3M ====================
    .
    2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-08-14 23:30:06 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-08-14 23:30:06 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2006-11-23 11:48:19 317248 ----a-w- c:\program files\dxwebsetup.exe
    .
    ============= FINISH: 21:40:20.82 ===============
     
  5. bababoo

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 13/05/2005 9:09:16 PM
    System Uptime: 7/10/2011 8:01:20 PM (1 hours ago)
    .
    Motherboard: Dell Inc. | |
    Processor: Intel(R) Pentium(R) M processor 1.60GHz | Microprocessor | 1596/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 56 GiB total, 5.631 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E96E-E325-11CE-BFC1-08002BE10318}
    Description: Default Monitor
    Device ID: DISPLAY\DEFAULT_MONITOR\5&2203AF2D&0&00000110&01&00
    Manufacturer: (Standard monitor types)
    Name: Default Monitor
    PNP Device ID: DISPLAY\DEFAULT_MONITOR\5&2203AF2D&0&00000110&01&00
    Service:
    .
    Class GUID: {4D36E96E-E325-11CE-BFC1-08002BE10318}
    Description: Default Monitor
    Device ID: DISPLAY\DEFAULT_MONITOR\5&2203AF2D&0&00000200&01&00
    Manufacturer: (Standard monitor types)
    Name: Default Monitor
    PNP Device ID: DISPLAY\DEFAULT_MONITOR\5&2203AF2D&0&00000200&01&00
    Service:
    .
    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia Windows Portable Device Driver
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: 6720c-1b
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd
    .
    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia E71
    Device ID: ROOT\WPD\0001
    Manufacturer: Nokia
    Name: Nokia E71
    PNP Device ID: ROOT\WPD\0001
    Service: WUDFRd
    .
    ==== System Restore Points ===================
    .
    RP1: 26/09/2011 8:54:49 PM - System Checkpoint
    RP2: 27/09/2011 8:59:20 PM - System Checkpoint
    RP3: 29/09/2011 12:26:30 PM - System Checkpoint
    RP4: 30/09/2011 1:18:32 PM - System Checkpoint
    RP5: 4/10/2011 5:21:54 PM - Installed Citrix Presentation Server Client
    .
    ==== Installed Programs ======================
    .
    .
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Sonic DLA
    Sonic MyDVD
    Sonic RecordNow!
    Sonic Update Manager
    SoundTrax
    Spybot - Search & Destroy
    Telstra Turbo Card Manager
    Telstra Turbo Modem Manager
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB980302)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB PC Camera
    VC80CRTRedist - 8.0.50727.4053
    VideoCam Suite 2.0
    VideoReDo/Plus Version 2.5.6.512
    Viewpoint Media Player (Remove Only)
    VoiceOver Kit
    WebFldrs XP
    Windows Driver Package - Atheros (arusb(Atheros)) Net (09/23/2008 3.0.0.131)
    Windows Driver Package - NETGEAR (W8335XP) Net (02/22/2005 3.1.1.7)
    Windows Driver Package - NETGEAR Inc. (RTLWUSB) Net (02/07/2007 5.1283.0207.2007)
    Windows Driver Package - Nokia Modem (02/15/2007 3.1)
    Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Driver Package - Thomson (USB_RNDIS) Net (02/16/2004 1.0.0.3)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    7/10/2011 8:02:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
    7/10/2011 6:54:42 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.
    6/10/2011 9:37:18 PM, error: Service Control Manager [7000] - The MOBCleanup service failed to start due to the following error: The system cannot find the file specified.
    .
    ==== End Of File ===========================
     
  6. bababoo

    bababoo TS Enthusiast Topic Starter Posts: 50

    I do also have some external drives that have been connected since this problem began, but they are currently disconnected, because I don't want to lose that data.

    Let me know the next steps

    Thanks
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll be glad to help you!

    Something has disabled the security center, so we will try to find that. Before starting that, you have 2 very outdated programs running and they are vulnerabilities to the system:

    1. Update Adobe: Visit this Adobe Reader site. Current version is V10. Uninstall any earlier updates as they are vulnerabilities.
    2. Update Java: Check this site: Java Updates. Please get v6u27. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    ====================================
    You will have malware in the Java cache due to the outdated program:
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on Temporary Files Settings window.
    Images courtesy java.com
    =======================================
    Please go on to Download Combofix> Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware.
    • If Combofix asks you to update the program, allow it.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    ===================================
    Then run this online virus scan:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    Please post the entire log with heading resembling this:
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ====================================
    Please read and follow My Guidelines:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs, except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  8. bababoo

    bababoo TS Enthusiast Topic Starter Posts: 50

    I have uninstalled and re-installed the current versions of Java and Adobe.

    I installed Combofix, but it ran before I could disable McAfee.

    It kept coming up with an error in a dialog box:

    Windows cannot find NIRCMD

    And

    Windows cannot find NIRKMD

    In the blue screen it kept coming up with NIRKMD not recognised as an internal or external command, or NIRCMDC not recognised as an internal or external command.

    Below is the log. I have not run the ESET scan yet; do you want me to re-run Combofix?

    ComboFix 11-10-07.04 - Kerry and Matt 08/10/2011 8:33.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1023.521 [GMT 10.5:30]
    Running from: c:\documents and settings\Kerry and Matt\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active
    .
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Kerry and Matt\Application Data\Local
    c:\documents and settings\Kerry and Matt\Local Settings\Application Data\DirectMobilemon\ieMouse.NET.dll
    c:\documents and settings\Kerry and Matt\WINDOWS
    c:\program files\google\common\google updater\googleupdaterservice.exe
    c:\windows\bwUnin-8.1.1.50-8876480SL.exe
    c:\windows\dasetup.log
    c:\windows\system32\CddbCdda.dll
    c:\windows\system32\comct332.ocx
    c:\windows\system32\d3d9caps.dat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-07 to 2011-10-07 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-07 21:45 . 2011-10-07 21:45 -------- d-----w- c:\program files\Common Files\Java
    2011-10-07 21:44 . 2011-10-07 21:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-10-07 21:44 . 2011-10-07 21:43 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-10-07 21:44 . 2011-10-07 21:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-07 21:33 . 2011-10-07 21:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-10-07 08:43 . 2011-10-07 08:43 -------- d-----w- c:\documents and settings\Kerry and Matt\Application Data\Malwarebytes
    2011-10-07 08:43 . 2011-10-07 08:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-10-07 08:43 . 2011-08-31 06:30 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-07 08:43 . 2011-10-07 08:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-06 21:04 . 2011-10-06 21:04 -------- d-----w- c:\program files\McAfeeMOBK
    2011-10-06 21:03 . 2010-04-13 09:40 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
    2011-10-06 21:03 . 2011-10-06 21:03 -------- d-----w- c:\program files\McAfee Online Backup
    2011-10-06 21:02 . 2011-04-11 03:59 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
    2011-10-06 21:00 . 2011-08-19 05:26 28504 ----a-w- c:\program files\Mozilla Firefox\ScriptFF.dll
    2011-10-06 21:00 . 2011-08-14 23:30 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-10-06 20:59 . 2011-08-14 23:30 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-10-06 20:59 . 2011-08-14 23:30 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-10-06 20:59 . 2011-08-14 23:30 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2011-10-06 20:59 . 2011-08-14 23:30 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-10-06 20:59 . 2011-08-14 23:30 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-10-06 20:59 . 2011-08-14 23:30 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-10-06 20:59 . 2011-08-14 23:30 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-10-06 20:59 . 2011-10-06 21:01 -------- d-----w- c:\program files\Common Files\Mcafee
    2011-10-06 20:58 . 2011-08-19 05:29 148520 ----a-w- c:\windows\system32\mfevtps.exe
    2011-10-04 06:52 . 2011-10-04 06:52 -------- d-----w- c:\program files\Citrix
    2011-09-26 07:47 . 2011-09-26 07:50 -------- d-----w- c:\documents and settings\Administrator
    2011-09-19 09:43 . 2011-09-19 09:43 -------- d-----w- c:\documents and settings\Kerry and Matt\Local Settings\Application Data\McAfee Anti-Theft
    2011-09-19 07:45 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-09-19 07:43 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    2011-09-11 10:13 . 2011-09-03 06:18 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-09-11 10:13 . 2011-09-03 06:18 713016 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
    2011-09-11 10:13 . 2011-09-03 06:18 19416 ----a-w- c:\program files\Mozilla Firefox\xpcom.dll
    2011-09-11 10:13 . 2011-09-03 06:18 15494104 ----a-w- c:\program files\Mozilla Firefox\xul.dll
    2011-09-11 10:13 . 2011-09-03 06:18 269272 ----a-w- c:\program files\Mozilla Firefox\updater.exe
    2011-09-11 10:13 . 2011-09-03 06:18 142296 ----a-w- c:\program files\Mozilla Firefox\ssl3.dll
    2011-09-11 10:13 . 2011-09-03 06:18 166872 ----a-w- c:\program files\Mozilla Firefox\softokn3.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-03 10:17 . 2004-08-10 04:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-08-14 23:30 . 2011-03-13 00:50 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-08-14 23:30 . 2011-03-13 00:50 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-07-15 13:29 . 2004-08-10 04:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2006-11-23 11:48 . 2006-11-23 11:48 317248 ----a-w- c:\program files\dxwebsetup.exe
    2011-09-03 06:18 . 2011-09-11 10:13 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
    @="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
    [HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
    2010-04-13 09:41 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
    @="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
    [HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
    2010-04-13 09:41 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
    @="{b4caf489-1eec-c617-49ad-8d7088598c06}"
    [HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
    2010-04-13 09:41 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-06-21 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
    "FPCCSMiddleware"="c:\program files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe" [2008-03-06 536184]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
    "McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech Desktop Messenger.lnk.disabled [2009-4-11 2072]
    Smart Wizard Wireless Settings.lnk.disabled [2005-5-31 1659]
    VideoCam Suite 2.0.lnk.disabled [2011-3-21 1655]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 08:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    "updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    "Windows Update"=c:\docume~1\KERRYA~1\LOCALS~1\Temp\amb.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
    "CanonSolutionMenu"=c:\program files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    "CanonMyPrinter"=c:\program files\Canon\MyPrinter\BJMyPrt.exe /logon
    "Dell QuickSet"=c:\program files\Dell\QuickSet\quickset.exe
    "DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" start
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    "DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe
    "DTVRemote"="c:\program files\LifeView MVP\RemoteControl.exe"
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
    "IJNetworkScanUtility"=c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
    "NokiaMServer"=c:\program files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
    "PCSuiteTrayApplication"=c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "snpstd"=c:\windows\vsnpstd.exe
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    "Windows Services"=amb.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\LifeView MVP\\LIFEVIEWMVP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
    .
    R1 M9207;LifeView M9207 USB Digital TV BOX;c:\windows\system32\DRIVERS\M9207BDA.sys [2006-03-30 43264]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-21 135664]
    R3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;D:\BPIKSp50.sys [x]
    R3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\DRIVERS\cmusbnet.sys [2006-11-23 81152]
    R3 cmusbser;%CMUSBSER%;c:\windows\system32\DRIVERS\cmusbser.sys [2006-12-13 87040]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-21 135664]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
    R3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\DRIVERS\mfendisk.sys [2011-08-14 83688]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-08-14 87808]
    S0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2011-04-11 64048]
    S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-08-14 89624]
    S1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys [2010-04-13 54776]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-08-19 160344]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-08-19 148520]
    S2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2010-04-13 229688]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-08-14 57432]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-08-14 338040]
    S3 mfendiskmp;mfendiskmp;c:\windows\system32\DRIVERS\mfendisk.sys [2011-08-14 83688]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - JAVAQUICKSTARTERSERVICE
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 03:04]
    .
    2011-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-21 05:32]
    .
    2011-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-21 05:32]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    Trusted Zone: colesonline.com.au\www
    TCP: DhcpNameServer = 10.0.0.138
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    FF - ProfilePath - c:\documents and settings\Kerry and Matt\Application Data\Mozilla\Firefox\Profiles\vcr1mlqh.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://au.search.yahoo.com/search?fr=mcafee&p=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-MSKAGENTEXE - c:\progra~1\mcafee\SPAMKI~1\mskagent.exe
    HKCU-Run-ieMouse.NET - c:\documents and settings\Kerry and Matt\Local Settings\Application Data\DirectMobilemon\ieMouse.NET.dll
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-08 09:02
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1556)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    .
    Completion time: 2011-10-08 09:27:08
    ComboFix-quarantined-files.txt 2011-10-07 22:56
    .
    Pre-Run: 5,282,209,792 bytes free
    Post-Run: 6,833,889,280 bytes free
    .
    - - End Of File - - A751B6BC57BAD8A174D580DFF465C469
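As an added, defender-side example (not from this thread and not part of ComboFix or any other tool named here), the following Python script parses the "Reg Loading Points" section of a ComboFix log like the one above and flags the entries a responder would look at first: Security Center monitoring switched off, the Windows Firewall standard profile disabled, and autorun entries that launch from a Temp directory or are given as a bare filename (the shape of the "Windows Update" and "Windows Services" = amb.exe entries in this log). `audit_combofix_log` and `_exe_path` are names chosen for this example, and the embedded log is a constructed excerpt, not the original.

```python
import re
from typing import Dict, List

# Constructed excerpt shaped like the "Reg Loading Points" section of the
# ComboFix log in this thread (same key names, value names and value formats;
# the benign entries are trimmed). It is not the original log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"Windows Update"=c:\docume~1\KERRYA~1\LOCALS~1\Temp\amb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CanonSolutionMenu"=c:\program files\Canon\SolutionMenu\CNSLMAIN.exe /logon
"Windows Services"=amb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# A value line in the REGEDIT4-style section looks like: "Name"=data
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# ComboFix appends "[YYYY-MM-DD size]" to paths it could stat; strip it.
ANNOTATION_RE = re.compile(r"\s*\[\d{4}-\d{2}-\d{2} \d+\]\s*$")
# Directory fragments that legitimate autorun entries do not normally launch from.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def _exe_path(data: str) -> str:
    """Reduce a Run value's data to the launched path. Heuristic: quoted path
    first, then a path ending in an executable extension, else cut at the
    first command-line switch."""
    data = ANNOTATION_RE.sub("", data).strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data.strip('"')
    m = re.match(r"(.+?\.(?:exe|dll|cpl|scr|com|bat|cmd))(?:\s|$)", data, re.IGNORECASE)
    if m:
        return m.group(1)
    return re.split(r"\s+[/-]", data, maxsplit=1)[0]


def _finding(rule: str, key: str, name: str, value: str) -> Dict[str, str]:
    return {"rule": rule, "key": key, "name": name, "value": value}


def audit_combofix_log(text: str) -> List[Dict[str, str]]:
    """Walk the registry section of a ComboFix log and return the entries a
    responder would want to review first, in the order they appear."""
    findings: List[Dict[str, str]] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # new registry key header
            continue
        m = VALUE_RE.match(line)
        if not m or not key:
            continue
        name, data = m.group("name"), m.group("data").strip()
        k, n = key.lower(), name.lower()
        if "\\security center\\monitoring\\" in k and n == "disablemonitoring":
            # A non-zero DWORD tells Security Center to stop reporting on this product.
            if data.lower().startswith("dword:") and int(data[6:], 16) != 0:
                findings.append(_finding("security-center-monitoring-disabled", key, name, data))
        elif "firewallpolicy\\standardprofile" in k and n == "enablefirewall":
            if data.split()[0] == "0":
                findings.append(_finding("windows-firewall-disabled", key, name, data))
        elif "\\currentversion\\run" in k:  # Run, RunOnce and ComboFix's disabled "run-" lists
            path = _exe_path(data).lower()
            if "\\" not in path:
                findings.append(_finding("autorun-bare-filename", key, name, data))
            elif any(marker in path for marker in TEMP_MARKERS):
                findings.append(_finding("autorun-from-temp", key, name, data))
    return findings


if __name__ == "__main__":
    for f in audit_combofix_log(SAMPLE_LOG):
        print(f"{f['rule']:36} {f['name']!r} -> {f['value']}")
```

Run it against a saved C:\ComboFix.txt by passing the file's contents to `audit_combofix_log`; entries under the "run-" keys are ones ComboFix has already disabled, so they show what was loading before the cleanup rather than what still runs.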
     
  9. bababoo

    bababoo TS Enthusiast Topic Starter Posts: 50

    Hi, I have noticed that at startup today McAfee says the licence has expired, and is therefore not current. I will contact them to see if it is an issue with their subscription. However, I will not download anything until I hear a response from you, so that we don't have to start again.

    thanks for your help, it is very much appreciated :)
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, McAfee should still be running, but you won't be able to update it. If you would like to put a free AV on the system now, choose either of the following:
    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =====================================
    Did you intentionally disconnect from the internet before you ran Combofix or did you refuse the Recovery Console?

    Note: Do you realize that you are almost out of hard drive space?
    56 GiB total, 5.631 GiB free.
    We are encouraged to keep the systems as close to 80% free as possible: you have only 10% free. It's time to consider either removing or moving as much as you can in Add/Remove Programs in the Control Panel and/or getting an external hard drive.

    You may want to drop McAfee and use one of the free AVs and a free firewall. The standalone programs are not as resource-intensive as the suites like McAfee; that one puts a lot of processes on the system and it is a 'large' program.
    =====================================
    The NRCmd error is not unusual here. It is a process used in Combofix. It was most likely caused by a conflict with your security, but it appears that Combofix has run okay.
    ====================================
    I noticed these in the DDS log:
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Logitech Desktop Messenger.lnk.disabled
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Smart Wizard Wireless Settings.lnk.disabled
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\VideoCam Suite 2.0.lnk.disabled
    Why don't you just remove these from the Startup Menu instead of loading the 'disabled' shortcut?
    ======================================
    I'm going to check the Combofix log now, but wanted to get the AV info out in case you are online.
    ==================================
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Before I give you the script to run through Combofix, please tell me about the 3 startup processes I asked about. There are some related entries in Combofix.

    Do you just not want them to start on boot? Did you find related Services for them that you Disabled?
    ====================================
    The system is infected by the W32/Sdbot.worm! McAfee should have caught it. Here is a removal:
    W32/Sdbot disinfection instructions- F-SdBot

    Download F-SdBot and save to your desktop.
    • Unpack the F-SdBot utility from the provided ZIP archive
    • Run the unpacked F-SdBot.exe either of the following ways:
      [o] Doubleclick on F-SdBot from Windows explorer.
      [o] Or you can start it from a command prompt: Click on Start> Run> type in F-SdBot> Enter.

    Action:
    • First the F-SdBot utility will kill SdBot backdoor's processes in memory.
    • Then the utility will remove Registry entries created by the backdoor.
    • Finally the utility will scan all hard drives for infected files and delete them.
    • Reboot the computer.
    ==========================================
    The main problem with bots is that they install a Backdoor on the system. Although we may remove all of the entries seen, it is possible the Backdoor can remain or that the system has already been compromised.
    =========================================
    After you run the removal I'd like for you to go ahead with the online Eset virus scan.
    ============================================
    You will need to disinfect any removable drive that has been connected. The protection shouldn't remove the [good] files on it unless they have been infected also.
     
  12. bababoo

    bababoo TS Enthusiast Topic Starter Posts: 50

    I am sorry my reply is long, I am trying to keep things as concise as possible, but give you all the info you need. Thanks for your patience with this, I try to keep on top of it all, but technology has started moving too fast for me to keep up these days.

    My anti virus - I have used McAfee for many years on this laptop (since it was new) I renewed the 12 month licence about 2 weeks ago. Despite slowing down the system, I like having everything in one program, and I hoped I didn't need to worry about it. Pay the money and it keeps me safe :confused: I also run Spybot S&D about once a month. As it is saying it has expired, I cannot get to the options to disable it. Should I just uninstall it, put on one of the free ones for now, and when things are clean go back to McAfee?

    I did not disconnect from the internet, and allowed access when McAfee tried to block it.

    Hard Drives: Due to the limited space on the internal drive, I have 4 external hard drives that are primarily used for back ups, 3 are essentially mirror images of all my data files, photos etc. When the internal drive starts to get full I migrate the files across to these. The 4th one is smaller and has iTunes music, or recorded TV programs.

    I have bought a new laptop with larger internal drive, but not done anything with it until I fix up my existing one that we are working on. I have only connected it to the router and internet, and worry I may have infected it already. I have printed some advice you gave to others in setting up a new PC (settings etc) but let's not confuse things.

    This was my attempt to speed things up at startup. I could not find them in the startup menu, and now I think about it they are probably hidden files :rolleyes:. Anyway, I disabled them using Spybot, to check they didn't cause any instability. I do use the programs occasionally.

    I really want to clean up this laptop as there is a lot of "Junk" on it. I am happy to un-install anything as I have all the disks to re-install if I need to use the programs later.

    Does it infect the router or just the PC? Can you ensure it is gone by reformatting?

    Can you tell how long it has been on the system? My backup drives have not been connected for months, but would still like to check them. When things started playing up I stopped logging into anything, and changed all my bank account, eBay etc. passwords, through my work's system. My wife kept using Facebook, even though I told her not to, and her account was accessed over the weekend, lesson learned for her.

    I will run the items suggested and let you know what happens

    Thank you
     
  13. bababoo

    bababoo TS Enthusiast Topic Starter Posts: 50

    This scan found no threats

    Below is the .TXT file from ESET scan, it found 1 threat. There was only 1 line in the log:

    C:\Documents and Settings\Kerry and Matt\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfgn.class-4fb4df33-59ef83b0.class probably a variant of Java/TrojanDownloader.OpenStream trojan
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You have this temp file in the docs linked with "Windows Update":
    amb.exe

    For one: It is called a >>
    Mail Bomber: Software that will flood a victim's inbox with hundreds or thousands of pieces of mail. Such mail generally does not correctly reveal its source.

    It's listed as loading from the Registry as "Windows Services"=amb.exe. This is the W32/Sdbot.worm!
     
  15. bababoo

    bababoo TS Enthusiast Topic Starter Posts: 50

    I will run the scans again
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We're crossing paths here. I just noticed this comment:
    Spyware Search & Destroy antimalware program, is a free program. There is a bootable S&D that cost $$, but that is separate from the basic malware program. There are some programs that mock the name of 'Spybot' and doing a search using just that name will bring up those sites. Did you get your program from HERE?
    ===========================================
    Let's do the following:
    1. Disinfect all of the removable drives:
    I can't pinpoint when the system first got malware, so since you are moving files to external drives, those drives could have also become infected. It's best to go ahead with this:

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    2. If not done yet, please update Java to v6u27: Java Updates Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

    Be sure to check all download screens for any pre-check toolbars or BHO> if found, remove the check before the download.
    =======================================
    The entry that was found by Eset is in the Java cache. This happens frequently when the Java is out of date, so the cache needs to be cleared as follows:
    3. To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply> OK on Temporary Files Settings window.
    =================================
    4. Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    DDS::
    uStart Page = about:blank
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Logitech Desktop Messenger.lnk.disabled
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Smart Wizard Wireless Settings.lnk.disabled
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\VideoCam Suite 2.0.lnk.disabled
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Windows Services"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Windows Update"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Windows Services"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
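    The autorun.inf point in step 1 above is worth seeing in code: a real autorun.inf file with launch directives is what makes a USB-spreading worm run when the drive is plugged in, while the folder named autorun.inf that Flash_Disinfector leaves behind is harmless because it only occupies the name. The script below is an added example, not Flash_Disinfector's own code; it parses the [autorun] section the way Windows reads it (case-insensitive keys, open/shellexecute/shell\verb\command as the directives that execute something) and classifies a drive root. The three autorun.inf contents are constructed for the demo; the amb.exe filename is the one named in this thread.

```python
"""Audit a drive root for autorun.inf: distinguish an infected file carrying
launch directives from a Flash_Disinfector-style placeholder folder.

Added example, not Flash_Disinfector's own code. The autorun.inf contents
below are constructed; amb.exe is the filename named in the thread."""
import os
import re
import tempfile

LAUNCH_KEYS = {"open", "shellexecute"}
LAUNCH_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# constructed, worm-style: three separate ways of making AutoRun execute code
INFECTED_INF = r"""[autorun]
;constructed sample
open=RECYCLER\amb.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\Command=RECYCLER\amb.exe
shellexecute=RECYCLER\amb.exe
"""

# constructed, benign: only a label and an icon, nothing is executed
BENIGN_INF = r"""[autorun]
label=Backup Drive 3
icon=backup.ico
"""


def parse_autorun(text):
    """Return the [autorun] directives as a lower-cased dict. Section and
    key names are case-insensitive on Windows; other sections are ignored."""
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def launch_targets(directives):
    """Every directive that makes AutoRun/AutoPlay execute a program."""
    return [(k, v) for k, v in directives.items()
            if k in LAUNCH_KEYS or LAUNCH_CMD_RE.match(k)]


def audit_drive_root(root):
    """Classify <root>/autorun.inf as 'absent', 'placeholder-folder',
    'label-only' or 'launches:<n>' (n = number of launch directives)."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent"
    if os.path.isdir(path):
        return "placeholder-folder"  # a directory cannot carry directives
    with open(path, "r", errors="replace") as fh:
        targets = launch_targets(parse_autorun(fh.read()))
    return f"launches:{len(targets)}" if targets else "label-only"


def demo():
    """Build four throwaway 'drive roots' and audit each one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        roots = {n: os.path.join(tmp, n) for n in ("infected", "benign", "cleaned", "empty")}
        for root in roots.values():
            os.makedirs(root)
        with open(os.path.join(roots["infected"], "autorun.inf"), "w") as fh:
            fh.write(INFECTED_INF)
        with open(os.path.join(roots["benign"], "autorun.inf"), "w") as fh:
            fh.write(BENIGN_INF)
        # Flash_Disinfector-style placeholder: a directory, not a file
        os.makedirs(os.path.join(roots["cleaned"], "autorun.inf"))
        for name, root in roots.items():
            results[name] = audit_drive_root(root)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9} -> {verdict}")
```

    Point `audit_drive_root()` at a real drive root (for example `E:\`) to check a disk before copying files off it. The placeholder folder only blocks the worm from re-creating its file; it does not protect a machine that still has AutoRun enabled against a different drive, which is why Microsoft later disabled AutoRun for non-optical removable media through Windows Update.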
     
  17. bababoo

    bababoo TS Enthusiast Topic Starter Posts: 50

    Spybot I downloaded many years ago using a URL listed in a PC magazine. Have just done updates ever since.

    I ran the flash drive scanner, nothing found

    Java is updated and cache is deleted

    combo fix log below

    ComboFix 11-10-14.02 - Kerry and Matt 14/10/2011 15:43:10.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1023.576 [GMT 10.5:30]
    Running from: c:\documents and settings\Kerry and Matt\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Kerry and Matt\Desktop\CFScript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    E:\autorun.inf
    F:\autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-14 to 2011-10-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-14 05:03 . 2011-10-14 05:03 -------- d-sh--w- c:\documents and settings\Kerry and Matt\UserData
    2011-10-13 11:16 . 2011-10-13 11:16 -------- d-----w- c:\program files\McAfeeMOBK
    2011-10-13 11:16 . 2010-04-13 09:40 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
    2011-10-13 11:15 . 2011-10-13 11:16 -------- d-----w- c:\program files\McAfee Online Backup
    2011-10-13 11:15 . 2011-04-11 03:59 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
    2011-10-13 11:11 . 2011-10-06 06:12 28504 ----a-w- c:\program files\Mozilla Firefox\ScriptFF.dll
    2011-10-13 11:11 . 2011-08-14 23:30 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-10-13 11:11 . 2011-08-14 23:30 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-10-13 11:11 . 2011-08-14 23:30 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-10-13 11:11 . 2011-08-14 23:30 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2011-10-13 11:11 . 2011-08-14 23:30 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-10-13 11:11 . 2011-08-14 23:30 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-10-13 11:11 . 2011-08-14 23:30 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-10-13 11:11 . 2011-08-14 23:30 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-10-13 11:11 . 2011-10-13 11:12 -------- d-----w- c:\program files\Common Files\Mcafee
    2011-10-13 10:55 . 2011-10-06 06:14 148520 ----a-w- c:\windows\system32\mfevtps.exe
    2011-10-11 11:00 . 2011-10-11 11:00 -------- d-----w- c:\program files\ESET
    2011-10-07 21:45 . 2011-10-07 21:45 -------- d-----w- c:\program files\Common Files\Java
    2011-10-07 21:44 . 2011-10-07 21:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-10-07 21:44 . 2011-10-07 21:43 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-10-07 21:44 . 2011-10-07 21:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-07 21:33 . 2011-10-07 21:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-10-07 08:43 . 2011-10-07 08:43 -------- d-----w- c:\documents and settings\Kerry and Matt\Application Data\Malwarebytes
    2011-10-07 08:43 . 2011-10-07 08:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-10-07 08:43 . 2011-08-31 06:30 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-07 08:43 . 2011-10-07 08:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-04 06:52 . 2011-10-04 06:52 -------- d-----w- c:\program files\Citrix
    2011-09-26 07:47 . 2011-09-26 07:50 -------- d-----w- c:\documents and settings\Administrator
    2011-09-19 09:43 . 2011-09-19 09:43 -------- d-----w- c:\documents and settings\Kerry and Matt\Local Settings\Application Data\McAfee Anti-Theft
    2011-09-19 07:45 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-09-19 07:43 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-03 10:17 . 2004-08-10 04:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-08-14 23:30 . 2011-03-13 00:50 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-08-14 23:30 . 2011-03-13 00:50 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2006-11-23 11:48 . 2006-11-23 11:48 317248 ----a-w- c:\program files\dxwebsetup.exe
    2011-09-03 06:18 . 2011-09-11 10:13 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
    @="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
    [HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
    2010-04-13 09:41 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
    @="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
    [HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
    2010-04-13 09:41 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
    @="{b4caf489-1eec-c617-49ad-8d7088598c06}"
    [HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
    2010-04-13 09:41 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-06-21 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
    "FPCCSMiddleware"="c:\program files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe" [2008-03-06 536184]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
    "McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech Desktop Messenger.lnk.disabled [2009-4-11 2072]
    Smart Wizard Wireless Settings.lnk.disabled [2005-5-31 1659]
    VideoCam Suite 2.0.lnk.disabled [2011-3-21 1655]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 08:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    "updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
    "CanonSolutionMenu"=c:\program files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    "CanonMyPrinter"=c:\program files\Canon\MyPrinter\BJMyPrt.exe /logon
    "Dell QuickSet"=c:\program files\Dell\QuickSet\quickset.exe
    "DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" start
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    "DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe
    "DTVRemote"="c:\program files\LifeView MVP\RemoteControl.exe"
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
    "IJNetworkScanUtility"=c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
    "NokiaMServer"=c:\program files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
    "PCSuiteTrayApplication"=c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "snpstd"=c:\windows\vsnpstd.exe
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\LifeView MVP\\LIFEVIEWMVP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
    .
    R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [13/10/2011 9:45 PM 64048]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [13/10/2011 9:41 PM 89624]
    R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [13/10/2011 9:46 PM 54776]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [13/10/2011 9:41 PM 214904]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [13/10/2011 9:41 PM 214904]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [13/10/2011 9:41 PM 214904]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [13/10/2011 9:42 PM 160344]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [13/10/2011 9:25 PM 148520]
    R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [13/04/2010 8:11 PM 229688]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [13/10/2011 9:41 PM 57432]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [13/10/2011 9:41 PM 338040]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [13/10/2011 9:41 PM 83688]
    S1 M9207;LifeView M9207 USB Digital TV BOX;c:\windows\system32\drivers\M9207BDA.sys [25/01/2007 10:54 PM 43264]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/06/2010 4:02 PM 135664]
    S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\d:\bpiksp50.sys --> d:\BPIKSp50.sys [?]
    S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [12/12/2007 1:18 PM 81152]
    S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [12/12/2007 1:18 PM 87040]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [21/06/2010 4:02 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [13/10/2011 9:41 PM 83688]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [13/10/2011 9:41 PM 87808]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-14 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 03:04]
    .
    2011-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-21 05:32]
    .
    2011-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-21 05:32]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    Trusted Zone: colesonline.com.au\www
    TCP: DhcpNameServer = 10.0.0.138
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    FF - ProfilePath - c:\documents and settings\Kerry and Matt\Application Data\Mozilla\Firefox\Profiles\vcr1mlqh.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://au.search.yahoo.com/search?fr=mcafee&p=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-14 15:56
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1572)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    .
    Completion time: 2011-10-14 16:00:47
    ComboFix-quarantined-files.txt 2011-10-14 05:30
    ComboFix2.txt 2011-10-07 22:57
    .
    Pre-Run: 7,645,872,128 bytes free
    Post-Run: 7,788,720,128 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 1113A5B0AB40F02695AA50FED45298B7
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    These 2 deletions in Combofix indicated infected drives:
    E:\autorun.inf
    F:\autorun.inf
    These are the only 'drives' showing in the DDS log:
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 56 GiB total, 5.631 GiB free.
    D: is CDROM ()
    =====================================================
    Has the redirect been resolved> Is McAfee running?

    .
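    The two things the helper picked out of that log, the autorun.inf deletions under "Other Deletions" and the "Windows Services"=amb.exe value loading from a Run key, are exactly what a first pass over a ComboFix log should flag automatically. The script below is an added example, not ComboFix's code; it reads the section headers and REGEDIT4-style value lines in the layout ComboFix prints, and flags Run / Run- values that start from a Temp directory or use a Windows-sounding name for a program outside the Windows directory. SAMPLE_LOG is a constructed excerpt; its amb.exe line is reconstructed from the helper's description in post 14, not copied from a posted log.

```python
"""Triage helper for ComboFix logs: flag suspicious autostart entries under
the Run / Run- keys and autorun.inf deletions from drive roots.

Added example; not ComboFix's own code. SAMPLE_LOG is a constructed excerpt
in the layout of the log posted in the thread; the "Windows Services" ->
amb.exe line is reconstructed from the helper's description."""
import re

SECTION_RE = re.compile(r"^\(+\s*(?P<title>[^()]+?)\s*\)+$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')
AUTORUN_RE = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
BINARY_RE = re.compile(r"^(.*?\.(?:exe|dll|cpl|scr|com|bat|cmd))(?=\s|$)", re.IGNORECASE)
WINDIR_PREFIXES = ("c:\\windows\\", "%systemroot%", "%windir%")

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\autorun.inf
F:\autorun.inf
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-06-21 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"Windows Services"="c:\docume~1\KERRYA~1\LOCALS~1\Temp\amb.exe" [2011-09-20 40960]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
"Windows Update"=c:\docume~1\KERRYA~1\LOCALS~1\Temp\amb.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""


def parse_value_path(rest):
    """Program path from the right-hand side of a value line as ComboFix
    prints it: quoted ("path" [date size]) or bare (path /switch)."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    m = BINARY_RE.match(rest)
    if m:
        return m.group(1)
    # no recognisable extension: cut at " [date size]" or the first switch
    return re.split(r"\s+\[|\s+/|\s+-", rest, maxsplit=1)[0]


def triage(log_text):
    """Return (severity, where, why) tuples for the suspicious lines."""
    findings, section, key = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group("title").lower(), None
            continue
        if section == "other deletions":
            if AUTORUN_RE.match(line):
                findings.append(("medium", line,
                                 "autorun.inf removed from a drive root; that drive carried an AutoRun file"))
            continue
        if section != "reg loading points":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        tail = key.lower().rsplit("\\", 1)[-1]
        if tail not in ("run", "run-"):
            continue  # only Run and Run- (msconfig-disabled) autostart keys
        name, path = m.group("name"), parse_value_path(m.group("rest"))
        lower = path.lower()
        reasons = []
        if TEMP_RE.search(lower):
            reasons.append("autostart from a Temp directory")
        if "windows" in name.lower() and not lower.startswith(WINDIR_PREFIXES):
            reasons.append("Windows-sounding value name outside the Windows directory")
        if reasons:
            # Run- entries are disabled, so they are evidence rather than active persistence
            severity = "high" if tail == "run" else "low"
            findings.append((severity, f"{key} -> {name} = {path}", "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for severity, where, why in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {where}\n         {why}")
```

    Feed it a whole ComboFix.txt and it reports only the handful of lines worth a second look. The name heuristic is deliberately crude and will flag legitimate vendor entries such as "Windows Defender" installed under Program Files; treat its output as a reading aid, not a verdict, and extend `WINDIR_PREFIXES` or add an allowlist for a given machine.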
     
  19. bababoo

    bababoo TS Enthusiast Topic Starter Posts: 50

    McAfee seems to be running ok, I re-installed it prior to running combo fix, and it has started up every time the computer has been turned on.

    I thought the redirect had been fixed, but the other night the internet all went really slow, and one site redirected from the google search. I got fed up with the delays and, just turned it off.

    It seems that IE has been reset to default settings after combo fix.
     
  20. bababoo

    bababoo TS Enthusiast Topic Starter Posts: 50

    The other thing, 2 of the external drives didn't work. One seems to have a powerpack problem, which according to my searches is very common for this model LaCie hard drive.

    The other (Maxtor) was not recognised by windows, and an error came up to say there was a problem connecting to it.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You can use the Edit feature to add a sentence or two. I get email feedback for each reply.

    Does this refer to the two drives below?
    E:\autorun.inf
    F:\autorun.inf

    They must have been 'working' if they got infected.

    What drive is this?
    Regarding this:
    From Combofix Directions:
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

    One site One time. Which browser? Describe the 'redirect.' The 'slow' sounds like it's related to the ISP or connection problem. It can also indicate you don't have enough RAM.
     
  22. bababoo

    bababoo TS Enthusiast Topic Starter Posts: 50

    Thank you for your help, it is much appreciated, sorry if I have not been clear in my comments, hopefully we are near the end of this.

    These 2 were working ok. Would they be clean now?

    Not one of those 2 that were infected, it didn't connect so could not be scanned.

    I was using IE, as firefox wont load.

    The redirect was a google search, for a classifieds website called Gumtree. Went to some other classifieds site in the UK, I back arrowed and re-selected Gumtree and it connected OK.

    Once this computer is clean I will start using my new one which may be a bit faster (AMD A8 with 8 gig RAM), and I can move my files across.
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    About the external drives: you mentioned that you have had them connected while you had this problem. But then you mentioned you hadn't connected them for months. The 2 deletions in Combofix suggest that those 2 drives may be infected.

    I recommend that you disinfect all movable drives to be on the safe side.
    ================================
    About security and Combofix: Instructions are to disable the security when you run the Combofix scan. McAfee is known to cause a problem with these scans when running. You do not need to disconnect from the internet yourself. Combofix needs the connection to check for the Recovery Console. It will disconnect itself during the scan.
    ================================
    What happens when you try to run Firefox? When you say 'it won't load', do you mean when you try to launch it nothing happens? Error message?
    ================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\docume~1\KERRYA~1\LOCALS~1\Temp\amb.exe
    D:\BPIKSp50.sys
    DDS::
    uStart Page = about:blank
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    mRun: [<NO NAME>] 
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Logitech Desktop Messenger.lnk.disabled
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Smart Wizard Wireless Settings.lnk.disabled
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\VideoCam Suite 2.0.lnk.disabled
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Windows Services"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\securitycenter\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\securitycenter\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Windows Update"=-
    Driver::
    BPIKSp50
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ==============================================
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    To remove entries from the Startup Menu using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      All images courtesy NetSquirrel
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Uncheck any processes you do not need to start on boot. Uncheck the process for each of the following:
      [o]Logitech Desktop Messenger
      [o]Smart Wizard Wireless Settings.
      [o]VideoCam Suite 2.0.
    • Click on Apply> OK when finished.
    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
    ----
    Click on Start> Run> type in services.msc> enter> check for Services related to any of the following:
    [o]Logitech Desktop Messenger
    [o]Smart Wizard Wireless Settings.
    [o]VideoCam Suite 2.0.

    If found> double click to open each> Change Startup Type to Manual for each> Exit when through.
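    As an added example (not code from this thread, from ComboFix or from any of the tools named above), the following Python script audits a REGEDIT4-style excerpt in the layout of ComboFix's "Reg Loading Points" section and flags the same classes of entries the CFScript above removes: Security Center monitoring/notification switches set to 1, the XP firewall policy with EnableFirewall = 0, and Run entries that use generic Microsoft-sounding names or launch an executable from a Temp directory. The sample input is constructed for the example and its names and paths are illustrative; the name list and directory markers are assumptions made for the example, not ComboFix's own detection logic.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input for this example: a REGEDIT4-style excerpt in the
# layout of ComboFix's "Reg Loading Points" section. Names and paths are
# illustrative, not taken from a real machine.
SAMPLE_REG = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"Windows Services"="c:\docume~1\user\locals~1\temp\abc123.exe"
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Windows Update"=c:\documents and settings\user\local settings\temp\upd.exe /s
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{1,8})$")
BARE_INT_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")   # ComboFix style: 0 (0x0)
TRAILER_RE = re.compile(r"\s*\[\d{4}-\d{2}-\d{2} \d+\]$")    # ComboFix appends " [date size]"

# Heuristics below are assumptions made for this example, not ComboFix's rules.
SECURITY_CENTER_SWITCHES = {"disablemonitoring", "antivirusdisablenotify", "firewalldisablenotify"}
GENERIC_AUTOSTART_NAMES = {"windows services", "windows update", "microsoft update"}
SUSPICIOUS_DIR_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")


def parse_data(raw: str):
    """Turn the right-hand side of a value line into an int or a string."""
    raw = TRAILER_RE.sub("", raw.strip())
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    m = BARE_INT_RE.match(raw)
    if m:
        return int(m.group(1))
    if raw.startswith('"'):                     # quoted path, possibly followed by args
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw.strip('"')
    return raw                                  # unquoted path, args kept as-is


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Map lower-cased key path -> {value name: data}. Default (@) values are skipped."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line in ("REGEDIT4", "."):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = parse_data(m.group(2))
    return keys


def audit(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (finding kind, detail) pairs for entries worth a second look."""
    findings: List[Tuple[str, str]] = []
    for key, values in keys.items():
        if "security center" in key:
            for name, data in values.items():
                if name.lower() in SECURITY_CENTER_SWITCHES and data == 1:
                    findings.append(("securitycenter_disabled", key + "\\" + name))
        if key.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append(("firewall_off", key))
        if key.endswith("\\currentversion\\run"):          # live autostarts only, not ComboFix's "run-"
            for name, data in values.items():
                path = str(data).lower()
                if name.lower() in GENERIC_AUTOSTART_NAMES or any(mk in path for mk in SUSPICIOUS_DIR_MARKERS):
                    findings.append(("suspicious_autostart", f"{name} -> {data}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(parse_reg_export(SAMPLE_REG)):
        print(kind, detail)
```

    Run it against the "Reg Loading Points" section pasted from a real log and review each finding by hand; a Security Center switch at 1 or EnableFirewall at 0 is a configuration state that the CFScript above resets, while a flagged Run entry only says where the executable lives and what it is called, which is a reason to check the file, not proof it is malicious.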
     
  24. bababoo

    bababoo TS Enthusiast Topic Starter Posts: 50

    I was able to connect another of my external drives, it was a faulty USB cable. This was connected as H: and ComboFix found Autorun.inf on it, so that means my system has been infected for at least 6 months because I haven't used this drive for that long. I had 3 external drives connected during the scan.

    Firefox loaded but wanted to update. I did not update at this time.

    I noticed that amb.exe came up again, which you said was an email spam bomber. I have noticed spam to have disappeared, particularly the cheap Viagra. Is there a reason McAfee and Spybot S&D wouldn't pick this up?

    I ran msconfig after the scan and removed those settings, do Java and Adobe need to be in startup?

    There were no services relating to the entries that I removed.

    I have disabled McAfee to run ComboFix. Log below

    ComboFix 11-10-19.03 - Kerry and Matt 19/10/2011 21:52:50.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1023.579 [GMT 10.5:30]
    Running from: c:\documents and settings\Kerry and Matt\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Kerry and Matt\Desktop\CFScript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    FILE ::
    "c:\docume~1\KERRYA~1\LOCALS~1\Temp\amb.exe"
    "D:\BPIKSp50.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    H:\autorun.inf
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_BPIKSP50
    -------\Service_BPIKSp50
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-19 to 2011-10-19 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-19 11:16 . 2011-10-19 11:16 -------- d-sh--w- c:\documents and settings\Kerry and Matt\UserData
    2011-10-13 11:16 . 2011-10-13 11:16 -------- d-----w- c:\program files\McAfeeMOBK
    2011-10-13 11:16 . 2010-04-13 09:40 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
    2011-10-13 11:15 . 2011-10-13 11:16 -------- d-----w- c:\program files\McAfee Online Backup
    2011-10-13 11:15 . 2011-04-11 03:59 64048 ----a-w- c:\windows\system32\drivers\McPvDrv.sys
    2011-10-13 11:11 . 2011-10-06 06:12 28504 ----a-w- c:\program files\Mozilla Firefox\ScriptFF.dll
    2011-10-13 11:11 . 2011-08-14 23:30 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-10-13 11:11 . 2011-08-14 23:30 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-10-13 11:11 . 2011-08-14 23:30 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-10-13 11:11 . 2011-08-14 23:30 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2011-10-13 11:11 . 2011-08-14 23:30 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-10-13 11:11 . 2011-08-14 23:30 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-10-13 11:11 . 2011-08-14 23:30 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-10-13 11:11 . 2011-08-14 23:30 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-10-13 11:11 . 2011-10-13 11:12 -------- d-----w- c:\program files\Common Files\Mcafee
    2011-10-13 10:55 . 2011-10-06 06:14 148520 ----a-w- c:\windows\system32\mfevtps.exe
    2011-10-11 11:00 . 2011-10-11 11:00 -------- d-----w- c:\program files\ESET
    2011-10-07 21:45 . 2011-10-07 21:45 -------- d-----w- c:\program files\Common Files\Java
    2011-10-07 21:44 . 2011-10-07 21:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-10-07 21:44 . 2011-10-07 21:43 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-10-07 21:44 . 2011-10-07 21:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-07 21:33 . 2011-10-07 21:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-10-07 08:43 . 2011-10-07 08:43 -------- d-----w- c:\documents and settings\Kerry and Matt\Application Data\Malwarebytes
    2011-10-07 08:43 . 2011-10-07 08:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-10-07 08:43 . 2011-08-31 06:30 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-07 08:43 . 2011-10-07 08:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-04 06:52 . 2011-10-04 06:52 -------- d-----w- c:\program files\Citrix
    2011-09-26 07:47 . 2011-09-26 07:50 -------- d-----w- c:\documents and settings\Administrator
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-03 10:17 . 2004-08-10 04:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-08-14 23:30 . 2011-03-13 00:50 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-08-14 23:30 . 2011-03-13 00:50 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2006-11-23 11:48 . 2006-11-23 11:48 317248 ----a-w- c:\program files\dxwebsetup.exe
    2011-09-03 06:18 . 2011-09-11 10:13 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-10-14_05.26.10 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-10-19 11:38 . 2011-10-19 11:38 16384 c:\windows\Temp\Perflib_Perfdata_548.dat
    + 2011-10-19 11:38 . 2011-10-19 11:38 16384 c:\windows\Temp\Perflib_Perfdata_4e4.dat
    + 2011-10-19 11:38 . 2011-10-19 11:38 16384 c:\windows\Temp\Perflib_Perfdata_438.dat
    + 2011-10-19 10:21 . 2011-10-19 10:21 16384 c:\windows\Temp\Perflib_Perfdata_208.dat
    + 2005-05-13 11:28 . 2011-10-15 06:47 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2005-05-13 11:28 . 2011-10-14 01:30 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2005-05-13 11:28 . 2011-10-14 01:30 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2005-05-13 11:28 . 2011-10-15 06:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2010-04-01 04:21 . 2011-10-14 01:30 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
    + 2010-04-01 04:21 . 2011-10-15 06:47 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
    - 2011-10-07 23:20 . 2011-10-14 01:30 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2011-10-14 06:10 . 2011-10-15 06:47 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
    @="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
    [HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
    2010-04-13 09:41 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
    @="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
    [HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
    2010-04-13 09:41 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
    @="{b4caf489-1eec-c617-49ad-8d7088598c06}"
    [HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
    2010-04-13 09:41 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-06-21 39408]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
    "FPCCSMiddleware"="c:\program files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe" [2008-03-06 536184]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
    "McPvTray_exe"="c:\program files\McAfee\MAT\McPvTray.exe" [2011-04-08 419904]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech Desktop Messenger.lnk.disabled [2009-4-11 2072]
    Smart Wizard Wireless Settings.lnk.disabled [2005-5-31 1659]
    VideoCam Suite 2.0.lnk.disabled [2011-3-21 1655]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 08:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    "updateMgr"=c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
    "CanonSolutionMenu"=c:\program files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    "CanonMyPrinter"=c:\program files\Canon\MyPrinter\BJMyPrt.exe /logon
    "Dell QuickSet"=c:\program files\Dell\QuickSet\quickset.exe
    "DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" start
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    "DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe
    "DTVRemote"="c:\program files\LifeView MVP\RemoteControl.exe"
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
    "IJNetworkScanUtility"=c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
    "NokiaMServer"=c:\program files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
    "PCSuiteTrayApplication"=c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "snpstd"=c:\windows\vsnpstd.exe
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\LifeView MVP\\LIFEVIEWMVP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
    .
    R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [13/10/2011 9:45 PM 64048]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [13/10/2011 9:41 PM 89624]
    R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [13/10/2011 9:46 PM 54776]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [13/10/2011 9:41 PM 214904]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [13/10/2011 9:41 PM 214904]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [13/10/2011 9:41 PM 214904]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [13/10/2011 9:42 PM 160344]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [13/10/2011 9:25 PM 148520]
    R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [13/04/2010 8:11 PM 229688]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [13/10/2011 9:41 PM 57432]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [13/10/2011 9:41 PM 338040]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [13/10/2011 9:41 PM 83688]
    S1 M9207;LifeView M9207 USB Digital TV BOX;c:\windows\system32\drivers\M9207BDA.sys [25/01/2007 10:54 PM 43264]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/06/2010 4:02 PM 135664]
    S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [12/12/2007 1:18 PM 81152]
    S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [12/12/2007 1:18 PM 87040]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [21/06/2010 4:02 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [13/10/2011 9:41 PM 83688]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [13/10/2011 9:41 PM 87808]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-14 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 03:04]
    .
    2011-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-21 05:32]
    .
    2011-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-21 05:32]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    Trusted Zone: colesonline.com.au\www
    TCP: DhcpNameServer = 10.0.0.138
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    FF - ProfilePath - c:\documents and settings\Kerry and Matt\Application Data\Mozilla\Firefox\Profiles\vcr1mlqh.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: keyword.URL - hxxp://au.search.yahoo.com/search?fr=mcafee&p=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-19 22:10
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1568)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    .
    - - - - - - - > 'explorer.exe'(820)
    c:\windows\system32\WININET.dll
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\program files\McAfee Online Backup\MOBKshell.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
    c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKeeper.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\system32\bgsvcgen.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\windows\wanmpsvc.exe
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
    c:\windows\system32\Ati2evxx.exe
    c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
    c:\windows\system32\rundll32.exe
    c:\windows\System32\vssvc.exe
    c:\program files\Apoint\Apntex.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Common Files\Java\Java Update\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2011-10-19 22:21:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-10-19 11:51
    ComboFix2.txt 2011-10-14 05:30
    ComboFix3.txt 2011-10-07 22:57
    .
    Pre-Run: 7,653,560,320 bytes free
    Post-Run: 7,492,468,736 bytes free
    .
    - - End Of File - - 4FA27C9DC46B264F81194E49D92E5D8D
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for delay:

    No, neither Java nor the Adobe Reader need to be on Startup. Both also have auto-updates which I discourage. You have the Java Quick Starter Service (jqs) running. I suggest stopping the Service and disabling it.

    I don't know why some security misses some entries. Could be the way they are configured, could be from a file attachment you opened from email. And it could be because the malware writers are pretty good at disguising the bad stuff!

    Security needs to be layered to work best: Antivirus, Firewall, 2 or more antimalware programs> those that keep out and those that find.
    =================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    Folder::
    c:\documents and settings\Kerry and Matt\UserData
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ========================================
    Let's run HijackThis and I can have you check the processes to stop and use as a guide:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will be saved and then the log will open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Edit: H:\autorun.inf>> this drive needs to be disinfected.
     