TechSpot

[Closed] Google redirect virus, scour et al., part II

By starl1ng
Apr 4, 2011
Topic Status:
Not open for further replies.
  1. Original thread: http://www.techspot.com/vb/topic163104.html#post1021918

    Sorry, Broni - just getting back to the user's machine tonight. Here are our results:

    MBR:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000003c

    Kernel Drivers (total 123):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E5000 \WINDOWS\system32\hal.dll
    0xB85A8000 \WINDOWS\system32\KDCOM.DLL
    0xB84B8000 \WINDOWS\system32\BOOTVID.dll
    0xB7F79000 ACPI.sys
    0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB7F68000 pci.sys
    0xB80A8000 isapnp.sys
    0xB8670000 pciide.sys
    0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xB80B8000 MountMgr.sys
    0xB7F49000 ftdisk.sys
    0xB85AC000 dmload.sys
    0xB7F23000 dmio.sys
    0xB8330000 PartMgr.sys
    0xB80C8000 VolSnap.sys
    0xB7F0B000 atapi.sys
    0xB80D8000 disk.sys
    0xB80E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB7EEB000 fltMgr.sys
    0xB7ED9000 sr.sys
    0xB7E7C000 mfehidk.sys
    0xB7E65000 KSecDD.sys
    0xB7E52000 WudfPf.sys
    0xB7DC5000 Ntfs.sys
    0xB7D98000 NDIS.sys
    0xB7D7E000 Mup.sys
    0xB6D15000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB6D01000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB6CD9000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB6CA2000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
    0xB83E0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB6C7E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xB83E8000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB81C8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xB83F8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xB8400000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xB81D8000 \SystemRoot\system32\DRIVERS\serial.sys
    0xB8584000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xB6C6A000 \SystemRoot\system32\DRIVERS\parport.sys
    0xB81E8000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xB81F8000 \SystemRoot\System32\Drivers\AFS2K.SYS
    0xB8208000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xB8218000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB6C47000 \SystemRoot\system32\DRIVERS\ks.sys
    0xB8228000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB8798000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xB6C33000 \SystemRoot\system32\DRIVERS\mfendisk.sys
    0xB8238000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB859C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB6C1C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xB8248000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xB8258000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xB8430000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB6C0B000 \SystemRoot\system32\DRIVERS\psched.sys
    0xB8268000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xB6BE7000 \SystemRoot\system32\drivers\mfeavfk.sys
    0xB6B9C000 \SystemRoot\system32\drivers\mfefirek.sys
    0xB8450000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xB8460000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB6B44000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xB8278000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xB85C8000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB6AE6000 \SystemRoot\system32\DRIVERS\update.sys
    0xB764A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xB8298000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB43A4000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xB4380000 \SystemRoot\system32\drivers\portcls.sys
    0xB82A8000 \SystemRoot\system32\drivers\drmk.sys
    0xB82B8000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xB85D2000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB42F6000 \SystemRoot\system32\DRIVERS\MOBK.sys
    0xB85EE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xB86B8000 \SystemRoot\System32\Drivers\Null.SYS
    0xB85F2000 \SystemRoot\System32\Drivers\Beep.SYS
    0xB42DF000 \??\C:\WINDOWS\system32\drivers\SBREdrv.sys
    0xB8370000 \SystemRoot\System32\drivers\vga.sys
    0xB85F6000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xB85FA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xB8380000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xB8390000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB49DA000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB42AC000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB4253000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB4205000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xB41F2000 \SystemRoot\system32\drivers\mfetdi2k.sys
    0xB82C8000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB412A000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB4108000 \SystemRoot\System32\drivers\afd.sys
    0xB82D8000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xB40DD000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB406D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xB83B0000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53BE1125-75C8-4BFE-8294-3794CDEF45D4}\MpKsl14298079.sys
    0xB82E8000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB4370000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0xB8308000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB4055000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xB8606000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB435C000 \SystemRoot\System32\drivers\Dxapi.sys
    0xB83D0000 \SystemRoot\System32\watchdog.sys
    0xBD000000 \SystemRoot\System32\drivers\dxg.sys
    0xB8748000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBD012000 \SystemRoot\System32\nv4_disp.dll
    0xBD623000 \SystemRoot\System32\ATMFD.DLL
    0xB32EF000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB3072000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB8652000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xB300D000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB4172000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB2ECA000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB27E9000 \SystemRoot\system32\drivers\cfwids.sys
    0xB2528000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB1DCC000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awdyqaoc.sys
    0xB1DB6000 \SystemRoot\system32\drivers\mfeapfk.sys
    0xB2589000 \SystemRoot\system32\drivers\mfebopk.sys
    0xB8498000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys
    0xB026F000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xB2326000 \SystemRoot\system32\DRIVERS\asyncmac.sys
    0xB8490000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xB8480000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xAE530000
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 40):
    0 System Idle Process
    4 System
    1008 C:\WINDOWS\system32\smss.exe
    1076 csrss.exe
    1100 C:\WINDOWS\system32\winlogon.exe
    1144 C:\WINDOWS\system32\services.exe
    1156 C:\WINDOWS\system32\lsass.exe
    1336 C:\WINDOWS\system32\nvsvc32.exe
    1380 C:\WINDOWS\system32\svchost.exe
    1492 svchost.exe
    1668 C:\WINDOWS\system32\svchost.exe
    1712 C:\WINDOWS\system32\svchost.exe
    1840 svchost.exe
    1976 svchost.exe
    308 C:\WINDOWS\system32\spoolsv.exe
    396 svchost.exe
    520 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    716 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    816 C:\WINDOWS\system32\mfevtps.exe
    872 C:\Program Files\McAfee Online Backup\MOBKbackup.exe
    1028 C:\WINDOWS\system32\svchost.exe
    1232 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
    1372 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
    1444 C:\WINDOWS\explorer.exe
    2832 C:\WINDOWS\system32\rundll32.exe
    2936 alg.exe
    3512 C:\WINDOWS\RTHDCPL.EXE
    3616 C:\WINDOWS\system32\rundll32.exe
    3880 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    3988 C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    792 C:\Program Files\Palm\Hotsync.exe
    1940 C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    2052 C:\Program Files\GoZone\GoZone_iSync.exe
    2096 C:\Program Files\Common Files\Skyscape\SmartUpdate.exe
    2568 C:\WINDOWS\system32\ctfmon.exe
    2668 C:\Program Files\McAfee.com\Agent\mcagent.exe
    888 C:\Program Files\Skyscape\Desktop\smARTalerts\smARTalerts.exe
    1884 C:\Program Files\Mozilla Firefox\firefox.exe
    4044 C:\Program Files\Mozilla Firefox\plugin-container.exe
    2844 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive1 Model Number: ST3500418AS, Rev: CC34

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

    ComboFix:

    ComboFix 11-04-04.01 - Administrator 04/04/2011 17:29:20.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2044.1274 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-04 to 2011-04-04 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-29 16:22 . 2011-03-29 16:22 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-03-28 23:55 . 2011-03-29 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-03-28 23:55 . 2011-03-28 23:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-03-28 23:47 . 2011-03-28 23:47 -------- d-----w- c:\program files\TweakNow RegCleaner 2011
    2011-03-28 23:47 . 2011-03-28 23:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\TweakNow RegCleaner 2011
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58 . 2010-10-19 15:06 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2010-10-19 15:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-14 03:28 . 2010-12-31 16:14 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-28_23.38.27 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-04-04 09:14 . 2011-04-04 09:14 16384 c:\windows\Temp\Perflib_Perfdata_4d0.dat
    + 2011-03-29 00:13 . 2011-03-29 00:13 16384 c:\windows\Temp\Perflib_Perfdata_368.dat
    + 2010-12-31 21:08 . 2011-04-04 21:03 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2010-12-31 21:08 . 2011-03-28 23:21 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2010-12-31 21:08 . 2011-04-04 21:03 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2010-12-31 21:08 . 2011-03-28 23:21 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
    @="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
    [HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
    2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
    @="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
    [HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
    2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
    @="{b4caf489-1eec-c617-49ad-8d7088598c06}"
    [HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
    2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2010-09-07 19573352]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-08 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-08 13851752]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
    "QuickFinder Scheduler"="c:\program files\WordPerfect Office 11\Programs\QFSCHD110.EXE" [2003-07-09 77887]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-11-22 1193848]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    GoZone iSync.lnk - c:\program files\GoZone\GoZone_iSync.exe [2010-10-19 431608]
    Palm Registration.lnk - c:\program files\Palm\register.exe [2010-10-25 2494464]
    Skyscape SmartUpdate.lnk - c:\program files\Common Files\Skyscape\SmartUpdate.exe [2010-9-30 12496896]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2010-10-25 28672]
    Event Reminder.lnk - c:\program files\PrintMaster Platinum 17\Remind.exe [2006-2-22 344064]
    HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Worden Brothers, Inc\\stockFinder\\AppBinv5\\stockFinderApp.exe"=
    "c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/31/2010 12:14 PM 84072]
    R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [12/31/2010 12:15 PM 54776]
    R1 MpKsl14298079;MpKsl14298079;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53BE1125-75C8-4BFE-8294-3794CDEF45D4}\MpKsl14298079.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53BE1125-75C8-4BFE-8294-3794CDEF45D4}\MpKsl14298079.sys [?]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2/5/2011 4:31 PM 98392]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/31/2010 12:14 PM 271480]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/31/2010 12:14 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/31/2010 12:14 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/31/2010 12:14 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/31/2010 12:04 PM 141792]
    R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 9:11 PM 229688]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/31/2010 12:14 PM 55840]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/31/2010 12:14 PM 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/31/2010 12:14 PM 88544]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/19/2010 12:48 PM 1691480]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/31/2010 12:14 PM 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/31/2010 12:14 PM 84264]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - AWDYQAOC
    *NewlyCreated* - MPKSL8DF18363
    *Deregistered* - awdyqaoc
    *Deregistered* - mfeavfk01
    *Deregistered* - MpKsl8df18363
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-04 c:\windows\Tasks\User_Feed_Synchronization-{4E856EB8-7DB8-4A03-BF68-C944DD112F3A}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0jji56st.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-04 17:32
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1644491937-515967899-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,36,41,49,f2,af,3b,4f,ae,05,a7,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,36,41,49,f2,af,3b,4f,ae,05,a7,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,36,41,49,f2,af,3b,4f,ae,05,a7,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(828)
    c:\windows\system32\WININET.dll
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\program files\McAfee Online Backup\MOBKshell.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-04-04 17:33:14
    ComboFix-quarantined-files.txt 2011-04-04 21:33
    ComboFix2.txt 2011-03-28 23:39
    .
    Pre-Run: 466,673,737,728 bytes free
    Post-Run: 466,700,603,392 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 58C45B9536A5AFA9EF2EB4D26D9B115C

    Thanks - sorry for the delay. Likely to be another one after we receive further instructions. I'll be in closer contact, Broni.
  2. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    I'll reopen your original topic.
    Please, post all logs there.

    I'm closing this one.