[Solved] Followed 8 steps, any assistance appreciated

I've been using FF for the most part since you've been helping me. Before that I used Chrome almost exclusively. I will do some test surfing on both Chrome and IE tonight and let you know my results tomorrow. Prior to things getting to their worst, all three browsers would redirect, yet Chrome would place the pop-up in another tab, as opposed to IE and FF sending me straight to the redirect.

As for the pop-ups, yes, they only happen when the browser is open. In fact, since I have opened this page FF has blocked one from google-analyticsXXXXXX. This is the first time I have noticed FF actually blocking this type of pop-up specifically.

Something I would like to get your insight on. I think where I got this from (at least the worst of it) was from downloading an e-book called SEO Dart from an online forum (I stupidly went against McAfee's suggestion not to). I am not sure if there was malware in the downloaded file; however, I've noticed that one web page I cannot access (from my computer nor my iPod) is localseomatters.com, but I have no issues on my BlackBerry browser running on the data network. However, I am not 100% confident this is the true source, as I was being redirected prior to this specific download. Just thought I would throw that out to you, to see if anything adds up.

One last question, before I start your router suggestions: will it matter that it was set up on the computer that no longer shows desktop icons or a start bar? I don't want to lock myself out of my network completely.

Paul
 
Okay, I've tried out all three browsers. All three do redirect, IE being the worst. Ex: type Gizmodo into a Google search. I click the link, it will load maybe the banner of the website, then take me straight to the redirect. On FF it opens a new window or will show a popup blocked. Chrome puts the redirect in a new tab.

Once I figure out how I can get access to control the network I will run your suggestions and do some more test surfing. I will keep you posted, hopefully within a few hours.

-Paul
 
I think where I got this from (at least the worst of it) was from downloading an e-book called SEO Dart from an online forum
When exactly did you do it?
Some time in the course of our cleaning process, lately, or...?
 
I downloaded the file no earlier than late August. I used my computer minimally since you have been helping me and have only downloaded or run what you said to do. I deleted the file upon trying to identify the problem. I was about to do a factory reset right before I found this site (I did not perform the reset due to the mention of making the issue worse). From that point on I have followed directions as closely as possible. It is just after downloading that file that I noticed things worsen. But I can't say for sure this is the culprit, because the redirects began shortly before the download of the SEO Dart file.
 
Well, I've completed the router reset and all three browsers are still redirecting. Any suggestions?

Thanks,
Paul
 
Hmmm...maybe, you got reinfected.
Unfortunately, we'll have to re-run some scans.

STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
Do NOT use the computer while GMER is running!
When the scan is completed, click the Save button, and save the results as gmer.log
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log in your next reply.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


STEP 3. Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop.
Open this report and post its content in your next reply.



DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Alright, I will get on that as soon as Windows finishes installing the latest update which is taking forever.

(Installing Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x86 (update 1 of 1))

I will post my results upon completion.
 
I tried to run GMER at least 2 dozen times and every time it froze. Sometimes it would get far and other times it would freeze after 10 seconds. I tried in safe mode, unchecking devices, making sure that nothing else was running (internet or McAfee).

Here are the MBAM and MBR results.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/5/2010 4:41:56 PM
mbam-log-2010-11-05 (16-41-56).txt

Scan type: Quick scan
Objects scanned: 123705
Time elapsed: 23 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000004

Kernel Drivers (total 169):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF7C67000 \WINDOWS\system32\KDCOM.DLL
0xF7B77000 \WINDOWS\system32\BOOTVID.dll
0xF7718000 ACPI.sys
0xF7C69000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7707000 pci.sys
0xF7767000 isapnp.sys
0xF7B7B000 compbatt.sys
0xF7B7F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7D2F000 pciide.sys
0xF79E7000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7C6B000 aliide.sys
0xF7C6D000 cmdide.sys
0xF7C6F000 toside.sys
0xF7C71000 viaide.sys
0xF7C73000 intelide.sys
0xF7777000 MountMgr.sys
0xF76E8000 ftdisk.sys
0xF7B83000 ACPIEC.sys
0xF7D30000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF79EF000 PartMgr.sys
0xF7787000 VolSnap.sys
0xF7B87000 cpqarray.sys
0xF76D0000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF76B8000 atapi.sys
0xF7B8B000 aha154x.sys
0xF79F7000 sparrow.sys
0xF7B8F000 symc810.sys
0xF7797000 aic78xx.sys
0xF7B93000 dac960nt.sys
0xF77A7000 ql10wnt.sys
0xF7B97000 amsint.sys
0xF79FF000 asc.sys
0xF7B9B000 asc3550.sys
0xF7A07000 mraid35x.sys
0xF7A0F000 i2omp.sys
0xF7B9F000 ini910u.sys
0xF77B7000 ql1240.sys
0xF77C7000 aic78u2.sys
0xF7A17000 symc8xx.sys
0xF7A1F000 sym_hi.sys
0xF7A27000 sym_u3.sys
0xF7A2F000 ABP480N5.SYS
0xF7A37000 asc3350p.sys
0xF7C75000 cd20xrnt.sys
0xF77D7000 ultra.sys
0xF769F000 adpu160m.sys
0xF7A3F000 dpti2o.sys
0xF77E7000 ql1080.sys
0xF77F7000 ql1280.sys
0xF7807000 ql12160.sys
0xF7A47000 perc2.sys
0xF7C77000 perc2hib.sys
0xF7A4F000 hpn.sys
0xF7BA3000 cbidf2k.sys
0xF7673000 dac2w2k.sys
0xF7817000 disk.sys
0xF7827000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7653000 fltMgr.sys
0xF7641000 sr.sys
0xF75E4000 mfehidk.sys
0xF75CD000 KSecDD.sys
0xF7540000 Ntfs.sys
0xF7513000 NDIS.sys
0xF7837000 sisagp.sys
0xF7847000 viaagp.sys
0xF74F9000 Mup.sys
0xF7857000 alim1541.sys
0xF7867000 amdagp.sys
0xF7877000 agp440.sys
0xF7887000 agpCPQ.sys
0xF7447000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7C33000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF6E31000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF6E1D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6DF5000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF6DDA000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xF6C99000 \SystemRoot\system32\DRIVERS\athw.sys
0xF7AB7000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6C75000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7AE7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7437000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7B07000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
0xF7B17000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF6C3E000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7C83000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7B5F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF74C5000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7D53000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF6C2A000 \SystemRoot\system32\DRIVERS\mfendisk.sys
0xF7427000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF74B9000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6C13000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7417000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7407000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7ADF000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6C02000 \SystemRoot\system32\DRIVERS\psched.sys
0xF73F7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF6BDE000 \SystemRoot\system32\drivers\mfeavfk.sys
0xF6B6B000 \SystemRoot\system32\drivers\mfefirek.sys
0xF7B3F000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7B4F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF73E7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7C8F000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6B20000 \SystemRoot\system32\DRIVERS\ks.sys
0xF6AC2000 \SystemRoot\system32\DRIVERS\update.sys
0xF7C4B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF73D7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF78A7000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xAA303000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA2DF000 \SystemRoot\system32\drivers\portcls.sys
0xF78B7000 \SystemRoot\system32\drivers\drmk.sys
0xF74B5000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7C9B000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7DAC000 \SystemRoot\System32\Drivers\Null.SYS
0xF7C9F000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7A5F000 \SystemRoot\System32\drivers\vga.sys
0xF7CA3000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7CA7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7A87000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7A97000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6BDA000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA1BC000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA163000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA9FB2000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
0xF78E7000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0xF7AEF000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
0xA9F3C000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA9F29000 \SystemRoot\system32\drivers\mfetdi2k.sys
0xF78F7000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA9F01000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA9EDF000 \SystemRoot\System32\drivers\afd.sys
0xF7907000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA9EBD000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xA9F82000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA9E92000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA9E22000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7ACF000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF7937000 \SystemRoot\System32\Drivers\Fips.SYS
0xAA237000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF7957000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA9F8A000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xAA223000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA9DE2000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7CD1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6BBA000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7AFF000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7D3F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA9C96000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9A45000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA9940000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9AEA000 \SystemRoot\system32\drivers\sysaudio.sys
0xA952C000 \SystemRoot\system32\DRIVERS\srv.sys
0xA8FC0000 \SystemRoot\System32\Drivers\HTTP.sys
0xA8F74000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA9494000 \SystemRoot\system32\drivers\cfwids.sys
0xA8D23000 \??\C:\Acer\Empowering Technology\eRecovery\int15.sys
0xA88AD000 \SystemRoot\system32\drivers\mfeapfk.sys
0xA9995000 \SystemRoot\system32\drivers\mfebopk.sys
0xF7CD5000 \SystemRoot\system32\DRIVERS\psi_mf.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
1104 C:\WINDOWS\system32\smss.exe
1164 csrss.exe
1196 C:\WINDOWS\system32\winlogon.exe
1240 C:\WINDOWS\system32\services.exe
1252 C:\WINDOWS\system32\lsass.exe
1400 C:\WINDOWS\system32\svchost.exe
1520 svchost.exe
1560 C:\WINDOWS\system32\svchost.exe
1696 svchost.exe
1756 svchost.exe
312 C:\WINDOWS\system32\spoolsv.exe
400 svchost.exe
612 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
636 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
728 C:\WINDOWS\system32\mfevtps.exe
844 C:\WINDOWS\system32\svchost.exe
888 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
924 C:\WINDOWS\explorer.exe
1052 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
1088 C:\WINDOWS\system32\igfxtray.exe
1092 C:\WINDOWS\system32\hkcmd.exe
1124 C:\WINDOWS\system32\igfxpers.exe
1384 C:\WINDOWS\RTHDCPL.exe
932 C:\WINDOWS\system32\igfxsrvc.exe
1816 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
1944 C:\WINDOWS\system32\wuauclt.exe
2008 C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
2196 C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
2224 C:\Program Files\McAfee.com\Agent\mcagent.exe
2240 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2332 C:\WINDOWS\system32\ctfmon.exe
2644 C:\Program Files\Secunia\PSI\psi.exe
2740 C:\WINDOWS\system32\igfxext.exe
3104 alg.exe
3688 C:\DOCUME~1\PAULHI~1\LOCALS~1\Temp\RtkBtMnt.exe
2876 C:\Program Files\Internet Explorer\iexplore.exe
1880 C:\Program Files\Internet Explorer\iexplore.exe
3728 C:\Program Files\Internet Explorer\iexplore.exe
3320 C:\WINDOWS\system32\wuauclt.exe
2684 C:\Documents and Settings\Paul Hirko\Local Settings\Temporary Internet Files\Content.IE5\VXC0JZXT\MBRCheck[1].exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`768ff800 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS543212L9A300, Rev: FBBOC40C

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 6A37CCD118436B688B51F6BD4C2B47A895EBDF7F


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
 
Your MBR seems to be infected.

Please download NTBR by noahdfear and save it to your Desktop.
File size: 2.44 MB (2,565,432 bytes)

  • Place a blank CD in your CD drive.
  • Double click on NTBR_CD.exe file and a folder of the same name will appear.
  • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
  • Follow the prompts to burn the CD.
  • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
  • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
  • Insert the newly created CD into your infected PC and reboot your computer.
  • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
  • Read the warning and then continue as prompted.
  • You first need to select your keyboard layout - press Enter for English.
  • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
  • On the following screen enter 5 to select Install Standard MBR code.
  • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
  • When asked to confirm please do so.
  • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
  • Eject the disc and then press ctrl+alt+del to reboot the PC.
Once rebooted, run MBRCheck again and post its log.
 
Hmmmm, here's some interesting news ... and I hope I am not jumping the gun. Buuuut I have not seen a pop up, browser redirect, etc. with any of the browsers at any point while doing some surfing this morning. I had some serious concern as another computer was brought on to the network. This one has not been operated in nearly a year, let alone ever connected to this network. As soon as it was fired up and updated, it was showing the same pop-ups. But that was yesterday and today seems to be different. I won't believe it until you give me an okay!

At any rate, as we continue, I have no disk drive to do this next step. Can it be done with a USB drive? I think because I was running both Jolicloud and XP we skipped this step.
 
I never tried to make a bootable USB drive with the above program, but we won't know until we try, will we?
Let me know.
 
Soooo, maybe that was a good idea, but now I have no idea how to execute it correctly. I was able to make a CD and copy the files over to a flash drive. However, figuring out how to make it bootable, I fail. Any ideas?

Paul
 
You have to enter the BIOS and make sure the USB device is listed 1st in the "boot order".
 
That's where I fail. I've done that, and when the PC boots I get a black screen stating: Please remove devices and drives. Press any key to restart. No drives are connected (except for the USB) and pressing any key brings me straight into the Windows login. The USB does not seem to be accessed at any point (the LED on the drive does not flash) during this screen.
 
I must be tired and I'm not thinking clearly...LOL

Restart computer
When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.
If you find this hard to do, then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. Click OK, then reboot.

You should get a black screen with a C:\> prompt. Type with an Enter after each line:

fixmbr

(If it asks you if you are sure then say "Y".)

exit

Reboot computer.

Post fresh MBRCheck log.
 
Man, take a break, enjoy your weekend. I didn't think I'd hear from you until Monday. Well, I think what you suggested worked, but I'll let you be the judge. Here are the results:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 165):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF7C67000 \WINDOWS\system32\KDCOM.DLL
0xF7B77000 \WINDOWS\system32\BOOTVID.dll
0xF7718000 ACPI.sys
0xF7C69000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7707000 pci.sys
0xF7767000 isapnp.sys
0xF7B7B000 compbatt.sys
0xF7B7F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7D2F000 pciide.sys
0xF79E7000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7C6B000 aliide.sys
0xF7C6D000 cmdide.sys
0xF7C6F000 toside.sys
0xF7C71000 viaide.sys
0xF7C73000 intelide.sys
0xF7777000 MountMgr.sys
0xF76E8000 ftdisk.sys
0xF7B83000 ACPIEC.sys
0xF7D30000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF79EF000 PartMgr.sys
0xF7787000 VolSnap.sys
0xF7B87000 cpqarray.sys
0xF76D0000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF76B8000 atapi.sys
0xF7B8B000 aha154x.sys
0xF79F7000 sparrow.sys
0xF7B8F000 symc810.sys
0xF7797000 aic78xx.sys
0xF7B93000 dac960nt.sys
0xF77A7000 ql10wnt.sys
0xF7B97000 amsint.sys
0xF79FF000 asc.sys
0xF7B9B000 asc3550.sys
0xF7A07000 mraid35x.sys
0xF7A0F000 i2omp.sys
0xF7B9F000 ini910u.sys
0xF77B7000 ql1240.sys
0xF77C7000 aic78u2.sys
0xF7A17000 symc8xx.sys
0xF7A1F000 sym_hi.sys
0xF7A27000 sym_u3.sys
0xF7A2F000 ABP480N5.SYS
0xF7A37000 asc3350p.sys
0xF7C75000 cd20xrnt.sys
0xF77D7000 ultra.sys
0xF769F000 adpu160m.sys
0xF7A3F000 dpti2o.sys
0xF77E7000 ql1080.sys
0xF77F7000 ql1280.sys
0xF7807000 ql12160.sys
0xF7A47000 perc2.sys
0xF7C77000 perc2hib.sys
0xF7A4F000 hpn.sys
0xF7BA3000 cbidf2k.sys
0xF7673000 dac2w2k.sys
0xF7817000 disk.sys
0xF7827000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7653000 fltMgr.sys
0xF7641000 sr.sys
0xF75E4000 mfehidk.sys
0xF75CD000 KSecDD.sys
0xF7540000 Ntfs.sys
0xF7513000 NDIS.sys
0xF7837000 sisagp.sys
0xF7847000 viaagp.sys
0xF74F9000 Mup.sys
0xF7857000 alim1541.sys
0xF7867000 amdagp.sys
0xF7877000 agp440.sys
0xF7887000 agpCPQ.sys
0xF7447000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7C33000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF6E31000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF6E1D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6DF5000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF6DDA000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xF6C99000 \SystemRoot\system32\DRIVERS\athw.sys
0xF7AAF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6C75000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7ADF000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7437000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7AFF000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
0xF7B0F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF6C3E000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7C87000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7B57000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF74C5000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7D74000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF6C2A000 \SystemRoot\system32\DRIVERS\mfendisk.sys
0xF7427000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF74B5000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6C13000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7417000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7407000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7AD7000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6BDA000 \SystemRoot\system32\DRIVERS\psched.sys
0xF73F7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF6BB6000 \SystemRoot\system32\drivers\mfeavfk.sys
0xF6B6B000 \SystemRoot\system32\drivers\mfefirek.sys
0xF7B37000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7B47000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF73E7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7C91000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6B20000 \SystemRoot\system32\DRIVERS\ks.sys
0xF6AC2000 \SystemRoot\system32\DRIVERS\update.sys
0xF7C53000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF73D7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF78A7000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xAA303000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA2DF000 \SystemRoot\system32\drivers\portcls.sys
0xF78B7000 \SystemRoot\system32\drivers\drmk.sys
0xF74B1000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7C9D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7DCA000 \SystemRoot\System32\Drivers\Null.SYS
0xF7CA1000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7B6F000 \SystemRoot\System32\drivers\vga.sys
0xF7CA5000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7CA9000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7A7F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7A8F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7494000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA1BC000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA163000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAA150000 \SystemRoot\system32\drivers\mfetdi2k.sys
0xAA12A000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF78E7000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAA102000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF7AF7000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xAA090000 \SystemRoot\System32\drivers\afd.sys
0xF7907000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA9EBD000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xF7B5F000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA9E92000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA9E22000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7937000 \SystemRoot\System32\Drivers\Fips.SYS
0xA9DD6000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA9DBE000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7CC5000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6B5F000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7B4F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7D94000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA9CA6000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9A21000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA99E4000 \SystemRoot\system32\drivers\wdmaud.sys
0xF7967000 \SystemRoot\system32\drivers\sysaudio.sys
0xA95AA000 \SystemRoot\system32\DRIVERS\srv.sys
0xA8DF1000 \SystemRoot\System32\Drivers\HTTP.sys
0xA8E5A000 \SystemRoot\system32\drivers\cfwids.sys
0xA8C28000 \??\C:\Acer\Empowering Technology\eRecovery\int15.sys
0xA8BC2000 \SystemRoot\system32\drivers\mfeapfk.sys
0xA8E8A000 \SystemRoot\system32\drivers\mfebopk.sys
0xF7C8B000 \SystemRoot\system32\DRIVERS\psi_mf.sys
0xA821C000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
0xA97AC000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0xF7A9F000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 46):
0 System Idle Process
4 System
1104 C:\WINDOWS\system32\smss.exe
1172 csrss.exe
1204 C:\WINDOWS\system32\winlogon.exe
1248 C:\WINDOWS\system32\services.exe
1260 C:\WINDOWS\system32\lsass.exe
1408 C:\WINDOWS\system32\svchost.exe
1528 svchost.exe
1568 C:\WINDOWS\system32\svchost.exe
1704 svchost.exe
1756 svchost.exe
2044 C:\WINDOWS\system32\spoolsv.exe
264 svchost.exe
700 C:\WINDOWS\explorer.exe
748 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
776 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
848 C:\WINDOWS\system32\mfevtps.exe
880 C:\WINDOWS\system32\svchost.exe
924 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
1460 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
292 C:\WINDOWS\system32\igfxtray.exe
1776 C:\WINDOWS\system32\hkcmd.exe
532 C:\WINDOWS\system32\igfxpers.exe
904 C:\WINDOWS\system32\igfxsrvc.exe
892 C:\WINDOWS\RTHDCPL.exe
992 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2128 C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
2268 C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
2280 C:\Program Files\McAfee.com\Agent\mcagent.exe
2288 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2300 C:\WINDOWS\system32\ctfmon.exe
2684 C:\Program Files\Secunia\PSI\psi.exe
2844 C:\WINDOWS\system32\igfxext.exe
3256 alg.exe
424 C:\DOCUME~1\PAULHI~1\LOCALS~1\Temp\RtkBtMnt.exe
4056 C:\WINDOWS\system32\wuauclt.exe
2236 C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3508 C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3100 C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3868 C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
4036 C:\Program Files\Mozilla Firefox\firefox.exe
1072 C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2792 C:\Program Files\Mozilla Firefox\plugin-container.exe
2916 C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2344 C:\Documents and Settings\Paul Hirko\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`768ff800 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS543212L9A300, Rev: FBBOC40C

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Much appreciated,
Paul

P.S. No redirects, or pop ups on any computer any time today.
 
Good job and good news :)

I can't take a break, because there are too many bad guys out there to kill....LOL

We'll run a couple more scans to make sure all is cool :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.pif
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Does this look like a full ComboFix run:


ComboFix 10-11-07.01 - Paul Hirko 11/06/2010 22:18:28.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.649 [GMT -4:00]
Running from: C:\Documents and Settings\Paul Hirko\My Documents\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
 
and here is the Rkill log:


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Paul Hirko on 11/06/2010 at 22:53:37.


Services Stopped:


Processes terminated by Rkill or while it was running:


C:\DOCUME~1\PAULHI~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Paul Hirko\My Documents\Downloads\rkill.com


Rkill completed on 11/06/2010 at 22:53:49.
 
Here's the ComboFix run; it looks much better than last time. I didn't realize it, but I got the blue screen of death the first time I ran it. I deleted it and re-downloaded it.

ComboFix 10-11-07.04 - Paul Hirko 11/07/2010 13:03:17.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.579 [GMT -5:00]
Running from: c:\documents and settings\Paul Hirko\My Documents\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-10-07 to 2010-11-07 )))))))))))))))))))))))))))))))
.

2010-11-07 17:56 . 2010-11-07 17:56 -------- d-----w- C:\c7f2cae681e19342cb805e1614177499
2010-11-07 16:58 . 2010-11-07 16:58 -------- d-----w- C:\3b5dbbff8213111a0fabea2b
2010-11-06 22:23 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-11-06 22:22 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-11-06 22:22 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-11-06 22:22 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-11-05 18:28 . 2010-11-05 18:28 -------- d-----w- c:\windows\system32\XPSViewer
2010-11-05 18:28 . 2010-11-05 18:28 -------- d-----w- c:\program files\MSBuild
2010-11-05 18:27 . 2010-11-05 18:27 -------- d-----w- c:\program files\Reference Assemblies
2010-11-05 18:26 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-11-05 18:24 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-11-05 18:24 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-11-05 18:24 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-11-05 18:24 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-11-05 18:24 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-11-05 18:24 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-11-05 18:24 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-11-05 18:24 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-11-05 18:24 . 2010-11-05 18:26 -------- d-----w- C:\d74f1a4f90b880523d77c467b01d5b7f
2010-11-05 16:45 . 2010-11-05 16:46 -------- d-----w- C:\2706fec52d06eafcff73d7a7f852a7fa
2010-11-05 16:45 . 2010-11-05 17:12 -------- d-----w- C:\2b9becaaa34d5018922d1b12
2010-11-04 15:39 . 2010-11-04 15:39 -------- d-----w- c:\program files\Common Files\Skype
2010-11-04 15:38 . 2010-11-04 19:49 -------- d-----r- c:\program files\Skype
2010-11-04 15:06 . 2010-10-27 06:09 553696 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2010-11-04 14:51 . 2010-11-04 14:51 -------- d-----w- c:\program files\FileHippo.com
2010-11-04 01:49 . 2010-11-04 01:49 -------- d-----w- c:\program files\Secunia
2010-11-02 14:31 . 2010-11-02 14:29 75208 ----a-w- c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
2010-11-02 14:31 . 2010-11-02 14:31 -------- d-----w- c:\program files\Foxit Software
2010-11-02 01:11 . 2010-11-02 01:11 -------- d-----w- c:\program files\ESET
2010-10-28 22:27 . 2008-04-15 03:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-28 22:25 . 2010-10-28 22:25 -------- d-----w- c:\windows\system32\LogFiles
2010-10-22 15:48 . 2010-10-22 15:48 -------- d-----w- C:\jolicloud
2010-10-20 15:37 . 2010-10-20 15:37 -------- d-----w- c:\windows\system32\NtmsData
2010-10-20 05:17 . 2010-10-20 05:17 -------- d-----w- c:\program files\Google
2010-10-20 05:15 . 2010-10-26 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-10-14 03:25 . 2010-10-14 03:25 -------- d-----w- c:\documents and settings\Administrator
2010-10-13 22:24 . 2008-03-02 10:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-10-13 22:20 . 2010-10-13 22:20 -------- d-----w- c:\documents and settings\Paul Hirko\log
2010-10-13 21:59 . 2010-11-04 19:51 -------- d-----w- c:\program files\Trend Micro
2010-10-13 18:19 . 2010-10-13 18:19 -------- d-----w- c:\documents and settings\Paul Hirko\Application Data\Malwarebytes
2010-10-13 18:19 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-13 18:19 . 2010-10-13 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-13 18:19 . 2010-11-05 20:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-13 18:19 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-12 16:59 . 2010-10-12 16:59 -------- d-----w- c:\windows\Sun
2010-10-12 16:17 . 2010-10-12 16:17 -------- d-----w- c:\program files\Common Files\Java
2010-10-12 16:16 . 2010-09-15 11:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-12 16:16 . 2010-09-15 11:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-12 16:16 . 2010-09-15 09:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-12 16:15 . 2010-10-30 03:00 -------- d-----w- c:\program files\Java
2010-10-12 15:56 . 2010-10-12 15:56 -------- d-----w- c:\documents and settings\Paul Hirko\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-14 02:28 . 2010-10-06 03:51 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-14 02:28 . 2010-10-06 03:51 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-10-14 02:28 . 2010-10-06 03:51 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-14 02:28 . 2010-10-06 03:51 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-10-14 02:28 . 2010-10-06 03:51 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-14 02:28 . 2010-10-06 03:51 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-14 02:28 . 2010-10-06 03:51 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-14 02:28 . 2010-10-06 03:51 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-10-14 02:28 . 2010-10-06 03:38 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-10-14 02:28 . 2010-08-24 21:57 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-14 02:28 . 2010-08-24 21:57 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-10-06 02:50 . 2008-07-08 18:17 125 ----a-w- c:\windows\xUninstall.bat
2010-10-06 01:00 . 2004-09-21 21:28 3 ----a-w- c:\windows\HotFix.bat
2010-10-06 01:00 . 2004-06-26 00:13 139 ----a-w- c:\windows\HotFix2.bat
2010-09-18 19:23 . 2008-04-15 03:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-15 03:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-15 03:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-15 03:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2008-04-15 03:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2008-04-15 03:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2008-04-15 03:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2008-04-15 03:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-04-15 03:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2008-04-15 03:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-04-15 03:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-04-15 03:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-10-06 03:15 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-15 03:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-04-15 03:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2008-04-15 03:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-10-14 02:28 . 2010-10-06 03:51 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Paul Hirko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-11-05 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\Paul Hirko\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-7-21 965176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-10-11 20:49 14940040 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/5/2010 10:51 PM 84072]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/5/2010 10:51 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/5/2010 10:51 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/5/2010 10:51 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [10/5/2010 10:52 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/5/2010 10:38 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [10/5/2010 10:51 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [10/5/2010 10:51 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [10/5/2010 10:51 PM 88544]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 9:05 AM 14904]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [10/5/2010 10:51 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/5/2010 10:51 PM 84264]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [10/13/2010 5:24 PM 206608]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [10/13/2010 5:24 PM 206608]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1387451018-1133999177-4260046075-1006Core.job
- c:\documents and settings\Paul Hirko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-05 01:22]

2010-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1387451018-1133999177-4260046075-1006UA.job
- c:\documents and settings\Paul Hirko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-05 01:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://en.us.acer.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Paul Hirko\Application Data\Mozilla\Firefox\Profiles\kbeud32e.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Paul Hirko\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
MSConfigStartUp-TMRUBottedTray - c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-07 13:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1196)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1852)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-11-07 13:30:02
ComboFix-quarantined-files.txt 2010-11-07 18:29

Pre-Run: 79,046,062,080 bytes free
Post-Run: 78,964,752,384 bytes free

- - End Of File - - AC276C0980F5FA33BBADEAE78CCA5797
 
and here is the Rkill log. Let me know what you think.


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Paul Hirko on 11/07/2010 at 13:34:30.


Services Stopped:


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Paul Hirko\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Paul Hirko\Desktop\rkill.com


Rkill completed on 11/07/2010 at 13:34:37.


Thanks,
Paul
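Reading a ComboFix log by hand means going through the "Reg Loading Points", service and orphan entries and picking out what does not belong. The script below is an added example for this thread (it is not part of the original posts and not ComboFix's own code): it parses those three entry formats from a small constructed sample written in the same layout as the log above. The sample is not a copy of the poster's log; its "Updater" entry is invented to exercise the checks. The flagging rules (an autorun launched from a Temp directory, an autorun given as a bare file name rather than a full path, and a loading point whose file is gone) are the reviewer's own first-pass heuristics, not anything ComboFix reports itself.

```python
import re

# Constructed sample in the ComboFix log layout. NOT the poster's log: the
# "Updater" line is an invented suspicious entry used to exercise the checks.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-11-05 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"Updater"="c:\docume~1\user\locals~1\temp\svchost.exe" [2010-11-01 45056]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/5/2010 10:51 PM 271480]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [10/13/2010 5:24 PM 206608]

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
'''

# A registry key header: [HKEY_...\Run]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# A Run value: "Name"="path" [YYYY-MM-DD size]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
# A service/driver line: R1|S3 name;display;command [date time size]
SVC_RE = re.compile(
    r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.+) \[(?P<info>[^\]]+)\]$')
# An orphan reported under ORPHANS REMOVED: Entry - (no file)
ORPHAN_RE = re.compile(r'^(?P<entry>\S+) - \(no file\)$')

# Directory markers (lower-cased) that a legitimate autorun rarely uses.
TEMP_MARKERS = ('\\temp\\', '\\tmp\\')


def parse_log(text):
    """Return (run_entries, services, orphans) parsed from ComboFix-style text."""
    runs, services, orphans = [], [], []
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')       # remember which hive/key the values belong to
            continue
        m = RUN_RE.match(line)
        if m and key:
            runs.append({'key': key, **m.groupdict()})
            continue
        m = SVC_RE.match(line)
        if m:
            services.append(m.groupdict())
            continue
        m = ORPHAN_RE.match(line)
        if m:
            orphans.append(m.group('entry'))
    return runs, services, orphans


def review(runs, services, orphans):
    """First-pass heuristics (the reviewer's own, not ComboFix's):
    - an autorun that runs a file out of a Temp directory;
    - an autorun given as a bare file name, so the binary is found by the
      process search order at logon and its real location should be confirmed;
    - a loading point whose target file no longer exists.
    Returns a list of (rule, entry_name, detail) tuples."""
    findings = []
    for r in runs:
        p = r['path'].lower()
        if any(t in p for t in TEMP_MARKERS):
            findings.append(('run_from_temp', r['name'], r['path']))
        elif '\\' not in p:
            findings.append(('bare_filename', r['name'], r['path']))
    for o in orphans:
        findings.append(('orphan', o, '(no file)'))
    return findings


def running_services(services):
    """Names of services/drivers ComboFix lists as running (R*) rather than stopped (S*)."""
    return [s['name'] for s in services if s['start'].startswith('R')]


if __name__ == '__main__':
    runs, svcs, orphans = parse_log(SAMPLE_LOG)
    print(f'{len(runs)} autoruns, {len(svcs)} services, {len(orphans)} orphans')
    for rule, name, detail in review(runs, svcs, orphans):
        print(f'{rule:15} {name}: {detail}')
```

Pasting a real ComboFix log into SAMPLE_LOG (or reading it from C:\ComboFix.txt) gives the same three lists; the point of the rules is to narrow a long log to the handful of entries worth looking up, not to decide on their own whether a machine is clean.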
 
It looks fine.

No redirections?

You can delete Combofix file.

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 