[Inactive] Windows XP - slow performance and _helper.sig pop-up on start-up

By mot45
Aug 3, 2010
Topic Status:
Not open for further replies.
  1. Performed the 8-step Viruses/Spyware/Malware Preliminary Removal and logs are attached. Appreciate any help.

    Thanks.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4386

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/3/2010 5:44:26 PM
    mbam-log-2010-08-03 (17-44-26).txt

    Scan type: Quick scan
    Objects scanned: 149077
    Time elapsed: 15 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files\Common\_helper.sig (Malware.Trace) -> Quarantined and deleted successfully.

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-08-03 19:50:18
    Windows 5.1.2600 Service Pack 3
    Running: bpmniyc4.exe; Driver: C:\DOCUME~1\DEVYNM~1\LOCALS~1\Temp\fgloapod.sys

    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF8442DB0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF8442DC4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF8442DF0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF8442E46]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF8442D9C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF8442D74]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF8442D88]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF8442DDA]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF8442E1C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF8442E06]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF8442E70]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF8442E5C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF8442E30]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by <user> at 20:18:28.35 on Tue 08/03/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.224 [GMT -5:00]

    AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Fast Browser SearchP\FastBrowserSearchProtection.exe
    C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\<user>\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.rr.com/
    uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    uDefault_Page_URL = hxxp://www.dellnet.com
    uWindow Title = Microsoft Internet Explorer
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    uURLSearchHooks: H - No File
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    mURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: TBSB07183 Class: {6c621f09-dff3-415a-b7d1-142678efeb34} - c:\program files\fast browser search\ie\FBStoolbar.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100717014249.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Fast Browser Search: {c2dca7eb-22d2-4fd2-86a9-f99fcc8122bb} - c:\program files\fast browser search\ie\FBStoolbar.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [DVDSentry] c:\windows\system32\DSentry.exe
    mRun: [FBSearch] c:\program files\fast browser searchp\FastBrowserSearchProtection.exe
    mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    mPolicies-explorer: <NO NAME> =
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/pcpitstop/PCPitStop.CAB
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} - hxxps://dommlp04.meadwestvaco.com/iNotes.cab
    DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} - hxxp://64.124.45.181/downloads/ccpm_0237.cab
    DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/canvasx.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
    DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan-canvasx.cab
    DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://dommlp04.meadwestvaco.com/iNotes6.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/11f9384f4199ba0c8f21/netzip/RdxIE601.cab
    DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37856.1881481481
    DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Filter: text/html - {53a24151-1b31-4d00-9f41-d7dd9ca3e873} -
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 385880]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-17 82952]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-17 271480]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-17 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-17 271480]
    R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-17 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-17 170144]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-17 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-17 141792]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
    R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-17 55456]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-17 152320]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-17 51688]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-17 312616]
    S2 wowsystemcode;Remote TCP/IPv6;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-17 88480]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-17 83496]

    =============== Created Last 30 ================

    2619-07-22 21:24:55 3120 ----a-w- c:\windows\MF_C421.lfa
    2619-07-22 21:24:55 3120 ----a-w- c:\windows\MF_C420.lfa
    2010-08-03 22:23:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-03 22:23:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-03 02:25:21 7680 --sha-w- c:\windows\Thumbs.db
    2010-08-03 01:14:55 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-08-03 00:15:16 0 d-----w- c:\docume~1\devynm~1\applic~1\ElevatedDiagnostics
    2010-07-26 22:26:35 0 d-----w- c:\program files\iPod
    2010-07-23 02:46:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Nuance
    2010-07-23 00:04:18 0 d-----w- c:\windows\SxsCaPendDel
    2010-07-20 00:22:17 123296 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-07-17 06:46:06 0 d-----w- c:\program files\SiteAdvisor
    2010-07-17 06:42:46 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2010-07-17 06:41:57 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2010-07-17 06:41:57 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2010-07-17 06:41:57 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2010-07-17 06:41:57 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2010-07-17 06:41:56 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2010-07-17 06:41:56 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2010-07-17 06:41:56 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2010-07-17 06:41:45 0 d-----w- c:\program files\common files\Mcafee
    2010-07-17 06:41:40 0 d-----w- c:\program files\McAfee.com
    2010-07-17 04:35:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Citrix
    2010-07-17 04:25:37 0 d-----w- c:\program files\Citrix
    2010-07-17 04:06:27 103784 ----a-w- c:\documents and settings\<user>\GoToAssistDownloadHelper.exe
    2010-07-14 12:44:21 4194304 ----a-w- c:\windows\system32\cdintf400.dll
    2010-07-14 12:18:11 0 d-----w- c:\program files\common files\Intuit
    2010-07-14 12:18:10 0 d-----w- c:\program files\Intuit
    2010-07-14 12:18:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Intuit
    2010-07-14 12:16:34 90 ----a-w- c:\windows\QBChanUtil_Trigger.ini
    2010-07-14 12:16:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SQL Anywhere 11
    2010-07-14 12:16:27 0 d-----w- c:\docume~1\alluse~1\applic~1\COMMON FILES
    2010-07-14 12:02:14 0 d-----w- c:\program files\MSXML 4.0
    2010-07-14 11:52:32 0 d-----w- c:\windows\Intuit
    2010-07-14 02:30:44 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-13 12:18:09 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-07-13 12:18:09 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2010-07-13 12:12:44 0 d-----w- c:\program files\iTunes
    2010-07-13 12:12:44 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-07-13 11:52:03 0 d-----w- c:\program files\Bonjour

    ==================== Find3M ====================

    2010-08-04 01:04:21 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
    2010-08-04 01:04:19 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
    2010-07-17 10:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-18 21:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 21:35:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
    2010-05-18 21:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-05-18 21:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2008-10-31 02:57:04 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008103020081031\index.dat

    ============= FINISH: 20:21:31.81 ===============

    (Attach.txt attached)

  2. Broni

    Broni Malware Annihilator Posts: 46,167   +251

    Welcome aboard

    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add/Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  3. mot45

    mot45 Newcomer, in training Topic Starter

    ComboFix.txt posted

    Uninstalled Viewpoint.

    ComboFix.txt attached.

    Computer is already operating better.

    Thanks.

  4. Broni

    Broni Malware Annihilator Posts: 46,167   +251

    Good :)

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\lvuvc.hs
    c:\windows\system32\drivers\logiflt.iad
    
    
    Folder::
    c:\program files\Viewpoint
    c:\documents and settings\All Users\Application Data\Viewpoint
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
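The Registry:: section of the CFScript above deletes DisableMonitoring values under the Security Center Monitoring key; those values silence the Windows Security Center alerts for the McAfee anti-virus and firewall, which is why a helper wants them gone once the products are confirmed working. The following is an added example, not code from the thread or from ComboFix: a PowerShell audit that lists every product key under that Monitoring key carrying a DisableMonitoring value and removes it only when -Fix is given. The registry path is the one quoted in the CFScript; the function name and the -Fix switch are my own.

```powershell
# Added example (not part of the thread): audit Windows Security Center
# "DisableMonitoring" overrides, which suppress the AV/firewall status alerts.
# The CFScript deletes these values for McAfeeAntiVirus and McAfeeFirewall;
# this function reports any product key carrying the value and, with -Fix,
# removes it (use -WhatIf for a dry run).
function Get-SecurityCenterMonitoringOverride {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Key quoted in the CFScript, written in PowerShell drive notation.
        [string]$MonitoringKey = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring',
        # Report only by default; -Fix actually removes the value.
        [switch]$Fix
    )

    if (-not (Test-Path -LiteralPath $MonitoringKey)) {
        Write-Warning "Monitoring key not present: $MonitoringKey"
        return
    }

    foreach ($product in Get-ChildItem -LiteralPath $MonitoringKey) {
        $props = Get-ItemProperty -LiteralPath $product.PSPath
        # Only product keys that actually carry the value are of interest.
        if ($null -eq $props.DisableMonitoring) { continue }

        $result = [pscustomobject]@{
            Product           = $product.PSChildName
            DisableMonitoring = $props.DisableMonitoring
            Removed           = $false
        }

        if ($Fix -and $PSCmdlet.ShouldProcess($product.PSChildName, 'Remove DisableMonitoring')) {
            Remove-ItemProperty -LiteralPath $product.PSPath -Name DisableMonitoring
            $result.Removed = $true
        }
        $result
    }
}

# Report only:
Get-SecurityCenterMonitoringOverride | Format-Table -AutoSize
# Dry run of the removal, then the real thing (run elevated):
# Get-SecurityCenterMonitoringOverride -Fix -WhatIf
# Get-SecurityCenterMonitoringOverride -Fix
```

A value reappearing after removal is worth noting in the next reply, since nothing legitimate should be re-setting it once the McAfee products are reporting normally.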
  5. mot45

    mot45 Newcomer, in training Topic Starter

    ComboFix log.txt

    ComboFix 10-08-04.04 - <user> 08/04/2010 23:24:24.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.183 [GMT -5:00]
    Running from: c:\documents and settings\<user>\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\<user>\Desktop\CFScript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    FILE ::
    "c:\windows\system32\drivers\logiflt.iad"
    "c:\windows\system32\drivers\lvuvc.hs"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Viewpoint
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1545320459.mtj&p2=0&p3=16650248084013470405391209924949&p4=0
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-174555542.mtj&p2=0&p3=16650248084013470405391209924949&p4=50334584
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-638184800.mtj&p2=0&p3=16650248084013470405391209924949&p4=50334584
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\126360428.mtx
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\14685873.mtx
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1484899272.mtj&p2=0&p3=16650248084013470405391209924949&p4=0
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1805579246.mtj&p2=0&p3=16650248084013470405391209924949&p4=16777217
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1066678426.mtj&p2=0&p3=16650248084013470405391209924949&p4=50334584
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\407034558.ini
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\1911780387.mts
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
    c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
    c:\documents and settings\<user>\Recent\Thumbs.db
    c:\program files\Viewpoint
    c:\windows\system32\drivers\logiflt.iad
    c:\windows\system32\drivers\lvuvc.hs

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
    .

    2010-08-03 22:23 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-03 22:23 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-03 01:14 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-08-03 00:53 . 2010-08-03 00:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-08-03 00:31 . 2010-08-03 00:31 -------- d-----w- c:\program files\Windows Defender
    2010-08-03 00:15 . 2010-08-03 00:15 -------- d-----w- c:\documents and settings\<user>\Application Data\ElevatedDiagnostics
    2010-08-02 12:17 . 2010-08-02 12:17 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-07-26 22:26 . 2010-07-26 22:26 -------- d-----w- c:\program files\iPod
    2010-07-23 02:46 . 2010-07-23 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
    2010-07-23 00:04 . 2010-08-02 12:19 -------- d-----w- c:\windows\SxsCaPendDel
    2010-07-20 00:22 . 2010-07-20 00:22 123296 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-07-18 02:35 . 2010-07-18 02:35 -------- d-----w- c:\documents and settings\<user>\Local Settings\Application Data\Intuit
    2010-07-17 06:46 . 2010-07-17 06:46 -------- d-----w- c:\program files\SiteAdvisor
    2010-07-17 06:42 . 2010-06-01 01:32 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2010-07-17 06:41 . 2010-06-01 01:32 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2010-07-17 06:41 . 2010-06-01 01:32 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2010-07-17 06:41 . 2010-06-01 01:32 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2010-07-17 06:41 . 2010-06-01 01:32 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2010-07-17 06:41 . 2010-06-01 01:32 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2010-07-17 06:41 . 2010-06-01 01:32 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2010-07-17 06:41 . 2010-06-01 01:32 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2010-07-17 06:41 . 2010-07-17 06:44 -------- d-----w- c:\program files\Common Files\Mcafee
    2010-07-17 06:41 . 2010-07-17 06:41 -------- d-----w- c:\program files\McAfee.com
    2010-07-17 04:35 . 2010-07-17 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
    2010-07-17 04:25 . 2010-07-17 04:25 -------- d-----w- c:\program files\Citrix
    2010-07-14 13:03 . 2010-07-14 13:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Intuit
    2010-07-14 12:44 . 2009-06-22 14:14 4194304 ----a-w- c:\windows\system32\cdintf400.dll
    2010-07-14 12:18 . 2010-07-23 02:55 -------- d-----w- c:\program files\Common Files\Intuit
    2010-07-14 12:18 . 2010-07-23 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
    2010-07-14 12:18 . 2010-07-14 12:18 -------- d-----w- c:\program files\Intuit
    2010-07-14 12:16 . 2010-07-23 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
    2010-07-14 12:16 . 2010-07-14 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES
    2010-07-14 12:02 . 2010-07-14 12:02 -------- d-----w- c:\program files\MSXML 4.0
    2010-07-14 11:52 . 2010-07-14 11:52 -------- d-----w- c:\windows\Intuit
    2010-07-14 02:30 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-13 12:18 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-07-13 12:18 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2010-07-13 12:12 . 2010-07-26 22:41 -------- d-----w- c:\program files\iTunes
    2010-07-13 12:12 . 2010-07-13 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-07-13 11:52 . 2010-07-13 11:52 -------- d-----w- c:\program files\Bonjour
    2010-07-13 11:51 . 2010-07-13 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-03 22:47 . 2009-12-16 03:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-03 03:42 . 2003-07-23 07:20 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-08-03 03:40 . 2003-07-23 07:32 -------- d-----w- c:\program files\Common Files\Real
    2010-08-03 03:40 . 2003-07-23 07:32 -------- d-----w- c:\program files\Real
    2010-08-03 03:35 . 2010-01-03 05:10 -------- d-----r- c:\program files\Skype
    2010-08-02 23:49 . 2010-01-03 05:12 -------- d-----w- c:\documents and settings\<user>\Application Data\Skype
    2010-08-02 21:00 . 2010-01-03 05:14 -------- d-----w- c:\documents and settings\<user>\Application Data\skypePM
    2010-08-02 01:10 . 2009-01-03 16:08 -------- d-----w- c:\program files\Common Files\Java
    2010-08-02 01:07 . 2009-01-03 16:08 -------- d-----w- c:\program files\Java
    2010-07-26 22:26 . 2008-10-13 02:35 -------- d-----w- c:\program files\Common Files\Apple
    2010-07-23 03:54 . 2003-08-02 13:28 159528 -c--a-w- c:\documents and settings\<user>\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-07-23 00:07 . 2004-01-14 01:27 -------- d-----w- c:\program files\Sony Handheld
    2010-07-17 10:00 . 2010-04-17 15:13 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-17 09:46 . 2007-03-01 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-07-17 07:00 . 2004-10-31 23:02 -------- d-----w- c:\program files\McAfee
    2010-07-17 04:47 . 2003-07-23 07:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
    2010-07-17 03:25 . 2004-11-06 05:25 -------- d-----w- c:\program files\Yahoo!
    2010-07-17 03:16 . 2010-07-05 00:13 -------- d-----w- c:\documents and settings\<user>\Application Data\Musicmatch
    2010-07-17 03:13 . 2003-07-23 07:30 -------- d-----w- c:\program files\MUSICMATCH
    2010-07-17 03:00 . 2003-07-23 07:29 -------- d-----w- c:\program files\Microsoft Money
    2010-07-16 20:10 . 2004-10-31 23:02 -------- d-----w- c:\documents and settings\<user>\Application Data\McAfee
    2010-07-13 22:24 . 2007-06-16 22:06 -------- d-----w- c:\documents and settings\<user>\Application Data\Apple Computer
    2010-07-13 12:10 . 2008-10-13 02:29 -------- d-----w- c:\program files\QuickTime
    2010-07-13 12:05 . 2007-06-16 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-07-13 11:54 . 2007-06-16 22:03 -------- d-----w- c:\program files\Apple Software Update
    2010-06-14 14:31 . 2002-08-29 10:00 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    2010-06-11 09:14 . 2009-06-14 03:01 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-01 01:32 . 2010-06-01 01:32 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2010-06-01 01:32 . 2010-06-01 01:32 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 21:35 . 2010-05-18 21:35 75040 ----a-w- c:\windows\system32\jdns_sd.dll
    2010-05-18 21:35 . 2010-05-18 21:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
    @="{95A27763-F62A-4114-9072-E81D87DE3B68}"
    [HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
    2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
    @="{E300CD91-100F-4E67-9AF3-1384A6124015}"
    [HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
    2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
    @="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
    [HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
    2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-14 4493312]
    "DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
    "FBSearch"="c:\program files\Fast Browser SearchP\FastBrowserSearchProtection.exe" [2008-11-26 325504]
    "Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-12-03 670864]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-01-27 1337608]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-5-18 1154848]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
    "c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Outlook Express\\msimn.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [7/17/2010 1:41 AM 82952]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/17/2010 1:41 AM 271480]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/17/2010 1:41 AM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/17/2010 1:41 AM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [7/17/2010 1:43 AM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [7/17/2010 1:42 AM 141792]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [7/17/2010 1:41 AM 55456]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [7/17/2010 1:41 AM 312616]
    S2 wowsystemcode;Remote TCP/IPv6;c:\windows\System32\svchost.exe -k netsvcs [8/29/2002 5:00 AM 14336]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [7/17/2010 1:41 AM 88480]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [7/17/2010 1:41 AM 83496]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    wowsystemcode
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

    2003-08-02 c:\windows\Tasks\ISP signup reminder 1.job
    - c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

    2010-08-04 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.rr.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/canvasx.cab
    DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan-canvasx.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-05 00:02
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    FBSearch = c:\program files\Fast Browser SearchP\FastBrowserSearchProtection.exe??tem32;c:\windows;c:\WINDOWS\S

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Enroute Imaging\QuickStitch\*  "!]
    "NumOfRun"="3"
    .
    Completion time: 2010-08-05 00:08:27
    ComboFix-quarantined-files.txt 2010-08-05 05:08
    ComboFix2.txt 2010-08-04 23:29

    Pre-Run: 11,653,246,976 bytes free
    Post-Run: 11,623,985,152 bytes free

    - - End Of File - - 8E0AE5F2688EC3283B9E78F0187CD1B3
  6. mot45

    mot45 Newcomer, in training Topic Starter

    Computer didn't reboot following second run of ComboFix.exe.

    "Fast Browser Search Protection" installed itself in the service tray. I received a notification that a program was trying to change the default search engine. A Bing.com text window is now beside the address window in IE8.
  7. Broni

    Broni Malware Annihilator Posts: 46,167   +251

    Thanks for the info :)

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\program files\Fast Browser SearchP
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "FBSearch"=-
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
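As an added example (not part of the thread, and not ComboFix's own code), the Python below parses the HKLM Run section out of two ComboFix logs of the kind posted above, reports which autostart entries disappeared after the fix, and builds a CFScript in the same Folder::/Registry:: form Broni used. The sample logs are trimmed from the thread's own entries; the protected-folder list is a constructed safety check so the script never targets a shared system directory.

```python
import re

# Registry key header exactly as ComboFix prints it in "Reg Loading Points".
RUN_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"

# One ComboFix Run-entry line:  "Name"="path" [YYYY-MM-DD size]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)

# Constructed safety list: never emit a Folder:: directive under these roots.
PROTECTED_PREFIXES = (r"c:\windows", r"c:\program files\common files")

# Sample input, trimmed from the thread's second ComboFix log (before the CFScript run).
BEFORE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-14 4493312]
"FBSearch"="c:\program files\Fast Browser SearchP\FastBrowserSearchProtection.exe" [2008-11-26 325504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
"""

# Sample input, trimmed from the third log (after the CFScript run).
AFTER_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-14 4493312]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
"""


def parse_run_entries(log_text):
    """Return {name: (path, date, size)} for the HKLM Run section of a ComboFix log."""
    entries = {}
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == RUN_KEY:
            in_section = True
            continue
        if not in_section:
            continue
        if not line:  # ComboFix ends each REGEDIT4 section with a blank line
            break
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("name")] = (m.group("path"), m.group("date"), int(m.group("size")))
    return entries


def diff_run_entries(before, after):
    """Report autostart entries removed, added, or re-pointed between two logs."""
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    changed = sorted(n for n in set(before) & set(after) if before[n] != after[n])
    return {"removed": removed, "added": added, "changed": changed}


def build_cfscript(name, entries):
    """Build a CFScript that deletes one Run value and the folder its target lives in."""
    path = entries[name][0]
    folder = path.rsplit("\\", 1)[0]
    if folder.lower().startswith(PROTECTED_PREFIXES):
        raise ValueError(f"refusing to script removal of a shared folder: {folder}")
    return "\n".join(["Folder::", folder, "", "Registry::", RUN_KEY, f'"{name}"=-', ""])


if __name__ == "__main__":
    before = parse_run_entries(BEFORE_LOG)
    after = parse_run_entries(AFTER_LOG)
    print(diff_run_entries(before, after))
    print(build_cfscript("FBSearch", before))
```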
  8. mot45

    mot45 Newcomer, in training Topic Starter

    ComboFix.exe log file #3

    ComboFix 10-08-04.04 - <user> 08/05/2010 1:03.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.223 [GMT -5:00]
    Running from: c:\documents and settings\<user>\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\<user>\Desktop\CFScript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Fast Browser SearchP
    c:\program files\Fast Browser SearchP\FastBrowserSearchProtection.exe
    c:\program files\Fast Browser SearchP\FBSPlugin.dll
    c:\program files\Fast Browser SearchP\FbsSearchProtectionUnInstall.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
    .

    2010-08-03 22:23 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-03 22:23 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-03 01:14 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-08-03 00:53 . 2010-08-03 00:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-08-03 00:31 . 2010-08-03 00:31 -------- d-----w- c:\program files\Windows Defender
    2010-08-03 00:15 . 2010-08-03 00:15 -------- d-----w- c:\documents and settings\<user>\Application Data\ElevatedDiagnostics
    2010-08-02 12:17 . 2010-08-02 12:17 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-07-26 22:26 . 2010-07-26 22:26 -------- d-----w- c:\program files\iPod
    2010-07-23 02:46 . 2010-07-23 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
    2010-07-23 00:04 . 2010-08-02 12:19 -------- d-----w- c:\windows\SxsCaPendDel
    2010-07-20 00:22 . 2010-07-20 00:22 123296 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-07-18 02:35 . 2010-07-18 02:35 -------- d-----w- c:\documents and settings\<user>\Local Settings\Application Data\Intuit
    2010-07-17 06:46 . 2010-07-17 06:46 -------- d-----w- c:\program files\SiteAdvisor
    2010-07-17 06:42 . 2010-06-01 01:32 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2010-07-17 06:41 . 2010-06-01 01:32 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2010-07-17 06:41 . 2010-06-01 01:32 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2010-07-17 06:41 . 2010-06-01 01:32 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2010-07-17 06:41 . 2010-06-01 01:32 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2010-07-17 06:41 . 2010-06-01 01:32 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2010-07-17 06:41 . 2010-06-01 01:32 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2010-07-17 06:41 . 2010-06-01 01:32 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2010-07-17 06:41 . 2010-07-17 06:44 -------- d-----w- c:\program files\Common Files\Mcafee
    2010-07-17 06:41 . 2010-07-17 06:41 -------- d-----w- c:\program files\McAfee.com
    2010-07-17 04:35 . 2010-07-17 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
    2010-07-17 04:25 . 2010-07-17 04:25 -------- d-----w- c:\program files\Citrix
    2010-07-14 13:03 . 2010-07-14 13:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Intuit
    2010-07-14 12:44 . 2009-06-22 14:14 4194304 ----a-w- c:\windows\system32\cdintf400.dll
    2010-07-14 12:18 . 2010-07-23 02:55 -------- d-----w- c:\program files\Common Files\Intuit
    2010-07-14 12:18 . 2010-07-23 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
    2010-07-14 12:18 . 2010-07-14 12:18 -------- d-----w- c:\program files\Intuit
    2010-07-14 12:16 . 2010-07-23 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
    2010-07-14 12:16 . 2010-07-14 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES
    2010-07-14 12:02 . 2010-07-14 12:02 -------- d-----w- c:\program files\MSXML 4.0
    2010-07-14 11:52 . 2010-07-14 11:52 -------- d-----w- c:\windows\Intuit
    2010-07-14 02:30 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-13 12:18 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-07-13 12:18 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2010-07-13 12:12 . 2010-07-26 22:41 -------- d-----w- c:\program files\iTunes
    2010-07-13 12:12 . 2010-07-13 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-07-13 11:52 . 2010-07-13 11:52 -------- d-----w- c:\program files\Bonjour
    2010-07-13 11:51 . 2010-07-13 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-03 22:47 . 2009-12-16 03:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-03 03:42 . 2003-07-23 07:20 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-08-03 03:40 . 2003-07-23 07:32 -------- d-----w- c:\program files\Common Files\Real
    2010-08-03 03:40 . 2003-07-23 07:32 -------- d-----w- c:\program files\Real
    2010-08-03 03:35 . 2010-01-03 05:10 -------- d-----r- c:\program files\Skype
    2010-08-02 23:49 . 2010-01-03 05:12 -------- d-----w- c:\documents and settings\<user>\Application Data\Skype
    2010-08-02 21:00 . 2010-01-03 05:14 -------- d-----w- c:\documents and settings\<user>\Application Data\skypePM
    2010-08-02 01:10 . 2009-01-03 16:08 -------- d-----w- c:\program files\Common Files\Java
    2010-08-02 01:07 . 2009-01-03 16:08 -------- d-----w- c:\program files\Java
    2010-07-26 22:26 . 2008-10-13 02:35 -------- d-----w- c:\program files\Common Files\Apple
    2010-07-23 03:54 . 2003-08-02 13:28 159528 -c--a-w- c:\documents and settings\<user>\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-07-23 00:07 . 2004-01-14 01:27 -------- d-----w- c:\program files\Sony Handheld
    2010-07-17 10:00 . 2010-04-17 15:13 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-17 09:46 . 2007-03-01 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-07-17 07:00 . 2004-10-31 23:02 -------- d-----w- c:\program files\McAfee
    2010-07-17 04:47 . 2003-07-23 07:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
    2010-07-17 03:25 . 2004-11-06 05:25 -------- d-----w- c:\program files\Yahoo!
    2010-07-17 03:16 . 2010-07-05 00:13 -------- d-----w- c:\documents and settings\<user>\Application Data\Musicmatch
    2010-07-17 03:13 . 2003-07-23 07:30 -------- d-----w- c:\program files\MUSICMATCH
    2010-07-17 03:00 . 2003-07-23 07:29 -------- d-----w- c:\program files\Microsoft Money
    2010-07-16 20:10 . 2004-10-31 23:02 -------- d-----w- c:\documents and settings\<user>\Application Data\McAfee
    2010-07-13 22:24 . 2007-06-16 22:06 -------- d-----w- c:\documents and settings\<user>\Application Data\Apple Computer
    2010-07-13 12:10 . 2008-10-13 02:29 -------- d-----w- c:\program files\QuickTime
    2010-07-13 12:05 . 2007-06-16 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-07-13 11:54 . 2007-06-16 22:03 -------- d-----w- c:\program files\Apple Software Update
    2010-06-14 14:31 . 2002-08-29 10:00 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    2010-06-11 09:14 . 2009-06-14 03:01 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-01 01:32 . 2010-06-01 01:32 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2010-06-01 01:32 . 2010-06-01 01:32 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 21:35 . 2010-05-18 21:35 75040 ----a-w- c:\windows\system32\jdns_sd.dll
    2010-05-18 21:35 . 2010-05-18 21:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
    @="{95A27763-F62A-4114-9072-E81D87DE3B68}"
    [HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
    2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
    @="{E300CD91-100F-4E67-9AF3-1384A6124015}"
    [HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
    2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
    @="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
    [HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
    2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-14 4493312]
    "DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
    "Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-12-03 670864]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-01-27 1337608]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-5-18 1154848]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
    "c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Outlook Express\\msimn.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [7/17/2010 1:41 AM 82952]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/17/2010 1:41 AM 271480]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/17/2010 1:41 AM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/17/2010 1:41 AM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [7/17/2010 1:43 AM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [7/17/2010 1:42 AM 141792]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [7/17/2010 1:41 AM 55456]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [7/17/2010 1:41 AM 312616]
    S2 wowsystemcode;Remote TCP/IPv6;c:\windows\System32\svchost.exe -k netsvcs [8/29/2002 5:00 AM 14336]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [7/17/2010 1:41 AM 88480]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [7/17/2010 1:41 AM 83496]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    wowsystemcode
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

    2003-08-02 c:\windows\Tasks\ISP signup reminder 1.job
    - c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

    2010-08-04 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.rr.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/canvasx.cab
    DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan-canvasx.cab
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Fast Browser SearchP - c:\program files\Fast Browser SearchP\FbsSearchProtectionUnInstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-05 01:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Enroute Imaging\QuickStitch\*  "!]
    "NumOfRun"="3"
    .
    Completion time: 2010-08-05 01:51:06
    ComboFix-quarantined-files.txt 2010-08-05 06:51
    ComboFix2.txt 2010-08-05 05:08
    ComboFix3.txt 2010-08-04 23:29

    Pre-Run: 11,630,743,552 bytes free
    Post-Run: 11,621,781,504 bytes free

    - - End Of File - - 74DC9AF47A956922630196BBE9491AAC
  9. Broni

    Broni Malware Annihilator Posts: 46,167   +251

    Is Fast Browser Search still bothering you?

    How is the computer doing at the moment?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ======================================================================

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Under the Custom Scan box paste this in:

    Code:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  10. mot45

    mot45 Newcomer, in training Topic Starter

    OTL.txt and Extras.txt

    Fast Browser is gone. Computer is running much better.

    OTL.txt and Extras.txt attached.

    Thanks.

    Attached Files:

  11. Broni

    Broni Malware Annihilator Posts: 46,167   +251

    Cool :)

    Your computer would greatly benefit from adding another 512MB of RAM.

    ==========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
      O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab (Reg Error: Key error.)
      O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
      O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab (Reg Error: Key error.)
      O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab (Reg Error: Key error.)
      O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe (Reg Error: Key error.)
      O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37856.1881481481 (Reg Error: Key error.)
      O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
      O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
      [4 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
      [2007/03/12 13:44:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\<user>\Application Data\Viewpoint
      [2003/08/02 08:27:33 | 000,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 1.job
      @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:773DA865
      
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
      "DisableMonitoring" =-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
      "DisableMonitoring" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
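    A read-only audit of the same locations the OTL fix script above touches, added here as a defender-side example (this is not OTL's code and not from the thread): it reports BHO entries whose CLSID has no class registration (OTL's "No CLSID value found"), Security Center vendor subkeys with monitoring disabled, and alternate data streams under the All Users application-data folder. The folder path derived from ALLUSERSPROFILE and the PowerShell 3.0 requirement for the stream check are assumptions.

```powershell
# Added example (not from the thread or from OTL). Read-only audit of the registry
# and file locations the OTL fix script targets; run from an elevated prompt.

# 1. Browser Helper Objects: an O2 entry reported as "No CLSID value found" means the
#    BHO key exists but the CLSID it names has no class registration (an orphan).
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($entry in Get-ChildItem $bhoKey) {
        $clsid  = $entry.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (-not (Test-Path $server)) {
            Write-Output "Orphaned BHO entry (no CLSID registration): $clsid"
            continue
        }
        # Resolve the DLL the class points at and confirm it still exists on disk.
        $dll = (Get-ItemProperty -Path $server).'(default)'
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path -LiteralPath $dll)) {
            Write-Output "BHO $clsid points at a missing file: $dll"
        }
    }
}

# 2. Security Center: a DisableMonitoring value of 1 under a vendor subkey hides that
#    product's state from the Security Center; the fix above deletes those values.
$monitoring = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
if (Test-Path $monitoring) {
    foreach ($vendor in Get-ChildItem $monitoring) {
        $props = Get-ItemProperty -Path $vendor.PSPath
        if ($props.PSObject.Properties['DisableMonitoring'] -and $props.DisableMonitoring -eq 1) {
            Write-Output "Security Center monitoring disabled for: $($vendor.PSChildName)"
        }
    }
}

# 3. Alternate data streams in the folder the fix names (path is an assumption; the
#    -Stream parameter needs PowerShell 3.0 or later, so this part is skipped on 2.0).
$dir = Join-Path $env:ALLUSERSPROFILE 'Application Data'
if ((Test-Path $dir) -and (Get-Command Get-Item).Parameters.ContainsKey('Stream')) {
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { Write-Output "Alternate data stream: $($_.FileName):$($_.Stream) ($($_.Length) bytes)" }
}
```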
     
  12. mot45

    mot45 Newcomer, in training Topic Starter

    OTL Run Fix and Quick Scan logs.

    I may have spoken too soon about the computer speed. It seems slow again. IE8 takes a while to fire up and when I open My Computer, the little flashlight appears, looking for files. My Computer does eventually open though.

    Attached Files:

  13. mot45

    mot45 Newcomer, in training Topic Starter

    Wsod?

    Not looking good.

    After posting the OTL Run Fix and Quick Scan logs this morning, I rebooted the computer and left for work.

    My wife woke up and used the computer a little (e-mail). Then she came in the room and saw what she termed the White Screen of Death.

    - Ctrl-Alt-Delete had no effect
    - Pressing and holding the power button on the CPU had no effect
    - She unplugged the computer; waited 20-30 seconds and plugged it back in. Upon pushing the power button on the CPU, the white screen reappeared. No opening screens came up, just a white screen.
  14. Broni

    Broni Malware Annihilator Posts: 46,167   +251

    Oh boy, you must have some other issues.
    There was not much of any infection present on your computer to start with.

    I suspect you may be dealing with some hardware problem.

    If you have a Windows XP CD, see if you can boot to it.

    If you don't have a Windows CD...
    Using another working computer...
    Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
    Download and install the free Imgburn: http://www.imgburn.com/index.php?act=download
    Using Imgburn, burn rc.iso to a CD.
    Boot to the CD... will it?
  15. mot45

    mot45 Newcomer, in training Topic Starter

    Sorry.

    Should have updated...

    After turning the computer off for several hours, it booted. But I know our time is limited.

    So as far as the infection, were we finished?

    What was I infected with?

    Since I can at least temporarily use the computer, did you have a recommendation for the white screen?

    Thanks.
  16. Broni

    Broni Malware Annihilator Posts: 46,167   +251

    As I said, there wasn't much there from what I could see.
    We can always double-check later, but for now the most important thing is to back up your data, as long as your computer is up.

    Then we can start testing what's wrong with it.
    The very first step would be to go with my previous reply.
    Depending on whether it boots from a CD, it'll give us more info.
    When you're done backing up your data, restart the computer normally and see if it'll do so.