[Inactive] Windows XP - slow performance and _helper.sig pop-up on start-up


mot45

Performed the 8-step Viruses/Spyware/Malware Preliminary Removal and logs are attached. Appreciate any help.

Thanks.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4386

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/3/2010 5:44:26 PM
mbam-log-2010-08-03 (17-44-26).txt

Scan type: Quick scan
Objects scanned: 149077
Time elapsed: 15 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common\_helper.sig (Malware.Trace) -> Quarantined and deleted successfully.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-08-03 19:50:18
Windows 5.1.2600 Service Pack 3
Running: bpmniyc4.exe; Driver: C:\DOCUME~1\DEVYNM~1\LOCALS~1\Temp\fgloapod.sys

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF8442DB0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF8442DC4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF8442DF0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF8442E46]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF8442D9C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF8442D74]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF8442D88]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF8442DDA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF8442E1C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF8442E06]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF8442E70]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF8442E5C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF8442E30]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

DDS (Ver_10-03-17.01) - NTFSx86
Run by <user> at 20:18:28.35 on Tue 08/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.224 [GMT -5:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Fast Browser SearchP\FastBrowserSearchProtection.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\<user>\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.rr.com/
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
uDefault_Page_URL = hxxp://www.dellnet.com
uWindow Title = Microsoft Internet Explorer
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: H - No File
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: TBSB07183 Class: {6c621f09-dff3-415a-b7d1-142678efeb34} - c:\program files\fast browser search\ie\FBStoolbar.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100717014249.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Fast Browser Search: {c2dca7eb-22d2-4fd2-86a9-f99fcc8122bb} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [FBSearch] c:\program files\fast browser searchp\FastBrowserSearchProtection.exe
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} - hxxps://dommlp04.meadwestvaco.com/iNotes.cab
DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} - hxxp://64.124.45.181/downloads/ccpm_0237.cab
DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/canvasx.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan-canvasx.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://dommlp04.meadwestvaco.com/iNotes6.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/11f9384f4199ba0c8f21/netzip/RdxIE601.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37856.1881481481
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/html - {53a24151-1b31-4d00-9f41-d7dd9ca3e873} -
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-17 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-17 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-17 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-17 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-17 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-17 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-17 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-17 141792]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-17 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-17 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-17 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-17 312616]
S2 wowsystemcode;Remote TCP/IPv6;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-17 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-17 83496]

=============== Created Last 30 ================

2619-07-22 21:24:55 3120 ----a-w- c:\windows\MF_C421.lfa
2619-07-22 21:24:55 3120 ----a-w- c:\windows\MF_C420.lfa
2010-08-03 22:23:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-03 22:23:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-03 02:25:21 7680 --sha-w- c:\windows\Thumbs.db
2010-08-03 01:14:55 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-08-03 00:15:16 0 d-----w- c:\docume~1\devynm~1\applic~1\ElevatedDiagnostics
2010-07-26 22:26:35 0 d-----w- c:\program files\iPod
2010-07-23 02:46:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Nuance
2010-07-23 00:04:18 0 d-----w- c:\windows\SxsCaPendDel
2010-07-20 00:22:17 123296 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-17 06:46:06 0 d-----w- c:\program files\SiteAdvisor
2010-07-17 06:42:46 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-07-17 06:41:57 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-07-17 06:41:57 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-07-17 06:41:57 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-07-17 06:41:57 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-07-17 06:41:56 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-07-17 06:41:56 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-07-17 06:41:56 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-07-17 06:41:45 0 d-----w- c:\program files\common files\Mcafee
2010-07-17 06:41:40 0 d-----w- c:\program files\McAfee.com
2010-07-17 04:35:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Citrix
2010-07-17 04:25:37 0 d-----w- c:\program files\Citrix
2010-07-17 04:06:27 103784 ----a-w- c:\documents and settings\<user>\GoToAssistDownloadHelper.exe
2010-07-14 12:44:21 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2010-07-14 12:18:11 0 d-----w- c:\program files\common files\Intuit
2010-07-14 12:18:10 0 d-----w- c:\program files\Intuit
2010-07-14 12:18:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Intuit
2010-07-14 12:16:34 90 ----a-w- c:\windows\QBChanUtil_Trigger.ini
2010-07-14 12:16:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SQL Anywhere 11
2010-07-14 12:16:27 0 d-----w- c:\docume~1\alluse~1\applic~1\COMMON FILES
2010-07-14 12:02:14 0 d-----w- c:\program files\MSXML 4.0
2010-07-14 11:52:32 0 d-----w- c:\windows\Intuit
2010-07-14 02:30:44 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 12:18:09 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-07-13 12:18:09 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-07-13 12:12:44 0 d-----w- c:\program files\iTunes
2010-07-13 12:12:44 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-13 11:52:03 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-08-04 01:04:21 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-08-04 01:04:19 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-07-17 10:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-18 21:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 21:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 21:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-10-31 02:57:04 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008103020081031\index.dat

============= FINISH: 20:21:31.81 ===============

(Attach.txt attached)
 

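The logs above are what a helper triages by eye: loading points whose DLL is gone ("- No File"), ActiveX download (DPF) entries, and services whose image is the generic svchost host. The script below is an added example, not part of this thread and not code from DDS, GMER or Malwarebytes; it parses lines in the shape of the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" sections and lists the items that deserve a second look. The sample text is constructed from a few of the lines above, and the heuristics (orphaned CLSIDs, DPF hosts that are bare IP addresses, svchost-hosted services) are triage prompts, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample (not the poster's full log): a handful of lines in the
# shape of the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" sections.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.rr.com/
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: TBSB07183 Class: {6c621f09-dff3-415a-b7d1-142678efeb34} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
mRun: [FBSearch] c:\program files\fast browser searchp\FastBrowserSearchProtection.exe
DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} - hxxp://64.124.45.181/downloads/ccpm_0237.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 385880]
S2 wowsystemcode;Remote TCP/IPv6;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-17 83496]
"""


@dataclass
class Service:
    state: str      # DDS prefix: R = running, S = stopped; the digit is the start type
    name: str       # key name under HKLM\SYSTEM\CurrentControlSet\Services
    display: str
    image: str      # binary path as DDS prints it, including any "-k group"
    file_date: str  # the [date size] DDS appends describes the image file
    size: int


@dataclass
class Finding:
    kind: str
    detail: str


SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([\d-]+)\s+(\d+)\]\s*$")
HJT_RE = re.compile(r"^([A-Za-z_-]+):\s+(.*\S)\s*$")
URL_HOST_RE = re.compile(r"hxxps?://([^/\s:]+)", re.IGNORECASE)
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SVCHOST_RE = re.compile(r"\\svchost\.exe\b", re.IGNORECASE)


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (kind, body) for every 'Kind: body' loading-point line."""
    entries = []
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def parse_services(text: str) -> List[Service]:
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            state, name, display, image, date, size = m.groups()
            services.append(Service(state, name, display, image, date, int(size)))
    return services


def triage(text: str) -> List[Finding]:
    findings = []
    for kind, body in parse_hjt(text):
        if body.endswith("- No File"):
            # CLSID still registered but its DLL is gone: residue of a removed add-on
            findings.append(Finding("orphaned-clsid", f"{kind}: {body}"))
        elif kind == "DPF":
            # Downloaded Program Files (ActiveX) sources; a bare-IP host is a
            # heuristic worth checking, not proof of anything by itself
            m = URL_HOST_RE.search(body)
            if m and BARE_IP_RE.match(m.group(1)):
                findings.append(Finding("dpf-bare-ip", body))
    for svc in parse_services(text):
        if SVCHOST_RE.search(svc.image):
            # The image is the generic host, so the date/size stamp is svchost.exe's,
            # not the service DLL's; the real code is named by ServiceDll.
            findings.append(Finding(
                "svchost-hosted",
                f"{svc.name} ({svc.display}): {svc.image}; resolve "
                f"HKLM\\SYSTEM\\CurrentControlSet\\Services\\{svc.name}\\Parameters\\ServiceDll"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.kind}] {f.detail}")
```

Run it against a saved DDS.txt by reading the file into `triage()`; the output is a worklist for the person reviewing the log, and each item still has to be checked by hand (the file on disk, the ServiceDll value, the download site) before anything is removed.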
Welcome aboard


Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

======================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
ComboFix.txt posted

Uninstalled Viewpoint.

ComboFix.txt attached.

Computer is already operating better.

Thanks.
 

Good :)

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\drivers\logiflt.iad


Folder::
c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
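A CFScript is a list of deletions that ComboFix carries out without further prompting, so it is worth reading it back as a plan before dragging it onto ComboFix.exe. The script below is an added example, not part of this thread and not ComboFix's own code; it parses the three sections used above (File::, Folder::, Registry::) into the actions they request and flags deletions under the Windows directory for a second look. The sample is constructed from the posted script plus one extra line; that `[-Key]` line, and the assumption that the Registry:: section follows .reg-file syntax (where `"Name"=-` deletes a value and a leading `-` inside the brackets deletes the key), go beyond what the post itself shows. The two `DisableMonitoring` deletions matter because that value, under Security Center\Monitoring\<product>, tells XP's Security Center to stop reporting the product's state; removing it restores the monitoring.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the format of the posted CFScript. The final [-Key]
# line is an assumption about the format (.reg syntax for deleting a key).
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\drivers\logiflt.iad

Folder::
c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-
[-HKEY_LOCAL_MACHINE\software\example\LeftoverKey]
"""


@dataclass
class Action:
    op: str        # delete_file | delete_folder | delete_key | delete_value | set_value
    target: str
    data: str = ""


SECTION_RE = re.compile(r"^(\w+)::$")
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
SYSTEM_DIR_RE = re.compile(r"^c:\\windows\\", re.IGNORECASE)


def parse_cfscript(text: str) -> List[Action]:
    """Translate a CFScript into the list of actions it asks ComboFix to take."""
    actions: List[Action] = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1).lower(), None
            continue
        if section == "file":
            actions.append(Action("delete_file", line))
        elif section == "folder":
            actions.append(Action("delete_folder", line))
        elif section == "registry":
            km = KEY_RE.match(line)
            if km:
                if km.group(1):            # [-Key]: delete the whole key
                    actions.append(Action("delete_key", km.group(2)))
                    current_key = None
                else:                      # [Key]: following values apply here
                    current_key = km.group(2)
                continue
            vm = VALUE_RE.match(line)
            if not (vm and current_key):
                raise ValueError(f"Registry:: line not under a key: {line!r}")
            name, data = vm.groups()
            target = current_key + "\\" + name
            if data == "-":                # "Name"=-  deletes the value
                actions.append(Action("delete_value", target))
            else:
                actions.append(Action("set_value", target, data))
        else:
            raise ValueError(f"line outside File::/Folder::/Registry::: {line!r}")
    return actions


def needs_second_look(actions: List[Action]) -> List[Action]:
    """Deletions under the Windows directory should be checked against a known
    file list (or the vendor) before the script is run; a bad entry here
    removes a driver or system file with no prompt."""
    return [a for a in actions
            if a.op in ("delete_file", "delete_folder") and SYSTEM_DIR_RE.match(a.target)]


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for a in plan:
        print(f"{a.op:13s} {a.target}" + (f" = {a.data}" if a.data else ""))
    print("check first:", [a.target for a in needs_second_look(plan)])
```

Feed it the CFScript.txt you are about to use; the printed plan is the exact set of deletions you are authorising, and a `ValueError` means a line landed outside a section or a registry value has no key above it, which is the kind of typo that would otherwise silently do nothing or the wrong thing.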
 
ComboFix log.txt

ComboFix 10-08-04.04 - <user> 08/04/2010 23:24:24.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.183 [GMT -5:00]
Running from: c:\documents and settings\<user>\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\<user>\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\drivers\logiflt.iad"
"c:\windows\system32\drivers\lvuvc.hs"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1545320459.mtj&p2=0&p3=16650248084013470405391209924949&p4=0
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-174555542.mtj&p2=0&p3=16650248084013470405391209924949&p4=50334584
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-638184800.mtj&p2=0&p3=16650248084013470405391209924949&p4=50334584
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\126360428.mtx
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\14685873.mtx
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1484899272.mtj&p2=0&p3=16650248084013470405391209924949&p4=0
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1805579246.mtj&p2=0&p3=16650248084013470405391209924949&p4=16777217
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1066678426.mtj&p2=0&p3=16650248084013470405391209924949&p4=50334584
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\407034558.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\1911780387.mts
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
c:\documents and settings\<user>\Recent\Thumbs.db
c:\program files\Viewpoint
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\drivers\lvuvc.hs

.
((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
.

2010-08-03 22:23 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-03 22:23 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-03 01:14 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-08-03 00:53 . 2010-08-03 00:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-03 00:31 . 2010-08-03 00:31 -------- d-----w- c:\program files\Windows Defender
2010-08-03 00:15 . 2010-08-03 00:15 -------- d-----w- c:\documents and settings\<user>\Application Data\ElevatedDiagnostics
2010-08-02 12:17 . 2010-08-02 12:17 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-26 22:26 . 2010-07-26 22:26 -------- d-----w- c:\program files\iPod
2010-07-23 02:46 . 2010-07-23 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2010-07-23 00:04 . 2010-08-02 12:19 -------- d-----w- c:\windows\SxsCaPendDel
2010-07-20 00:22 . 2010-07-20 00:22 123296 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-18 02:35 . 2010-07-18 02:35 -------- d-----w- c:\documents and settings\<user>\Local Settings\Application Data\Intuit
2010-07-17 06:46 . 2010-07-17 06:46 -------- d-----w- c:\program files\SiteAdvisor
2010-07-17 06:42 . 2010-06-01 01:32 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-07-17 06:41 . 2010-06-01 01:32 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-07-17 06:41 . 2010-06-01 01:32 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-07-17 06:41 . 2010-06-01 01:32 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-07-17 06:41 . 2010-06-01 01:32 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-07-17 06:41 . 2010-06-01 01:32 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-07-17 06:41 . 2010-06-01 01:32 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-07-17 06:41 . 2010-06-01 01:32 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-07-17 06:41 . 2010-07-17 06:44 -------- d-----w- c:\program files\Common Files\Mcafee
2010-07-17 06:41 . 2010-07-17 06:41 -------- d-----w- c:\program files\McAfee.com
2010-07-17 04:35 . 2010-07-17 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2010-07-17 04:25 . 2010-07-17 04:25 -------- d-----w- c:\program files\Citrix
2010-07-14 13:03 . 2010-07-14 13:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Intuit
2010-07-14 12:44 . 2009-06-22 14:14 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2010-07-14 12:18 . 2010-07-23 02:55 -------- d-----w- c:\program files\Common Files\Intuit
2010-07-14 12:18 . 2010-07-23 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-07-14 12:18 . 2010-07-14 12:18 -------- d-----w- c:\program files\Intuit
2010-07-14 12:16 . 2010-07-23 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
2010-07-14 12:16 . 2010-07-14 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES
2010-07-14 12:02 . 2010-07-14 12:02 -------- d-----w- c:\program files\MSXML 4.0
2010-07-14 11:52 . 2010-07-14 11:52 -------- d-----w- c:\windows\Intuit
2010-07-14 02:30 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 12:18 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-07-13 12:18 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-07-13 12:12 . 2010-07-26 22:41 -------- d-----w- c:\program files\iTunes
2010-07-13 12:12 . 2010-07-13 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-13 11:52 . 2010-07-13 11:52 -------- d-----w- c:\program files\Bonjour
2010-07-13 11:51 . 2010-07-13 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 22:47 . 2009-12-16 03:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-03 03:42 . 2003-07-23 07:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-03 03:40 . 2003-07-23 07:32 -------- d-----w- c:\program files\Common Files\Real
2010-08-03 03:40 . 2003-07-23 07:32 -------- d-----w- c:\program files\Real
2010-08-03 03:35 . 2010-01-03 05:10 -------- d-----r- c:\program files\Skype
2010-08-02 23:49 . 2010-01-03 05:12 -------- d-----w- c:\documents and settings\<user>\Application Data\Skype
2010-08-02 21:00 . 2010-01-03 05:14 -------- d-----w- c:\documents and settings\<user>\Application Data\skypePM
2010-08-02 01:10 . 2009-01-03 16:08 -------- d-----w- c:\program files\Common Files\Java
2010-08-02 01:07 . 2009-01-03 16:08 -------- d-----w- c:\program files\Java
2010-07-26 22:26 . 2008-10-13 02:35 -------- d-----w- c:\program files\Common Files\Apple
2010-07-23 03:54 . 2003-08-02 13:28 159528 -c--a-w- c:\documents and settings\<user>\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-23 00:07 . 2004-01-14 01:27 -------- d-----w- c:\program files\Sony Handheld
2010-07-17 10:00 . 2010-04-17 15:13 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-17 09:46 . 2007-03-01 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-07-17 07:00 . 2004-10-31 23:02 -------- d-----w- c:\program files\McAfee
2010-07-17 04:47 . 2003-07-23 07:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2010-07-17 03:25 . 2004-11-06 05:25 -------- d-----w- c:\program files\Yahoo!
2010-07-17 03:16 . 2010-07-05 00:13 -------- d-----w- c:\documents and settings\<user>\Application Data\Musicmatch
2010-07-17 03:13 . 2003-07-23 07:30 -------- d-----w- c:\program files\MUSICMATCH
2010-07-17 03:00 . 2003-07-23 07:29 -------- d-----w- c:\program files\Microsoft Money
2010-07-16 20:10 . 2004-10-31 23:02 -------- d-----w- c:\documents and settings\<user>\Application Data\McAfee
2010-07-13 22:24 . 2007-06-16 22:06 -------- d-----w- c:\documents and settings\<user>\Application Data\Apple Computer
2010-07-13 12:10 . 2008-10-13 02:29 -------- d-----w- c:\program files\QuickTime
2010-07-13 12:05 . 2007-06-16 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-13 11:54 . 2007-06-16 22:03 -------- d-----w- c:\program files\Apple Software Update
2010-06-14 14:31 . 2002-08-29 10:00 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-11 09:14 . 2009-06-14 03:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 01:32 . 2010-06-01 01:32 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-06-01 01:32 . 2010-06-01 01:32 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 21:35 . 2010-05-18 21:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-14 4493312]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"FBSearch"="c:\program files\Fast Browser SearchP\FastBrowserSearchProtection.exe" [2008-11-26 325504]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-12-03 670864]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-01-27 1337608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-5-18 1154848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [7/17/2010 1:41 AM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/17/2010 1:41 AM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/17/2010 1:41 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/17/2010 1:41 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [7/17/2010 1:43 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [7/17/2010 1:42 AM 141792]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [7/17/2010 1:41 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [7/17/2010 1:41 AM 312616]
S2 wowsystemcode;Remote TCP/IPv6;c:\windows\System32\svchost.exe -k netsvcs [8/29/2002 5:00 AM 14336]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [7/17/2010 1:41 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [7/17/2010 1:41 AM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wowsystemcode
.
Contents of the 'Scheduled Tasks' folder

2010-08-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2003-08-02 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2010-08-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/canvasx.cab
DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan-canvasx.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-05 00:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
FBSearch = c:\program files\Fast Browser SearchP\FastBrowserSearchProtection.exe??tem32;c:\windows;c:\WINDOWS\S

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Enroute Imaging\QuickStitch\*  "!]
"NumOfRun"="3"
.
Completion time: 2010-08-05 00:08:27
ComboFix-quarantined-files.txt 2010-08-05 05:08
ComboFix2.txt 2010-08-04 23:29

Pre-Run: 11,653,246,976 bytes free
Post-Run: 11,623,985,152 bytes free

- - End Of File - - 8E0AE5F2688EC3283B9E78F0187CD1B3
 
Computer didn't reboot following second run of ComboFix.exe.

"Fast Browser Search Protection" installed itself in the service tray. I received a notification that a program was trying to change the default search engine. A Bing.com text window is now beside the address window in IE8.
 
Thanks for the info :)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Folder::
c:\program files\Fast Browser SearchP

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FBSearch"=-


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
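A small interpreter for the CFScript format used in the steps above, added here as an example (it is not ComboFix's or the helper's code): it parses the Run key the way ComboFix prints it in its "Reg Loading Points" section, applies the Registry:: deletion, and checks that no autostart entry still points into the folder the Folder:: section removes. The log lines and the script are constructed from the ones in this thread; the `"name" =-` spelling that the OTL :Reg fix later in the thread uses is accepted as well.

```python
import re

# Constructed from the 'Reg Loading Points' Run key in the second ComboFix
# log above (trimmed to four entries); not a file ComboFix wrote here.
COMBOFIX_RUN_SECTION = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-14 4493312]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"FBSearch"="c:\program files\Fast Browser SearchP\FastBrowserSearchProtection.exe" [2008-11-26 325504]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-12-03 670864]
"""

# The CFScript from the reply above.
CFSCRIPT = r"""
Folder::
c:\program files\Fast Browser SearchP

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FBSearch"=-
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data", optionally followed by ComboFix's " [date size]" suffix.
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]*)"(?:\s+\[[^\]]*\])?$')
# REGEDIT4 delete-value form "name"=- (OTL's :Reg section writes "name" =-).
DELETE_RE = re.compile(r'^"([^"]+)"\s*=\s*-$')


def parse_loading_points(text):
    """Parse ComboFix 'Reg Loading Points' lines into {key: {name: data}}.
    Key paths are lower-cased because the registry is case-insensitive."""
    snapshot, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            snapshot.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            snapshot[current][m.group(1)] = m.group(2)
    return snapshot


def parse_cfscript(text):
    """Split a CFScript into {'folder': [paths], 'registry': [(key, name, data)]}.
    data is None for the "name"=- form, which deletes the value."""
    folders, registry, section, key = [], [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith('::'):
            section = line[:-2].lower()
        elif section == 'folder':
            folders.append(line)
        elif section == 'registry':
            if KEY_RE.match(line):
                key = KEY_RE.match(line).group(1).lower()
            elif DELETE_RE.match(line):
                registry.append((key, DELETE_RE.match(line).group(1), None))
            elif VALUE_RE.match(line):
                m = VALUE_RE.match(line)
                registry.append((key, m.group(1), m.group(2)))
    return {'folder': folders, 'registry': registry}


def apply_cfscript(snapshot, script):
    """Return a copy of snapshot with the script's Registry:: edits applied."""
    result = {k: dict(v) for k, v in snapshot.items()}
    for key, name, data in script['registry']:
        values = result.setdefault(key, {})
        if data is None:
            values.pop(name, None)
        else:
            values[name] = data
    return result


def orphaned_autoruns(snapshot, folders):
    """Names of autostart values whose target sits inside a folder the script
    deletes: removing the folder alone would leave these dangling, which is
    why the script also carries the Registry:: deletion."""
    roots = [f.lower().rstrip('\\') + '\\' for f in folders]
    return sorted(name
                  for values in snapshot.values()
                  for name, data in values.items()
                  if any(data.lower().startswith(r) for r in roots))


if __name__ == '__main__':
    before = parse_loading_points(COMBOFIX_RUN_SECTION)
    script = parse_cfscript(CFSCRIPT)
    print('dangling before:', orphaned_autoruns(before, script['folder']))
    print('dangling after: ', orphaned_autoruns(apply_cfscript(before, script), script['folder']))
```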
 
ComboFix.exe log file #3

ComboFix 10-08-04.04 - <user> 08/05/2010 1:03.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.223 [GMT -5:00]
Running from: c:\documents and settings\<user>\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\<user>\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Fast Browser SearchP
c:\program files\Fast Browser SearchP\FastBrowserSearchProtection.exe
c:\program files\Fast Browser SearchP\FBSPlugin.dll
c:\program files\Fast Browser SearchP\FbsSearchProtectionUnInstall.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
.

2010-08-03 22:23 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-03 22:23 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-03 01:14 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-08-03 00:53 . 2010-08-03 00:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-03 00:31 . 2010-08-03 00:31 -------- d-----w- c:\program files\Windows Defender
2010-08-03 00:15 . 2010-08-03 00:15 -------- d-----w- c:\documents and settings\<user>\Application Data\ElevatedDiagnostics
2010-08-02 12:17 . 2010-08-02 12:17 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-26 22:26 . 2010-07-26 22:26 -------- d-----w- c:\program files\iPod
2010-07-23 02:46 . 2010-07-23 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2010-07-23 00:04 . 2010-08-02 12:19 -------- d-----w- c:\windows\SxsCaPendDel
2010-07-20 00:22 . 2010-07-20 00:22 123296 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-18 02:35 . 2010-07-18 02:35 -------- d-----w- c:\documents and settings\<user>\Local Settings\Application Data\Intuit
2010-07-17 06:46 . 2010-07-17 06:46 -------- d-----w- c:\program files\SiteAdvisor
2010-07-17 06:42 . 2010-06-01 01:32 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-07-17 06:41 . 2010-06-01 01:32 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-07-17 06:41 . 2010-06-01 01:32 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-07-17 06:41 . 2010-06-01 01:32 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-07-17 06:41 . 2010-06-01 01:32 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-07-17 06:41 . 2010-06-01 01:32 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-07-17 06:41 . 2010-06-01 01:32 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-07-17 06:41 . 2010-06-01 01:32 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-07-17 06:41 . 2010-07-17 06:44 -------- d-----w- c:\program files\Common Files\Mcafee
2010-07-17 06:41 . 2010-07-17 06:41 -------- d-----w- c:\program files\McAfee.com
2010-07-17 04:35 . 2010-07-17 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2010-07-17 04:25 . 2010-07-17 04:25 -------- d-----w- c:\program files\Citrix
2010-07-14 13:03 . 2010-07-14 13:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Intuit
2010-07-14 12:44 . 2009-06-22 14:14 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2010-07-14 12:18 . 2010-07-23 02:55 -------- d-----w- c:\program files\Common Files\Intuit
2010-07-14 12:18 . 2010-07-23 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-07-14 12:18 . 2010-07-14 12:18 -------- d-----w- c:\program files\Intuit
2010-07-14 12:16 . 2010-07-23 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
2010-07-14 12:16 . 2010-07-14 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES
2010-07-14 12:02 . 2010-07-14 12:02 -------- d-----w- c:\program files\MSXML 4.0
2010-07-14 11:52 . 2010-07-14 11:52 -------- d-----w- c:\windows\Intuit
2010-07-14 02:30 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 12:18 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-07-13 12:18 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-07-13 12:12 . 2010-07-26 22:41 -------- d-----w- c:\program files\iTunes
2010-07-13 12:12 . 2010-07-13 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-13 11:52 . 2010-07-13 11:52 -------- d-----w- c:\program files\Bonjour
2010-07-13 11:51 . 2010-07-13 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 22:47 . 2009-12-16 03:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-03 03:42 . 2003-07-23 07:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-03 03:40 . 2003-07-23 07:32 -------- d-----w- c:\program files\Common Files\Real
2010-08-03 03:40 . 2003-07-23 07:32 -------- d-----w- c:\program files\Real
2010-08-03 03:35 . 2010-01-03 05:10 -------- d-----r- c:\program files\Skype
2010-08-02 23:49 . 2010-01-03 05:12 -------- d-----w- c:\documents and settings\<user>\Application Data\Skype
2010-08-02 21:00 . 2010-01-03 05:14 -------- d-----w- c:\documents and settings\<user>\Application Data\skypePM
2010-08-02 01:10 . 2009-01-03 16:08 -------- d-----w- c:\program files\Common Files\Java
2010-08-02 01:07 . 2009-01-03 16:08 -------- d-----w- c:\program files\Java
2010-07-26 22:26 . 2008-10-13 02:35 -------- d-----w- c:\program files\Common Files\Apple
2010-07-23 03:54 . 2003-08-02 13:28 159528 -c--a-w- c:\documents and settings\<user>\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-23 00:07 . 2004-01-14 01:27 -------- d-----w- c:\program files\Sony Handheld
2010-07-17 10:00 . 2010-04-17 15:13 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-17 09:46 . 2007-03-01 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-07-17 07:00 . 2004-10-31 23:02 -------- d-----w- c:\program files\McAfee
2010-07-17 04:47 . 2003-07-23 07:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2010-07-17 03:25 . 2004-11-06 05:25 -------- d-----w- c:\program files\Yahoo!
2010-07-17 03:16 . 2010-07-05 00:13 -------- d-----w- c:\documents and settings\<user>\Application Data\Musicmatch
2010-07-17 03:13 . 2003-07-23 07:30 -------- d-----w- c:\program files\MUSICMATCH
2010-07-17 03:00 . 2003-07-23 07:29 -------- d-----w- c:\program files\Microsoft Money
2010-07-16 20:10 . 2004-10-31 23:02 -------- d-----w- c:\documents and settings\<user>\Application Data\McAfee
2010-07-13 22:24 . 2007-06-16 22:06 -------- d-----w- c:\documents and settings\<user>\Application Data\Apple Computer
2010-07-13 12:10 . 2008-10-13 02:29 -------- d-----w- c:\program files\QuickTime
2010-07-13 12:05 . 2007-06-16 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-13 11:54 . 2007-06-16 22:03 -------- d-----w- c:\program files\Apple Software Update
2010-06-14 14:31 . 2002-08-29 10:00 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-11 09:14 . 2009-06-14 03:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 01:32 . 2010-06-01 01:32 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-06-01 01:32 . 2010-06-01 01:32 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 21:35 . 2010-05-18 21:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-12-03 21:52 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-14 4493312]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-12-03 670864]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-01-27 1337608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-5-18 1154848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [7/17/2010 1:41 AM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/17/2010 1:41 AM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/17/2010 1:41 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/17/2010 1:41 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [7/17/2010 1:43 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [7/17/2010 1:42 AM 141792]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [7/17/2010 1:41 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [7/17/2010 1:41 AM 312616]
S2 wowsystemcode;Remote TCP/IPv6;c:\windows\System32\svchost.exe -k netsvcs [8/29/2002 5:00 AM 14336]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [7/17/2010 1:41 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [7/17/2010 1:41 AM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wowsystemcode
.
Contents of the 'Scheduled Tasks' folder

2010-08-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2003-08-02 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2010-08-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/canvasx.cab
DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan-canvasx.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Fast Browser SearchP - c:\program files\Fast Browser SearchP\FbsSearchProtectionUnInstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-05 01:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Enroute Imaging\QuickStitch\*  "!]
"NumOfRun"="3"
.
Completion time: 2010-08-05 01:51:06
ComboFix-quarantined-files.txt 2010-08-05 06:51
ComboFix2.txt 2010-08-05 05:08
ComboFix3.txt 2010-08-04 23:29

Pre-Run: 11,630,743,552 bytes free
Post-Run: 11,621,781,504 bytes free

- - End Of File - - 74DC9AF47A956922630196BBE9491AAC
 
Is Fast Browser Search still bothering you?

How is the computer doing at the moment?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
OTL.txt and Extras.txt

Fast Browser is gone. Computer is running much better.

OTL.txt and Extras.txt attached.

Thanks.
 

Cool :)

Your computer would greatly benefit from adding another 512MB of RAM.

==========================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab (Reg Error: Key error.)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
    O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab (Reg Error: Key error.)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab (Reg Error: Key error.)
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe (Reg Error: Key error.)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37856.1881481481 (Reg Error: Key error.)
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    [4 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
    [2007/03/12 13:44:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\<user>\Application Data\Viewpoint
    [2003/08/02 08:27:33 | 000,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 1.job
    @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:773DA865
    
    
    :Services
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring" =-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
    "DisableMonitoring" =-
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
OTL Run Fix and Quick Scan logs.

I may have spoken too soon about the computer speed. It seems slow again. IE8 takes a while to fire up, and when I open My Computer, the little flashlight appears, looking for files. My Computer does eventually open though.
 

Attachments

  • 08052010_232028.log (42.9 KB)
  • OTL.Txt (84.1 KB)
WSOD?

Not looking good.

After posting the OTL Run Fix and Quick Scan logs this morning, I rebooted the computer and left for work.

My wife woke up and used the computer a little (e-mail). Then she came in the room and saw what she termed the White Screen of Death.

- Ctrl-Alt-Delete had no effect
- Pressing and holding the power button on the CPU had no effect
- She unplugged the computer; waited 20-30 seconds and plugged it back in. Upon pushing the power button on the CPU, the white screen reappeared. No opening screens came up, just a white screen.
 
Oh boy, you must have some other issues.
There was not much of any infection present on your computer to start with.

I suspect you may be dealing with some hardware problem.

If you have a Windows XP CD, see if you can boot to it.

If you don't have a Windows CD...
Using another working computer....
Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
Download and install the free Imgburn: http://www.imgburn.com/index.php?act=download
Using Imgburn, burn rc.iso to a CD.
Boot to the CD...will it?
 
Sorry.

Should have updated...

After turning the computer off for several hours, it booted. But I know our time is limited.

So as far as the infection, were we finished?

What was I infected with?

Since I can at least temporarily use the computer, did you have a recommendation for the white screen?

Thanks.
 
As I said, there wasn't much there from what I could see.
We can always double check later, but for now the most important thing is to back up your data, as long as your computer is up.

Then we can start testing what's wrong with it.
The very first step would be to go with my previous reply.
Depending on whether it boots from a CD, it'll give us more info.
When you're done backing up your data, restart the computer normally and see if it'll do so.
 
