TechSpot

Possible rootkit infection, Internet Explorer pop ups from Red Orbit/The Rugged

Inactive
By KaptainKristi
Aug 22, 2010
  1. For the past week, I have been getting what looks like pop up ads that randomly appear in IE windows. I know something is wrong since I use Google Chrome. A techie friend of mine told me this was a rootkit infection, and ran a live CD on my computer 2 days ago. Problem is, the "pop ups" are still appearing.
    They are usually displaying RedOrbit.com or TheRugged, if that info is at all relevant.

    Here is my HiJack This log. Is there anything I can do to remove whatever this malware is? I'm prepared to wipe my hard drive entirely if I have to.
    Thank you in advance to anyone who can offer any help!
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 47,995   +271

    Welcome aboard

    We don't use HJT around here anymore.

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html

    Make sure you disable "word wrap" in Notepad, because otherwise your logs will be hard to read.
     
  3. KaptainKristi

    KaptainKristi TS Rookie Topic Starter

    Sorry about that - I really should have browsed for instructions!

    Here are my logs from Malwarebytes, GMER, and DDS. Any help at all is *greatly* appreciated! I have done everything I know to do, but have been unable to get rid of this infection on my own.


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4479

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    8/25/2010 8:51:25 PM
    mbam-log-2010-08-25 (20-51-25).txt

    Scan type: Quick scan
    Objects scanned: 141053
    Time elapsed: 9 minute(s), 14 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    ____________________________________________



    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-08-25 20:41:41
    Windows 5.1.2600 Service Pack 3
    Running: 8fugpfox.exe; Driver: C:\DOCUME~1\KRISTE~1\LOCALS~1\Temp\fwldqpog.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF73117AE]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF7311708]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF73116F2]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF73117EE]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF7311748]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF731164E]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF73115D4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF73115E8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF73117C2]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF7311784]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF73116DC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF73116C6]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF731163A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF731179A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF7311732]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF7311804]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF73117D8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    ---- Processes - GMER 1.0.15 ----

    Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 2100

    ---- EOF - GMER 1.0.15 ----
     
  4. KaptainKristi

    KaptainKristi TS Rookie Topic Starter

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Kristen Lunde at 20:56:03.29 on Wed 08/25/2010
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.420 [GMT -4:00]

    AV: Antivirus Soft *On-access scanning enabled* (Updated) {B316C67E-09F1-44c7-85E0-94F6DA8A4AA1}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe 4
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\WLTRAY.exe
    svchost.exe 4
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\McAfee\Common Framework\udaterui.exe
    C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Documents and Settings\Kristen Lunde\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uWindow Title = Windows Internet Explorer provided by Comcast
    mStart Page = hxxp://www.comcast.net/
    mWindow Title = Windows Internet Explorer provided by Comcast
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071129
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    uURLSearchHooks: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
    mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
    BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
    BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
    TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    TB: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
    TB: {71B6ACF7-4F0F-4FD8-BB69-6D1A4D271CB7} - No File
    TB: {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
    uRun: [ComcastAntispyClient] "c:\program files\comcasttb\comcastspywarescan\ComcastAntispy.exe" /hide
    uRun: [ISUSPM] -scheduler
    mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [dscactivate] c:\dell\dsca.exe 3
    mRun: [<NO NAME>]
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: &Search - ?p=ZJfox000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {61900274-3323-4446-BDCD-91548D32AF1B} - hxxp://www.worldwinner.com/games/v56/spidersolitaire/spidersolitaire.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201316630906
    DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Notify: AtiExtEvent - Ati2evxx.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\kriste~1\applic~1\mozilla\firefox\profiles\7hpdwmvc.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Web Search
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q=
    FF - component: c:\documents and settings\kristen lunde\application data\mozilla\firefox\profiles\7hpdwmvc.default\extensions\{51ef49d2-624b-4194-8b97-1c468e9b0efe}\components\Engine.dll
    FF - component: c:\documents and settings\kristen lunde\application data\mozilla\firefox\profiles\7hpdwmvc.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
    FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
    FF - plugin: c:\documents and settings\kristen lunde\application data\move networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\documents and settings\kristen lunde\application data\mozilla\firefox\profiles\7hpdwmvc.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: c:\documents and settings\kristen lunde\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    FF - user.js: google.toolbar.linkdoctor.enabled - false
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
     
  5. KaptainKristi

    KaptainKristi TS Rookie Topic Starter

    ============= SERVICES / DRIVERS ===============

    P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-8-31 146448]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-3 64288]
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-24 343664]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-4-6 532224]
    R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 26352]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 493032]
    R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2009-8-31 21256]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-1-16 103744]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-8-31 66896]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-8-24 70728]
    R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\rosettastoneltdservices\RosettaStoneDaemon.exe [2009-9-3 444224]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-24 91672]
    S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1355416]
    S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    S3 DVOALEADF;DVOALEADF;c:\docume~1\kriste~1\locals~1\temp\dvoaleadf.exe --> c:\docume~1\kriste~1\locals~1\temp\DVOALEADF.exe [?]
    S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2007-12-16 39048]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-24 43288]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-24 65448]
    S3 XDva349;XDva349;\??\c:\windows\system32\xdva349.sys --> c:\windows\system32\XDva349.sys [?]

    =============== Created Last 30 ================

    2010-08-25 00:14:22 65448 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2010-08-25 00:14:21 91672 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2010-08-25 00:14:21 75704 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2010-08-25 00:14:21 70728 ----a-w- c:\windows\system32\mfevtps.exe
    2010-08-25 00:14:21 63728 ----a-w- c:\windows\system32\drivers\mfetdik.sys
    2010-08-25 00:14:21 43288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2010-08-25 00:14:21 343664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2010-08-25 00:13:01 0 d-----w- c:\program files\McAfee
    2010-08-25 00:13:01 0 d-----w- c:\program files\common files\McAfee
    2010-08-23 04:09:06 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
    2010-08-21 00:00:05 262144 ---ha-w- c:\documents and settings\kristen lunde\ntuser.dat.LOG1
    2010-08-21 00:00:05 0 ---ha-w- c:\documents and settings\kristen lunde\ntuser.dat.LOG2
    2010-08-09 01:26:45 0 d-----w- c:\docume~1\kriste~1\applic~1\OpenOffice.org
    2010-08-09 01:17:55 0 d-----w- c:\program files\JRE
    2010-08-09 01:17:18 0 d-----w- c:\program files\OpenOffice.org 3
    2010-08-01 00:05:12 0 d-----w- c:\docume~1\kriste~1\applic~1\E-centives

    ==================== Find3M ====================

    2010-08-26 00:47:51 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-08-12 12:15:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
    2010-06-24 12:10:44 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-06-24 12:10:44 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
    2010-06-24 12:10:44 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 12:10:44 667136 ------w- c:\windows\system32\dllcache\wininet.dll
    2010-06-24 12:10:44 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
    2010-06-24 12:10:44 3073024 ------w- c:\windows\system32\dllcache\mshtml.dll
    2010-06-24 12:10:44 251904 ------w- c:\windows\system32\dllcache\iepeers.dll
    2010-06-24 12:10:44 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
    2010-06-24 12:10:44 1025024 ------w- c:\windows\system32\dllcache\browseui.dll
    2010-06-23 17:51:22 1238528 ----a-w- c:\windows\system32\zpeng25.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
    2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
    2010-06-18 13:36:12 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-17 05:09:18 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-06-14 14:31:20 744448 ----a-w- c:\windows\system32\dllcache\helpsvc.exe
    2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll

    ============= FINISH: 20:56:47.43 ===============
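    The DDS services list and the GMER process list above are the two blocks a malware-removal helper reads first: GMER reports an iexplore.exe that is hidden from the process list, and DDS marks services whose binary it could not examine with `[?]`, some of them living in a temp directory. The following triage script is an added example written for this thread; it is not part of DDS, GMER, or anything the forum posted. It parses constructed sample lines that copy the two log formats (the service names, paths and PID in the sample are made up) and flags hidden processes, services whose file DDS could not verify, and services that run out of a temp directory. A `[?]` entry is a prompt to check the file by hand, not a verdict: in the thread ZoneAlarm's vsmon also shows `[?]`.

```python
"""Triage helper for DDS "SERVICES / DRIVERS" and GMER "Processes" lines.

Added example for the TechSpot thread; not part of DDS, GMER or the forum's
own advice. It flags entries a helper would look at first:
  - GMER process lines marked "*** hidden ***"
  - DDS service lines ending in "[?]" (file could not be examined)
  - DDS service lines whose binary resolves into a \\temp\\ directory
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# DDS service line: "<start> <name>;<display name>;<path or 'a --> b'> [date size|?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[PRS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
# GMER process line for a process hidden from the normal process list.
HIDDEN_PROC_RE = re.compile(
    r"^Process\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\*\s*\)\s+(?P<pid>\d+)$"
)

# Constructed sample lines modeled on the two log formats in the thread;
# the service names, paths and PID below are invented for this example.
SAMPLE_LOG = r"""
R0 exdriver;Example Driver;c:\windows\system32\drivers\exdriver.sys [2010-8-24 343664]
S3 ABCDEFGH;ABCDEFGH;c:\docume~1\user~1\locals~1\temp\abcdefgh.exe --> c:\docume~1\user~1\locals~1\temp\ABCDEFGH.exe [?]
S3 XDvaNNN;XDvaNNN;\??\c:\windows\system32\xdvannn.sys --> c:\windows\system32\XDvaNNN.sys [?]
R2 goodsvc;Good Service;c:\program files\vendor\goodsvc.exe [2009-9-3 444224]
Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 2100
Process C:\WINDOWS\Explorer.EXE 1234
"""


@dataclass
class Finding:
    kind: str   # hidden_process | unverified_file | temp_dir_service
    name: str   # service name, or PID for a hidden process
    path: str   # binary path DDS/GMER reported


def _binary_path(rest: str) -> str:
    """Return the on-disk path DDS resolved for a service line.

    DDS writes 'registry_path --> resolved_path [?]' when the two differ;
    the right-hand side is the file that actually runs. The trailing
    '[date size]' or '[?]' bracket is dropped.
    """
    if "-->" in rest:
        rest = rest.split("-->", 1)[1]
    return rest.rsplit(" [", 1)[0].strip()


def triage(log_text: str) -> List[Finding]:
    """Scan log text line by line and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HIDDEN_PROC_RE.match(line)
        if m:
            # A process GMER sees but the normal process list does not is the
            # classic user-visible symptom of a rootkit hiding a process.
            findings.append(Finding("hidden_process", m["pid"], m["path"]))
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        path = _binary_path(m["rest"])
        if m["rest"].rstrip().endswith("[?]"):
            # DDS could not read the file: missing, locked or hidden.
            # Legitimate drivers can show this too, so it means "verify".
            findings.append(Finding("unverified_file", m["name"], path))
        if "\\temp\\" in path.lower():
            # A service registered to run from a temp directory is rarely
            # a vendor install and is a standard remediation candidate.
            findings.append(Finding("temp_dir_service", m["name"], path))
    return findings


def count_by_kind(findings: List[Finding]) -> Dict[str, int]:
    """Summary counts, handy for a quick first reply in a thread."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:18} {f.name:10} {f.path}")
    print(count_by_kind(triage(SAMPLE_LOG)))
```

    Feed it the pasted text of a DDS or GMER log (`triage(open("DDS.txt").read())`) and it returns the flagged entries in the order they appear; anything it does not recognise is ignored rather than guessed at.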
     
  6. Broni

    Broni Malware Annihilator Posts: 47,995   +271

    Attach.txt part of DDS is missing.
    Please, post it.

    =====================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    =====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. KaptainKristi

    KaptainKristi TS Rookie Topic Starter

    Here's the Attach.txt:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)


    Microsoft Windows XP Home Edition
    Boot Device: \Device\Harddisk0\DP(2)0x5649600-0xd32e7d800+2
    Install Date: 12/16/2007 12:04:22 PM
    System Uptime: 8/25/2010 8:31:32 PM (0 hours ago)

    Motherboard: Dell Inc. | | 0UW744
    Processor: Mobile AMD Sempron(tm) Processor 3600+ | Socket M2/S1G1 | 1999/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 53 GiB total, 26.32 GiB free.
    D: is CDROM ()
    E: is FIXED (FAT) - 0 GiB total, 0.076 GiB free.
    F: is FIXED (FAT32) - 3 GiB total, 1.15 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Ad-Aware
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 8.2.2
    AikaOnline
    AIM 7
    AIM Toolbar
    AMD Processor Driver
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft PhotoImpression 4
    ArcSoft Print Creations
    ArcSoft Print Creations - Album Page
    ArcSoft Print Creations - Funhouse
    ArcSoft Print Creations - Greeting Card
    ArcSoft Print Creations - Photo Book
    ArcSoft Print Creations - Photo Calendar
    ArcSoft Print Creations - Scrapbook
    ArcSoft Print Creations - Slimline Card
    ATI Catalyst Control Center
    ATI Display Driver
    BitTorrent
    Bonjour
    Canon iP2600 series
    Canon iP2600 series User Registration
    Canon My Printer
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities Solution Menu
    CCleaner
    CCScore
    Comcast Desktop Software (v1.2.0.9)
    Comcast High-Speed Internet Install Wizard
    Comcast Toolbar 3.0
    Conexant HDA D110 MDC V.92 Modem
    Defraggler
    Dell DataSafe Online
    Dell Support Center
    Dell System Restore
    Dell Wireless WLAN Card
    DellSupport
    Desktop Doctor
    Digimax Viewer 2.1
    Digital Line Detect
    DivX Setup
    Documentation & Support Launcher
    Download Updater (AOL LLC)
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSTOOLS
    essvatgt
    fflink
    Free Mp3 Wma Converter V 1.9
    Games, Music, & Photos Launcher
    Google Chrome
    High Definition Audio Driver Package - KB835221
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB945060-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Internet Service Offers Launcher
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 18
    Kodak EasyShare software
    LEGO Star Wars II
    Malwarebytes' Anti-Malware
    Mario Forever 4.0
    McAfee Agent
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Office 2000 Disc 2
    Microsoft Office 2000 Premium
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Silverlight
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Modem Helper
    Mozilla ActiveX Control v1.7.12
    Mozilla Firefox (3.6.3)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    netbrdg
    NetWaiting
    OfotoXMI
    OpenOffice.org 3.2
    PIXMA Extended Survey Program
    PowerDVD 5.7
    QuickSet
    QuickTime
    Rosetta Stone Ltd Services
    SearchAssist
    Security Update for CAPICOM (KB931906)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    SFR
    SHASTA
    skin0001
    SKINXSDK
    Sony Digital Voice Editor 2
    SoulSeek 157 NS 13d
    staticcr
    Synaptics Pointing Device Driver
    The Oregon Trail
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    VC80CRTRedist - 8.0.50727.4053
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 1.0.1
    VoiceOver Kit
    VPRINTOL
    WebFldrs XP
    WIAT-III Scoring Assistant
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 3
    WinZip 11.1
    WIRELESS
    ZoneAlarm
    ZoneAlarm Toolbar

    ==== Event Viewer Messages From Past Week ========

    8/25/2010 8:30:40 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Lavasoft Ad-Aware Service service to connect.
    8/25/2010 8:30:40 PM, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/25/2010 8:30:05 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    8/25/2010 8:15:15 PM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
    8/25/2010 8:15:15 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    8/25/2010 8:15:14 PM, error: Service Control Manager [7034] - The SupportSoft Sprocket Service (ddoctorv2) service terminated unexpectedly. It has done this 1 time(s).
    8/25/2010 8:15:14 PM, error: Service Control Manager [7034] - The RosettaStoneDaemon service terminated unexpectedly. It has done this 1 time(s).
    8/25/2010 8:15:13 PM, error: Service Control Manager [7034] - The McAfee Task Manager service terminated unexpectedly. It has done this 1 time(s).
    8/25/2010 8:15:08 PM, error: Service Control Manager [7034] - The McAfee Framework Service service terminated unexpectedly. It has done this 1 time(s).
    8/25/2010 8:15:08 PM, error: Service Control Manager [7034] - The McAfee Engine Service service terminated unexpectedly. It has done this 1 time(s).
    8/25/2010 8:15:07 PM, error: Service Control Manager [7034] - The PIXMA Extended Survey Program service terminated unexpectedly. It has done this 1 time(s).
    8/25/2010 8:15:07 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    8/25/2010 8:15:07 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    8/25/2010 8:15:06 PM, error: Service Control Manager [7034] - The Comcast AntiSpyware service terminated unexpectedly. It has done this 1 time(s).
    8/25/2010 8:15:06 PM, error: Service Control Manager [7034] - The ArcSoft Connect Daemon service terminated unexpectedly. It has done this 1 time(s).
    8/25/2010 8:15:06 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    8/25/2010 8:15:05 PM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
    8/25/2010 8:15:05 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    8/24/2010 8:07:39 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    8/24/2010 7:50:58 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer PIXIE that believes that it is the master browser for the domain on transport NetBT_Tcpip_{6DE14AB7-E9AF-4051-9A6. The master browser is stopping or an election is being forced.
    8/24/2010 11:52:39 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'DP(2)0x5649600-0xd32e7d800+2'. It has stopped monitoring the volume.
    8/24/2010 1:01:44 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001E4C4B639E. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    8/24/2010 1:01:24 PM, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 001E4C4B639E has been denied by the DHCP server 10.75.64.175 (The DHCP Server sent a DHCPNACK message).
    8/24/2010 1:00:03 PM, error: Service Control Manager [7000] - The OfficeScan NT Listener service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/24/2010 1:00:02 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the OfficeScan NT Listener service to connect.
    8/20/2010 5:06:11 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the OfficeScan NT Firewall service to connect.
    8/20/2010 5:06:11 PM, error: Service Control Manager [7000] - The OfficeScan NT Firewall service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/20/2010 1:21:09 PM, error: Dhcp [1002] - The IP address lease 192.168.2.4 for the Network Card with network address 001E4C4B639E has been denied by the DHCP server 10.75.129.175 (The DHCP Server sent a DHCPNACK message).
    8/20/2010 1:19:59 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the JavaQuickStarterService service.
    8/19/2010 1:03:32 AM, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 001E4C4B639E has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    8/18/2010 12:57:56 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    ==== End Of File ===========================
     
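The Event Viewer section of the Attach.txt above shows something a responder should notice before reading any further: at 8:15:05 through 8:15:15 PM on 8/25 a dozen services, including every McAfee component and the Comcast anti-spyware service, died within ten seconds of each other. One way to pull that pattern out of a DDS log mechanically, as an added example that is not part of the original thread or of the DDS tool: the sample lines are a subset of the posted log, the 30-second window, the minimum cluster size and the list of security-product name fragments are assumptions for this demo.

```python
"""Flag clusters of 'service terminated unexpectedly' events in a DDS log.

Added example, not part of the original TechSpot thread or the DDS tool.
The sample lines are copied from the event-viewer section of the posted
Attach.txt; the security-product name list is an assumption.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the Event Viewer lines from the posted log.
SAMPLE_LOG = """\
8/25/2010 8:30:40 PM, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/25/2010 8:15:15 PM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
8/25/2010 8:15:15 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
8/25/2010 8:15:13 PM, error: Service Control Manager [7034] - The McAfee Task Manager service terminated unexpectedly. It has done this 1 time(s).
8/25/2010 8:15:08 PM, error: Service Control Manager [7034] - The McAfee Framework Service service terminated unexpectedly. It has done this 1 time(s).
8/25/2010 8:15:06 PM, error: Service Control Manager [7034] - The Comcast AntiSpyware service terminated unexpectedly. It has done this 1 time(s).
8/24/2010 8:07:39 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
8/18/2010 12:57:56 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
"""

# Assumption: substrings that identify security tooling on this machine.
SECURITY_HINTS = ("McAfee", "Ad-Aware", "AntiSpy", "OfficeScan", "ZoneAlarm")

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
SVC_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")


def parse_events(text):
    """Parse DDS event-viewer lines into dicts, oldest first; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")
        events.append({"ts": ts, "event_id": int(m.group("event_id")),
                       "source": m.group("source"), "msg": m.group("msg")})
    return sorted(events, key=lambda e: e["ts"])


def termination_clusters(events, window=timedelta(seconds=30), min_size=3):
    """Group SCM event 7034 (service terminated unexpectedly) entries that fall
    within `window` of the previous one. Many services dying together, with
    security products among them, is what to look for; it is not proof of a
    bootkit on its own, but it tells you the protection stack was not running."""
    terms = [(e["ts"], SVC_RE.match(e["msg"]).group("svc"))
             for e in events if e["event_id"] == 7034 and SVC_RE.match(e["msg"])]
    clusters, current = [], []
    for ts, svc in terms:
        if current and ts - current[-1][0] > window:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append((ts, svc))
    if len(current) >= min_size:
        clusters.append(current)
    return [{"start": c[0][0], "end": c[-1][0],
             "services": [s for _, s in c],
             "security_products": [s for _, s in c
                                   if any(h in s for h in SECURITY_HINTS)]}
            for c in clusters]


if __name__ == "__main__":
    for c in termination_clusters(parse_events(SAMPLE_LOG)):
        print(f"{c['start']} - {c['end']}: {len(c['services'])} services died; "
              f"security products: {c['security_products']}")
```

Run against the full Attach.txt the same cluster grows to the twelve services listed at 8:15 PM; the 8:30 PM Ad-Aware start failures are event 7000/7009 and are deliberately left out of the clustering, since a service that never started tells you less than one that was running and got killed.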
  8. KaptainKristi

    KaptainKristi TS Rookie Topic Starter

    I'll do ComboFix now.
    Here's MBR:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000003c

    Kernel Drivers (total 129):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D0000 \WINDOWS\system32\hal.dll
    0xF7AC4000 \WINDOWS\system32\KDCOM.DLL
    0xF79D4000 \WINDOWS\system32\BOOTVID.dll
    0xF7495000 ACPI.sys
    0xF7AC6000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7484000 pci.sys
    0xF75C4000 isapnp.sys
    0xF79D8000 compbatt.sys
    0xF79DC000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7B8C000 pciide.sys
    0xF7844000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF75D4000 MountMgr.sys
    0xF7465000 ftdisk.sys
    0xF784C000 PartMgr.sys
    0xF79E0000 ACPIEC.sys
    0xF7B8D000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF75E4000 VolSnap.sys
    0xF744D000 atapi.sys
    0xF75F4000 disk.sys
    0xF7604000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF742D000 fltmgr.sys
    0xF7614000 Lbd.sys
    0xF7624000 PxHelp20.sys
    0xF7416000 KSecDD.sys
    0xF7389000 Ntfs.sys
    0xF735C000 NDIS.sys
    0xF7342000 Mup.sys
    0xF72F0000 mfehidk.sys
    0xF77C4000 \SystemRoot\system32\DRIVERS\AmdK8.sys
    0xF7AA4000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xF692E000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF691A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF6886000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
    0xF7924000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF6862000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF792C000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF77D4000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF77E4000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF77F4000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF683F000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7934000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xF6817000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF7804000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF793C000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF67E8000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xF7AEC000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7944000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7814000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
    0xF67D4000 \SystemRoot\system32\DRIVERS\sdbus.sys
    0xF794C000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
    0xF7AB0000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF7C8F000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7824000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7AB4000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF67BD000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7834000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7634000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7954000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF67AC000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7644000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF795C000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7964000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF7654000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7AEE000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF674E000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7ABC000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7664000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7694000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xEE4A8000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
    0xEE3B1000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
    0xEE2FB000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
    0xF7974000 \SystemRoot\System32\Drivers\Modem.SYS
    0xEE1E8000 \SystemRoot\system32\drivers\sthda.sys
    0xEE1C4000 \SystemRoot\system32\drivers\portcls.sys
    0xF76C4000 \SystemRoot\system32\drivers\drmk.sys
    0xF6B01000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF7B02000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7D06000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7B04000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7984000 \SystemRoot\System32\drivers\vga.sys
    0xF7B06000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7B08000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF798C000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7994000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF6AFD000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xEE191000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xEE138000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF76D4000 \SystemRoot\system32\drivers\mfetdik.sys
    0xEE0CA000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xEE0A2000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xEE021000 \SystemRoot\System32\vsdatant.sys
    0xEDFFF000 \SystemRoot\System32\drivers\afd.sys
    0xF76E4000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xEDFD4000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xEDF64000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF7714000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF7A84000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
    0xF7744000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF6695000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xED562000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xED54A000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7B28000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF6B05000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF78DC000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7CFF000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF055000 \SystemRoot\System32\ati2cqag.dll
    0xBF09D000 \SystemRoot\System32\atikvmag.dll
    0xBF0E3000 \SystemRoot\System32\ati3duag.dll
    0xBF34A000 \SystemRoot\System32\ativvaxx.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xEB1DE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xED6DE000 \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
    0xEDC7A000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xEDC3D000 \SystemRoot\system32\drivers\wdmaud.sys
    0xED709000 \SystemRoot\system32\drivers\sysaudio.sys
    0xF7B16000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
    0xEDE49000 \SystemRoot\system32\DRIVERS\srv.sys
    0xED897000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xBA79B000 \SystemRoot\system32\drivers\mfeavfk.sys
    0xB9122000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB8F42000 \??\C:\DOCUME~1\KRISTE~1\LOCALS~1\Temp\fwldqpog.sys
    0xB8F17000 \SystemRoot\system32\drivers\kmixer.sys
    0xB8F06000 \SystemRoot\system32\drivers\mfeapfk.sys
    0xF6E46000 \SystemRoot\system32\drivers\mfebopk.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 64):
    0 System Idle Process
    4 System
    752 C:\WINDOWS\system32\smss.exe
    816 csrss.exe
    844 C:\WINDOWS\system32\winlogon.exe
    888 C:\WINDOWS\system32\services.exe
    900 C:\WINDOWS\system32\lsass.exe
    1044 C:\WINDOWS\system32\ati2evxx.exe
    1056 C:\WINDOWS\system32\svchost.exe
    1160 svchost.exe
    1200 C:\WINDOWS\system32\svchost.exe
    1252 svchost.exe
    1284 svchost.exe
    1380 C:\WINDOWS\system32\ati2evxx.exe
    1748 C:\WINDOWS\explorer.exe
    2016 C:\WINDOWS\system32\svchost.exe
    2024 C:\WINDOWS\system32\WLTRYSVC.EXE
    2040 C:\WINDOWS\system32\BCMWLTRY.EXE
    140 C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
    260 C:\WINDOWS\system32\spoolsv.exe
    360 svchost.exe
    640 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    760 C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
    1000 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    1080 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    1088 C:\WINDOWS\system32\WLTRAY.EXE
    1224 C:\WINDOWS\system32\svchost.exe
    1228 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1320 C:\Program Files\Bonjour\mDNSResponder.exe
    1408 C:\WINDOWS\stsystra.exe
    1416 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    932 C:\Program Files\Canon\IJPLM\ijplmsvc.exe
    1612 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    1628 C:\Program Files\Java\jre6\bin\jqs.exe
    1908 C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
    1968 C:\Program Files\iTunes\iTunesHelper.exe
    2068 C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    2116 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    2124 C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    2132 C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
    2220 C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
    2360 C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    2424 C:\WINDOWS\system32\mfevtps.exe
    2444 naPrdMgr.exe
    2492 C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
    2576 C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    2620 C:\WINDOWS\system32\svchost.exe
    2688 wdfmgr.exe
    2780 C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    3060 mfeann.exe
    3092 C:\Program Files\McAfee\Common Framework\McTray.exe
    3584 C:\Program Files\Digital Line Detect\DLG.exe
    2932 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    1424 unsecapp.exe
    2476 C:\Program Files\iPod\bin\iPodService.exe
    3788 wmiprvse.exe
    3824 C:\WINDOWS\system32\wbem\wmiapsrv.exe
    1676 alg.exe
    3520 C:\WINDOWS\system32\svchost.exe
    1516 C:\Documents and Settings\Kristen Lunde\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    3228 C:\Documents and Settings\Kristen Lunde\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    652 C:\Documents and Settings\Kristen Lunde\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    236 C:\Documents and Settings\Kristen Lunde\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    3340 C:\Documents and Settings\Kristen Lunde\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> error 1
    \\.\E: --> error 1
    \\.\F: --> error 1

    PhysicalDrive0 Model Number: HitachiHTS541660J9SA00, Rev: SBBOC7KP

    Size Device Name MBR Status
    --------------------------------------------
    55 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
    SHA1: 528D76AF92636551CD15423543A72AE085CACA37


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
     
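Two things in the MBRCheck output above carry the diagnosis: the boot sector itself hashes to something MBRCheck recognises as bootkit code rather than a stock Windows or OEM MBR, and a kernel driver with an eight-letter random name is loaded from the user's Temp directory, which no legitimate driver does. The following is an added example, not MBRCheck's own code and not from the thread, showing what each of those checks looks like on a 512-byte sector image and on the posted driver list. The MBR layout constants are the standard ones; the known-good and known-bad hash sets are constructed for the demo (the SHA1 MBRCheck printed above is not used as a reference value here), and the driver lines are a subset of the posted output.

```python
"""Verify an MBR image the way MBRCheck does (hash the boot code, sanity-check
the partition table) and flag kernel drivers loaded from user-writable paths.

Added example, not MBRCheck's code and not part of the original thread.
Assumptions: standard 512-byte MBR layout; the known-good/known-bad hash sets
are constructed for this demo; the driver lines are a subset of the posted output.
"""
import hashlib
import re
import struct

BOOT_CODE_LEN = 440     # bytes 0..439: executable boot code
DISK_SIG_OFF = 440      # 4-byte NT disk signature
PART_TABLE_OFF = 446    # 4 x 16-byte partition entries
BOOT_SIG_OFF = 510      # 0x55AA


def parse_mbr(data):
    """Split a 512-byte sector into its fields; raise on a malformed sector."""
    if len(data) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if data[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = data[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (3 bytes skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha1": hashlib.sha1(data[:BOOT_CODE_LEN]).hexdigest().upper(),
            "disk_signature": struct.unpack("<I", data[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
            "partitions": parts}


def classify_mbr(data, known_good, known_bad):
    """'known-good', 'known-bad' or 'unknown'. Unknown is not a pass: compare the
    sector against a clean image of the same OEM/Windows release before trusting it."""
    h = parse_mbr(data)["boot_code_sha1"]
    if h in known_bad:
        return "known-bad"
    if h in known_good:
        return "known-good"
    return "unknown"


def build_sample_mbr(boot_code):
    """Constructed sample sector: the given boot code, one bootable NTFS partition."""
    sector = bytearray(512)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = struct.pack("<I", 0xDEADBEEF)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 111_000_000)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed: stand-in for the vendor's clean boot code.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100)
KNOWN_GOOD = {parse_mbr(CLEAN_MBR)["boot_code_sha1"]}
# Constructed: a different first sector, as a bootkit that overwrites the MBR leaves behind.
HOOKED_MBR = build_sample_mbr(b"\xeb\x10" + b"\x90" * 100)
KNOWN_BAD = {parse_mbr(HOOKED_MBR)["boot_code_sha1"]}

# Kernel-driver lines taken from the MBRCheck output posted above.
DRIVER_LINES = """\
0xF7389000 Ntfs.sys
0xEDFD4000 \\SystemRoot\\system32\\DRIVERS\\rdbss.sys
0xED6DE000 \\??\\C:\\Program Files\\CheckPoint\\ZAForceField\\ISWKL.sys
0xB8F42000 \\??\\C:\\DOCUME~1\\KRISTE~1\\LOCALS~1\\Temp\\fwldqpog.sys
"""

# Assumption: path components no legitimate kernel driver is loaded from.
SUSPECT_PATH_RE = re.compile(
    r"\\(Temp|Local Settings|LOCALS~1|Documents and Settings|DOCUME~1)\\", re.I)
RANDOM_NAME_RE = re.compile(r"\\[a-z]{8}\.sys$")   # eight lowercase letters, e.g. fwldqpog.sys


def suspicious_drivers(lines):
    """Flag drivers loaded from a per-user or temp directory; mark separately
    when the file name looks machine-generated."""
    hits = []
    for line in lines.splitlines():
        addr, _, path = line.partition(" ")
        if SUSPECT_PATH_RE.search(path):
            hits.append({"base": addr, "path": path,
                         "random_name": bool(RANDOM_NAME_RE.search(path))})
    return hits


if __name__ == "__main__":
    print("clean sector:", classify_mbr(CLEAN_MBR, KNOWN_GOOD, KNOWN_BAD))
    print("hooked sector:", classify_mbr(HOOKED_MBR, KNOWN_GOOD, KNOWN_BAD))
    for hit in suspicious_drivers(DRIVER_LINES):
        print("suspect driver:", hit)
```

The hash covers only the first 440 bytes, because the disk signature and partition table legitimately differ from machine to machine while the boot code for a given Windows/OEM release does not; that is also why "unknown" must be resolved against a reference image rather than waved through. A driver under `\??\C:\DOCUME~1\...\Temp\` is a finding on its own regardless of what the MBR hash says: on a clean system nothing with a kernel address should have been loaded from a user profile.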
  9. KaptainKristi

    KaptainKristi TS Rookie Topic Starter

    Help!
    I went to run ComboFix, and it told me that Antivirus Soft was running. I remember that this fake software hijacked my browser before. How do I disable/delete it so ComboFix can run properly?
     
  10. Broni

    Broni Malware Annihilator Posts: 47,995   +271

    Disregard that warning.
     