[Closed] Google redirect virus, scour et al., part II

Status
Not open for further replies.

starl1ng

Original thread: https://www.techspot.com/vb/topic163104.html#post1021918

Sorry, Broni - just getting back to the user's machine tonight. Here are our results:

MBR:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 123):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80B8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB85AC000 dmload.sys
0xB7F23000 dmio.sys
0xB8330000 PartMgr.sys
0xB80C8000 VolSnap.sys
0xB7F0B000 atapi.sys
0xB80D8000 disk.sys
0xB80E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7EEB000 fltMgr.sys
0xB7ED9000 sr.sys
0xB7E7C000 mfehidk.sys
0xB7E65000 KSecDD.sys
0xB7E52000 WudfPf.sys
0xB7DC5000 Ntfs.sys
0xB7D98000 NDIS.sys
0xB7D7E000 Mup.sys
0xB6D15000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB6D01000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB6CD9000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB6CA2000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xB83E0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB6C7E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB83E8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB81C8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB83F8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB8400000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB81D8000 \SystemRoot\system32\DRIVERS\serial.sys
0xB8584000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB6C6A000 \SystemRoot\system32\DRIVERS\parport.sys
0xB81E8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB81F8000 \SystemRoot\System32\Drivers\AFS2K.SYS
0xB8208000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB8218000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB6C47000 \SystemRoot\system32\DRIVERS\ks.sys
0xB8228000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8798000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB6C33000 \SystemRoot\system32\DRIVERS\mfendisk.sys
0xB8238000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB859C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB6C1C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB8248000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB8258000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8430000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB6C0B000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8268000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB6BE7000 \SystemRoot\system32\drivers\mfeavfk.sys
0xB6B9C000 \SystemRoot\system32\drivers\mfefirek.sys
0xB8450000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB8460000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB6B44000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB8278000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB85C8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB6AE6000 \SystemRoot\system32\DRIVERS\update.sys
0xB764A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB8298000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB43A4000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB4380000 \SystemRoot\system32\drivers\portcls.sys
0xB82A8000 \SystemRoot\system32\drivers\drmk.sys
0xB82B8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB85D2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB42F6000 \SystemRoot\system32\DRIVERS\MOBK.sys
0xB85EE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB86B8000 \SystemRoot\System32\Drivers\Null.SYS
0xB85F2000 \SystemRoot\System32\Drivers\Beep.SYS
0xB42DF000 \??\C:\WINDOWS\system32\drivers\SBREdrv.sys
0xB8370000 \SystemRoot\System32\drivers\vga.sys
0xB85F6000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB85FA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB8380000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB8390000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB49DA000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB42AC000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB4253000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB4205000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB41F2000 \SystemRoot\system32\drivers\mfetdi2k.sys
0xB82C8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB412A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB4108000 \SystemRoot\System32\drivers\afd.sys
0xB82D8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB40DD000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB406D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB83B0000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53BE1125-75C8-4BFE-8294-3794CDEF45D4}\MpKsl14298079.sys
0xB82E8000 \SystemRoot\System32\Drivers\Fips.SYS
0xB4370000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xB8308000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB4055000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB8606000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB435C000 \SystemRoot\System32\drivers\Dxapi.sys
0xB83D0000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB8748000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBD623000 \SystemRoot\System32\ATMFD.DLL
0xB32EF000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB3072000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB8652000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB300D000 \SystemRoot\system32\drivers\wdmaud.sys
0xB4172000 \SystemRoot\system32\drivers\sysaudio.sys
0xB2ECA000 \SystemRoot\system32\DRIVERS\srv.sys
0xB27E9000 \SystemRoot\system32\drivers\cfwids.sys
0xB2528000 \SystemRoot\System32\Drivers\HTTP.sys
0xB1DCC000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awdyqaoc.sys
0xB1DB6000 \SystemRoot\system32\drivers\mfeapfk.sys
0xB2589000 \SystemRoot\system32\drivers\mfebopk.sys
0xB8498000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys
0xB026F000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB2326000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xB8490000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB8480000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xAE530000
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 40):
0 System Idle Process
4 System
1008 C:\WINDOWS\system32\smss.exe
1076 csrss.exe
1100 C:\WINDOWS\system32\winlogon.exe
1144 C:\WINDOWS\system32\services.exe
1156 C:\WINDOWS\system32\lsass.exe
1336 C:\WINDOWS\system32\nvsvc32.exe
1380 C:\WINDOWS\system32\svchost.exe
1492 svchost.exe
1668 C:\WINDOWS\system32\svchost.exe
1712 C:\WINDOWS\system32\svchost.exe
1840 svchost.exe
1976 svchost.exe
308 C:\WINDOWS\system32\spoolsv.exe
396 svchost.exe
520 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
716 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
816 C:\WINDOWS\system32\mfevtps.exe
872 C:\Program Files\McAfee Online Backup\MOBKbackup.exe
1028 C:\WINDOWS\system32\svchost.exe
1232 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
1372 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
1444 C:\WINDOWS\explorer.exe
2832 C:\WINDOWS\system32\rundll32.exe
2936 alg.exe
3512 C:\WINDOWS\RTHDCPL.EXE
3616 C:\WINDOWS\system32\rundll32.exe
3880 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
3988 C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
792 C:\Program Files\Palm\Hotsync.exe
1940 C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
2052 C:\Program Files\GoZone\GoZone_iSync.exe
2096 C:\Program Files\Common Files\Skyscape\SmartUpdate.exe
2568 C:\WINDOWS\system32\ctfmon.exe
2668 C:\Program Files\McAfee.com\Agent\mcagent.exe
888 C:\Program Files\Skyscape\Desktop\smARTalerts\smARTalerts.exe
1884 C:\Program Files\Mozilla Firefox\firefox.exe
4044 C:\Program Files\Mozilla Firefox\plugin-container.exe
2844 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive1 Model Number: ST3500418AS, Rev: CC34

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

ComboFix:

ComboFix 11-04-04.01 - Administrator 04/04/2011 17:29:20.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2044.1274 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-04 to 2011-04-04 )))))))))))))))))))))))))))))))
.
.
2011-03-29 16:22 . 2011-03-29 16:22 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-03-28 23:55 . 2011-03-29 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-28 23:55 . 2011-03-28 23:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-28 23:47 . 2011-03-28 23:47 -------- d-----w- c:\program files\TweakNow RegCleaner 2011
2011-03-28 23:47 . 2011-03-28 23:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\TweakNow RegCleaner 2011
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2010-10-19 15:06 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-10-19 15:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-14 03:28 . 2010-12-31 16:14 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-28_23.38.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-04 09:14 . 2011-04-04 09:14 16384 c:\windows\Temp\Perflib_Perfdata_4d0.dat
+ 2011-03-29 00:13 . 2011-03-29 00:13 16384 c:\windows\Temp\Perflib_Perfdata_368.dat
+ 2010-12-31 21:08 . 2011-04-04 21:03 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-12-31 21:08 . 2011-03-28 23:21 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-12-31 21:08 . 2011-04-04 21:03 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-12-31 21:08 . 2011-03-28 23:21 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-09-07 19573352]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-08 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-08 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"QuickFinder Scheduler"="c:\program files\WordPerfect Office 11\Programs\QFSCHD110.EXE" [2003-07-09 77887]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-11-22 1193848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
GoZone iSync.lnk - c:\program files\GoZone\GoZone_iSync.exe [2010-10-19 431608]
Palm Registration.lnk - c:\program files\Palm\register.exe [2010-10-25 2494464]
Skyscape SmartUpdate.lnk - c:\program files\Common Files\Skyscape\SmartUpdate.exe [2010-9-30 12496896]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2010-10-25 28672]
Event Reminder.lnk - c:\program files\PrintMaster Platinum 17\Remind.exe [2006-2-22 344064]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Worden Brothers, Inc\\stockFinder\\AppBinv5\\stockFinderApp.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/31/2010 12:14 PM 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [12/31/2010 12:15 PM 54776]
R1 MpKsl14298079;MpKsl14298079;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53BE1125-75C8-4BFE-8294-3794CDEF45D4}\MpKsl14298079.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53BE1125-75C8-4BFE-8294-3794CDEF45D4}\MpKsl14298079.sys [?]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2/5/2011 4:31 PM 98392]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/31/2010 12:14 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/31/2010 12:14 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/31/2010 12:14 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/31/2010 12:14 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/31/2010 12:04 PM 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 9:11 PM 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/31/2010 12:14 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/31/2010 12:14 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/31/2010 12:14 PM 88544]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/19/2010 12:48 PM 1691480]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/31/2010 12:14 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/31/2010 12:14 PM 84264]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AWDYQAOC
*NewlyCreated* - MPKSL8DF18363
*Deregistered* - awdyqaoc
*Deregistered* - mfeavfk01
*Deregistered* - MpKsl8df18363
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-04 c:\windows\Tasks\User_Feed_Synchronization-{4E856EB8-7DB8-4A03-BF68-C944DD112F3A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0jji56st.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-04 17:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1644491937-515967899-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,36,41,49,f2,af,3b,4f,ae,05,a7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,36,41,49,f2,af,3b,4f,ae,05,a7,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,36,41,49,f2,af,3b,4f,ae,05,a7,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(828)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-04 17:33:14
ComboFix-quarantined-files.txt 2011-04-04 21:33
ComboFix2.txt 2011-03-28 23:39
.
Pre-Run: 466,673,737,728 bytes free
Post-Run: 466,700,603,392 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 58C45B9536A5AFA9EF2EB4D26D9B115C

Thanks - sorry for the delay. Likely to be another one after we receive further instructions. I'll be in closer contact, Broni.
 
I'll reopen your original topic.
Please, post all logs there.

I'm closing this one.
 