Internet security virus

January 3, 2010 at 08:35:33
Specs: Windows XP Home Edition
I noticed the other day, around the same time that my computer started locking up, that my toolbar was sporting two new strange logos. I tried to open the Task Manager to end whatever process the problem was to remove it, and once I couldn't, went to download AnVir Task Manager Pro. I managed to rid myself of a fake security center that constantly prompted me to download antispyware, but still haven't managed to open my Task Manager; I get a warning that says it can't be opened because it's infected, along with my System Restore, Notepad, and Windows Updates.

I ran a few full scans through McAfee but it doesn't seem to have gotten the job done...

help?




#1
January 3, 2010 at 08:41:32
Don't restart the computer once you run Rkill or the baddie will restart also.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (will be created in the directory where you ran exeHelper.com, and should open at the end of the scan).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch program.
2. (Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt <-- this will be maximized, and info.txt <-- this will be minimized. Both logs will be located at C:\RSIT.exe.



#2
January 3, 2010 at 10:29:04
ExeHelper Log


exeHelper by Raktor
Build 20091220
Run at 11:22:54 on 01/03/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Killed process winupdate86.exe
Checking for bad files...
Deleting file C:\WINDOWS\system32\41.exe
Deleting file C:\WINDOWS\msa.exe
Deleting file C:\WINDOWS\system32\winupdate86.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


Mbam log

Malwarebytes' Anti-Malware 1.43
Database version: 3488
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/3/2010 11:50:26 AM
mbam-log-2010-01-03 (11-50-26).txt

Scan type: Quick Scan
Objects scanned: 117228
Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 43

Memory Processes Infected:
C:\Documents and Settings\Sarasdfghjkl\Application Data\SystemProc\lsass.exe (Trojan.Inject) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\dmstyle32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\3A1.tmp (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18bf6302-3424-49a5-b224-7c75f682ec4f} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{18bf6302-3424-49a5-b224-7c75f682ec4f} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\e87ffcb8724 (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18bf6302-3424-49a5-b224-7c75f682ec4f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{18bf6302-3424-49a5-b224-7c75f682ec4f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PUT2VIDQLG (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\B1RQJ7YJ0U (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Inject) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\put2vidqlg (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\dmstyle32.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\dmstyle32.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\SysWoW32 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ctl3dv232.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dmstyle32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\3A1.tmp (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Sarasdfghjkl\Application Data\SystemProc\lsass.exe (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sarasdfghjkl\Local Settings\Temp\c.exe (Trojan.Fraudpack) -> Delete on reboot.
C:\WINDOWS\system32\winlogon86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bszip.dll (Worm.P2P) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dhcpqec32.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dnsrslvr32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gcdef32.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sarasdfghjkl\Local Settings\Temp\519.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sarasdfghjkl\Local Settings\Temp\a.exe (Trojan.Fraudpack) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sarasdfghjkl\Local Settings\Temporary Internet Files\Content.IE5\85YZCT6F\update4303[1].exe (Trojan.Inject) -> Quarantined and deleted successfully.
C:\WINDOWS\alvi1368.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi841328354v4 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi841328354v4.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi841328354v6 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi841328354v6.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi841328354v7 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi841328354v7.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu841328354v5 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu841328354v5.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu841328354v0 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu841328354v0.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu841328354v1 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu841328354v1.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu841328354v2 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu841328354v2.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu841328354v3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu841328354v3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\outlook\p.zip (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cmd.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netstat.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ping.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taskkill.com (Worm.P2P) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tasklist.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tracert.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\GnuHashes.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sarasdfghjkl\Local Settings\Temp\b.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sarasdfghjkl\Local Settings\Temp\d.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\confin.sys (Malware.Trace) -> Quarantined and deleted successfully.



#3
January 3, 2010 at 10:31:19
AAAAAAAAAAAAnd random's log

Logfile of random's system information tool 1.06 (written by random/random)
Run by Sarasdfghjkl at 2010-01-03 12:03:13
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 41 GB (70%) free of 59 GB
Total RAM: 1535 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:27 PM, on 1/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1252539966\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\AnVir Task Manager Pro\AnVir.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sarasdfghjkl\My Documents\My Pictures\cvjghj\RSIT.exe
C:\Program Files\trend micro\Sarasdfghjkl.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R3 - URLSearchHook: IAOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1252539966\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [AnVir Task Manager Pro] "C:\Program Files\AnVir Task Manager Pro\AnVir.exe" Minimized
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 7570 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Disk Cleanup.job
C:\WINDOWS\tasks\Windows Media Player.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
AskBar BHO - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-09-08 279944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]
AOL Toolbar Loader - C:\Program Files\AOL Toolbar\aoltb.dll [2008-10-21 1275176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-11-04 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-08-14 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-08-14 73728]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-08-14 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{3041d03e-fd4b-44e0-b742-2d9b88305f98} - Ask Toolbar - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-09-08 279944]
{DE9C389F-3316-41A7-809B-AA305ED9D922} - AOL Toolbar - C:\Program Files\AOL Toolbar\aoltb.dll [2008-10-21 1275176]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=C:\WINDOWS\system32\dumprep 0 -u []
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"HostManager"=C:\Program Files\Common Files\AOL\1252539966\ee\AOLSoftware.exe [2008-06-24 41824]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-08-20 118784]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-08-20 155648]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-07-13 292128]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-10-29 1218008]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2007-04-16 577536]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-08-14 149280]
"Zune Launcher"=c:\Program Files\Zune\ZuneLauncher.exe [2009-09-04 158448]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AnVir Task Manager Pro"=C:\Program Files\AnVir Task Manager Pro\AnVir.exe [2008-11-13 2743008]
"AdobeUpdater"=C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-08-20 344064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0
"DisableCMD"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0
"DisableCMD"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoSetActiveDesktop"=0
"NoActiveDesktopChanges"=0
"NoFolderOptions"=0
"NoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=
"NoFolderOptions"=
"NoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\WINDOWS\system32\lxcrcoms.exe"="C:\WINDOWS\system32\lxcrcoms.exe:*:Enabled:Lexmark Communications System"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Documents and Settings\The Sara Emerson\Application Data\MySpace\IM\bin\MySpaceIM.exe"="C:\Documents and Settings\The Sara Emerson\Application Data\MySpace\IM\bin\MySpaceIM.exe:*:Disabled:MySpace Instant Messenger"
"C:\WINDOWS\system32\a.exe"="C:\WINDOWS\system32\a.exe:*:Disabled:a"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Starcraft\StarCraft.exe"="C:\Program Files\Starcraft\StarCraft.exe:*:Enabled:Starcraft"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire"
"C:\Program Files\Common Files\AOL\acs\AOLDial.exe"="C:\Program Files\Common Files\AOL\acs\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer"
"C:\Program Files\Common Files\AOL\acs\AOLacsd.exe"="C:\Program Files\Common Files\AOL\acs\AOLacsd.exe:*:Enabled:AOL Connectivity Service"
"C:\Program Files\Common Files\AOL\1252539966\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1252539966\ee\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\Program Files\AOL 9.1\waol.exe"="C:\Program Files\AOL 9.1\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe"="C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL System Information"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be79b778-a09f-11dd-9a7e-0018391cfd63}]
shell\AutoRun\command - I:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2010-01-03 12:02:36 ----D---- C:\Program Files\trend micro
2010-01-03 12:02:35 ----D---- C:\rsit
2010-01-03 11:39:46 ----D---- C:\Documents and Settings\Sarasdfghjkl\Application Data\Malwarebytes
2010-01-03 11:39:38 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-01-03 11:39:37 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-01-03 11:11:34 ----A---- C:\WINDOWS\system32\11538.exe
2010-01-03 10:51:33 ----A---- C:\WINDOWS\system32\14771.exe
2010-01-03 10:31:33 ----A---- C:\WINDOWS\system32\21726.exe
2010-01-03 10:11:32 ----A---- C:\WINDOWS\system32\5447.exe
2010-01-03 09:51:32 ----A---- C:\WINDOWS\system32\19895.exe
2010-01-03 09:31:32 ----A---- C:\WINDOWS\system32\19718.exe
2010-01-03 09:11:31 ----A---- C:\WINDOWS\system32\18716.exe
2010-01-03 08:51:31 ----A---- C:\WINDOWS\system32\17421.exe
2010-01-03 08:31:31 ----A---- C:\WINDOWS\system32\12382.exe
2010-01-03 08:11:31 ----A---- C:\WINDOWS\system32\292.exe
2010-01-03 07:51:31 ----A---- C:\WINDOWS\system32\153.exe
2010-01-03 07:31:31 ----A---- C:\WINDOWS\system32\3902.exe
2010-01-03 07:11:27 ----A---- C:\WINDOWS\system32\14604.exe
2010-01-03 06:51:24 ----A---- C:\WINDOWS\system32\32391.exe
2010-01-03 01:10:19 ----A---- C:\WINDOWS\system32\r3r286a.vbs
2010-01-02 22:05:20 ----A---- C:\WINDOWS\system32\6334.exe
2010-01-02 21:45:19 ----A---- C:\WINDOWS\system32\18467.exe
2010-01-02 21:29:56 ----A---- C:\WINDOWS\system32\G0MYu.vbs
2010-01-02 15:29:14 ----A---- C:\WINDOWS\system32\wWnBp.vbs
2010-01-02 04:57:04 ----A---- C:\WINDOWS\system32\5436.exe
2010-01-02 04:37:04 ----A---- C:\WINDOWS\system32\4827.exe
2010-01-02 04:17:03 ----A---- C:\WINDOWS\system32\11942.exe
2010-01-02 03:57:03 ----A---- C:\WINDOWS\system32\2995.exe
2010-01-02 03:37:02 ----A---- C:\WINDOWS\system32\491.exe
2010-01-02 03:17:02 ----A---- C:\WINDOWS\system32\9961.exe
2010-01-02 02:57:02 ----A---- C:\WINDOWS\system32\16827.exe
2010-01-02 02:37:01 ----A---- C:\WINDOWS\system32\23281.exe
2010-01-02 02:17:01 ----A---- C:\WINDOWS\system32\28145.exe
2010-01-02 01:57:00 ----A---- C:\WINDOWS\system32\5705.exe
2010-01-02 01:37:00 ----A---- C:\WINDOWS\system32\24464.exe
2010-01-02 01:17:00 ----A---- C:\WINDOWS\system32\26962.exe
2010-01-02 00:56:59 ----A---- C:\WINDOWS\system32\29358.exe
2010-01-02 00:36:59 ----A---- C:\WINDOWS\system32\11478.exe
2010-01-02 00:16:58 ----A---- C:\WINDOWS\system32\15724.exe
2010-01-01 23:56:58 ----A---- C:\WINDOWS\system32\19169.exe
2010-01-01 23:36:57 ----A---- C:\WINDOWS\system32\26500.exe
2010-01-01 23:23:12 ----D---- C:\Program Files\AnVir Task Manager Pro
2010-01-01 23:20:59 ----D---- C:\Documents and Settings\Sarasdfghjkl\Application Data\GetRightToGo
2010-01-01 22:55:07 ----D---- C:\Program Files\Windows Live Safety Center
2010-01-01 20:44:00 ----SHD---- C:\Documents and Settings\Sarasdfghjkl\Application Data\SystemProc
2010-01-01 18:24:55 ----A---- C:\WINDOWS\system32\HGxdd.vbs
2010-01-01 16:07:51 ----D---- C:\Documents and Settings\Sarasdfghjkl\Application Data\.BitTornado
2010-01-01 15:18:34 ----D---- C:\Documents and Settings\Sarasdfghjkl\Application Data\WinRAR
2010-01-01 15:09:16 ----SH---- C:\WINDOWS\system32\unrar.exe
2010-01-01 15:09:16 ----D---- C:\WINDOWS\system32\1515035615
2010-01-01 15:08:42 ----A---- C:\WINDOWS\system32\WJRBf15N5uf7e.vbs
2009-12-31 20:57:09 ----D---- C:\Program Files\FrostWire
2009-12-31 20:07:59 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2009-12-31 03:24:46 ----D---- C:\Program Files\Common Files\McAfee
2009-12-31 03:24:44 ----D---- C:\Program Files\McAfee.com
2009-12-31 03:24:07 ----D---- C:\Program Files\McAfee
2009-12-31 02:50:32 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2009-12-31 02:14:03 ----A---- C:\aolconnfix.txt
2009-12-31 02:14:03 ----A---- C:\aolconnfix.exe
2009-12-31 00:45:23 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2009-12-31 00:45:11 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2009-12-31 00:45:05 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2009-12-31 00:45:01 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2009-12-31 00:44:56 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2009-12-31 00:44:52 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2009-12-31 00:44:48 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2009-12-31 00:44:13 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2009-12-31 00:44:07 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2009-12-31 00:43:59 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2009-12-31 00:43:48 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2009-12-31 00:43:39 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2009-12-31 00:43:30 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2009-12-31 00:42:40 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2009-12-31 00:42:33 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$
2009-12-31 00:40:45 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2009-12-31 00:40:39 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2009-12-12 01:59:05 ----HDC---- C:\WINDOWS\$NtUninstallwinusb0100$
2009-12-12 01:58:10 ----HDC---- C:\WINDOWS\$NtUninstallWudf01009$
2009-12-12 00:35:41 ----N---- C:\WINDOWS\system32\spmsgXP_2k3.dll
2009-12-12 00:35:40 ----HDC---- C:\WINDOWS\$NtUninstallWdf01009$
2009-12-12 00:35:17 ----D---- C:\Program Files\Zune
2009-12-12 00:34:38 ----HDC---- C:\WINDOWS\$NtUninstallKB932716-v2$
2009-12-12 00:34:08 ----N---- C:\WINDOWS\system32\imapi2fs.dll
2009-12-12 00:34:08 ----N---- C:\WINDOWS\system32\imapi2.dll
2009-12-07 19:34:17 ----D---- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2009-12-07 19:33:44 ----D---- C:\Documents and Settings\Sarasdfghjkl\Application Data\AVS4YOU
2009-12-07 19:33:37 ----D---- C:\Program Files\Common Files\AVSMedia
2009-12-07 19:33:37 ----A---- C:\WINDOWS\system32\GdiPlus.dll
2009-12-07 19:33:36 ----D---- C:\Program Files\AVS4YOU
2009-12-07 19:33:36 ----A---- C:\WINDOWS\system32\msxml3a.dll

======List of files/folders modified in the last 1 months======

2010-01-03 12:02:36 ----RD---- C:\Program Files
2010-01-03 11:57:34 ----D---- C:\Program Files\Mozilla Firefox
2010-01-03 11:55:11 ----D---- C:\WINDOWS\Temp
2010-01-03 11:53:29 ----D---- C:\WINDOWS
2010-01-03 11:53:20 ----D---- C:\WINDOWS\system32\CatRoot2
2010-01-03 11:52:37 ----SHD---- C:\WINDOWS\system32
2010-01-03 11:52:37 ----D---- C:\WINDOWS\system32\drivers
2010-01-03 11:51:54 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-03 11:50:25 ----SD---- C:\WINDOWS\Tasks
2010-01-03 11:50:07 ----D---- C:\WINDOWS\Prefetch
2010-01-02 05:18:04 ----D---- C:\WINDOWS\Registration
2010-01-02 05:15:58 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-01-02 05:03:38 ----D---- C:\Documents and Settings\Sarasdfghjkl\Application Data\FrostWire
2010-01-01 22:56:27 ----D---- C:\Program Files\AskBarDis
2010-01-01 22:55:44 ----HD---- C:\WINDOWS\inf
2010-01-01 22:55:09 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-01-01 22:36:50 ----A---- C:\WINDOWS\win.ini
2010-01-01 21:52:41 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-01-01 10:54:18 ----D---- C:\Documents and Settings
2009-12-31 20:18:40 ----D---- C:\WINDOWS\AppPatch
2009-12-31 20:08:07 ----A---- C:\WINDOWS\imsins.BAK
2009-12-31 20:08:02 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-12-31 20:07:12 ----HD---- C:\WINDOWS\$hf_mig$
2009-12-31 05:07:19 ----D---- C:\Program Files\Starcraft
2009-12-31 03:30:28 ----D---- C:\WINDOWS\system32\CatRoot
2009-12-31 03:24:46 ----D---- C:\Program Files\Common Files
2009-12-31 03:24:46 ----D---- C:\mcafee_mcpr
2009-12-31 01:43:10 ----HD---- C:\Config.Msi
2009-12-31 00:56:06 ----D---- C:\WINDOWS\Microsoft.NET
2009-12-31 00:56:03 ----RSD---- C:\WINDOWS\assembly
2009-12-31 00:49:48 ----SHD---- C:\WINDOWS\Installer
2009-12-31 00:48:55 ----D---- C:\WINDOWS\WinSxS
2009-12-31 00:44:38 ----D---- C:\Program Files\Internet Explorer
2009-12-31 00:44:25 ----D---- C:\WINDOWS\ie8updates
2009-12-23 13:21:15 ----D---- C:\WINDOWS\Minidump
2009-12-12 02:34:34 ----SD---- C:\Documents and Settings\Sarasdfghjkl\Application Data\Microsoft
2009-12-09 08:03:38 ----D---- C:\My Recordings
2009-12-09 01:11:56 ----AC---- C:\WINDOWS\SIERRA.INI
2009-12-09 01:09:36 ----D---- C:\SIERRA
2009-12-07 19:33:47 ----RSD---- C:\WINDOWS\Fonts

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2009-11-04 214664]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2009-07-16 120136]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.3.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-06-12 20747]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R2 zumbus;Zune Bus Enumerator Driver; C:\WINDOWS\system32\DRIVERS\zumbus.sys [2009-09-02 40832]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2008-09-24 4122368]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-03 701440]
R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-03-19 23400]
R3 GTNDIS5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2009-11-04 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2009-11-04 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2009-11-04 40552]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 RT61;Linksys Wireless-G PCI Adapter Driver(RT61); C:\WINDOWS\system32\DRIVERS\RT61.sys [2005-10-27 356096]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
R3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2009-07-14 444136]
R3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2009-07-13 91904]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter; C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-04 36224]
S3 BCM42RLY;BCM42RLY; \??\C:\WINDOWS\System32\BCM42RLY.SYS []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 COH_Mon;COH_Mon; \??\C:\WINDOWS\system32\Drivers\COH_Mon.sys []
S3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
S3 HSF_DPV;HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys [2005-07-22 1035008]
S3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys [2005-07-22 231168]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-08-20 737874]
S3 idrmkl;idrmkl; \??\C:\DOCUME~1\SARASD~1\LOCALS~1\Temp\idrmkl.sys []
S3 JL2005C;Dual Mode Camera; C:\WINDOWS\System32\Drivers\jl2005c.sys [2007-01-26 68954]
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2009-11-04 34248]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 QCDonner;Logitech QuickCam Express; C:\WINDOWS\system32\DRIVERS\OVCD.sys [2001-08-17 28032]
S3 RTL8023xp;TRENDnet TE100 PCBUSR PC Card; C:\WINDOWS\System32\DRIVERS\TE100XP.SYS [2006-04-18 78720]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbstor;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2005-07-22 717952]
S3 WinUSB;WinUSB; C:\WINDOWS\system32\DRIVERS\WinUSB.sys [2006-11-02 39368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2009-07-13 132224]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2006-10-23 46640]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-08-14 153376]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-10-29 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-11-04 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-10-27 895696]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 ZuneBusEnum;Zune Bus Enumerator; c:\WINDOWS\system32\ZuneBusEnum.exe [2009-09-04 58592]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-07-13 542496]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-11-04 606736]
S2 WMP54Gv4SVC;WMP54Gv4SVC; C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe [2004-02-06 41025]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-08-12 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-10-28 365072]
S3 Symantec Core LC;Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2008-10-11 1245064]
S3 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 ZuneNetworkSvc;Zune Network Sharing Service; c:\Program Files\Zune\ZuneNss.exe [2009-09-04 5893360]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service; c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2009-09-04 447216]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

Popups and such have ceased and there aren't any weird logos lodged in my toolbar.

I can enter my task manager and so on as well...


am I out of the woods?


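Reading the RSIT listing above by eye is what the helper does. As an added example (it is not part of this thread and not any of the tools mentioned in it), the Python script below parses that listing's line format and flags the patterns visible in this log: numerically named executables dropped straight into system32 at a fixed interval, scripts written to system32, and hidden+system files and folders. The sample lines are copied from the log above; the rule names and thresholds are my own.

```python
import re
from collections import Counter, namedtuple
from datetime import datetime

# Constructed sample: lines copied from the RSIT "files/folders created" listing
# posted earlier in this thread, with a few benign lines kept for contrast.
SAMPLE_LOG = r"""
2010-01-02 15:29:14 ----A---- C:\WINDOWS\system32\wWnBp.vbs
2010-01-02 04:57:04 ----A---- C:\WINDOWS\system32\5436.exe
2010-01-02 04:37:04 ----A---- C:\WINDOWS\system32\4827.exe
2010-01-02 04:17:03 ----A---- C:\WINDOWS\system32\11942.exe
2010-01-02 03:57:03 ----A---- C:\WINDOWS\system32\2995.exe
2010-01-02 03:37:02 ----A---- C:\WINDOWS\system32\491.exe
2010-01-01 23:23:12 ----D---- C:\Program Files\AnVir Task Manager Pro
2010-01-01 20:44:00 ----SHD---- C:\Documents and Settings\Sarasdfghjkl\Application Data\SystemProc
2010-01-01 15:09:16 ----SH---- C:\WINDOWS\system32\unrar.exe
2009-12-31 03:24:07 ----D---- C:\Program Files\McAfee
"""

Entry = namedtuple("Entry", "ts attrs path")

# RSIT line layout: "<date> <time> ----<attribute letters>---- <path>"
# Attribute letters as used in the listing: A=archive, D=directory, H=hidden, S=system.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ----([A-Z]*)---- (.+)$")
SYSTEM32 = "c:\\windows\\system32\\"
NUMERIC_EXE = "numeric-named exe dropped in system32"


def parse_listing(text):
    """Parse RSIT file-listing lines; lines that do not match the layout are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entries.append(Entry(ts, m.group(2), m.group(3)))
    return entries


def classify(entry):
    """Return the triage rule an entry trips, or None for an ordinary entry.
    The rules are my own and mirror what the helper checks in this thread's log."""
    low = entry.path.lower()
    name = low.rsplit("\\", 1)[-1]
    # File sits directly in system32 (no further subdirectory).
    in_sys32 = low.startswith(SYSTEM32) and "\\" not in low[len(SYSTEM32):]
    if in_sys32 and re.fullmatch(r"\d+\.exe", name):
        return NUMERIC_EXE
    if in_sys32 and name.endswith((".vbs", ".js", ".bat")):
        return "script file written to system32"
    if "S" in entry.attrs and "H" in entry.attrs and name.endswith(".exe"):
        return "hidden+system executable"
    if {"D", "S", "H"} <= set(entry.attrs) and "\\application data\\" in low:
        return "hidden+system folder under Application Data"
    return None


def drop_cadence(entries, rule=NUMERIC_EXE):
    """Most common creation interval, in whole minutes, among entries tripping `rule`.
    Returns (gap_minutes, occurrences, total_gaps), or None when fewer than 3 gaps exist.
    A dominant fixed gap is the signature of an automated download loop."""
    times = sorted(e.ts for e in entries if classify(e) == rule)
    gaps = [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    gap, count = Counter(gaps).most_common(1)[0]
    return gap, count, len(gaps)


def triage(text):
    """Run all rules over a listing and summarise the findings."""
    entries = parse_listing(text)
    findings = [(classify(e), e.path) for e in entries if classify(e)]
    return {"findings": findings, "cadence": drop_cadence(entries)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for rule, path in report["findings"]:
        print(f"{rule:48} {path}")
    print("drop cadence (minutes, hits, gaps):", report["cadence"])
```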

#4
January 3, 2010 at 14:43:58
Please download Combofix with Internet Explorer instead of Firefox.

Remember, your McAfee antivirus must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

Link1
Link 2
Link 3
Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename combofix.exe to Combo-Fix, then click save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#5
January 3, 2010 at 19:39:31
ComboFix 10-01-03.03 - Sarasdfghjkl 01/03/2010 21:07:49.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1105 [GMT -6:00]
Running from: c:\documents and settings\Sarasdfghjkl\My Documents\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Incomplete\T-10492994-Doom 95.exe
c:\documents and settings\Incomplete\T-11437521-Half Life 2.exe
c:\documents and settings\Incomplete\T-11837681-Half Life Pc.exe
c:\documents and settings\Incomplete\T-11850550-Half Life Game.exe
c:\documents and settings\Incomplete\T-12211197-Half Life 1.exe
c:\documents and settings\Incomplete\T-12351258-Half Life Full.exe
c:\documents and settings\Sarasdfghjkl\Application Data\020000007cee9c68724C.manifest
c:\documents and settings\Sarasdfghjkl\Application Data\020000007cee9c68724O.manifest
c:\documents and settings\Sarasdfghjkl\Application Data\020000007cee9c68724P.manifest
c:\documents and settings\Sarasdfghjkl\Application Data\020000007cee9c68724S.manifest
c:\documents and settings\Sarasdfghjkl\Application Data\Mozilla\Firefox\Profiles\eazq3r35.default\extensions\{c2d46d28-250f-4529-8453-bb1ea74db728}
c:\documents and settings\Sarasdfghjkl\Application Data\Mozilla\Firefox\Profiles\eazq3r35.default\extensions\{c2d46d28-250f-4529-8453-bb1ea74db728}\chrome.manifest
c:\documents and settings\Sarasdfghjkl\Application Data\Mozilla\Firefox\Profiles\eazq3r35.default\extensions\{c2d46d28-250f-4529-8453-bb1ea74db728}\chrome\xulcache.jar
c:\documents and settings\Sarasdfghjkl\Application Data\Mozilla\Firefox\Profiles\eazq3r35.default\extensions\{c2d46d28-250f-4529-8453-bb1ea74db728}\defaults\preferences\xulcache.js
c:\documents and settings\Sarasdfghjkl\Application Data\Mozilla\Firefox\Profiles\eazq3r35.default\extensions\{c2d46d28-250f-4529-8453-bb1ea74db728}\install.rdf
c:\documents and settings\Sarasdfghjkl\Application Data\SystemProc
c:\documents and settings\The Sara Emerson\Application Data\Mozilla\Firefox\Profiles\gq8zkscd.default\extensions\{c2d46d28-250f-4529-8453-bb1ea74db728}
c:\documents and settings\The Sara Emerson\Application Data\Mozilla\Firefox\Profiles\gq8zkscd.default\extensions\{c2d46d28-250f-4529-8453-bb1ea74db728}\chrome.manifest
c:\documents and settings\The Sara Emerson\Application Data\Mozilla\Firefox\Profiles\gq8zkscd.default\extensions\{c2d46d28-250f-4529-8453-bb1ea74db728}\chrome\xulcache.jar
c:\documents and settings\The Sara Emerson\Application Data\Mozilla\Firefox\Profiles\gq8zkscd.default\extensions\{c2d46d28-250f-4529-8453-bb1ea74db728}\defaults\preferences\xulcache.js
c:\documents and settings\The Sara Emerson\Application Data\Mozilla\Firefox\Profiles\gq8zkscd.default\extensions\{c2d46d28-250f-4529-8453-bb1ea74db728}\install.rdf
c:\program files\outlook
c:\windows\system32\11478.exe
c:\windows\system32\11538.exe
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\1515035615
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\17421.exe
c:\windows\system32\18467.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\21726.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\3902.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\G0MYu.vbs
c:\windows\system32\HGxdd.vbs
c:\windows\system32\r3r286a.vbs
c:\windows\system32\unrar.exe
c:\windows\system32\WJRBf15N5uf7e.vbs
c:\windows\system32\wWnBp.vbs

----- BITS: Possible infected sites -----

hxxp://resources.zune.net
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2009-12-04 to 2010-01-04 )))))))))))))))))))))))))))))))
.

2010-01-03 18:02 . 2010-01-03 20:55 -------- d-----w- c:\program files\trend micro
2010-01-03 18:02 . 2010-01-03 18:03 -------- d-----w- C:\rsit
2010-01-03 17:39 . 2010-01-03 17:39 -------- d-----w- c:\documents and settings\Sarasdfghjkl\Application Data\Malwarebytes
2010-01-03 17:39 . 2009-12-30 20:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 17:39 . 2010-01-03 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-03 17:39 . 2010-01-03 17:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-03 17:39 . 2009-12-30 20:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 05:23 . 2010-01-02 07:12 -------- d-----w- c:\program files\AnVir Task Manager Pro
2010-01-02 05:23 . 2010-01-03 22:58 -------- d-----w- c:\documents and settings\Sarasdfghjkl\Local Settings\Application Data\AnVir
2010-01-02 05:20 . 2010-01-02 05:23 -------- d-----w- c:\documents and settings\Sarasdfghjkl\Application Data\GetRightToGo
2010-01-02 04:55 . 2010-01-02 04:55 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-01 22:07 . 2010-01-01 22:07 -------- d-----w- c:\documents and settings\Sarasdfghjkl\Application Data\.BitTornado
2010-01-01 20:32 . 2010-01-01 21:45 -------- d-----w- c:\documents and settings\Frost Music\Programs
2010-01-01 15:04 . 2010-01-01 15:04 -------- d-----w- c:\documents and settings\Incomplete\PUBU5PLJ7RTQQLR3TITDV3WCKAVHMW35
2010-01-01 15:04 . 2010-01-04 03:12 -------- d-----w- c:\documents and settings\Incomplete
2010-01-01 02:57 . 2010-01-01 15:04 -------- d-----w- c:\program files\FrostWire
2010-01-01 02:05 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-31 09:26 . 2009-11-04 22:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-31 09:26 . 2009-11-04 22:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-31 09:26 . 2009-11-04 22:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-31 09:26 . 2009-07-16 18:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-31 09:24 . 2009-12-31 09:26 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-31 09:24 . 2009-12-31 09:25 -------- d-----w- c:\program files\McAfee.com
2009-12-31 09:24 . 2009-12-31 23:15 -------- d-----w- c:\program files\McAfee
2009-12-31 09:09 . 2009-11-04 22:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-31 08:50 . 2009-12-31 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-31 08:14 . 2009-12-31 08:14 10920 ----a-w- C:\aolconnfix.exe
2009-12-12 06:35 . 2008-11-08 00:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-12-12 06:35 . 2009-12-12 06:36 -------- d-----w- c:\program files\Zune
2009-12-12 06:34 . 2008-05-02 10:49 62976 -c----w- c:\windows\system32\dllcache\cdrom.sys
2009-12-12 06:34 . 2008-05-02 13:25 465920 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2009-12-12 06:34 . 2008-05-02 13:25 465920 ------w- c:\windows\system32\imapi2fs.dll
2009-12-12 06:34 . 2008-05-02 13:25 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2009-12-12 06:34 . 2008-05-02 13:25 317952 ------w- c:\windows\system32\imapi2.dll
2009-12-09 07:11 . 2009-12-09 07:11 -------- d-----w- c:\documents and settings\Sarasdfghjkl\WINDOWS
2009-12-08 01:34 . 2009-12-08 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-12-08 01:33 . 2009-12-08 01:33 -------- d-----w- c:\documents and settings\Sarasdfghjkl\Application Data\AVS4YOU
2009-12-08 01:33 . 2009-12-08 01:34 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-12-08 01:33 . 2003-05-22 06:50 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-12-08 01:33 . 2009-12-08 01:34 -------- d-----w- c:\program files\AVS4YOU
2009-12-08 01:33 . 2003-05-21 18:50 24576 ----a-w- c:\windows\system32\msxml3a.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 21:23 . 2001-08-23 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-03 16:12 . 2010-01-03 16:12 195584 ----a-w- c:\documents and settings\Sarasdfghjkl\Application Data\Sun\Java\Deployment\cache\6.0\5\27706285-68f5b93d-n\WMINative.dll
2010-01-02 11:03 . 2009-09-05 01:39 -------- d-----w- c:\documents and settings\Sarasdfghjkl\Application Data\FrostWire
2010-01-02 04:56 . 2009-09-05 01:39 -------- d-----w- c:\program files\AskBarDis
2009-12-31 11:07 . 2009-05-14 04:20 -------- d-----w- c:\program files\Starcraft
2009-12-12 07:59 . 2009-12-12 07:59 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2009-12-12 07:59 . 2009-12-12 07:59 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2009-12-12 07:58 . 2009-12-12 07:58 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2009-12-12 06:35 . 2009-12-12 06:35 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2009-12-12 06:35 . 2009-12-12 06:35 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-12-08 01:34 . 2008-10-18 05:34 14576 -c--a-w- c:\documents and settings\Sarasdfghjkl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-24 09:36 . 2009-01-17 04:38 -------- d-----w- c:\documents and settings\Sarasdfghjkl\Application Data\Skype
2009-11-23 22:09 . 2008-10-26 01:38 -------- d-----w- c:\documents and settings\Sarasdfghjkl\Application Data\skypePM
2009-11-21 15:51 . 2002-03-25 19:01 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-04 22:54 . 2009-11-04 22:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-29 07:45 . 2004-01-08 20:23 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2001-08-23 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2001-08-23 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2001-08-23 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-09 03:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnVir Task Manager Pro"="c:\program files\AnVir Task Manager Pro\AnVir.exe" [2008-11-14 2743008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"HostManager"="c:\program files\Common Files\AOL\1252539966\ee\AOLSoftware.exe" [2008-06-24 41824]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-14 149280]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1252539966\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys --> c:\windows\system32\Drivers\COH_Mon.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 idrmkl;idrmkl;\??\c:\docume~1\SARASD~1\LOCALS~1\Temp\idrmkl.sys --> c:\docume~1\SARASD~1\LOCALS~1\Temp\idrmkl.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/3/2010 11:39 AM 38224]
S3 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/19/2008 4:12 AM 24652]
.
Contents of the 'Scheduled Tasks' folder

2010-01-03 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2001-08-23 00:12]

2010-01-04 c:\windows\Tasks\Windows Media Player.job
- c:\progra~1\WINDOW~3\wmplayer.exe [2007-04-28 03:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
FF - ProfilePath - c:\documents and settings\Sarasdfghjkl\Application Data\Mozilla\Firefox\Profiles\eazq3r35.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CL-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CL-ab-en-us&query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-DreamSuite - c:\windows\unvise32.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-03 21:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1664)
c:\windows\system32\WININET.dll
c:\program files\AnVir Task Manager Pro\AnvirHook54.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\system32\ZuneBusEnum.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\SOUNDMAN.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-03 21:25:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-04 03:25

Pre-Run: 42,608,103,424 bytes free
Post-Run: 43,507,654,656 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 01F328B09B996F639C054468A7F2C67F



#6
January 3, 2010 at 19:43:53
If I do CTRL ALT DEL it shows this program running now.

Mc_Agent Main Hidden Window



#7
January 3, 2010 at 19:45:23
Please disregard this. I accidentally was reading other issues and thought I was in mine.

Sorry



#8
January 3, 2010 at 20:06:41
If your computer is operating properly now go to add/remove programs and uninstall this program:


Ask Toolbar (known to harbor spyware)

You need to download Norton's removal tool and run it as you have some remnants of it on your system. Just do a Google search for "Norton's removal tool" and follow the directions.

A little clean-up to do.

Delete RSIT from your desktop

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point"> next> name it today's date> create > click home > exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools, you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.


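As an added example (not code from this thread, from ComboFix, or from any tool named in it): a small Python triage script that parses the service/driver lines and the firewall GloballyOpenPorts list from a ComboFix-style log excerpt like the one posted above, and flags what the reply above acted on: a driver registered from a user Temp directory, leftover Symantec/Norton components, and globally open ports such as TCP 135. The log excerpt is constructed in the same layout as the posted log, USER~1 is a placeholder directory name, and the reading of the `[?]` field as "file could not be read" is an assumption.

```python
import re

# Constructed excerpt laid out like the log posted in this thread; USER~1 is a placeholder.
SAMPLE_LOG = r"""[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 idrmkl;idrmkl;\??\c:\docume~1\USER~1\LOCALS~1\Temp\idrmkl.sys --> c:\docume~1\USER~1\LOCALS~1\Temp\idrmkl.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/3/2010 11:39 AM 38224]
"""

# "S3 name;display;path [date size]", with an optional " --> resolved path" before the bracket.
SERVICE_RE = re.compile(r'^[RS]\d\s+([^;]+);[^;]*;(.*?)(?:\s+-->\s+.*?)?\s+\[([^\]]*)\]$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')
# Path fragments an ordinary user can write to; no legitimate kernel driver belongs there.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")

def parse_services(text):
    # One dict per service/driver line: name, path (without the \??\ prefix) and stat field.
    found = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            found.append({"name": m.group(1), "path": m.group(2).lstrip("\\?"), "stat": m.group(3)})
    return found

def parse_open_ports(text):
    # (port, proto) tuples listed under the firewall GloballyOpenPorts key.
    ports, in_section = [], False
    for line in text.splitlines():
        if line.startswith("["):
            in_section = "GloballyOpenPorts" in line
        elif in_section and (m := PORT_RE.match(line.strip())):
            ports.append((int(m.group(1)), m.group(2)))
    return ports

def triage(text):
    # Findings a helper would act on, as plain strings.
    findings = []
    for svc in parse_services(text):
        low = svc["path"].lower()
        if any(frag in low for frag in USER_WRITABLE):
            findings.append(f"driver {svc['name']} registered from user-writable path {svc['path']}")
        if svc["stat"] == "?":  # assumption: [?] means ComboFix could not read the file's date/size
            findings.append(f"service {svc['name']} points at a file with no metadata (likely gone)")
        if "symantec" in low:
            findings.append(f"leftover Symantec/Norton component {svc['name']}: run the vendor removal tool")
    if (135, "TCP") in parse_open_ports(text):
        findings.append("TCP 135 (RPC endpoint mapper) is globally open in the firewall policy")
    return findings
```

Run `triage(open("ComboFix.txt").read())` against a real log to get the same three kinds of findings the reply above drew from the posted one.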

#9
January 4, 2010 at 19:10:06
Thanks a load, I appreciate your help to the fullest extent!


#10
January 5, 2010 at 17:29:21
Glad we could help.
