PDA

View Full Version : Antivirus Pro malware program on my computer



Bessie Mae
2009-12-02, 00:43
I got the antivirus pro program and it told me everything was infected including my Malware Bytes program. I downloaded rkill to try to get it to work and did two system restores and set the computer back to about a week ago. The antivirus pro program hasn't come back, but my Firefox browser has been opening up an extra tab randomly, usually to a link for a website for Direct TV| American Satellite, but also other pages. And, sometimes a new window with five tabs open and one of the URL's is www.sorry,.com My Malware Bytes keeps saying I have no infections.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:58 PM, on 12/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Angela1\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {fe131bd1-a6bc-4b37-9370-5c75330e77a8} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [tofiwanaru] Rundll32.exe "C:\WINNT\system32\higubihu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [tofiwanaru] Rundll32.exe "C:\WINNT\system32\higubihu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://games.bigfishgames.com/en_mystery-pi-the-lottery-ticket/online/SpinTopGamesLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://games.bigfishgames.com/en_cinematycoon/online/cinematycoon.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: lpxtbj.dll C:\WINNT\system32\yogakomu.dll c:\winnt\system32\gifekuwe.dll
O23 - Service: McAfee Application Installer Cleanup (0192451258615751) (0192451258615751mcinstcleanup) - Unknown owner - C:\WINNT\TEMP\019245~1.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

--
End of file - 6196 bytes

Blade81
2009-12-04, 12:30
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.


Download GMER (http://www.gmer.net) here by clicking download exe -button and then saving it your desktop:
Double-click .exe that you downloaded
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply.

Bessie Mae
2009-12-07, 17:00
DDS (Ver_09-12-01.01) - NTFSx86
Run by Angela1 at 17:44:42.90 on Sun 12/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.67 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Angela1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fe131bd1-a6bc-4b37-9370-5c75330e77a8} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://games.bigfishgames.com/en_mystery-pi-the-lottery-ticket/online/SpinTopGamesLauncher.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://games.bigfishgames.com/en_cinematycoon/online/cinematycoon.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: lpxtbj.dll c:\winnt\system32\yogakomu.dll c:\winnt\system32\gifekuwe.dll
LSA: Notification Packages = scecli c:\winnt\system32\yogakomu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\angela1\applic~1\mozilla\firefox\profiles\6amng4v6.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\angela1\application data\mozilla\firefox\profiles\6amng4v6.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\winnt\system32\drivers\mfehidk.sys [2009-2-12 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-17 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-12 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-12 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-12 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\winnt\system32\drivers\mfeavfk.sys [2009-2-12 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\winnt\system32\drivers\mfebopk.sys [2009-2-12 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\winnt\system32\drivers\mferkdk.sys [2009-2-12 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\winnt\system32\drivers\mfesmfk.sys [2009-2-12 40552]
S2 0233611259720791mcinstcleanup;McAfee Application Installer Cleanup (0233611259720791);c:\winnt\temp\023361~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\winnt\temp\023361~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2009-2-11 49392]
S3 viafilter;VIA USB Filter;c:\winnt\system32\drivers\viausb.sys [2009-2-11 9038]

=============== Created Last 30 ================

2009-11-29 09:40:10 0 d-----w- c:\winnt\system32\wbem\Repository

==================== Find3M ====================

2009-11-29 12:35:40 95360 ----a-w- c:\winnt\system32\drivers\atapi.sys
2009-10-14 22:11:59 23192 ----a-w- c:\winnt\system32\emptyregdb.dat
2009-09-25 05:56:36 662016 ----a-w- c:\winnt\system32\wininet.dll
2009-09-25 05:56:32 81920 ----a-w- c:\winnt\system32\ieencode.dll
2009-09-11 14:33:52 133632 ----a-w- c:\winnt\system32\msv1_0.dll
2009-02-12 04:35:33 271 --sh--w- c:\program files\desktop.ini
2009-02-12 04:35:33 21952 ---ha-w- c:\program files\folder.htt

============= FINISH: 17:47:19.19 ===============

Blade81
2009-12-07, 18:11
Hi,

Do you have GMER log available too? :)

Bessie Mae
2009-12-10, 20:13
I have to split the log into two posts.

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-06 19:40:07
Windows 5.1.2600 Service Pack 2
Running: x2bm4wh8.exe; Driver: C:\DOCUME~1\Angela1\LOCALS~1\Temp\pwtdrpow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF0D4578A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF0D45821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF0D45738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF0D4574C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF0D45835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF0D45861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF0D458CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF0D458B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF0D457CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF0D458FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF0D4580D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF0D45710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF0D45724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF0D4579E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF0D45937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF0D458A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF0D4588D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF0D4584B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF0D45923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF0D4590F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF0D45776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF0D45762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF0D45877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF0D457F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF0D458E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF0D457E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF0D457B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

Bessie Mae
2009-12-10, 20:15
---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F8B8D 7 Bytes JMP F0D457B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80567D6B 5 Bytes JMP F0D45811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056B173 7 Bytes JMP F0D45891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056BDBD 5 Bytes JMP F0D45766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8056E819 5 Bytes JMP F0D45825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 8056EC29 7 Bytes JMP F0D4593B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF20 7 Bytes JMP F0D458D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056FC68 5 Bytes JMP F0D4578E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80571F61 5 Bytes JMP F0D457E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 805723DC 7 Bytes JMP F0D457CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80572D76 5 Bytes JMP F0D45714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80573125 7 Bytes JMP F0D457A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80573CFD 7 Bytes JMP F0D4587B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 8057FBF4 7 Bytes JMP F0D458BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581EFE 7 Bytes JMP F0D45750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805847BC 5 Bytes JMP F0D457FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058C882 5 Bytes JMP F0D45728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 80590E92 5 Bytes JMP F0D458FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80593B28 7 Bytes JMP F0D45865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805951B2 7 Bytes JMP F0D45839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0B24 5 Bytes JMP F0D4573C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062C4EB 5 Bytes JMP F0D4577A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064C122 5 Bytes JMP F0D45913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064C3F7 7 Bytes JMP F0D458E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064CCC4 7 Bytes JMP F0D458A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064D109 7 Bytes JMP F0D4584F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064D5FE 5 Bytes JMP F0D45927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Blade81
2009-12-10, 22:27
Hi,

Looks like whole log didn't get posted. Could you archive it into a zip file and attach to your reply, please? :)

Bessie Mae
2009-12-10, 22:53
Okay, it should be attached now.

Blade81
2009-12-10, 23:13
Hi again,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Bessie Mae
2009-12-16, 01:35
I got a message saying ComboFix isn't available for download.

Blade81
2009-12-16, 07:59
Hi,

Let's replace instructions in my previous post with this:



Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Copy-paste following contents into custom scan -area:
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
/md5stop
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Bessie Mae
2009-12-20, 08:40
OTL logfile created on: 12/20/2009 12:24:54 AM - Run 1
OTL by OldTimer - Version 3.1.18.0 Folder = C:\Documents and Settings\Angela1\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.36 Mb Total Physical Memory | 108.86 Mb Available Physical Memory | 24.33% Memory free
1.03 Gb Paging File | 0.49 Gb Available in Paging File | 47.39% Paging File free
Paging file location(s): c:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.56 Gb Total Space | 65.53 Gb Free Space | 87.89% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANGELA
Current User Name: Angela1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Angela1\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - C:\WINNT\explorer.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Angela1\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (0262791261146564mcinstcleanup) McAfee Application Installer Cleanup (0262791261146564) -- C:\WINNT\Temp\0262791261146564mcinst.exe (McAfee, Inc.)
SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McNASvc) -- c:\program files\common files\mcafee\mna\mcnasvc.exe (McAfee, Inc.)
SRV - (NVSvc) -- C:\WINNT\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (UtilMan) -- C:\WINNT\system32\utilman.exe (Microsoft Corporation)
SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINNT\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINNT\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\WINNT\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINNT\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\WINNT\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (MPFP) -- C:\WINNT\system32\drivers\Mpfp.sys (McAfee, Inc.)
DRV - (nv) -- C:\WINNT\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (NTIDrvr) -- C:\WINNT\system32\drivers\NTIDrvr.sys (NewTech Infosystems, Inc.)
DRV - (cmuda) -- C:\WINNT\system32\drivers\cmuda.sys (C-Media Inc)
DRV - (Secdrv) -- C:\WINNT\system32\drivers\secdrv.sys ()
DRV - (Ptilink) -- C:\WINNT\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (UBHelper) -- C:\WINNT\system32\drivers\UBHelper.sys ()
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINNT\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (WUSB54GPV4SRV) -- C:\WINNT\system32\drivers\rt2500usb.sys (Ralink Technology Inc.)
DRV - (SISNIC) -- C:\WINNT\system32\drivers\sisnic.sys (SiS Corporation)
DRV - (viafilter) -- C:\WINNT\System32\Drivers\viausb.sys (VIA Technologies, Inc.)
DRV - (usbhub20) -- C:\WINNT\system32\drivers\usbhub20.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071303000006


FF - HKLM\software\mozilla\Firefox\Extensions\\{1650a312-02bc-40ee-977e-83f158701739}: C:\Program Files\SiteAdvisor\FF1 [2009/02/12 18:01:09 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/12/18 08:29:15 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/16 15:09:04 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/16 15:09:04 | 00,000,000 | ---D | M]

[2009/02/12 18:49:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Extensions
[2009/12/18 23:07:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\extensions
[2009/05/18 02:34:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\extensions\moveplayer@movenetworks.com
[2009/02/12 19:44:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\bookmarkbackups\dyifofxg.default\extensions
[2009/02/12 19:44:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\bookmarkbackups\dyifofxg.default\extensions\moveplayer@movenetworks.com
[2009/02/12 19:40:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\dyifofxg.default\extensions
[2009/02/12 19:40:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\dyifofxg.default\extensions\moveplayer@movenetworks.com
[2009/02/15 13:51:14 | 00,000,413 | ---- | M] () -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\searchplugins\angela.xml
[2009/12/18 23:07:27 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/02/25 13:58:26 | 00,221,184 | ---- | M] (CNN) -- C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll

O1 HOSTS File: (848 bytes) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {fe131bd1-a6bc-4b37-9370-5c75330e77a8} - No CLSID value found.
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Cmaudio] File not found
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINNT\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINNT\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINNT\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINNT\System32\mobsync.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll (CSEQueryObject Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} http://games.bigfishgames.com/en_mystery-pi-the-lottery-ticket/online/SpinTopGamesLauncher.cab (SpinTop Games Launcher)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} http://games.bigfishgames.com/en_cinematycoon/online/cinematycoon.cab (TikGames Online Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O20 - AppInit_DLLs: (lpxtbj.dll) - File not found
O20 - AppInit_DLLs: (C:\WINNT\system32\yogakomu.dll) - C:\WINNT\System32\yogakomu.dll File not found
O20 - AppInit_DLLs: (c:\winnt\system32\gifekuwe.dll) - C:\WINNT\System32\gifekuwe.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINNT\system32\sdra64.exe) - C:\WINNT\System32\sdra64.exe File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/12 18:23:33 | 00,000,050 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/18 20:54:45 | 00,564,736 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Angela1\Desktop\OTL.exe
[2009/12/18 08:28:55 | 00,000,000 | ---D | C] -- C:\WINNT\LastGood
[2009/12/13 18:22:54 | 00,000,000 | -HSD | C] -- C:\WINNT\System32\lowsec
[2009/12/06 19:39:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2009/12/01 16:28:25 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Angela1\Desktop\HijackThis.exe
[2009/12/01 01:50:17 | 00,000,000 | ---D | C] -- C:\WINNT\ERDNT
[2009/12/01 01:48:23 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/12/01 01:45:59 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Angela1\Desktop\erunt-setup.exe
[2009/11/29 03:38:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/04/28 06:49:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/02/12 19:03:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/02/12 19:02:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/02/12 18:57:41 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/02/12 18:57:41 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[9 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/18 20:54:46 | 00,564,736 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Angela1\Desktop\OTL.exe
[2009/12/18 05:30:54 | 00,095,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\atapi.sys
[2009/12/18 04:33:56 | 00,012,567 | ---- | M] () -- C:\WINNT\System32\Config.MPF
[2009/12/18 04:32:55 | 00,013,722 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2009/12/18 04:32:55 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2009/12/18 04:32:52 | 00,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2009/12/17 10:16:40 | 00,000,664 | ---- | M] () -- C:\WINNT\System32\d3d9caps.dat
[2009/12/17 10:14:11 | 02,097,152 | ---- | M] () -- C:\Documents and Settings\Angela1\ntuser.dat
[2009/12/15 17:25:30 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\ComboFix.exe
[2009/12/15 07:49:03 | 00,000,284 | ---- | M] () -- C:\WINNT\tasks\AppleSoftwareUpdate.job
[2009/12/15 01:00:11 | 00,000,264 | ---- | M] () -- C:\WINNT\tasks\McDefragTask.job
[2009/12/14 08:02:25 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Angela1\ntuser.ini
[2009/12/14 08:01:55 | 03,767,670 | -H-- | M] () -- C:\Documents and Settings\Angela1\Local Settings\Application Data\IconCache.db
[2009/12/10 14:51:38 | 00,007,620 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\gmer.zip
[2009/12/09 05:25:40 | 00,363,760 | ---- | M] () -- C:\WINNT\System32\PerfStringBackup.INI
[2009/12/09 05:25:40 | 00,317,330 | ---- | M] () -- C:\WINNT\System32\perfh009.dat
[2009/12/09 05:25:40 | 00,042,122 | ---- | M] () -- C:\WINNT\System32\perfc009.dat
[2009/12/09 03:05:30 | 00,001,374 | ---- | M] () -- C:\WINNT\imsins.BAK
[2009/12/06 18:01:22 | 00,292,352 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\x2bm4wh8.exe
[2009/12/06 12:11:25 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\dds.scr
[2009/12/01 16:28:26 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Angela1\Desktop\HijackThis.exe
[2009/12/01 01:48:27 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\NTREGOPT.lnk
[2009/12/01 01:48:27 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\ERUNT.lnk
[2009/12/01 01:46:12 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Angela1\Desktop\erunt-setup.exe
[2009/12/01 01:00:32 | 00,000,360 | ---- | M] () -- C:\WINNT\tasks\McQcTask.job
[2009/11/30 20:58:37 | 00,236,544 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\pev.exe
[2009/11/28 03:59:45 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\rkill(2).com
[2009/11/22 01:55:44 | 00,100,864 | ---- | M] () -- C:\Documents and Settings\Angela1\My Documents\Nanowrimo - Ninja Bunnies.doc
[2009/11/22 00:19:37 | 00,002,493 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\Microsoft Office Word 2003.lnk
[2009/11/20 21:53:51 | 00,028,672 | ---- | M] () -- C:\Documents and Settings\Angela1\My Documents\Resume Wizard.doc
[9 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 00,011,168 | -H-- | C] () -- C:\WINNT\System32\fiwogidu
[2009/12/15 17:25:29 | 00,026,112 | ---- | C] () -- C:\Documents and Settings\Angela1\Desktop\ComboFix.exe
[2009/12/10 14:51:38 | 00,007,620 | ---- | C] () -- C:\Documents and Settings\Angela1\Desktop\gmer.zip
[2009/12/06 18:01:21 | 00,292,352 | ---- | C] () -- C:\Documents and Settings\Angela1\Desktop\x2bm4wh8.exe
[2009/12/06 12:11:24 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Angela1\Desktop\dds.scr
[2009/12/01 01:48:27 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Angela1\Desktop\NTREGOPT.lnk
[2009/12/01 01:48:27 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Angela1\Desktop\ERUNT.lnk
[2009/11/30 20:58:37 | 00,236,544 | ---- | C] () -- C:\Documents and Settings\Angela1\Desktop\pev.exe
[2009/11/28 03:59:42 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\Angela1\Desktop\rkill(2).com
[2009/11/22 20:06:46 | 02,097,152 | ---- | C] () -- C:\Documents and Settings\Angela1\ntuser.dat
[2009/11/20 21:53:50 | 00,028,672 | ---- | C] () -- C:\Documents and Settings\Angela1\My Documents\Resume Wizard.doc
[2009/02/21 23:17:05 | 00,004,608 | ---- | C] () -- C:\Documents and Settings\Angela1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/17 16:38:49 | 01,724,416 | ---- | C] () -- C:\WINNT\System32\nvwdmcpl.dll
[2009/02/17 16:38:49 | 01,101,824 | ---- | C] () -- C:\WINNT\System32\nvwimg.dll
[2009/02/17 16:38:46 | 00,466,944 | ---- | C] () -- C:\WINNT\System32\nvshell.dll
[2009/02/17 16:38:40 | 01,507,328 | ---- | C] () -- C:\WINNT\System32\nview.dll
[2009/02/12 18:52:31 | 00,001,793 | ---- | C] () -- C:\WINNT\System32\fxsperf.ini
[2009/02/12 18:24:49 | 00,001,024 | RH-- | C] () -- C:\WINNT\System32\NTIDBD32.dll
[2009/02/12 18:24:09 | 00,001,024 | RH-- | C] () -- C:\WINNT\System32\NTIBUN4.dll
[2009/02/12 18:22:31 | 00,001,024 | RH-- | C] () -- C:\WINNT\System32\NTIMPEG2.dll
[2009/02/12 18:22:31 | 00,001,024 | RH-- | C] () -- C:\WINNT\System32\NTIFCD3.dll
[2009/02/12 18:22:31 | 00,001,024 | RH-- | C] () -- C:\WINNT\System32\NTICDMK7.dll
[2009/02/12 18:15:59 | 00,010,240 | ---- | C] () -- C:\WINNT\System32\vidx16.dll
[2009/02/12 18:11:46 | 00,000,626 | ---- | C] () -- C:\WINNT\ODBC.INI
[2009/02/12 17:33:52 | 00,000,271 | ---- | C] () -- C:\WINNT\Ulead32.ini
[2009/02/12 17:19:33 | 00,000,164 | ---- | C] () -- C:\WINNT\avrack.ini
[2009/02/12 17:19:28 | 00,156,672 | ---- | C] () -- C:\WINNT\System32\RtlCPAPI.dll
[2009/02/11 22:35:33 | 00,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
[2008/10/07 08:13:30 | 00,197,912 | ---- | C] () -- C:\WINNT\System32\physxcudart_20.dll
[2008/10/07 08:13:22 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelSwedish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelSpanish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelPortugese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelKorean.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelJapanese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelGerman.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelFrench.dll
[2006/02/28 06:00:00 | 00,027,440 | ---- | C] () -- C:\WINNT\System32\drivers\secdrv.sys
[2004/12/17 19:14:44 | 00,013,952 | ---- | C] () -- C:\WINNT\System32\drivers\UBHelper.sys
[2003/02/19 03:26:28 | 00,028,672 | ---- | C] () -- C:\WINNT\System32\cmirmdrv.dll
[2003/01/07 17:05:08 | 00,002,695 | ---- | C] () -- C:\WINNT\System32\OUTLPERF.INI
[2001/12/26 18:12:30 | 00,065,536 | R--- | C] () -- C:\WINNT\System32\multiplex_vcd.dll
[2001/09/04 01:46:38 | 00,110,592 | R--- | C] () -- C:\WINNT\System32\Hmpg12.dll
[2001/07/30 18:33:56 | 00,118,784 | R--- | C] () -- C:\WINNT\System32\HMPV2_ENC.dll
[2001/07/24 00:04:36 | 00,118,784 | R--- | C] () -- C:\WINNT\System32\HMPV2_ENC_MMX.dll
[1999/12/06 22:00:00 | 00,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[1999/09/25 04:36:24 | 00,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 04:36:22 | 00,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys

========== Custom Scans ==========



< MD5 for: AGP440.SYS >
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINNT\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINNT\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\agp440.sys
[2006/02/28 06:00:00 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINNT\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINNT\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINNT\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\atapi.sys
[2009/12/18 05:30:54 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINNT\system32\dllcache\atapi.sys
[2009/12/18 05:30:54 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINNT\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINNT\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINNT\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\eventlog.dll
[2006/02/28 06:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINNT\system32\dllcache\eventlog.dll
[2006/02/28 06:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINNT\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINNT\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINNT\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\netlogon.dll
[2009/02/06 12:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINNT\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 12:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINNT\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2009/02/06 12:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINNT\SoftwareDistribution\Download\fbdd9f75315c1cf9ff63f37aaca267d3\sp2qfe\netlogon.dll
[2006/02/28 06:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINNT\system32\dllcache\netlogon.dll
[2006/02/28 06:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINNT\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2006/02/28 06:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINNT\system32\dllcache\scecli.dll
[2006/02/28 06:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINNT\system32\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINNT\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINNT\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\scecli.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5A437AC3
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:102394C6
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B4980368
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F1175E1D
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1713795
< End of report >

Bessie Mae
2009-12-20, 08:42
OTL Extras logfile created on: 12/20/2009 12:24:54 AM - Run 1
OTL by OldTimer - Version 3.1.18.0 Folder = C:\Documents and Settings\Angela1\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.36 Mb Total Physical Memory | 108.86 Mb Available Physical Memory | 24.33% Memory free
1.03 Gb Paging File | 0.49 Gb Available in Paging File | 47.39% Paging File free
Paging file location(s): c:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.56 Gb Total Space | 65.53 Gb Free Space | 87.89% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANGELA
Current User Name: Angela1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- %1
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:firefox -- (Mozilla Corporation)
"C:\WINNT\explorer.exe" = C:\WINNT\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI DVD-Maker
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 15
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{8FDD2A92-9F75-4706-B8C2-08499A9863E6}" = NTI DriveBackup! 3 Trial
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{DD1865F0-AD73-40FB-B23E-1822E02396FF}" = NVIDIA PhysX
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Aplus DVD Copy_is1" = Aplus DVD Copy 4.0
"BFGC" = Big Fish Games Client
"C-Media Audio Driver" = C-Media WDM Audio Driver
"DVD Shrink_is1" = DVD Shrink 3.2
"ERUNT_is1" = ERUNT 1.1j
"HijackThis" = HijackThis 2.0.2
"InstallShield_{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI DVD-Maker
"InstallShield_{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"InstallShield_{8FDD2A92-9F75-4706-B8C2-08499A9863E6}" = NTI DriveBackup! 3 Trial
"iPhoto Plus 4" = iPhoto Plus 4
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaShow" = Medi@Show
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)
"MSC" = McAfee SecurityCenter
"NVIDIA Drivers" = NVIDIA Drivers
"SiSLan" = SiS 900 PCI Fast Ethernet Adapter Driver
"VLC media player" = VideoLAN VLC media player 0.8.6d
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/7/2009 12:27:22 PM | Computer Name = ANGELA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 9/7/2009 12:27:22 PM | Computer Name = ANGELA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 9/23/2009 3:44:15 AM | Computer Name = ANGELA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module unknown, version 0.0.0.0, fault address 0x00db6bbc.

Error - 9/24/2009 1:05:32 AM | Computer Name = ANGELA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3523, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 9/26/2009 3:54:54 AM | Computer Name = ANGELA | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/27/2009 5:36:44 PM | Computer Name = ANGELA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3523, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 9/27/2009 6:52:27 PM | Computer Name = ANGELA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3523, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/5/2009 6:48:02 PM | Computer Name = ANGELA | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/9/2009 8:36:16 PM | Computer Name = ANGELA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 10/9/2009 8:36:16 PM | Computer Name = ANGELA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 12/13/2009 8:25:31 PM | Computer Name = ANGELA | Source = DCOM | ID = 10010
Description = The server {76DEF3AC-2910-4234-9EE2-C81B2D45833A} did not register
with DCOM within the required timeout.

Error - 12/14/2009 10:04:32 AM | Computer Name = ANGELA | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/14/2009 10:04:32 AM | Computer Name = ANGELA | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/14/2009 8:00:59 PM | Computer Name = ANGELA | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/14/2009 8:00:59 PM | Computer Name = ANGELA | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/14/2009 9:31:28 PM | Computer Name = ANGELA | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/14/2009 9:31:28 PM | Computer Name = ANGELA | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/17/2009 12:21:14 PM | Computer Name = ANGELA | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 12/18/2009 6:33:11 AM | Computer Name = ANGELA | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/18/2009 6:33:11 AM | Computer Name = ANGELA | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >

Blade81
2009-12-20, 12:16
Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New OTL.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Bessie Mae
2009-12-24, 21:59
It only gave me the Combofix log. Do I run the OTL program again and paste the new report? Here's the Combofix log.

ComboFix 09-12-24.02 - Angela1 12/24/2009 13:37:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.218 [GMT -6:00]
Running from: c:\documents and settings\Angela1\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\EventSystem.log
c:\winnt\system32\lowsec
c:\winnt\system32\lowsec\local.ds
c:\winnt\system32\lowsec\user.ds
c:\winnt\system32\lowsec\user.ds.lll
c:\winnt\Temp\0262791261146564mcinst.exe
c:\winnt\Web\default.htt

Infected copy of c:\winnt\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SKYNETkxqfnyxk
-------\Service_IAS
-------\Service_SKYNETkxqfnyxk


((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.

2009-12-10 15:48 . 2009-12-10 15:48 -------- d-s---w- c:\winnt\system32\config\systemprofile\UserData
2009-12-07 01:39 . 2009-12-07 01:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2009-12-01 07:48 . 2009-12-01 07:49 -------- d-----w- c:\program files\ERUNT
2009-11-29 09:40 . 2009-11-29 09:40 -------- d-----w- c:\winnt\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 19:31 . 2009-02-12 23:59 -------- d-----w- c:\program files\McAfee
2009-12-23 01:59 . 2009-02-22 00:32 664 ----a-w- c:\winnt\system32\d3d9caps.dat
2009-12-18 11:30 . 2006-02-28 12:00 95360 -c--a-w- c:\winnt\system32\drivers\atapi.sys
2009-12-18 11:30 . 2006-02-28 12:00 95360 -c--a-w- c:\winnt\system32\drivers\atapi.svs
2009-12-02 02:26 . 2009-02-12 23:59 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-29 09:38 . 2009-02-17 18:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-10-29 05:48 . 2006-02-28 12:00 662016 ----a-w- c:\winnt\system32\wininet.dll
2009-10-21 06:00 . 2006-02-28 12:00 75776 ----a-w- c:\winnt\system32\strmfilt.dll
2009-10-21 06:00 . 2006-02-28 12:00 25088 ----a-w- c:\winnt\system32\httpapi.dll
2009-10-20 14:58 . 2006-02-28 12:00 263552 ----a-w- c:\winnt\system32\drivers\http.sys
2009-10-14 22:11 . 2009-02-12 04:34 23192 ----a-w- c:\winnt\system32\emptyregdb.dat
2009-10-13 10:53 . 2006-02-28 12:00 266752 ----a-w- c:\winnt\system32\oakley.dll
2009-10-12 13:54 . 2006-02-28 12:00 69632 ----a-w- c:\winnt\system32\raschap.dll
2009-10-12 13:54 . 2006-02-28 12:00 112128 ----a-w- c:\winnt\system32\rastls.dll
2009-02-12 04:35 . 2009-02-12 04:35 21952 ---ha-w- c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2006-02-28 143360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2009-02-17 13680640]
"nwiz"="nwiz.exe" [2009-02-17 1657376]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2009-02-17 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 214528]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2006-02-28 44544]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\system32\\taskmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/17/2009 12:11 AM 93320]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2/11/2009 10:44 PM 49392]
S3 viafilter;VIA USB Filter;c:\winnt\system32\drivers\viausb.sys [2/11/2009 10:47 PM 9038]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://games.bigfishgames.com/en_mystery-pi-the-lottery-ticket/online/SpinTopGamesLauncher.cab
FF - ProfilePath - c:\documents and settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

BHO-{fe131bd1-a6bc-4b37-9370-5c75330e77a8} - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
SafeBoot-sglfb.sys
SafeBoot-tga.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-24 13:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\winnt\system32\wscntfy.exe
c:\winnt\system32\RunDll32.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-12-24 13:49:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-24 19:49

Pre-Run: 70,075,387,904 bytes free
Post-Run: 70,084,853,760 bytes free

- - End Of File - - EA37F63CF0C56CCBCDFE34538817C94C

Blade81
2009-12-25, 11:26
Yes, run OTL again to get a fresh log :)

Bessie Mae
2009-12-28, 21:27
OTL logfile created on: 12/28/2009 1:14:55 PM - Run 2
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Angela1\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.00 Mb Total Physical Memory | 139.00 Mb Available Physical Memory | 31.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): c:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.56 Gb Total Space | 65.11 Gb Free Space | 87.33% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANGELA
Current User Name: Angela1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Angela1\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - C:\WINNT\explorer.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Angela1\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McNASvc) -- c:\program files\common files\mcafee\mna\mcnasvc.exe (McAfee, Inc.)
SRV - (NVSvc) -- C:\WINNT\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (UtilMan) -- C:\WINNT\system32\utilman.exe (Microsoft Corporation)
SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- File not found
DRV - (mfehidk) -- C:\WINNT\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINNT\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\WINNT\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINNT\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\WINNT\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (MPFP) -- C:\WINNT\system32\drivers\Mpfp.sys (McAfee, Inc.)
DRV - (nv) -- C:\WINNT\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (NTIDrvr) -- C:\WINNT\system32\drivers\NTIDrvr.sys (NewTech Infosystems, Inc.)
DRV - (cmuda) -- C:\WINNT\system32\drivers\cmuda.sys (C-Media Inc)
DRV - (Secdrv) -- C:\WINNT\system32\drivers\secdrv.sys ()
DRV - (Ptilink) -- C:\WINNT\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (UBHelper) -- C:\WINNT\system32\drivers\UBHelper.sys ()
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINNT\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (WUSB54GPV4SRV) -- C:\WINNT\system32\drivers\rt2500usb.sys (Ralink Technology Inc.)
DRV - (SISNIC) -- C:\WINNT\system32\drivers\sisnic.sys (SiS Corporation)
DRV - (viafilter) -- C:\WINNT\System32\Drivers\viausb.sys (VIA Technologies, Inc.)
DRV - (usbhub20) -- C:\WINNT\system32\drivers\usbhub20.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071303000006


FF - HKLM\software\mozilla\Firefox\Extensions\\{1650a312-02bc-40ee-977e-83f158701739}: C:\Program Files\SiteAdvisor\FF1 [2009/02/12 18:01:09 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/12/25 13:53:10 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/21 02:57:27 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/16 15:09:04 | 00,000,000 | ---D | M]

[2009/02/12 18:49:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Extensions
[2009/12/27 20:57:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\extensions
[2009/05/18 02:34:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\extensions\moveplayer@movenetworks.com
[2009/02/12 19:44:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\bookmarkbackups\dyifofxg.default\extensions
[2009/02/12 19:44:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\bookmarkbackups\dyifofxg.default\extensions\moveplayer@movenetworks.com
[2009/02/12 19:40:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\dyifofxg.default\extensions
[2009/02/12 19:40:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\dyifofxg.default\extensions\moveplayer@movenetworks.com
[2009/02/15 13:51:14 | 00,000,413 | ---- | M] () -- C:\Documents and Settings\Angela1\Application Data\Mozilla\Firefox\Profiles\6amng4v6.default\searchplugins\angela.xml
[2009/12/27 20:57:41 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/02/25 13:58:26 | 00,221,184 | ---- | M] (CNN) -- C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll

O1 HOSTS File: (27 bytes) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINNT\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINNT\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINNT\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINNT\System32\mobsync.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll (CSEQueryObject Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} http://games.bigfishgames.com/en_mystery-pi-the-lottery-ticket/online/SpinTopGamesLauncher.cab (SpinTop Games Launcher)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} http://games.bigfishgames.com/en_cinematycoon/online/cinematycoon.cab (TikGames Online Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/12 18:23:33 | 00,000,050 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/28 13:01:06 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Angela1\Desktop\OTL.exe
[2009/12/24 14:00:46 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/12/24 13:26:39 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/12/24 13:17:45 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINNT\SWXCACLS.exe
[2009/12/24 13:17:45 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINNT\SWREG.exe
[2009/12/24 13:17:45 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINNT\SWSC.exe
[2009/12/24 13:17:45 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINNT\NIRCMD.exe
[2009/12/24 13:16:01 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/12/06 19:39:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2009/12/01 16:28:25 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Angela1\Desktop\HijackThis.exe
[2009/12/01 01:50:17 | 00,000,000 | ---D | C] -- C:\WINNT\ERDNT
[2009/12/01 01:48:23 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/12/01 01:45:59 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Angela1\Desktop\erunt-setup.exe
[2009/11/29 03:38:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/04/28 06:49:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/02/12 19:03:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/02/12 19:02:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/02/12 18:57:41 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/02/12 18:57:41 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[9 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/28 13:01:11 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Angela1\Desktop\OTL.exe
[2009/12/25 18:09:14 | 00,000,664 | ---- | M] () -- C:\WINNT\System32\d3d9caps.dat
[2009/12/24 20:43:40 | 00,002,493 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\Microsoft Office Word 2003.lnk
[2009/12/24 14:00:48 | 02,097,152 | ---- | M] () -- C:\Documents and Settings\Angela1\ntuser.dat
[2009/12/24 13:45:57 | 00,012,947 | ---- | M] () -- C:\WINNT\System32\Config.MPF
[2009/12/24 13:45:30 | 00,000,227 | ---- | M] () -- C:\WINNT\system.ini
[2009/12/24 13:45:21 | 00,000,027 | ---- | M] () -- C:\WINNT\System32\drivers\etc\hosts
[2009/12/24 13:44:51 | 00,013,722 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2009/12/24 13:44:51 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2009/12/24 13:44:49 | 00,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2009/12/24 13:43:09 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Angela1\ntuser.ini
[2009/12/24 13:26:56 | 00,000,277 | RHS- | M] () -- C:\boot.ini
[2009/12/22 07:49:09 | 00,000,284 | ---- | M] () -- C:\WINNT\tasks\AppleSoftwareUpdate.job
[2009/12/21 21:49:24 | 00,019,968 | ---- | M] () -- C:\Documents and Settings\Angela1\My Documents\Reverend Talavera.doc
[2009/12/21 02:59:38 | 03,768,510 | -H-- | M] () -- C:\Documents and Settings\Angela1\Local Settings\Application Data\IconCache.db
[2009/12/18 05:30:54 | 00,095,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\atapi.sys
[2009/12/18 05:30:54 | 00,095,360 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\atapi.svs
[2009/12/15 01:00:11 | 00,000,264 | ---- | M] () -- C:\WINNT\tasks\McDefragTask.job
[2009/12/10 14:51:38 | 00,007,620 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\gmer.zip
[2009/12/09 22:54:07 | 00,261,632 | ---- | M] () -- C:\WINNT\PEV.exe
[2009/12/09 05:25:40 | 00,363,760 | ---- | M] () -- C:\WINNT\System32\PerfStringBackup.INI
[2009/12/09 05:25:40 | 00,317,330 | ---- | M] () -- C:\WINNT\System32\perfh009.dat
[2009/12/09 05:25:40 | 00,042,122 | ---- | M] () -- C:\WINNT\System32\perfc009.dat
[2009/12/09 03:05:30 | 00,001,374 | ---- | M] () -- C:\WINNT\imsins.BAK
[2009/12/06 18:01:22 | 00,292,352 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\x2bm4wh8.exe
[2009/12/06 12:11:25 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\dds.scr
[2009/12/01 16:28:26 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Angela1\Desktop\HijackThis.exe
[2009/12/01 01:48:27 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\NTREGOPT.lnk
[2009/12/01 01:48:27 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\ERUNT.lnk
[2009/12/01 01:46:12 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Angela1\Desktop\erunt-setup.exe
[2009/12/01 01:00:32 | 00,000,360 | ---- | M] () -- C:\WINNT\tasks\McQcTask.job
[2009/11/30 20:58:37 | 00,236,544 | ---- | M] () -- C:\Documents and Settings\Angela1\Desktop\pev.exe
[9 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 00,011,168 | -H-- | C] () -- C:\WINNT\System32\fiwogidu
[2009/12/24 13:26:55 | 00,000,207 | ---- | C] () -- C:\Boot.bak
[2009/12/24 13:26:47 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/12/24 13:17:45 | 00,261,632 | ---- | C] () -- C:\WINNT\PEV.exe
[2009/12/24 13:17:45 | 00,098,816 | ---- | C] () -- C:\WINNT\sed.exe
[2009/12/24 13:17:45 | 00,080,412 | ---- | C] () -- C:\WINNT\grep.exe
[2009/12/24 13:17:45 | 00,077,312 | ---- | C] () -- C:\WINNT\MBR.exe
[2009/12/24 13:17:45 | 00,068,096 | ---- | C] () -- C:\WINNT\zip.exe
[2009/12/21 21:49:23 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Angela1\My Documents\Reverend Talavera.doc
[2009/12/10 14:51:38 | 00,007,620 | ---- | C] () -- C:\Documents and Settings\Angela1\Desktop\gmer.zip
[2009/12/06 18:01:21 | 00,292,352 | ---- | C] () -- C:\Documents and Settings\Angela1\Desktop\x2bm4wh8.exe
[2009/12/06 12:11:24 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Angela1\Desktop\dds.scr
[2009/12/01 01:48:27 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Angela1\Desktop\NTREGOPT.lnk
[2009/12/01 01:48:27 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Angela1\Desktop\ERUNT.lnk
[2009/11/30 20:58:37 | 00,236,544 | ---- | C] () -- C:\Documents and Settings\Angela1\Desktop\pev.exe
[2009/02/21 23:17:05 | 00,004,608 | ---- | C] () -- C:\Documents and Settings\Angela1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/17 16:38:49 | 01,724,416 | ---- | C] () -- C:\WINNT\System32\nvwdmcpl.dll
[2009/02/17 16:38:49 | 01,101,824 | ---- | C] () -- C:\WINNT\System32\nvwimg.dll
[2009/02/17 16:38:46 | 00,466,944 | ---- | C] () -- C:\WINNT\System32\nvshell.dll
[2009/02/17 16:38:40 | 01,507,328 | ---- | C] () -- C:\WINNT\System32\nview.dll
[2009/02/12 18:52:31 | 00,001,793 | ---- | C] () -- C:\WINNT\System32\fxsperf.ini
[2009/02/12 18:24:49 | 00,001,024 | RH-- | C] () -- C:\WINNT\System32\NTIDBD32.dll
[2009/02/12 18:24:09 | 00,001,024 | RH-- | C] () -- C:\WINNT\System32\NTIBUN4.dll
[2009/02/12 18:22:31 | 00,001,024 | RH-- | C] () -- C:\WINNT\System32\NTIMPEG2.dll
[2009/02/12 18:22:31 | 00,001,024 | RH-- | C] () -- C:\WINNT\System32\NTIFCD3.dll
[2009/02/12 18:22:31 | 00,001,024 | RH-- | C] () -- C:\WINNT\System32\NTICDMK7.dll
[2009/02/12 18:15:59 | 00,010,240 | ---- | C] () -- C:\WINNT\System32\vidx16.dll
[2009/02/12 18:11:46 | 00,000,626 | ---- | C] () -- C:\WINNT\ODBC.INI
[2009/02/12 17:33:52 | 00,000,271 | ---- | C] () -- C:\WINNT\Ulead32.ini
[2009/02/12 17:19:33 | 00,000,164 | ---- | C] () -- C:\WINNT\avrack.ini
[2009/02/12 17:19:28 | 00,156,672 | ---- | C] () -- C:\WINNT\System32\RtlCPAPI.dll
[2009/02/11 22:35:33 | 00,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
[2008/10/07 08:13:30 | 00,197,912 | ---- | C] () -- C:\WINNT\System32\physxcudart_20.dll
[2008/10/07 08:13:22 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelSwedish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelSpanish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelPortugese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelKorean.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelJapanese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelGerman.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINNT\System32\AgCPanelFrench.dll
[2006/02/28 06:00:00 | 00,027,440 | ---- | C] () -- C:\WINNT\System32\drivers\secdrv.sys
[2004/12/17 19:14:44 | 00,013,952 | ---- | C] () -- C:\WINNT\System32\drivers\UBHelper.sys
[2003/02/19 03:26:28 | 00,028,672 | ---- | C] () -- C:\WINNT\System32\cmirmdrv.dll
[2003/01/07 17:05:08 | 00,002,695 | ---- | C] () -- C:\WINNT\System32\OUTLPERF.INI
[2001/12/26 18:12:30 | 00,065,536 | R--- | C] () -- C:\WINNT\System32\multiplex_vcd.dll
[2001/09/04 01:46:38 | 00,110,592 | R--- | C] () -- C:\WINNT\System32\Hmpg12.dll
[2001/07/30 18:33:56 | 00,118,784 | R--- | C] () -- C:\WINNT\System32\HMPV2_ENC.dll
[2001/07/24 00:04:36 | 00,118,784 | R--- | C] () -- C:\WINNT\System32\HMPV2_ENC_MMX.dll
[1999/12/06 22:00:00 | 00,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[1999/09/25 04:36:24 | 00,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 04:36:22 | 00,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys

========== Custom Scans ==========



< MD5 for: AGP440.SYS >
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINNT\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINNT\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\agp440.sys
[2006/02/28 06:00:00 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINNT\ERDNT\cache\agp440.sys
[2006/02/28 06:00:00 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINNT\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINNT\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINNT\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\atapi.sys
[2009/12/18 05:30:54 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINNT\ERDNT\cache\atapi.sys
[2009/12/18 05:30:54 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINNT\system32\dllcache\atapi.sys
[2009/12/18 05:30:54 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINNT\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINNT\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINNT\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\eventlog.dll
[2006/02/28 06:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINNT\ERDNT\cache\eventlog.dll
[2006/02/28 06:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINNT\system32\dllcache\eventlog.dll
[2006/02/28 06:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINNT\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINNT\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINNT\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\netlogon.dll
[2009/02/06 12:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINNT\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 12:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINNT\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2009/02/06 12:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINNT\SoftwareDistribution\Download\fbdd9f75315c1cf9ff63f37aaca267d3\sp2qfe\netlogon.dll
[2006/02/28 06:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINNT\ERDNT\cache\netlogon.dll
[2006/02/28 06:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINNT\system32\dllcache\netlogon.dll
[2006/02/28 06:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINNT\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2006/02/28 06:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINNT\ERDNT\cache\scecli.dll
[2006/02/28 06:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINNT\system32\dllcache\scecli.dll
[2006/02/28 06:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINNT\system32\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINNT\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINNT\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\scecli.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5A437AC3
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:102394C6
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B4980368
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F1175E1D
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1713795
< End of report >

Blade81
2009-12-28, 22:20
Hi again,


Open notepad and copy/paste the text in the quotebox below into it:



Folder::
C:\WINNT\System32\fiwogidu



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.2) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).

Uninstall your current Macromedia shockwave player and get the fresh one here (http://get.adobe.com/shockwave/) if needed.

Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). Fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 17 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report and above mentioned ComboFix resultant log. How's the system running?

Blade81
2010-01-05, 20:53
Due to inactivity, this thread will now be closed.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.