
Vista Security Alert and Generic.dropper1F3 issues



Mike T
2011-12-26, 09:43
Hi,

The family desktop computer was hit with the Vista Security 2012 Alert while Blade and I were cleaning my laptop. Besides the security warnings and McAfee anti-virus and firewall shutting off, this computer has suffered a major slowdown, memory is being used up by something and CPU usage runs 80% or more immediately after loading up at startup (in safe mode usage is less than 10% and memory is OK).

Besides those issues, something is blocking a number of Windows applications at start-up. I ran Spybot and it found and quarantined a Generic.Dropper1F3. Malwarebytes and McAfee both took over 8 hours to perform their scan, but Malwarebytes locked up and failed to complete. I was watching the file names during the scans and noticed that the McAfee Quarantine file count is in the hundreds of thousands (more than 200,000, closer to 300,000).

The MS updates should all be current and I did update to IE 9, but have not updated to Mozilla 9 yet.

Here is the DDS log from before I shut the computer down.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by Viki at 16:28:53 on 2011-12-23
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1068 [GMT -8:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\LEXPPS.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\lxbccoms.exe
C:\Windows\system32\lxducoms.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK32.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Lexmark 5600-6600 Series\lxduMsdMon.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\connect.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111108133852.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_6.0;_en-US;_rv:1.9.1.9)_Gecko/20100315_Firefox/3.5.9_GTB7.1_(.NET_CLR_3.5.30729)" -"http://www.southparkstudios.com/games/cc/playset/playset2.html"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [lxdumon.exe] "c:\program files\lexmark 5600-6600 series\lxdumon.exe"
mRun: [lxduamon] "c:\program files\lexmark 5600-6600 series\lxduamon.exe"
mRun: [Lexmark 5600-6600 Series Fax Server] "c:\program files\lexmark 5600-6600 series\fm3032.exe" /s
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\viki\appdata\roaming\micros~1\windows\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\network usb hub control center\Connect.exe
StartupFolder: c:\users\viki\appdata\roaming\micros~1\windows\startm~1\programs\startup\connec~1.lnk - c:\program files\belkin\network usb hub control center\Connect.exe
StartupFolder: c:\users\viki\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK32.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3CDC994C-DF2B-4F5C-B570-2F186D7BA060} : DhcpNameServer = 192.168.2.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\viki\appdata\roaming\mozilla\firefox\profiles\geuuomh9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - component: c:\users\viki\appdata\roaming\mozilla\firefox\profiles\geuuomh9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\viki\appdata\roaming\mozilla\firefox\profiles\geuuomh9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-26 464176]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-4-26 64880]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-4-26 165680]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-26 57600]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [2011-8-1 45288]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-4-19 5504]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-9-22 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-26 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-26 338176]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-26 87656]
.
=============== Created Last 30 ================
.
2011-12-24 00:09:43 476904 ----a-w- c:\program files\mozilla firefox\plugins\REN61ED.tmp
2011-12-20 19:34:25 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-12-20 19:34:25 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-12-20 19:34:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-12-20 19:34:22 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-12-20 19:34:22 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-12-20 19:34:22 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-12-20 19:34:22 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-12-20 19:34:22 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-12-20 02:52:42 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-20 02:52:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-19 19:57:44 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-12-19 19:33:20 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-12-19 19:33:19 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-12-18 08:59:04 -------- d-----w- c:\program files\iPod
2011-12-18 08:58:59 -------- d-----w- c:\program files\iTunes
2011-12-18 08:50:25 -------- d-----w- c:\program files\Bonjour
2011-12-13 19:56:59 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-13 19:56:59 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-13 19:56:57 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-12-13 19:56:56 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-13 19:56:55 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-12-13 19:56:54 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-13 19:56:51 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-27 20:11:56 -------- d-----w- c:\program files\Apex Fitness
2011-11-27 19:20:30 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-11-27 19:20:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
==================== Find3M ====================
.
2011-12-22 00:02:50 0 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-11-27 19:29:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 22:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 22:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-15 21:16:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 21:16:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 21:16:16 64880 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-10-15 21:16:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 21:16:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 21:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 21:16:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 21:16:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 21:16:16 165680 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-10-15 21:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
.
============= FINISH: 16:31:04.96 ===============

Hopefully this one will be as easy to clean as my laptop.

Thanks,
Mike

oldman960
2011-12-28, 08:29
Hi Mike T,

To make cleaning this machine easier
Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
Please do not run any scans other than those requested
Please follow all instructions in the order posted
All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad, click Format and uncheck Word Wrap if it is checked.
Do not attach any logs/reports, etc.. unless specifically requested to do so.
If you have problems with or do not understand the instructions, Please ask before continuing.
Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.




If you are asked to download Avast's definition database when using this next tool, please do so.

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.

Right click aswMBR.exe and click "Run as Administrator" to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Please post back with
aswMBR log
mbr.zip (attached)

Mike T
2011-12-28, 12:48
Oldman,

I just got home from work and have moved a copy of aswMBR.exe to the infected computer via flash drive. I'll start the scan, hit the rack and post the logs after I wake up.

The affected computer has been isolated and not on my home network so I can do all the scans etc in an environment that isn't safe mode.

Mike

Mike T
2011-12-28, 19:47
Oldman,

Here is the aswMBR log and attached MBR.zip as requested.

aswMBR version 0.9.9.1116 Copyright(c) 2011 AVAST Software
Run date: 2011-12-28 03:48:40
-----------------------------
03:48:40.383 OS Version: Windows 6.0.6002 Service Pack 2
03:48:40.383 Number of processors: 2 586 0xF02
03:48:40.383 ComputerName: MIKE-PC UserName: Viki
03:49:10.943 Initialize success
03:51:01.640 AVAST engine defs: 11122800
03:52:01.404 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
03:52:01.404 Disk 0 Vendor: ST325082 3.AD Size: 238418MB BusType: 3
03:52:01.450 Disk 0 MBR read successfully
03:52:01.450 Disk 0 MBR scan
03:52:01.450 Disk 0 Windows VISTA default MBR code
03:52:01.482 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
03:52:01.497 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 98304
03:52:01.513 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 228129 MB offset 21069824
03:52:01.513 Disk 0 scanning sectors +488278016
03:52:01.575 Disk 0 scanning C:\Windows\system32\drivers
03:52:19.562 Service scanning
03:52:21.387 Modules scanning
03:52:28.906 Disk 0 trace - called modules:
03:52:29.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
03:52:29.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86807ac8]
03:52:29.437 3 CLASSPNP.SYS[837ab8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85cf1030]
03:52:30.279 AVAST engine scan C:\Windows
03:52:39.343 AVAST engine scan C:\Windows\system32
03:56:13.627 AVAST engine scan C:\Windows\system32\drivers
03:56:27.012 AVAST engine scan C:\Users\Viki
04:20:51.039 AVAST engine scan C:\ProgramData
09:44:35.679 Scan finished successfully
10:36:00.497 Disk 0 MBR has been saved successfully to "C:\Users\Viki\Desktop\MBR.dat"
10:36:00.497 The log file has been saved successfully to "C:\Users\Viki\Desktop\aswMBR.txt"


Mike
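The aswMBR log above is the kind of output a responder reads by hand: the MBR code verdict, the partition table, the sector where the scan of unpartitioned space starts, and the list of modules in the disk I/O path. The script below is an added example for this thread, not part of the forum posts and not AVAST's code. It parses those lines and applies the checks that matter for a bootkit triage: the MBR loader is a stock Windows one, exactly one partition is active, partitions neither overlap nor leave unexplained gaps, the post-partition scan starts where the last partition ends, and every module in the call trace is in a baseline allow-list. The SAMPLE_LOG lines are copied from the log posted above; the line formats the regexes expect and the KNOWN_STORAGE_STACK baseline are assumptions made here for this machine, not a published specification.

```python
"""Triage checks over an aswMBR text log (added example, not AVAST's code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SECTORS_PER_MB = 2048             # aswMBR reports MB; the disk uses 512-byte sectors
ALIGNMENT_SLACK = SECTORS_PER_MB  # up to 1 MB of gap is normal rounding/alignment

# Assumed baseline of modules expected in the disk I/O path on this
# Vista / Intel Matrix Storage machine. Anything else deserves a manual look.
KNOWN_STORAGE_STACK = {
    "ntkrnlpa.exe", "ntoskrnl.exe", "hal.dll", "classpnp.sys", "disk.sys",
    "partmgr.sys", "iastor.sys", "atapi.sys", "ataport.sys",
}

# Line formats below are inferred from the posted log (assumption).
TIMESTAMP_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+")
PARTITION_RE = re.compile(
    r"^Disk (?P<disk>\d+) Partition (?P<idx>\d+) (?P<flag>[0-9A-Fa-f]{2}) "
    r"(?:\(A\) )?(?P<ptype>[0-9A-Fa-f]{2}) (?P<label>.*?) (?P<size_mb>\d+) MB "
    r"offset (?P<offset>\d+)$"
)
MBR_VERDICT_RE = re.compile(r"^Disk \d+ (?P<verdict>.*MBR code.*)$")
SCAN_SECTORS_RE = re.compile(r"^Disk \d+ scanning sectors \+(?P<sector>\d+)$")
TRACE_HEADER_RE = re.compile(r"^Disk \d+ trace - called modules:$")

# Copied from the aswMBR log in the thread (only the lines the checks use).
SAMPLE_LOG = """\
03:52:01.450 Disk 0 MBR read successfully
03:52:01.450 Disk 0 MBR scan
03:52:01.450 Disk 0 Windows VISTA default MBR code
03:52:01.482 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
03:52:01.497 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 98304
03:52:01.513 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 228129 MB offset 21069824
03:52:01.513 Disk 0 scanning sectors +488278016
03:52:28.906 Disk 0 trace - called modules:
03:52:29.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
03:52:29.421 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x86807ac8]
"""


@dataclass
class Partition:
    index: int
    active: bool      # boot flag 0x80 in the MBR entry
    ptype: int        # partition type byte
    label: str
    size_mb: int
    offset: int       # first sector (LBA)

    @property
    def end(self) -> int:
        """First sector after this partition (size is MB-rounded, so approximate)."""
        return self.offset + self.size_mb * SECTORS_PER_MB


@dataclass
class Report:
    mbr_verdict: str = ""
    partitions: List[Partition] = field(default_factory=list)
    trace_modules: List[str] = field(default_factory=list)
    scan_start: Optional[int] = None
    findings: List[str] = field(default_factory=list)


def parse(log: str) -> Report:
    """Pull the MBR verdict, partition table, scan start and call trace out of the log."""
    rep = Report()
    lines = [TIMESTAMP_RE.sub("", ln.strip()) for ln in log.splitlines()]
    for i, line in enumerate(lines):
        if (m := PARTITION_RE.match(line)):
            rep.partitions.append(Partition(
                index=int(m["idx"]), active=m["flag"].upper() == "80",
                ptype=int(m["ptype"], 16), label=m["label"],
                size_mb=int(m["size_mb"]), offset=int(m["offset"])))
        elif (m := MBR_VERDICT_RE.match(line)):
            rep.mbr_verdict = m["verdict"]
        elif (m := SCAN_SECTORS_RE.match(line)):
            rep.scan_start = int(m["sector"])
        elif TRACE_HEADER_RE.match(line) and i + 1 < len(lines):
            # The module list is the single line right after the header.
            rep.trace_modules = lines[i + 1].lower().split()
    return rep


def triage(log: str) -> Report:
    """Parse the log and record anything a responder should look at by hand."""
    rep = parse(log)
    notes = rep.findings
    if not re.search(r"Windows .* default MBR code", rep.mbr_verdict or ""):
        notes.append(f"MBR code is not a stock Windows loader: {rep.mbr_verdict!r}")
    parts = sorted(rep.partitions, key=lambda p: p.offset)
    active = [p.index for p in parts if p.active]
    if len(active) != 1:
        notes.append(f"expected exactly one active partition, found {active}")
    for a, b in zip(parts, parts[1:]):
        gap = b.offset - a.end
        if gap < 0:
            notes.append(f"partition {a.index} overlaps partition {b.index}")
        elif gap > ALIGNMENT_SLACK:
            notes.append(f"{gap} unaccounted sectors between partitions {a.index} and {b.index}")
    if parts and rep.scan_start is not None and abs(rep.scan_start - parts[-1].end) > ALIGNMENT_SLACK:
        notes.append(f"post-partition scan began at sector {rep.scan_start}, "
                     f"last partition ends near {parts[-1].end}")
    unknown = sorted(set(rep.trace_modules) - KNOWN_STORAGE_STACK)
    if unknown:
        notes.append(f"module(s) in the disk I/O path outside the baseline: {unknown}")
    return rep


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for p in report.partitions:
        print(f"partition {p.index}: type 0x{p.ptype:02X} active={p.active} "
              f"sectors {p.offset}-{p.end - 1}")
    print("findings:", report.findings or "none")
```

On the posted log this reports no findings: the loader is the stock Vista MBR code, only partition 3 is active, partition 2 ends exactly where partition 3 begins, and the "+488278016" scan start is the sector right after partition 3 (21069824 + 228129 * 2048), so there is no hidden region between the partitions and the unpartitioned tail. A clean MBR is consistent with ComboFix later reporting rootkit activity: the file-system-resident components it removed do not need to touch the boot sector, so an MBR scan alone is never the whole picture.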

oldman960
2011-12-28, 23:00
Hi Mike T,

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)

Right click on ComboFix.exe, click Run as Administrator & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Thanks

Mike T
2011-12-29, 19:50
Good Day Oldman,

I got home from work at about 0400, transferred ComboFix to the affected computer and started running it, I waited until Stage 1 completed to be sure it was running. I went to bed expecting to post a log after waking up but instead of a log I had a dialog box from ComboFix stating "ComboFix has detected root kit activity and needs to reboot".

System has been rebooted and upon initialization ComboFix began running. Right now we have completed through Stage 3 and seem to be hanging on Stage 4, but it has only been on Stage 4 for about 10 minutes. Hopefully I will be able to post the log before I leave for work.

Mike

Mike T
2011-12-29, 20:26
Well, ComboFix ran fairly quickly this morning, at just under an hour.

Here is the log.
__________________________________

ComboFix 11-12-29.01 - Viki 12/29/2011 10:33:47.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1404 [GMT -8:00]
Running from: c:\users\Viki\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\programdata\SPL184E.tmp
c:\programdata\SPL36A6.tmp
c:\programdata\SPL425D.tmp
c:\programdata\SPL7BCF.tmp
c:\programdata\SPL9972.tmp
c:\programdata\SPL9CF1.tmp
c:\programdata\SPLA20D.tmp
c:\programdata\SPLD751.tmp
c:\programdata\SPLF546.tmp
c:\users\Michelle.Mike-PC\Desktop\Internet Explorer.lnk
c:\windows\$NtUninstallKB33243$
c:\windows\$NtUninstallKB33243$\1536496831
c:\windows\$NtUninstallKB33243$\3126475649\@
c:\windows\$NtUninstallKB33243$\3126475649\bckfg.tmp
c:\windows\$NtUninstallKB33243$\3126475649\cfg.ini
c:\windows\$NtUninstallKB33243$\3126475649\Desktop.ini
c:\windows\$NtUninstallKB33243$\3126475649\keywords
c:\windows\$NtUninstallKB33243$\3126475649\kwrd.dll
c:\windows\$NtUninstallKB33243$\3126475649\L\qnbwvoto
c:\windows\$NtUninstallKB33243$\3126475649\lsflt7.ver
c:\windows\$NtUninstallKB33243$\3126475649\U\00000001.@
c:\windows\$NtUninstallKB33243$\3126475649\U\00000002.@
c:\windows\$NtUninstallKB33243$\3126475649\U\00000004.@
c:\windows\$NtUninstallKB33243$\3126475649\U\80000000.@
c:\windows\$NtUninstallKB33243$\3126475649\U\80000004.@
c:\windows\$NtUninstallKB33243$\3126475649\U\80000032.@
c:\windows\system32\drivers\etc\lmhosts
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))
.
.
2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\TEMP.Mike-PC\AppData\Local\temp
2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\TEMP.Mike-PC.016\AppData\Local\temp
2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\TEMP.Mike-PC.015\AppData\Local\temp
2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\TEMP.Mike-PC.001\AppData\Local\temp
2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\TEMP.Mike-PC.000\AppData\Local\temp
2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\Michelle.Mike-PC\AppData\Local\temp
2011-12-29 19:09 . 2011-12-29 19:09 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2011-12-29 19:09 . 2011-12-29 19:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-29 19:09 . 2011-12-29 19:09 -------- d-----w- c:\users\Barbara.Mike-PC\AppData\Local\temp
2011-12-29 19:09 . 2011-12-29 19:11 -------- d-----w- c:\users\Viki\AppData\Local\temp
2011-12-29 19:09 . 2011-12-29 19:09 -------- d-----w- c:\users\Mike\AppData\Local\temp
2011-12-29 19:09 . 2011-12-29 19:09 -------- d-----w- c:\users\Michelle\AppData\Local\temp
2011-12-29 19:09 . 2011-12-29 19:09 -------- d-----w- c:\users\Barbara\AppData\Local\temp
2011-12-24 02:02 . 2011-10-18 22:29 28760 ----a-w- c:\program files\Mozilla Firefox\ScriptFF.dll
2011-12-24 01:02 . 2011-12-24 01:02 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-20 19:34 . 2011-12-20 19:34 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-12-20 19:34 . 2011-12-20 19:34 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-12-20 19:34 . 2011-12-20 19:34 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-12-20 19:34 . 2011-12-20 19:34 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-12-20 19:34 . 2011-12-20 19:34 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-12-20 19:34 . 2011-12-20 19:34 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-12-20 19:34 . 2011-12-20 19:34 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-12-20 19:34 . 2011-12-20 19:34 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-12-20 02:52 . 2011-12-20 02:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-20 02:52 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-19 19:57 . 2011-12-19 19:58 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-12-19 19:33 . 2009-07-14 17:45 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-12-19 19:33 . 2009-07-14 17:45 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-12-18 08:59 . 2011-12-18 08:59 -------- d-----w- c:\program files\iPod
2011-12-18 08:58 . 2011-12-18 09:01 -------- d-----w- c:\program files\iTunes
2011-12-18 08:50 . 2011-12-18 08:50 -------- d-----w- c:\program files\Bonjour
2011-12-18 08:43 . 2011-12-18 08:43 -------- d-----w- c:\program files\Apple Software Update
2011-12-15 19:29 . 2011-12-15 19:31 -------- d-----w- c:\programdata\WinZip
2011-12-13 19:56 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-13 19:56 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-13 19:56 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-12-13 19:56 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-13 19:56 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-12-13 19:56 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-13 19:56 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-22 00:02 . 2011-06-15 21:16 0 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-11-27 19:29 . 2011-05-18 05:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 13:54 . 2011-11-27 19:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-24 22:29 . 2011-10-24 22:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 22:29 . 2011-10-24 22:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-15 21:16 . 2011-09-22 09:38 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 21:16 . 2010-04-26 10:43 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 21:16 . 2010-04-26 10:43 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 21:16 . 2010-04-26 10:43 64880 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-10-15 21:16 . 2010-04-26 10:43 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 21:16 . 2010-04-26 10:43 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 21:16 . 2010-04-26 10:43 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 21:16 . 2010-04-26 10:43 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 21:16 . 2010-04-26 10:43 165680 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-10-15 21:16 . 2010-04-26 10:43 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-12-20 19:34 . 2011-12-20 19:34 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 21:01 . 2010-04-28 15:23 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-12 446976]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-26 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-08-19 17360520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"lxdumon.exe"="c:\program files\Lexmark 5600-6600 Series\lxdumon.exe" [2008-09-10 676520]
"lxduamon"="c:\program files\Lexmark 5600-6600 Series\lxduamon.exe" [2008-09-10 16040]
"Lexmark 5600-6600 Series Fax Server"="c:\program files\Lexmark 5600-6600 Series\fm3032.exe" [2008-09-10 311976]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 92704]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-17 1318552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-03-17 1141144]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\Michelle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-12-8 111376]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Viki\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Belkin Network USB Hub Control Center.lnk - c:\program files\Belkin\Network USB Hub Control Center\Connect.exe [N/A]
Connect - Shortcut.lnk - c:\program files\Belkin\Network USB Hub Control Center\Connect.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-19 45056]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-11-17 611144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [2010-03-22 152064]
R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [2010-03-22 49152]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-10-15 57600]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-08-01 45288]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 02:32]
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 02:32]
.
2011-12-29 c:\windows\Tasks\User_Feed_Synchronization-{9D83C039-4455-43FE-9639-F72933194517}.job
- c:\windows\system32\msfeedssync.exe [2011-12-23 23:46]
.
2011-12-29 c:\windows\Tasks\User_Feed_Synchronization-{B0136D5F-0293-42B0-A82F-F0BC3FA7D4F6}.job
- c:\windows\system32\msfeedssync.exe [2011-12-23 23:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Viki\AppData\Roaming\Mozilla\Firefox\Profiles\geuuomh9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-29 11:11
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-12-29 11:17:31
ComboFix-quarantined-files.txt 2011-12-29 19:17
.
Pre-Run: 111,366,881,280 bytes free
Post-Run: 117,862,313,984 bytes free
.
- - End Of File - - F513352A60E0867774386F2318964145


Patiently waiting for the next instructions.

Thanks.

oldman960
2011-12-30, 01:08
Hi Mike T,

The combofix log looks good. I think we got it.

Click on the Start button > Control Panel

Depending on your settings, either
click on the Uninstall a program option under the Programs category.
If you are using the Classic View of the Control Panel, then you would double-click on the Programs and Features icon instead.
Uninstall the following program

Java(TM) SE Runtime Environment 6

Do not uninstall Java(TM) 6 Update 30


Next

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Right click the TFC icon and click "Run as Administrator" to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean



Next

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

Click the Update tab
Click Check for Updates
If an update is found, it will download and install the latest version.
The program will close to update and reopen.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



One more to check for stragglers.

As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.
Do not use this instance of your browser for anything besides doing this scan
When the scan is complete and the results saved, close that instance of your browser
Open a new one the usual way and post the results in this topic.


*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.


Go here to run an online scanner from
ESET (http://www.eset.eu/online-scanner)

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)


Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
Click Start
Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
Click Scan.
Wait for the scan to finish.
When the scan completes, click List of found threats
click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
Include the contents of this report in your next reply

Note - when ESET doesn't find any threats, no report will be created.

Push the back button.
Push Finish
Re-enable your Antivirus software.


Please post back with
MBAM log
ESET log if one was produced
How's the computer?

Mike T
2011-12-30, 23:03
Good afternoon Oldman,

I uninstalled the Java program and ran the TFC when I got home from work. That cleaned up a lot of temp files from all user accounts. After running that cleaner, nearly 8GB of hard drive space was freed up.

I am currently running the ESET scan, but a log from that will be delayed. I was almost an hour into the scan when I had a power interruption and have had to restart the scan, maybe 20 minutes into the second scan now.

I updated Malwarebytes and ran the quick scan, here is the log:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.30.03

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Viki :: MIKE-PC [administrator]

12/30/2011 11:52:28 AM
mbam-log-2011-12-30 (11-52-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 354494
Time elapsed: 12 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

while we're waiting for the ESET scan to complete here are a couple observations on how the computer is running today.

Boot-up seems faster. After the initial symptoms of the infection I was getting notification that Windows has blocked a number of start-up programs; after cleaning I am still getting that message. When I open that dialog box I have the option of disabling or enabling the programs. My gut says that I can now enable all of the programs but didn't want to until I had the chance to ask.

I also noticed while ESET was running, before the interruption, that the McAfee\Virusscan\quarantine files still number in the 100's of thousands. The second run of the scan is currently going through those files. This mass of files also causes a full Malwarebytes scan to take over 8 hours to complete. Any suggestions?

As soon as ESET has completed I will post the results & log.

Mike

oldman960
2011-12-30, 23:46
Hi Mike T,


After the initial symptoms of the infection I was getting notification that Windows has blocked a number of start-up programs, after cleaning I am still getting that message. When I open that dialog box I have the option of disabling or enabling the programs.

Would the message be from Windows Defender or UAC? Do you know the program names?

After we are finished you can empty the McAfee quarantined folder. Seems like it's supposed to do that after 30 days on its own.

Depending on the version of McAfee you have you should be able to use the steps to delete the files HERE (https://community.mcafee.com/message/175379) or HERE (http://www.ehow.com/how_8296932_delete-mcafee-quarantined.html)

I'll have a look at the ESET log when you post it. If everything seems ok we'll clean up the tools.

Mike T
2011-12-31, 01:07
Oldman,

I tried to see which programs are being blocked but I no longer see the icon in the systray. I'll try to get a full list when I reboot, but I thought it was system security that was blocking the programs. We should know after a reboot.

ESET is still running, this is going to take a while. I did have a chance to look at the quarantine folder size and it is in excess of 450,000 files and somewhere in the vicinity of 2.5+GB. I get the feeling it hasn't been self deleting ;). The earliest quarantine file starts in 2009, right after the last time this computer had a virus that we cleaned up here on the forum.

I am posting from my laptop while ESET runs on the other computer. The other has been on-line with my wireless router since I woke up and I have not seen any signs of McAfee shutting itself down or any unexplained traffic.

I'll check out the McAfee links while waiting for ESET to complete (it is still stuck at about 34%) and post the log as soon as it is done.

Mike

Mike T
2011-12-31, 10:13
Good evening Oldman,

ESET took forever to run, compliments of the quarantine folder, but it finished earlier this evening. Here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=0f4644fb83c39c4287a68ac8189d9d2c
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-12-30 10:48:57
# local_time=2011-12-30 02:48:57 (-0800, Pacific Standard Time)
# country="United States"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5121 16777213 100 75 710395 25657985 0 0
# compatibility_mode=5892 16776638 66 100 52068009 161892851 0 0
# compatibility_mode=8192 67108863 100 0 64716753 64716753 0 0
# scanned=1062
# found=0
# cleaned=0
# scan_time=15
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=0f4644fb83c39c4287a68ac8189d9d2c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-12-31 05:31:29
# local_time=2011-12-30 09:31:29 (-0800, Pacific Standard Time)
# country="United States"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5121 16777213 100 75 711998 25659588 0 0
# compatibility_mode=5892 16776638 66 100 52069612 161894454 0 0
# compatibility_mode=8192 67108863 100 0 64718356 64718356 0 0
# scanned=1197804
# found=0
# cleaned=0
# scan_time=22563

I have followed the directions posted earlier regarding deleting the quarantine files. Unfortunately I have been unsuccessful in emptying that folder. About the only thing I can do is try deleting one file at a time. Every time I try deleting a block of files, or the select all option the folder stops responding. Also, the delete files option through the McAfee console just gives the working/waiting icon and nothing happens. Of course, I have only let that run for an hour, twice, with no luck. I may try letting it work all night and see if there is any headway in the morning.

Regarding the blocked start up programs, the icon in the system tray is for the Windows System Configuration Utility. A partial list of the programs blocked are:
RAID event monitor
Intel Viv Software
Groove Monitor
Lexmark printer
Fax solutions
NVIDIA
McAfee
Adobe
Quick Time
Itunes
Intellipoint (mouse)
Malwarebytes

Not a complete list but enough to give the idea of what is currently being blocked at start up. I do get the option of enabling these items and wonder if all I have to do is enable them. Suspecting that the rootkit may have changed the setting. Your thoughts?

oldman960
2011-12-31, 18:42
Hi Mike T,

Windows System Configuration Utility aka msconfig
http://support.microsoft.com/kb/310560/

It's a Windows utility which allows you to control what you want or don't want to start up when you turn on your computer. To access it click Start, type msconfig. When the interface opens, click the Startup tab.

A database of startup items, what they are and if they can be disabled can be found HERE (http://www.pacs-portal.co.uk/startup_search.php) You can find the items by clicking the respective letter for the first letter in the filename. You can find the filename in the msconfig's Command column. You may need to expand the column by using your left mouse button and click and hold the edge of the column at the top and sliding it to the right.

Looking at the list it is hard to say if they all should be enabled, as some programs have components that do not need to be loaded at startup, so you should check the database. I can't say whether it was malware or a person that set them to disabled, but if it is the entire list as viewed on the Startup tab then it may have been malware related.

Did you try the steps in the McAfee link to empty the quarantined folder by unchecking "Use Access Protection"?
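
Added example, not part of this thread or of either poster's instructions: a Python triage script that parses the Run values out of a ComboFix "Reg Loading Points" section like the one posted above and orders the loading points by how much they deserve a look before anything is re-enabled in msconfig. The startup-item database oldman960 links is the authority on what each entry is; this only says which ones to check first (outside the Windows/Program Files tree, in a user-writable folder, a bare file name resolved through PATH, or a file that was missing when the log was taken). The sample lines are copied from the ComboFix log in this thread, except the "Security Alert" entry and its path, which are constructed to show what a rogue-AV style hit looks like.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One Run value as ComboFix prints it under "Reg Loading Points":
#   "Name"="c:\path\file.exe" [YYYY-MM-DD SIZE]
# The [date size] suffix is what ComboFix found on disk; it is absent when the file was missing.
RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"'
    r'(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?\s*$'
)
# Where a desktop's Run entries normally point (lower-cased; 8.3 alias of Program Files included).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Places a non-admin process can write to; rogue "security alert" families persist from here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "c:\\programdata\\", "\\recycler\\", "\\users\\public\\")
# Flags that alone justify a closer look; "per-user-run-key" is context, not evidence.
STRONG = {"relative-path", "outside-trusted-dirs", "user-writable-location", "file-missing-at-scan"}


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    date: Optional[str] = None
    size: Optional[int] = None
    flags: List[str] = field(default_factory=list)


def image_path(command: str) -> str:
    """Executable part of a Run command, lower-cased, with any arguments stripped."""
    cmd = command.strip().lower()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"^(.*?\.(?:exe|dll|cpl|scr|com))(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def classify(entry: RunEntry) -> List[str]:
    """Heuristic flags for one Run value; an empty list means nothing stood out."""
    path = image_path(entry.command)
    flags = []
    if "\\" not in path:
        flags.append("relative-path")            # resolved through the PATH search order, hijackable
    elif not path.startswith(TRUSTED_PREFIXES):
        flags.append("outside-trusted-dirs")
    if any(marker in path for marker in USER_WRITABLE):
        flags.append("user-writable-location")   # no elevation needed to plant or replace it
    if entry.date is None:
        flags.append("file-missing-at-scan")     # orphaned value, or a file hidden from the scanner
    if entry.hive.upper().startswith("HKEY_CURRENT_USER"):
        flags.append("per-user-run-key")         # fires at logon without admin rights
    return flags


def parse_loading_points(text: str) -> List[RunEntry]:
    """Parse the Run/RunOnce values out of a ComboFix 'Reg Loading Points' section."""
    entries, hive = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive = line[1:-1]                    # registry key header such as [HKEY_...\Run]
            continue
        m = RUN_LINE.match(line)
        if not m or hive is None or not hive.lower().endswith(("\\run", "\\runonce")):
            continue
        entry = RunEntry(hive, m["name"], m["cmd"], m["date"],
                         int(m["size"]) if m["size"] else None)
        entry.flags = classify(entry)
        entries.append(entry)
    return entries


def suspicious(entries: List[RunEntry]) -> List[str]:
    """Names of entries carrying at least one strong flag, in log order."""
    return [e.name for e in entries if STRONG & set(e.flags)]


# Constructed sample: lines copied from the log above, plus one made-up rogue-AV style entry
# ("Security Alert", hypothetical path) that is NOT in the log, so that a hit is visible.
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-08-19 17360520]
"Security Alert"="c:\users\someone\AppData\Local\xk3q9z\xk3q9z.exe" [2011-12-23 382976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13687328]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-17 1318552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
'''

if __name__ == "__main__":
    for e in parse_loading_points(SAMPLE):
        print(f"{e.name:22} {e.command:62} {', '.join(e.flags) or '-'}")
    print("review first:", suspicious(parse_loading_points(SAMPLE)))
```

Run as-is it lists every Run value with its flags and names the two to look at first: the constructed "Security Alert" (per-user key, AppData path) and "SigmatelSysTrayApp", whose bare "sttray.exe" is found through PATH rather than a full path. Everything in the Program Files and Windows trees, including the 8.3 short-name InstallShield entry, comes back clean, which matches what the log shows for this machine.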

Mike T
2011-12-31, 20:56
Oldman,

I believe the blocked start up list is a result of the malware as that icon/message was not present prior to the attack. I'll look through the list at the link you provided and see what I should re-enable.

As for the McAfee deletion problem, yes I followed the steps in the prior link. I don't know if it was the sheer size of that file or if the malware caused some issue but nothing worked. I tried deleting the file through the McAfee dashboard and manually through the Program Data\mcafee\virus scan\quarantine folder; either method simply stalled the computer. When attempting manually, I would wait until all 480,000 files had loaded, then as soon as I would use the "select all" function or select a single file by right clicking the computer would stall and I could not delete any file(s). I believe the McAfee file had been corrupted by the malware, possibly to facilitate the malware shutting down the virus scan and firewall programs.

My workaround was to uninstall McAfee then run MCPR to completely remove the McAfee files and folders. That completed last night and I am in the process of re-installing McAfee on the affected computer as I type this from my laptop.

After everything we've done the computer was coming up pretty quick on start-up, but this morning everything loaded lightning fast. A quick look at the size of the C: drive shows that getting rid of the quarantine folder freed up almost 3GB of drive space.

I'll let you know how my blocked program look compared to the list you referenced.

Mike

Mike T
2011-12-31, 21:14
Interesting.

I wanted to double check the list of blocked programs on the affected computer and the icon was not there. I rebooted the system, which usually brought the list up for viewing, and the list is still not there. Bringing up the list manually shows that none of the listed files are disabled. Completely opposite of yesterday.

Mike

oldman960
2011-12-31, 23:06
Hi Mike T,

Well, your workaround would definitely be effective.

As far as the blocked list, that could have been malware disguised as the legitimate msconfig showing you how well it was "protecting" you.


Looks like everything is ok.


From your desktop, please delete, if present
any notepads/logs that we created
DDS.scr
mbr.zip
mbr.dat
aswMBR.exe


Next

Click the Start button, click Run. [Vista users, go Start>"Start search"] Copy and paste the following line into the run box and click OK

Combofix /uninstall


I suggest you keep MBAM. Keep it updated and use it regularly.

You can keep TFC and use it from time to time.


Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. You have those.

You should also use Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) to help immunize your computer.

- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
HOSTS (http://www.mvps.org/winhelp2002/hosts.htm)

Please read the info on disabling the DNS Client before installing a custom hosts file.


-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (http://www.update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us)(using Internet Explorer) and download and install all critical updates on a regular basis


- Make sure you have reset Automatic Updates to your chosen option. Click your start button > Control Panel > System > Updates tab


- Keep your antivirus program updated, as well as any other security programs you have.


-More tips and programs can be found HERE (http://forums.whatthetech.com/Preventing_Malware_Tools_Practices_Safe_Computing_t98700.html)

Please post back if you have any problems.

Take care
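
Added example, not part of this thread or of oldman960's advice: a Python audit of a Windows hosts file, in the spirit of the hosts-file recommendation above ("learn how your Hosts file can protect you and how you can protect it"). A blocklist-style hosts file maps unwanted sites to 0.0.0.0 or 127.0.0.1; what an infection does instead is pin security-vendor and update domains (so the products that would catch it cannot update), point names at an outside address, and park those lines after a long run of blank lines so nobody scrolls down to them. The script flags each of those patterns and leaves stock localhost lines, blackholed ad hosts and LAN aliases alone. The watchlist of vendor domains and the sample hosts file are constructed for this example; 203.0.113.10 is a documentation address standing in for an attacker's server.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed watchlist: vendors and update hosts whose pinning in a hosts file has one
# plausible purpose, stopping the products that would detect or remove the infection.
PROTECTED_SUFFIXES = ("mcafee.com", "malwarebytes.org", "safer-networking.org",
                      "eset.com", "eset.eu", "microsoft.com", "windowsupdate.com")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HIDDEN_GAP = 20        # an entry parked after this many blank lines was meant to be scrolled past
SHARED_TARGET_MIN = 3  # one external address answering for this many names looks like pharming

HOST_LINE = re.compile(r"^\s*(?P<ip>[0-9A-Fa-f.:]+)\s+(?P<names>[^#]+?)\s*(?:#.*)?$")

Entry = Tuple[int, str, str, int]  # (line number, address, hostname, blank lines just before)


def parse_hosts(text: str) -> List[Entry]:
    """Return every address-to-name mapping in a hosts file; comments and junk are skipped."""
    entries, blank_run = [], 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:
            blank_run += 1
            continue
        if not stripped.startswith("#"):
            m = HOST_LINE.match(raw)
            if m:
                try:
                    ipaddress.ip_address(m["ip"])
                    for name in m["names"].split():
                        entries.append((line_no, m["ip"], name.lower(), blank_run))
                except ValueError:
                    pass            # first token is not an address; junk line
        blank_run = 0
    return entries


def kind_of(ip: str) -> str:
    """'blackhole' (loopback/unspecified), 'lan' (RFC 1918 or link-local) or 'external'."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return "blackhole"
    if addr.is_link_local or any(addr in net for net in RFC1918):
        return "lan"
    return "external"


def is_protected(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit(entries: List[Entry]) -> List[Dict]:
    """Findings for entries that look like tampering rather than an ad blocklist or LAN aliases."""
    names_per_external: Dict[str, set] = defaultdict(set)
    for _, ip, name, _ in entries:
        if kind_of(ip) == "external":
            names_per_external[ip].add(name)
    findings = []
    for line_no, ip, name, gap in entries:
        kind = kind_of(ip)
        if name in ("localhost", "localhost.localdomain") and kind == "blackhole":
            continue                                   # the stock entries
        reasons = []
        if is_protected(name):
            reasons.append("security-or-update-domain-pinned")
        if kind == "external":
            reasons.append("redirect-to-external-ip")
            if len(names_per_external[ip]) >= SHARED_TARGET_MIN:
                reasons.append("shared-redirect-target")
        if gap >= HIDDEN_GAP:
            reasons.append("hidden-after-blank-lines")
        if reasons:
            findings.append({"line": line_no, "ip": ip, "name": name, "reasons": reasons})
    return findings


# Constructed hosts file (not from this thread): stock lines, one blocklist-style blackhole,
# then the kinds of entries a "security alert" rogue leaves behind, 30 blank lines down.
SAMPLE_HOSTS = (
    "# stock entries\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "0.0.0.0 ad.doubleclick.net      # MVPS-style blocklist entry, harmless\n"
    "0.0.0.0 www.malwarebytes.org\n"
    + "\n" * 30 +
    "203.0.113.10 www.mcafee.com\n"
    "203.0.113.10 update.microsoft.com www.microsoft.com\n"
    "203.0.113.10 download.windowsupdate.com\n"
)

if __name__ == "__main__":
    for f in audit(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {f['line']:>3}: {f['ip']:15} {f['name']:28} {', '.join(f['reasons'])}")
```

On a real machine point parse_hosts at the contents of %SystemRoot%\System32\drivers\etc\hosts; a clean blocklist such as the MVPS file produces no findings because every line resolves to 0.0.0.0 and none of the names is on the watchlist. Any line that comes back with "security-or-update-domain-pinned" should be removed before trusting the next scanner update, which is the failure mode the thread ran into when McAfee could no longer keep itself running.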

Mike T
2012-01-01, 00:53
I think we've got it beat.

All logs and tools have been removed. I always have MBAM and SBS&D, those and my AV generally keep me free of problems but this one snuck in on two computers. The TFC seems like a nice handy "keep the files in check" tool, glad I can use that one for regular maintenance.

All IE settings are as suggested and the last of the Windows updates (new in the last week) are loading now.

Once they're done I can connect the 1TB external drive and get everything backed up and safe.

Have a safe and happy New Year.

Thanks,
Mike

oldman960
2012-01-01, 00:59
Hi Mike T,

Glad it worked out. Happy New Year to you.

Take care.

oldman960
2012-01-04, 23:08
Since this issue appears to be resolved ... this Topic has been closed.