
Thread: Vista Security Alert and Generic.dropper1F3 issues

#1  Member (Join Date Nov 2009, Location California USA, Posts 65)

Vista Security Alert and Generic.dropper1F3 issues

    Hi,

The family desktop computer was hit with the Vista Security 2012 Alert while Blade and I were cleaning my laptop. Besides the security warnings and McAfee anti-virus and firewall shutting off, this computer has suffered a major slowdown: memory is being used up by something, and CPU usage runs 80% or more immediately after loading up at startup (in safe mode usage is less than 10% and memory is OK).

Besides those issues, something is blocking a number of Windows applications at start-up. I ran Spybot and it found and quarantined a Generic.Dropper1F3. Malwarebytes and McAfee both took over 8 hours to perform their scans, but Malwarebytes locked up and failed to complete. I was watching the file names during the scans and noticed that the McAfee Quarantine files number in the hundreds of thousands (more than 200,000, closer to 300,000).

The MS updates should all be current, and I did update to IE 9, but have not updated to Mozilla 9 yet.

    Here is the DDS log from before I shut the computer down.

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
    Run by Viki at 16:28:53 on 2011-12-23
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1068 [GMT -8:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\LEXBCES.EXE
    C:\Windows\System32\LEXPPS.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
    C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Windows\system32\lxbccoms.exe
    C:\Windows\system32\lxducoms.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
    C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
    C:\Windows\sttray.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\WinZip\WZQKPICK32.EXE
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Lexmark 5600-6600 Series\lxduMsdMon.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
    C:\Program Files\Belkin\Belkin USB Print and Storage Center\connect.exe
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Bar = Preserve
    uWindow Title = Internet Explorer provided by Dell
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111108133852.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_6.0;_en-US;_rv:1.9.1.9)_Gecko/20100315_Firefox/3.5.9_GTB7.1_(.NET_CLR_3.5.30729)" -"http://www.southparkstudios.com/games/cc/playset/playset2.html"
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
    mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [lxdumon.exe] "c:\program files\lexmark 5600-6600 series\lxdumon.exe"
    mRun: [lxduamon] "c:\program files\lexmark 5600-6600 series\lxduamon.exe"
    mRun: [Lexmark 5600-6600 Series Fax Server] "c:\program files\lexmark 5600-6600 series\fm3032.exe" /s
    mRun: [SigmatelSysTrayApp] sttray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\users\viki\appdata\roaming\micros~1\windows\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\network usb hub control center\Connect.exe
    StartupFolder: c:\users\viki\appdata\roaming\micros~1\windows\startm~1\programs\startup\connec~1.lnk - c:\program files\belkin\network usb hub control center\Connect.exe
    StartupFolder: c:\users\viki\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK32.EXE
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    LSP: c:\windows\system32\wpclsp.dll
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    TCP: DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{3CDC994C-DF2B-4F5C-B570-2F186D7BA060} : DhcpNameServer = 192.168.2.1
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\viki\appdata\roaming\mozilla\firefox\profiles\geuuomh9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - component: c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
    FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
    FF - component: c:\users\viki\appdata\roaming\mozilla\firefox\profiles\geuuomh9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\users\viki\appdata\roaming\mozilla\firefox\profiles\geuuomh9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
    FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-26 464176]
    R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-4-26 64880]
    R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-4-26 165680]
    R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
    R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-26 57600]
    R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [2011-8-1 45288]
    R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-4-19 5504]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-9-22 180816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-26 59456]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-26 338176]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-26 87656]
    .
    =============== Created Last 30 ================
    .
    2011-12-24 00:09:43 476904 ----a-w- c:\program files\mozilla firefox\plugins\REN61ED.tmp
    2011-12-20 19:34:25 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-12-20 19:34:25 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    2011-12-20 19:34:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-12-20 19:34:22 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2011-12-20 19:34:22 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
    2011-12-20 19:34:22 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2011-12-20 19:34:22 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
    2011-12-20 19:34:22 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2011-12-20 02:52:42 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-20 02:52:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-19 19:57:44 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2011-12-19 19:33:20 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
    2011-12-19 19:33:19 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
    2011-12-18 08:59:04 -------- d-----w- c:\program files\iPod
    2011-12-18 08:58:59 -------- d-----w- c:\program files\iTunes
    2011-12-18 08:50:25 -------- d-----w- c:\program files\Bonjour
    2011-12-13 19:56:59 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-13 19:56:59 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-13 19:56:57 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-13 19:56:56 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-12-13 19:56:55 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-12-13 19:56:54 49152 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-13 19:56:51 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-27 20:11:56 -------- d-----w- c:\program files\Apex Fitness
    2011-11-27 19:20:30 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-11-27 19:20:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    ==================== Find3M ====================
    .
    2011-12-22 00:02:50 0 ----a-w- c:\windows\system32\drivers\dfsc.sys
    2011-11-27 19:29:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-24 22:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 22:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-15 21:16:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-10-15 21:16:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-10-15 21:16:16 64880 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2011-10-15 21:16:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-10-15 21:16:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-10-15 21:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-10-15 21:16:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-10-15 21:16:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-10-15 21:16:16 165680 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2011-10-15 21:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    .
    ============= FINISH: 16:31:04.96 ===============

    Hopefully this one will be as easy to clean as my laptop.

    Thanks,
    Mike

#2  Senior Member (Join Date Sep 2010, Posts 631)

    Hi Mike T,

To make cleaning this machine easier:
• Please do not uninstall/install any programs unless asked to. It is more difficult when files/programs are appearing in/disappearing from the logs.
• Please do not run any scans other than those requested.
• Please follow all instructions in the order posted.
• All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, and uncheck Word Wrap if it is checked.
• Do not attach any logs/reports, etc. unless specifically requested to do so.
• If you have problems with or do not understand the instructions, please ask before continuing.
• Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

If you are asked to download Avast's definition database when using this next tool, please do so.

Download aswMBR.exe to your desktop.

Right click aswMBR.exe and click "Run as Administrator" to run it.

Click the "Scan" button to start the scan.

On completion of the scan click Save log, save it to your desktop and post it in your next reply.

There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.

    Please post back with
    • aswMBR log
    • mbr.zip (attached)
    Member of UNITE and ASAP

#3  Member (Join Date Nov 2009, Location California USA, Posts 65)

    Oldman,

I just got home from work and have moved a copy of aswMBR.exe to the infected computer via flash drive. I'll start the scan, hit the rack, and post the logs after I wake up.

The affected computer has been isolated and is not on my home network, so I can do all the scans etc. in an environment that isn't safe mode.

    Mike

#4  Member (Join Date Nov 2009, Location California USA, Posts 65)

    Oldman,

    Here is the aswMBR log and attached MBR.zip as requested.

    aswMBR version 0.9.9.1116 Copyright(c) 2011 AVAST Software
    Run date: 2011-12-28 03:48:40
    -----------------------------
    03:48:40.383 OS Version: Windows 6.0.6002 Service Pack 2
    03:48:40.383 Number of processors: 2 586 0xF02
    03:48:40.383 ComputerName: MIKE-PC UserName: Viki
    03:49:10.943 Initialize success
    03:51:01.640 AVAST engine defs: 11122800
    03:52:01.404 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    03:52:01.404 Disk 0 Vendor: ST325082 3.AD Size: 238418MB BusType: 3
    03:52:01.450 Disk 0 MBR read successfully
    03:52:01.450 Disk 0 MBR scan
    03:52:01.450 Disk 0 Windows VISTA default MBR code
    03:52:01.482 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
    03:52:01.497 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 98304
    03:52:01.513 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 228129 MB offset 21069824
    03:52:01.513 Disk 0 scanning sectors +488278016
    03:52:01.575 Disk 0 scanning C:\Windows\system32\drivers
    03:52:19.562 Service scanning
    03:52:21.387 Modules scanning
    03:52:28.906 Disk 0 trace - called modules:
    03:52:29.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
    03:52:29.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86807ac8]
    03:52:29.437 3 CLASSPNP.SYS[837ab8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85cf1030]
    03:52:30.279 AVAST engine scan C:\Windows
    03:52:39.343 AVAST engine scan C:\Windows\system32
    03:56:13.627 AVAST engine scan C:\Windows\system32\drivers
    03:56:27.012 AVAST engine scan C:\Users\Viki
    04:20:51.039 AVAST engine scan C:\ProgramData
    09:44:35.679 Scan finished successfully
    10:36:00.497 Disk 0 MBR has been saved successfully to "C:\Users\Viki\Desktop\MBR.dat"
    10:36:00.497 The log file has been saved successfully to "C:\Users\Viki\Desktop\aswMBR.txt"


    Mike
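aswMBR reads sector 0, prints the partition table it finds there, and then scans the sectors after the last partition (the `scanning sectors +488278016` line) because that unallocated tail is where bootkits commonly keep their payload. The MBR.dat it saved is that raw 512-byte sector and can be inspected offline with nothing but `struct`. The script below is an added example written for this page, not part of the thread or of aswMBR: it constructs a 512-byte MBR carrying the same three partition entries aswMBR printed (LBA starts 63, 98304 and 21069824, sizes from the MB figures), parses it back, checks the 0x55AA signature, boot flags, overlaps and disk bounds, and lists the unallocated sector ranges. The constructed boot code is zero-filled (the real Vista boot code is not reproduced), and the disk size is derived from aswMBR's `238418MB` at 2048 sectors per MB; both are assumptions marked in the code.

```python
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446
ENTRY_FMT = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, LBA start, sector count
SECTORS_PER_MB = 2048     # assumption: aswMBR's "MB" figures are 512-byte sectors / 2048


def build_sample_mbr():
    """Constructed MBR with the three entries aswMBR printed for Disk 0.
    Bytes 0-439 (boot code) are left zero; the real Vista boot code is not reproduced."""
    mbr = bytearray(SECTOR)
    parts = [
        # flag, type, LBA start, sector count
        (0x00, 0xDE, 63, 98304 - 63),                     # Dell Utility, runs up to partition 2
        (0x00, 0x07, 98304, 10240 * SECTORS_PER_MB),      # NTFS recovery, 10240 MB
        (0x80, 0x07, 21069824, 228129 * SECTORS_PER_MB),  # NTFS system, active, 228129 MB
    ]
    for i, (flag, ptype, start, count) in enumerate(parts):
        # CHS fields are irrelevant on an LBA disk; zero them.
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         flag, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty partition entries of a raw 512-byte MBR."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    table = []
    for i in range(4):
        flag, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue
        table.append({"index": i + 1, "flag": flag, "active": flag == 0x80,
                      "type": ptype, "start": start, "count": count, "end": start + count})
    return table


def check_mbr(mbr, disk_sectors):
    """Sanity-check the table and list sector ranges no partition claims."""
    table = parse_mbr(mbr)
    findings = []
    if sum(p["active"] for p in table) != 1:
        findings.append(f"expected exactly one active partition, found {sum(p['active'] for p in table)}")
    for p in table:
        if p["flag"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid boot flag 0x{p['flag']:02x}")
        if p["end"] > disk_sectors:
            findings.append(f"partition {p['index']}: ends at {p['end']}, beyond disk size {disk_sectors}")
    unallocated = []
    prev_end = 1                       # sector 0 is the MBR itself
    for p in sorted(table, key=lambda p: p["start"]):
        if p["start"] < prev_end:
            findings.append(f"partition {p['index']}: overlaps the previous partition")
        elif p["start"] > prev_end:
            unallocated.append((prev_end, p["start"]))
        prev_end = max(prev_end, p["end"])
    if disk_sectors > prev_end:
        unallocated.append((prev_end, disk_sectors))   # the tail aswMBR scans
    return {
        "table": table,
        "findings": findings,
        "unallocated": unallocated,
        # Hash of the boot code only (excludes the disk signature and the table),
        # for comparison with MBR.dat from a known-clean machine of the same OS.
        "bootcode_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
    }


if __name__ == "__main__":
    report = check_mbr(build_sample_mbr(), 238418 * SECTORS_PER_MB)
    for p in report["table"]:
        print(f"{p['index']} {'*' if p['active'] else ' '} type {p['type']:02X} "
              f"start {p['start']:>10} count {p['count']:>10} end {p['end']}")
    print("unallocated:", report["unallocated"])
    print("findings:", report["findings"] or "none")
```

Against a real capture, call `check_mbr(open("MBR.dat", "rb").read(), disk_sectors)` with the sector count taken from the disk itself rather than from the MB figure. For the table above the two unclaimed ranges are sectors 1 to 62 (the gap before the Dell Utility partition) and the roughly 1 MB tail after the system partition; both are worth dumping and hashing, and the boot code hash should match the one from a clean Vista install of the same service pack.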

#5  Senior Member (Join Date Sep 2010, Posts 631)

    Hi Mike T,

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
    • Right click on ComboFix.exe, click Run as Administrator & follow the prompts.


    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please post back with the combofix log.

    Thanks
    Member of UNITE and ASAP

#6  Member (Join Date Nov 2009, Location California USA, Posts 65)

    Good Day Oldman,

I got home from work at about 0400, transferred ComboFix to the affected computer and started running it; I waited until Stage 1 completed to be sure it was running. I went to bed expecting to post a log after waking up, but instead of a log I had a dialog box from ComboFix stating "ComboFix has detected rootkit activity and needs to reboot".

The system has been rebooted, and upon initialization ComboFix began running. Right now we have completed through Stage 3 and seem to be hanging on Stage 4, but it has only been on Stage 4 for about 10 minutes. Hopefully I will be able to post the log before I leave for work.

    Mike

#7  Member (Join Date Nov 2009, Location California USA, Posts 65)

Well, ComboFix ran fairly quickly this morning, in just under an hour.

    Here is the log.
    __________________________________

    ComboFix 11-12-29.01 - Viki 12/29/2011 10:33:47.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1404 [GMT -8:00]
    Running from: c:\users\Viki\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    c:\programdata\SPL184E.tmp
    c:\programdata\SPL36A6.tmp
    c:\programdata\SPL425D.tmp
    c:\programdata\SPL7BCF.tmp
    c:\programdata\SPL9972.tmp
    c:\programdata\SPL9CF1.tmp
    c:\programdata\SPLA20D.tmp
    c:\programdata\SPLD751.tmp
    c:\programdata\SPLF546.tmp
    c:\users\Michelle.Mike-PC\Desktop\Internet Explorer.lnk
    c:\windows\$NtUninstallKB33243$
    c:\windows\$NtUninstallKB33243$\1536496831
    c:\windows\$NtUninstallKB33243$\3126475649\@
    c:\windows\$NtUninstallKB33243$\3126475649\bckfg.tmp
    c:\windows\$NtUninstallKB33243$\3126475649\cfg.ini
    c:\windows\$NtUninstallKB33243$\3126475649\Desktop.ini
    c:\windows\$NtUninstallKB33243$\3126475649\keywords
    c:\windows\$NtUninstallKB33243$\3126475649\kwrd.dll
    c:\windows\$NtUninstallKB33243$\3126475649\L\qnbwvoto
    c:\windows\$NtUninstallKB33243$\3126475649\lsflt7.ver
    c:\windows\$NtUninstallKB33243$\3126475649\U\00000001.@
    c:\windows\$NtUninstallKB33243$\3126475649\U\00000002.@
    c:\windows\$NtUninstallKB33243$\3126475649\U\00000004.@
    c:\windows\$NtUninstallKB33243$\3126475649\U\80000000.@
    c:\windows\$NtUninstallKB33243$\3126475649\U\80000004.@
    c:\windows\$NtUninstallKB33243$\3126475649\U\80000032.@
    c:\windows\system32\drivers\etc\lmhosts
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\TEMP\AppData\Local\temp
    2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\TEMP.Mike-PC\AppData\Local\temp
    2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\TEMP.Mike-PC.016\AppData\Local\temp
    2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\TEMP.Mike-PC.015\AppData\Local\temp
    2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\TEMP.Mike-PC.001\AppData\Local\temp
    2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\TEMP.Mike-PC.000\AppData\Local\temp
    2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-12-29 19:10 . 2011-12-29 19:10 -------- d-----w- c:\users\Michelle.Mike-PC\AppData\Local\temp
    2011-12-29 19:09 . 2011-12-29 19:09 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
    2011-12-29 19:09 . 2011-12-29 19:09 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-29 19:09 . 2011-12-29 19:09 -------- d-----w- c:\users\Barbara.Mike-PC\AppData\Local\temp
    2011-12-29 19:09 . 2011-12-29 19:11 -------- d-----w- c:\users\Viki\AppData\Local\temp
    2011-12-29 19:09 . 2011-12-29 19:09 -------- d-----w- c:\users\Mike\AppData\Local\temp
    2011-12-29 19:09 . 2011-12-29 19:09 -------- d-----w- c:\users\Michelle\AppData\Local\temp
    2011-12-29 19:09 . 2011-12-29 19:09 -------- d-----w- c:\users\Barbara\AppData\Local\temp
    2011-12-24 02:02 . 2011-10-18 22:29 28760 ----a-w- c:\program files\Mozilla Firefox\ScriptFF.dll
    2011-12-24 01:02 . 2011-12-24 01:02 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-12-20 19:34 . 2011-12-20 19:34 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-12-20 19:34 . 2011-12-20 19:34 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    2011-12-20 19:34 . 2011-12-20 19:34 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-12-20 19:34 . 2011-12-20 19:34 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-12-20 19:34 . 2011-12-20 19:34 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-12-20 19:34 . 2011-12-20 19:34 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-12-20 19:34 . 2011-12-20 19:34 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-12-20 19:34 . 2011-12-20 19:34 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-12-20 02:52 . 2011-12-20 02:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-20 02:52 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-19 19:57 . 2011-12-19 19:58 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2011-12-19 19:33 . 2009-07-14 17:45 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
    2011-12-19 19:33 . 2009-07-14 17:45 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
    2011-12-18 08:59 . 2011-12-18 08:59 -------- d-----w- c:\program files\iPod
    2011-12-18 08:58 . 2011-12-18 09:01 -------- d-----w- c:\program files\iTunes
    2011-12-18 08:50 . 2011-12-18 08:50 -------- d-----w- c:\program files\Bonjour
    2011-12-18 08:43 . 2011-12-18 08:43 -------- d-----w- c:\program files\Apple Software Update
    2011-12-15 19:29 . 2011-12-15 19:31 -------- d-----w- c:\programdata\WinZip
    2011-12-13 19:56 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-13 19:56 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-13 19:56 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-13 19:56 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-12-13 19:56 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-12-13 19:56 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-13 19:56 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-22 00:02 . 2011-06-15 21:16 0 ----a-w- c:\windows\system32\drivers\dfsc.sys
    2011-11-27 19:29 . 2011-05-18 05:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-10 13:54 . 2011-11-27 19:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-24 22:29 . 2011-10-24 22:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 22:29 . 2011-10-24 22:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-15 21:16 . 2011-09-22 09:38 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-10-15 21:16 . 2010-04-26 10:43 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-10-15 21:16 . 2010-04-26 10:43 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-10-15 21:16 . 2010-04-26 10:43 64880 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2011-10-15 21:16 . 2010-04-26 10:43 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-10-15 21:16 . 2010-04-26 10:43 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-10-15 21:16 . 2010-04-26 10:43 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-10-15 21:16 . 2010-04-26 10:43 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-10-15 21:16 . 2010-04-26 10:43 165680 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2011-10-15 21:16 . 2010-04-26 10:43 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-12-20 19:34 . 2011-12-20 19:34 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-04-14 21:01 . 2010-04-28 15:23 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-12 446976]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-26 68856]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-08-19 17360520]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
    "NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
    "lxdumon.exe"="c:\program files\Lexmark 5600-6600 Series\lxdumon.exe" [2008-09-10 676520]
    "lxduamon"="c:\program files\Lexmark 5600-6600 Series\lxduamon.exe" [2008-09-10 16040]
    "Lexmark 5600-6600 Series Fax Server"="c:\program files\Lexmark 5600-6600 Series\fm3032.exe" [2008-09-10 311976]
    "SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13687328]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 92704]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-17 1318552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-03-17 1141144]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\users\Michelle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-12-8 111376]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\users\Viki\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Belkin Network USB Hub Control Center.lnk - c:\program files\Belkin\Network USB Hub Control Center\Connect.exe [N/A]
    Connect - Shortcut.lnk - c:\program files\Belkin\Network USB Hub Control Center\Connect.exe [N/A]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-19 45056]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-11-17 611144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [2010-03-22 152064]
    R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [2010-03-22 49152]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-10-15 57600]
    S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-08-01 45288]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 02:32]
    .
    2011-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 02:32]
    .
    2011-12-29 c:\windows\Tasks\User_Feed_Synchronization-{9D83C039-4455-43FE-9639-F72933194517}.job
    - c:\windows\system32\msfeedssync.exe [2011-12-23 23:46]
    .
    2011-12-29 c:\windows\Tasks\User_Feed_Synchronization-{B0136D5F-0293-42B0-A82F-F0BC3FA7D4F6}.job
    - c:\windows\system32\msfeedssync.exe [2011-12-23 23:46]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    LSP: c:\windows\system32\wpclsp.dll
    TCP: DhcpNameServer = 192.168.2.1
    FF - ProfilePath - c:\users\Viki\AppData\Roaming\Mozilla\Firefox\Profiles\geuuomh9.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
    HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-29 11:11
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="FirefoxHTML"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-12-29 11:17:31
    ComboFix-quarantined-files.txt 2011-12-29 19:17
    .
    Pre-Run: 111,366,881,280 bytes free
    Post-Run: 117,862,313,984 bytes free
    .
    - - End Of File - - F513352A60E0867774386F2318964145


    Patiently waiting for the next instructions.

    Thanks.

  8. #8
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi Mike T,

    The combofix log looks good. I think we got it.

    Click on the Start button > Control Panel

    Depending on your settings, either
    • click on the Uninstall a program option under the Programs category.
    • If you are using the Classic View of the Control Panel, then you would double-click on the Programs and Features icon instead.
    Uninstall the following program

    Java(TM) SE Runtime Environment 6

    Do not uninstall Java(TM) 6 Update 30


    Next

    Download TFC to your desktop
    • Close any open windows.
    • Right click the TFC icon and click "Run as Administrator" to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • If it doesn't, manually reboot to ensure a complete clean



    Next

    You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

    Open MBAM

    • Click the Update tab
    • Click Check for Updates
    • If an update is found, it will download and install the latest version.
    • The program will close to update and reopen.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



    One more to check for stragglers.

    As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.
    • Do not use this instance of your browser for anything besides doing this scan
    • When the scan is complete and the results saved, close that instance of your browser
    • Open a new one the usual way and post the results in this topic.


    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



    Go here to run an online scanner from
    ESET

    (Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
    • Click Scan.
    • Wait for the scan to finish.
    • When the scan completes, click List of found threats
    • click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
    • Include the contents of this report in your next reply

      Note - when ESET doesn't find any threats, no report will be created.
    • Push the back button.
    • Push Finish
    • Re-enable your Antivirus software.


    Please post back with
    • MBAM log
    • ESET log if one was produced
    How's the computer?
    Member of UNITE and ASAP

  9. #9
    Member
    Join Date
    Nov 2009
    Location
    California USA
    Posts
    65

    Default

    Good afternoon Oldman,

    I uninstalled the Java program and ran the TFC when I got home from work. That cleaned up a lot of temp files from all user accounts. After running that cleaner, nearly 8GB of hard drive space was freed up.

    I am currently running the ESET scan, but a log from that will be delayed. I was almost an hour into the scan when I had a power interruption and have had to restart the scan, maybe 20 minutes into the second scan now.

    I updated Malwarebytes and ran the quick scan, here is the log:

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2011.12.30.03

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Viki :: MIKE-PC [administrator]

    12/30/2011 11:52:28 AM
    mbam-log-2011-12-30 (11-52-28).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 354494
    Time elapsed: 12 minute(s), 53 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    While we're waiting for the ESET scan to complete, here are a couple of observations on how the computer is running today.

    Boot-up seems faster. After the initial symptoms of the infection I was getting notification that Windows has blocked a number of start-up programs; after cleaning I am still getting that message. When I open that dialog box I have the option of disabling or enabling the programs. My gut says that I can now enable all of the programs but didn't want to until I had the chance to ask.

    I also noticed while ESET was running, before the interruption, that the McAfee\Virusscan\quarantine files still number in the 100's of thousands. The second run of the scan is currently going through those files. This mass of files also causes a full Malwarebytes scan to take over 8 hours to complete. Any suggestions?

    As soon as ESET has completed I will post the results & log.

    Mike

  10. #10
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi Mike T,

    After the initial symptoms of the infection I was getting notification that Windows has blocked a number of start-up programs, after cleaning I am still getting that message. When I open that dialog box I have the option of disabling or enabling the programs.
    Would the message be from Windows Defender or UAC? Do you know the program names?

    After we are finished you can empty the McAfee quarantined folder. Seems like it's supposed to do that after 30 days on its own.

    Depending on the version of McAfee you have you should be able to use the steps to delete the files HERE or HERE

    I'll have a look at the ESET log when you post it. If everything seems ok we'll clean up the tools.
    Last edited by oldman960; 2011-12-30 at 23:50.
    Member of UNITE and ASAP
