Can't get valid Google Search results

C

cool2024

New member
Let me first say, you guys are great for helping us out. Thanks in advance for everything. Onto the issue ...

I stupidly went onto a site that is known for infecting computers and got infected with malware.

My McAfee AV detected that something was wrong and immediately rebooted my computer.

After reboot, I did a scan using McAfee and found 4 files in my Local Settings / Temporary Internet Files and Local Settings / Temp folder. I immediately delete the contents of the 2 folders.

Then I updated Spybot S&D and did a scan and it found a couple of items and removed them.

After that I rebooted again and whenever I go to google.com and do a search using Firefox, the malware returns some weird Google search results that aren't very useful.

Here is my DDS log, and thanks again.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 0:13:51.75 on Tue 08/10/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.368 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Prolific\One Button\OneBtn.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Chris\My Documents\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Lock Computer on Starup] rundll32.exe user32.dll, LockWorkStation
uRun: [Google Update] "c:\documents and settings\chris\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Prolific_OneButton] c:\program files\prolific\one button\OneBtn.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: En&queue current page with Bulk Image Downloader - file://c:\program files\bulk image downloader\iemenu\iebidqueue.htm
IE: Enqueue link target with Bulk Ima&ge Downloader - file://c:\program files\bulk image downloader\iemenu\iebidlinkqueue.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open &link target with Bulk Image Downloader - file://c:\program files\bulk image downloader\iemenu\iebidlink.htm
IE: Open current page with Bulk I&mage Downloader - file://c:\program files\bulk image downloader\iemenu\iebid.htm
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\progra~1\icq\ICQ.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\uexsl.dll
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\iqkv9dh5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.netvibes.com/#General
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\chris\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmnqmp07030901.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2005-9-16 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2005-9-16 5248]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-4-3 10112]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 214664]
R2 ETDrv;ETDrv;c:\windows\system32\drivers\ETDrv.sys [2004-4-4 151476]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-3-5 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-3-5 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-3-5 144704]
R2 TCPIP Pass-through Filter;TCPIP Pass-through Filter;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-3-5 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-5 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-5 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-3-5 40552]
R3 WMIBIOS;%WMIBIOS.ServiceName%;c:\windows\system32\drivers\wmibios.sys [2004-4-4 18272]
R3 WMIINFO;WMIINFO Driver;c:\windows\system32\drivers\wmiinfo.sys [2004-4-4 21184]
S1 atitray;atitray;\??\c:\program files\radeon omega drivers\v2.6.87\ati tray tools\atitray.sys --> c:\program files\radeon omega drivers\v2.6.87\ati tray tools\atitray.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-5 135664]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-3-5 34248]
S3 PDSched;PDScheduler;c:\program files\raxco\perfectdisk\PDSched.exe [2005-6-28 241731]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-3-4 223128]
S3 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-8 24652]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2010-08-09 21:18:53 8192 ----a-w- c:\windows\system32\uexsl.dll
2010-08-09 21:18:53 8192 ----a-w- c:\windows\system32\qxdqei.dll
2010-08-09 21:18:53 19456 ----a-w- c:\windows\system32\msippsth.dll
2010-08-09 21:18:15 0 d-----w- c:\docume~1\chris\applic~1\B4EDEAF43A12AE939F3D7AD57EDBA29E

==================== Find3M ====================

2010-07-15 22:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-26 07:24:48 99756 ----a-w- c:\windows\War3Unin.dat
2004-10-11 00:49:20 457 ----a-w- c:\program files\INSTALL.LOG

============= FINISH: 0:15:27.17 ===============
 
Hello and :welcome: to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

  • If you don't know or understand something please don't hesitate to ask
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Azureus

I'd like you to read this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

After that:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

Thanks peku006
 
Unfortunately my machine will no longer boot windows normally and is in an infinite loop of "We apologize for the inconvenience, but windows did not start normally" message -> Start Windows Normally -> Windows logo appears -> machine suddenly reboots -> "We apologize for the inconvenience, but windows did not start normally" message etc.

Steps taken:
I've uninstalled Azureus
Then I went ahead and downloaded Combofix
Then I disabled my McAfee, but i mistakenly disabled it until next reboot :oops:
Ran Combofix
ComboFix reboots machine
I get the "Machine has no Windows Recovery Console installed" message
I find out McAfee is still running and disable it
I click yes to install the "Windows Recovery Console"
ComboFix successfully installs Windows Recovery Console
ComboFix then displays the message:
Rootkit found
service: tcpip
c:\windows\system32\drivers\tcpip.sys
Restart required
Infinite restart loop

I'm thinking I would probably need a non-usb keyboard since it won't let me use the arrow keys to pick reboot in Safe Mode.

I don't know quite how to proceed. Thanks in advance.
 
Hi cool2024

I'm thinking I would probably need a non-usb keyboard since it won't let me use the arrow keys to pick reboot in Safe Mode
Click to expand...

Will this (Windows XP Advanced Options menu. ) sight after you've pressed the f8 key

pic1A.gif
 
Ok I got a hold of a ps/2 keyboard and am able to boot into safe mode. ComboFix is automatically running as i type. I will post the ComboFix log as soon as its done. Thanks again.
 
ComboFix has finished and has displayed a log file for me to save. Hooray!

Unfortunately my Internet connection is now broken. I looked at the ComboFix tutorial and found how to repair the connection but it still doesn't work.

When I goto Start -> Control Panel -> Network Connections -> Right Click Local Area Connection -> Click repair, there is an error message saying "Windows could not finish repairing the problem because the following action cannot be completed: Clearing the DNS cache".

Any ideas on how I can clear the cache?

I can post the ComboFix log later on tonight US West Coast time.

Thanks so much for you help Peku :bigthumb:
 
Hi cool2024

Let`s try this.........

Click Start> Run> type in CMD tap enter key
Copy/Paste: ipconfig /flushdns
(If you are typing this in, note the space between the g /f
It needs to be there.)

After that, Reboot.

How is your Internet Connection now ?
 
Ok, I went to Start -> Run -> typed cmd -> pressed Enter -> typed ipconfig /flushdns and the screen says that: "Windows IP Configuration Could not flush the DNS Resolver Cache: Function failed during execution."

Then I restarted the computer -> ran Firefox -> tried to go to google.com but Firefox says "Unable to connect".

What else can I do? Thanks again.
 
Here's the ComboFix log you asked for. Thanks again Peku

ComboFix 10-08-10.03 - Chris 08/11/2010 13:16:53.2.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.785 [GMT -7:00]
Running from: c:\documents and settings\Chris\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\daemon.dll
c:\windows\system32\6to4v32.dll
c:\windows\system32\msippsth.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_TCPIP_PASS-THROUGH_FILTER
-------\Legacy_WKSPATCH
-------\Legacy_ZESOFT
-------\Service_6to4
-------\Service_TCPIP Pass-through Filter


((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))
.

2010-08-10 20:22 . 2004-08-04 06:14 359040 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-10 06:59 . 2010-08-10 06:59 -------- d-----w- c:\program files\ERUNT
2010-08-09 21:18 . 2010-08-09 21:18 8192 ----a-w- c:\windows\system32\uexsl.dll
2010-08-09 21:18 . 2010-08-09 21:18 8192 ----a-w- c:\windows\system32\qxdqei.dll
2010-08-09 21:18 . 2010-08-09 21:18 -------- d-----w- c:\documents and settings\Chris\Application Data\B4EDEAF43A12AE939F3D7AD57EDBA29E
2010-07-15 20:41 . 2010-07-15 20:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 20:00 . 2004-04-08 08:44 -------- d-----w- c:\program files\Azureus
2010-08-10 00:53 . 2008-08-12 07:16 -------- d-----w- c:\program files\Whale Communications
2010-08-09 21:19 . 2010-08-09 21:18 1051136 ----a-w- c:\documents and settings\Chris\Application Data\B4EDEAF43A12AE939F3D7AD57EDBA29E\secureapp70700.exe
2010-08-05 07:09 . 2010-03-05 21:15 -------- d-----w- c:\program files\McAfee
2010-07-15 22:18 . 2010-03-05 21:16 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-06 15:39 . 2010-07-06 15:39 300384 ----a-w- c:\documents and settings\Chris\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2010-07-06 15:39 . 2010-07-06 15:39 300384 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Supportability\Content\MVT\XMLFiles\detect.dll
2010-07-06 15:38 . 2010-07-06 15:38 -------- d-----w- c:\documents and settings\Chris\Application Data\McAfee
2010-07-06 15:38 . 2010-03-05 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-07-06 13:04 . 2005-12-29 08:45 -------- d-----w- c:\documents and settings\Chris\Application Data\tunebite
2010-07-02 10:16 . 2007-07-11 01:13 -------- d-----w- c:\program files\Warcraft III
2010-06-26 07:24 . 2008-02-09 12:30 99756 ----a-w- c:\windows\War3Unin.dat
2010-06-02 06:30 . 2010-06-02 06:30 503808 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1117daa9-n\msvcp71.dll
2010-06-02 06:30 . 2010-06-02 06:30 499712 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1117daa9-n\jmc.dll
2010-06-02 06:30 . 2010-06-02 06:30 348160 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1117daa9-n\msvcr71.dll
2005-09-16 01:26 . 2004-10-10 02:00 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2007-06-22 01:38 . 2007-06-22 01:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-22 01:38 . 2007-06-22 01:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-22 01:38 . 2007-06-22 01:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-22 01:38 . 2007-06-22 01:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-22 01:39 . 2007-06-22 01:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-22 01:39 . 2007-06-22 01:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-22 01:39 . 2007-06-22 01:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-22 01:39 . 2007-06-22 01:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-22 01:40 . 2007-06-22 01:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lock Computer on Starup"="user32.dll" [2004-08-04 577024]
"Google Update"="c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-15 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-07-23 56832]
"Prolific_OneButton"="c:\program files\Prolific\One Button\OneBtn.exe" [2004-06-09 49152]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"AtiPTA"="atiptaxx.exe" [2006-02-22 344064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\documents and settings\Chris\My Documents\Shared\Mvs\s.html
FriendlyName=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-10-01 23:57 289576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-06 00:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 21:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IntuitUpdateService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [9/16/2005 12:21 AM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [9/16/2005 12:21 AM 5248]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [4/3/2004 11:13 AM 10112]
R2 ETDrv;ETDrv;c:\windows\system32\drivers\ETDrv.sys [4/4/2004 1:17 AM 151476]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/5/2010 2:20 PM 93320]
R3 WMIBIOS;%WMIBIOS.ServiceName%;c:\windows\system32\drivers\wmibios.sys [4/4/2004 1:01 AM 18272]
R3 WMIINFO;WMIINFO Driver;c:\windows\system32\drivers\wmiinfo.sys [4/4/2004 1:01 AM 21184]
S1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v2.6.87\ATI Tray Tools\atitray.sys --> c:\program files\Radeon Omega Drivers\v2.6.87\ATI Tray Tools\atitray.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/5/2010 12:16 AM 135664]
S3 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [6/28/2005 2:07 PM 241731]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [3/4/2006 7:25 PM 223128]
S3 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/8/2008 11:55 AM 24652]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/4/2006 7:21 PM 642560]
.
Contents of the 'Scheduled Tasks' folder

2010-07-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1409082233-839522115-1003Core.job
- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-15 05:22]

2010-08-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1409082233-839522115-1003UA.job
- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-15 05:22]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-05 20:22]

2010-03-05 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-05 20:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: En&queue current page with Bulk Image Downloader - file://c:\program files\Bulk Image Downloader\iemenu\iebidqueue.htm
IE: Enqueue link target with Bulk Ima&ge Downloader - file://c:\program files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open &link target with Bulk Image Downloader - file://c:\program files\Bulk Image Downloader\iemenu\iebidlink.htm
IE: Open current page with Bulk I&mage Downloader - file://c:\program files\Bulk Image Downloader\iemenu\iebid.htm
LSP: c:\windows\system32\uexsl.dll
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\iqkv9dh5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.netvibes.com/#General
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmnqmp07030901.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Symantec PIF AlertEng - c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
MSConfigStartUp-AtiTrayTools - c:\program files\Radeon Omega Drivers\v2.6.87\ATI Tray Tools\atitray.exe
MSConfigStartUp-nwiz - nwiz.exe
MSConfigStartUp-POEngine - c:\program files\PokerOffice\POEngine.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-ymetray - c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe
AddRemove-Active Ports - c:\windows\unvise32.exe
AddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE
AddRemove-NVIDIA Drivers - c:\windows\system32\nvudisp.exe
AddRemove-NVIDIA nForce Drivers - c:\windows\System32\NVUninst.exe
AddRemove-XPv3.8.252 - c:\windows\Radeon Omega Drivers v3.8.252
AddRemove-Serv-U - c:\progra~1\Serv-U\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-11 13:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x860E6EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76e6fc3
\Driver\ACPI -> ACPI.sys @ 0xf7513cb8
\Driver\atapi -> atapi.sys @ 0xf74a57b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577d44
ParseProcedure -> ntkrnlpa.exe @ 0x80576964
NDIS: Realtek RTL8169/8110 Family Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf739aba0
PacketIndicateHandler -> NDIS.sys @ 0xf7389a0b
SendHandler -> NDIS.sys @ 0xf739db31
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{057AFF8E-18BB-3F80-364CCC2831522BE6}\{99AD5AFA-2676-F639-545B2C570527D246}\{9515C81F-50C9-6ACD-17AF77618A15A8EB}*]
"63AUOURV1X6YIYB2ELIFO4LTRC1"=hex:01,00,01,00,00,00,00,00,87,da,ad,38,2b,26,f8,
c3,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0b1882f7-fa07-4f2b-9fdf-9c60a5a55847}]
@Denied: (Full) (Everyone)
"Model"=dword:000000fd
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):24,66,61,b0,0b,ed,9a,18,e0,09,da,bf,f1,6a,f3,5b,e2,0a,03,1d,15,
d6,fb,6e,74,2d,e7,4e,33,1e,71,3f,45,37,e7,9d,fa,64,86,51,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2012)
c:\program files\TortoiseCVS\TrtseShl.dll
c:\windows\system32\uexsl.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\windows\System32\inetsrv\inetinfo.exe
c:\progra~1\mcafee\msc\mcupdmgr.exe
.
**************************************************************************
.
Completion time: 2010-08-11 13:34:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-11 20:34
ComboFix2.txt 2007-11-06 09:12

Pre-Run: 7,686,260,736 bytes free
Post-Run: 11,105,719,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - C07D089E5DF9E378E9235ECFD2B245C5
 
Hi
What else can I do?
Click to expand...

Open Services...
Click Start-->Run, then type or copy and paste services.msc
Click OK or press the "enter" key. Next, please scroll down to and double click DNS Client ...Make sure startup type is set to "Automatic". Click "Apply" and "OK" your way out, then close Services . Reboot the computer to properly record those changes to the hard disk. When the system comes back up, try flushing the dns resolver cache again.

-------------------------------------------------------------------------------------------

Check files for Viruses
c:\windows\system32\uexsl.dll
c:\windows\system32\qxdqei.dll
Click to expand...
  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please

Please reply with

the Jotti/Virustotal results

description of any problems you are having with your PC

Thanks peku006
 
I did what you asked, went to Services.msc -> DNS Client -> changed startup type to "Automatic" -> clicked "Apply" and "OK" -> closed Services -> rebooted the computer -> went to cmd -> typed ipconfig /flushdns -> ran firefox -> still can't connect to internet.

I did manage to upload the 2 dlls to virustotal.com. Results are below:

uexsl.dll
Antivirus Version Last Update Result
AhnLab-V3 2010.08.14.00 2010.08.13 -
AntiVir 8.2.4.34 2010.08.13 -
Antiy-AVL 2.0.3.7 2010.08.11 -
Authentium 5.2.0.5 2010.08.13 -
Avast 4.8.1351.0 2010.08.13 -
Avast5 5.0.332.0 2010.08.13 -
AVG 9.0.0.851 2010.08.13 -
BitDefender 7.2 2010.08.14 -
CAT-QuickHeal 11.00 2010.08.13 -
ClamAV 0.96.0.3-git 2010.08.14 -
Comodo 5731 2010.08.14 ApplicUnsaf.Win32.Brih.a
DrWeb 5.0.2.03300 2010.08.14 Trojan.Click1.25301
Emsisoft 5.0.0.37 2010.08.14 -
eSafe 7.0.17.0 2010.08.12 -
eTrust-Vet 36.1.7790 2010.08.13 -
F-Prot 4.6.1.107 2010.08.13 -
F-Secure 9.0.15370.0 2010.08.14 -
Fortinet 4.1.143.0 2010.08.13 W32/Agent.OFJ!tr
GData 21 2010.08.14 -
Ikarus T3.1.1.88.0 2010.08.13 -
Jiangmin 13.0.900 2010.08.13 -
Kaspersky 7.0.0.125 2010.08.14 -
McAfee 5.400.0.1158 2010.08.14 Artemis!B3EFB184D576
McAfee-GW-Edition 2010.1 2010.08.14 Artemis!B3EFB184D576
Microsoft 1.6004 2010.08.13 -
NOD32 5365 2010.08.13 Win32/Agent.RNB
Norman 6.05.11 2010.08.13 -
nProtect 2010-08-13.01 2010.08.13 -
Panda 10.0.2.7 2010.08.13 -
PCTools 7.0.3.5 2010.08.14 -
Prevx 3.0 2010.08.14 High Risk Cloaked Malware
Rising 22.60.04.04 2010.08.13 -
Sophos 4.56.0 2010.08.14 Troj/Agent-OFJ
Sunbelt 6731 2010.08.14 Trojan.Win32.Browser-Winsock.Hijacker
SUPERAntiSpyware 4.40.0.1006 2010.08.13 -
Symantec 20101.1.1.7 2010.08.14 -
TheHacker 6.5.2.1.347 2010.08.14 -
TrendMicro 9.120.0.1004 2010.08.13 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.14 -
VBA32 3.12.14.0 2010.08.13 -
ViRobot 2010.8.9.3978 2010.08.13 -
VirusBuster 5.0.27.0 2010.08.13 -

MD5 : b3efb184d5762dabce4c0ac7b6e188bf
SHA1 : e6dc04c8c5a4965e093b9a96c219b998bb86e9b1
SHA256: 7d40af468b30ae2426063d3590ba215e8d10d3a12095fb5af9ba3dd884c5787a
ssdeep: 192:/wjHWy8YkntA5huI/2NLEFYjf+8AFup3e:4L7/kGXuI/aL5pu
File size : 8192 bytes
First seen: 2010-07-23 15:18:23
Last seen : 2010-08-14 01:34:43
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1410
timedatestamp....: 0x4C46F543 (Wed Jul 21 13:25:23 2010)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x12B2, 0x1400, 6.07, cb94cf75c209beb01a273ed5c7516c86
.rdata, 0x3000, 0x2FD, 0x400, 3.88, 0b75dd81c6aa12ea35fb354c4887ef81
.data, 0x4000, 0x78, 0x200, 0.31, f0f4f53dfd61aa2546d9fbcee5627038
.reloc, 0x5000, 0x130, 0x200, 2.93, a77c08f6b71b7d67beede025f13d8027

[[ 2 import(s) ]]
WS2_32.dll: WSCEnumProtocols, getnameinfo, -, -, WSCGetProviderPath
KERNEL32.dll: LoadLibraryW, ExpandEnvironmentStringsA, LoadLibraryA, LeaveCriticalSection, EnterCriticalSection, FindAtomA, DeleteCriticalSection, FreeLibrary, InitializeCriticalSection, WideCharToMultiByte, HeapAlloc, ExpandEnvironmentStringsW, HeapFree, GetProcAddress, GetLastError, HeapCreate

[[ 2 export(s) ]]
GetLspGuid, WSPStartup

qxdqei.dll
Antivirus Version Last Update Result
AhnLab-V3 2010.08.14.00 2010.08.13 -
AntiVir 8.2.4.34 2010.08.13 -
Antiy-AVL 2.0.3.7 2010.08.11 -
Authentium 5.2.0.5 2010.08.13 -
Avast 4.8.1351.0 2010.08.13 -
Avast5 5.0.332.0 2010.08.13 -
AVG 9.0.0.851 2010.08.13 -
BitDefender 7.2 2010.08.14 -
CAT-QuickHeal 11.00 2010.08.13 -
ClamAV 0.96.0.3-git 2010.08.14 -
Comodo 5731 2010.08.14 ApplicUnsaf.Win32.Brih.a
DrWeb 5.0.2.03300 2010.08.14 Trojan.Click1.25301
Emsisoft 5.0.0.37 2010.08.14 -
eSafe 7.0.17.0 2010.08.12 -
eTrust-Vet 36.1.7790 2010.08.13 -
F-Prot 4.6.1.107 2010.08.13 -
F-Secure 9.0.15370.0 2010.08.14 -
Fortinet 4.1.143.0 2010.08.13 W32/Agent.OFJ!tr
GData 21 2010.08.14 -
Ikarus T3.1.1.88.0 2010.08.13 -
Jiangmin 13.0.900 2010.08.13 -
Kaspersky 7.0.0.125 2010.08.14 -
McAfee 5.400.0.1158 2010.08.14 Artemis!B3EFB184D576
McAfee-GW-Edition 2010.1 2010.08.14 Artemis!B3EFB184D576
Microsoft 1.6004 2010.08.13 -
NOD32 5365 2010.08.13 Win32/Agent.RNB
Norman 6.05.11 2010.08.13 -
nProtect 2010-08-13.01 2010.08.13 -
Panda 10.0.2.7 2010.08.13 -
PCTools 7.0.3.5 2010.08.14 -
Prevx 3.0 2010.08.14 High Risk Cloaked Malware
Rising 22.60.04.04 2010.08.13 -
Sophos 4.56.0 2010.08.14 Troj/Agent-OFJ
Sunbelt 6731 2010.08.14 Trojan.Win32.Browser-Winsock.Hijacker
SUPERAntiSpyware 4.40.0.1006 2010.08.13 -
Symantec 20101.1.1.7 2010.08.14 -
TheHacker 6.5.2.1.347 2010.08.14 -
TrendMicro 9.120.0.1004 2010.08.13 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.14 -
VBA32 3.12.14.0 2010.08.13 -
ViRobot 2010.8.9.3978 2010.08.13 -
VirusBuster 5.0.27.0 2010.08.13 -

MD5 : b3efb184d5762dabce4c0ac7b6e188bf
SHA1 : e6dc04c8c5a4965e093b9a96c219b998bb86e9b1
SHA256: 7d40af468b30ae2426063d3590ba215e8d10d3a12095fb5af9ba3dd884c5787a
ssdeep: 192:/wjHWy8YkntA5huI/2NLEFYjf+8AFup3e:4L7/kGXuI/aL5pu
File size : 8192 bytes
First seen: 2010-07-23 15:18:23
Last seen : 2010-08-14 01:45:30
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1410
timedatestamp....: 0x4C46F543 (Wed Jul 21 13:25:23 2010)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x12B2, 0x1400, 6.07, cb94cf75c209beb01a273ed5c7516c86
.rdata, 0x3000, 0x2FD, 0x400, 3.88, 0b75dd81c6aa12ea35fb354c4887ef81
.data, 0x4000, 0x78, 0x200, 0.31, f0f4f53dfd61aa2546d9fbcee5627038
.reloc, 0x5000, 0x130, 0x200, 2.93, a77c08f6b71b7d67beede025f13d8027

[[ 2 import(s) ]]
WS2_32.dll: WSCEnumProtocols, getnameinfo, -, -, WSCGetProviderPath
KERNEL32.dll: LoadLibraryW, ExpandEnvironmentStringsA, LoadLibraryA, LeaveCriticalSection, EnterCriticalSection, FindAtomA, DeleteCriticalSection, FreeLibrary, InitializeCriticalSection, WideCharToMultiByte, HeapAlloc, ExpandEnvironmentStringsW, HeapFree, GetProcAddress, GetLastError, HeapCreate

[[ 2 export(s) ]]
GetLspGuid, WSPStartup
 
Is it a good idea to run these set of commands to get my internet working again?

ipconfig /release

ipconfig /flushdns

ipconfig /registerdns

ipconfig /renew

netsh winsock reset catalog

netsh int ip reset reset.log

netsh winsock reset

:thanks: again Peku
 
Hi cool2024
Is it a good idea to run these set of commands to get my internet working again?
Click to expand...
not yet.............

Please download LSPFix from http://www.cexx.org/lspfix.htm and Run the Program. Disconnect from the Internet and close all Internet Explorer Windows. Check the I know what I'm doing Button and place all listings of uexsl.dll into the remove section by clicking on the button that points to the right. When all instances of this dll are in the Remove section. Press the finish button. Then Reboot.

To see a tutorial on how to use this program click the link below:

Using LSP-Fix to remove LSP Spyware & Hijackers

Download OTM by Old Timer and save it to your Desktop.
  • Double-click OTM.exe to run it.
  • Paste the following code under the
    pasteline.png
    area. Do not include the word Code.
Code: 
:Files
c:\windows\system32\uexsl.dll
c:\windows\system32\qxdqei.dll
:Commands
[emptytemp]
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Push the large
    btnmoveit.png
    button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.

Thanks peku006
 
Hmm LSPFix doesn't have uexsl.dll in the Keep box and in the Remove box.

In the Keep box it lists: mswsock.dll tcpip, winrnr.dll ntds
In the Remove box it lists: rsvpsp.dll (Protocol Handler)

I have not clicked Finish.

Should I go ahead and run Oldtimer?

Thanks again Peku
 
Hi cool2024

Ok, continue with Oldtimer and run DDS again and post both logs

Thanks peku006
 
Hi Peku,

Here's the Old Timer and DDS logs you asked for. Thanks again Peku.

=========== Old Timer ==========

All processes killed
========== FILES ==========
DllUnregisterServer procedure not found in C:\windows\system32\uexsl.dll
C:\windows\system32\uexsl.dll moved successfully.
DllUnregisterServer procedure not found in C:\windows\system32\qxdqei.dll
C:\windows\system32\qxdqei.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Allison
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 3226919 bytes
->FireFox cache emptied: 54774978 bytes
->Flash cache emptied: 6316 bytes

User: Chris
->Temp folder emptied: 1903420 bytes
->Temporary Internet Files folder emptied: 3940898 bytes
->Java cache emptied: 44176839 bytes
->FireFox cache emptied: 36385401 bytes
->Google Chrome cache emptied: 110179034 bytes
->Flash cache emptied: 2227788 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Doris
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 200801 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 2084 bytes

User: Fred
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 23983 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 1399 bytes

User: Justin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 5443185 bytes
->Flash cache emptied: 348 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Nathan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 21888674 bytes
->Flash cache emptied: 731 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 2202 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 41544 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1524201 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 601559 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 273.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 08162010_083302

Files moved on Reboot...
File C:\WINDOWS\temp\mcmsc_TR53OcqQOovckcg not found!

Registry entries deleted on Reboot...


=========== DDS ==========


DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 13:24:24.57 on Mon 08/16/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.658 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Prolific\One Button\OneBtn.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Chris\My Documents\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Lock Computer on Starup] rundll32.exe user32.dll, LockWorkStation
uRun: [Google Update] "c:\documents and settings\chris\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Prolific_OneButton] c:\program files\prolific\one button\OneBtn.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [abdtffrd] c:\documents and settings\networkservice\local settings\application data\ojrlxyfih\bqjluoqshdw.exe
dRun: [Ibacihiciquci] rundll32.exe "c:\windows\JGI14fa.dll",Startup
dRun: [abdtffrd] c:\documents and settings\networkservice\local settings\application data\ojrlxyfih\bqjluoqshdw.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: En&queue current page with Bulk Image Downloader - file://c:\program files\bulk image downloader\iemenu\iebidqueue.htm
IE: Enqueue link target with Bulk Ima&ge Downloader - file://c:\program files\bulk image downloader\iemenu\iebidlinkqueue.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open &link target with Bulk Image Downloader - file://c:\program files\bulk image downloader\iemenu\iebidlink.htm
IE: Open current page with Bulk I&mage Downloader - file://c:\program files\bulk image downloader\iemenu\iebid.htm
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\progra~1\icq\ICQ.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\iqkv9dh5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.netvibes.com/#General
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\chris\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmnqmp07030901.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2005-9-16 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2005-9-16 5248]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-4-3 10112]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 214664]
R2 ETDrv;ETDrv;c:\windows\system32\drivers\ETDrv.sys [2004-4-4 151476]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-3-5 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-3-5 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-3-5 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-5 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-5 35272]
R3 WMIBIOS;%WMIBIOS.ServiceName%;c:\windows\system32\drivers\wmibios.sys [2004-4-4 18272]
R3 WMIINFO;WMIINFO Driver;c:\windows\system32\drivers\wmiinfo.sys [2004-4-4 21184]
S0 mgthop;mgthop;c:\windows\system32\drivers\mgthop.sys [2010-8-13 0]
S1 atitray;atitray;\??\c:\program files\radeon omega drivers\v2.6.87\ati tray tools\atitray.sys --> c:\program files\radeon omega drivers\v2.6.87\ati tray tools\atitray.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-5 135664]
S2 PEVSystemStart;PEVSystemStart;c:\combofix\PEV.cfxxe [2010-8-15 256512]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-3-5 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-3-5 40552]
S3 PDSched;PDScheduler;c:\program files\raxco\perfectdisk\PDSched.exe [2005-6-28 241731]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-3-4 223128]
S3 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-8 24652]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-3-5 606736]

=============== Created Last 30 ================

2010-08-16 15:33:02 0 d-----w- C:\_OTM
2010-08-15 17:58:52 98816 ----a-w- c:\windows\sed.exe
2010-08-15 17:58:52 77312 ----a-w- c:\windows\MBR.exe
2010-08-15 17:58:52 256512 ----a-w- c:\windows\PEV.exe
2010-08-15 17:58:52 161792 ----a-w- c:\windows\SWREG.exe
2010-08-15 17:58:43 0 d-s---w- C:\ComboFix
2010-08-14 01:35:42 0 ----a-w- c:\windows\system32\drivers\mgthop.sys
2010-08-14 01:35:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-08-10 20:22:45 359040 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-10 20:20:20 0 d-sha-r- C:\cmdcons
2010-08-10 20:16:07 77312 ----a-w- c:\windows\MBR.exe-old
2010-08-10 20:16:03 256512 ----a-w- c:\windows\PEV.exe-old
2010-08-10 20:16:03 161792 ----a-w- c:\windows\SWREG.exe-old
2010-08-10 20:16:02 98816 ----a-w- c:\windows\sed.exe-old
2010-08-09 21:18:15 0 d-----w- c:\docume~1\chris\applic~1\B4EDEAF43A12AE939F3D7AD57EDBA29E

==================== Find3M ====================

2010-07-15 22:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-26 07:24:48 99756 ----a-w- c:\windows\War3Unin.dat

============= FINISH: 13:25:08.70 ===============
 
Hi cool2024

  • Double-click OTM.exe to run it.
  • Paste the following code under the
    pasteline.png
    area. Do not include the word Code.
Code: 
:Files
c:\windows\JGI14fa.dll
c:\documents and settings\networkservice\local settings\application data\ojrlxyfih
c:\windows\system32\drivers\mgthop.sys 

:services
mgthop
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Push the large
    btnmoveit.png
    button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.

Thanks peku006
 
Here is the OTM log you asked for. Did you need a DDS log as well? Thanks Peku.

========== FILES ==========
DllUnregisterServer procedure not found in c:\windows\JGI14fa.dll
c:\windows\JGI14fa.dll moved successfully.
c:\documents and settings\networkservice\local settings\application data\ojrlxyfih folder moved successfully.
c:\windows\system32\drivers\mgthop.sys moved successfully.
========== SERVICES/DRIVERS ==========
Service mgthop stopped successfully!
Service mgthop deleted successfully!

OTM by OldTimer - Version 3.1.15.0 log created on 08172010_125502
 
Hi cool2024
Did you need a DDS log as well?
Click to expand...
not now....

1 - Download and Run Malwarebytes' Anti-Malware

Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
Please download Malwarebytes Anti-Malware and save it to your desktop. If needed...Tutorial w/screenshots
Alternate download sites available here or here.
  1. Make sure you are connected to the Internet.
  2. Double-click on mbam-setup.exe to install the application.
  3. When the installation begins, follow the prompts and do not make any changes to default settings.
  4. When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself.
    • Press the OK button to close that box and continue.
    • Problems downloading the updates? Manually download them from here and double-click on "mbam-rules.exe" to install.
On the Scanner tab:
  1. Make sure the "Perform full scan" option is selected.
  2. Then click on the Scan button.
  3. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  4. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  5. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  6. Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  1. Click on the Show Results button to see a list of any malware that was found.
  2. Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
    We will take care of the System Volume Information items later.
  3. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  4. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  5. Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2 - Status Check
Please reply with

the Malwarebytes' Anti-Malware Log
description of any problems you are having with your PC

Thanks peku006
 
Here's the MBAM log you asked for. Thanks again Peku.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4447

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

8/18/2010 9:59:38 PM
mbam-log-2010-08-18 (21-59-38).txt

Scan type: Full scan (C:\|)
Objects scanned: 370092
Time elapsed: 1 hour(s), 59 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\abdtffrd (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\Update\seupd.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\Application Data\B4EDEAF43A12AE939F3D7AD57EDBA29E\secureapp70700.exeold (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\My Documents\WinXP Cracks\XPsp1crk.exe (Spyware.Passwords) -> Not selected for removal.
C:\Documents and Settings\Chris\My Documents\Broder\Gazillionaire\FFF-ReflexV2.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chris\My Documents\Broder\Gazillionaire\FFF-ReflexV2.exe.bak (Trojan.Backdoor) -> Not selected for removal.
C:\Program Files\CryptLoad_1.0.4\ocr\netload.in\asmCaptcha\test.exe (Malware.Packer) -> Not selected for removal.
C:\Program Files\CryptLoad_1.0.4\ocr\rapidshare.com\asmCaptcha\test.exe (Malware.Packer) -> Not selected for removal.
C:\Program Files\CryptLoad_1.0.4\router\FRITZ!Box\nc.exe (PUP.KeyLogger) -> Not selected for removal.
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1041\A0264406.exe (Trojan.Backdoor) -> Not selected for removal.
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1041\A0265516.sys (Trojan.Agent.Gen) -> Not selected for removal.
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1044\A0265581.dll (Trojan.Agent) -> Not selected for removal.
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1044\A0266595.exe (Rogue.SecuritySuite) -> Not selected for removal.
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1044\A0266596.exe (Trojan.FakeAlert) -> Not selected for removal.
C:\System Volume Information\_restore{C016FDDC-8E3F-46B5-A836-CC563C4F2A7F}\RP1044\A0266614.sys (Trojan.Agent.Gen) -> Not selected for removal.
C:\_OTM\MovedFiles\08162010_083302\C_windows\system32\qxdqei.dll (LSP.Hijacker) -> Quarantined and deleted successfully.
C:\_OTM\MovedFiles\08162010_083302\C_windows\system32\uexsl.dll (LSP.Hijacker) -> Quarantined and deleted successfully.
C:\_OTM\MovedFiles\08172010_125502\c_documents and settings\networkservice\local settings\application data\ojrlxyfih\bqjluoqshdw.exe-old (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\_OTM\MovedFiles\08172010_125502\c_windows\JGI14fa.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
C:\ComboFix\Combo-Fix.sys (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
 
You must log in or register to reply here.
Back
Top