Computer infected with AntivirusPro 2010

I think we're getting there. :D:

Please download OTM by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :processes
    explorer.exe
    
    :files
    c:\windows\xysewo._sy
    c:\windows\hufy.lib
    c:\docume~1\raymond\applic~1\uwudorexiq.dat
    c:\windows\system32\anawan._sy
    c:\program files\common files\exagim._sy
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your version of Java is outdated.

Please download JavaRa to your desktop and unzip it to its own folder.

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use ATF Cleaner to remove temp files, cookies, cache, etc.

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please download Malwarebytes' Anti-Malware from Here
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a DDS log.
 
During the running of OTM.exe

The system required a re-boot,
which is what is happening right now.

Unable to select and copy the info in the results window.
 
On re-boot, prompted for OTM.exe to run, clicked yes. File output below.
Spybot has detected a registry change and asking for a response.
Category: System Startup user entry
Changes: Value deleted
Entry: mserv

Should the change be allowed?
Then do I proceed with the update of Java?

Also, McAfee is not enabled.

I see that the Process Explorer was killed.
Task Manager wouldn't open to stop the 'Antiviruspro 2010' process.
I downloaded ProcessExplorer.exe, which allowed the 'Antiviruspro2010' process to be stopped.
Was this a malware program?


All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
c:\windows\xysewo._sy moved successfully.
c:\windows\hufy.lib moved successfully.
c:\docume~1\raymond\applic~1\uwudorexiq.dat moved successfully.
c:\windows\system32\anawan._sy moved successfully.
c:\program files\common files\exagim._sy moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Raymond
->Temp folder emptied: 143645 bytes
->Temporary Internet Files folder emptied: 3822006 bytes
->Java cache emptied: 13296141 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 316312 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 16.88 mb


OTM by OldTimer - Version 3.0.0.6 log created on 10052009_201227

Files moved on Reboot...

Registry entries deleted on Reboot...
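Added example (not part of the thread, and not OTM's own code): a small Python check that reads an OTM Results window back against the script it was given, so you can see at a glance that every path in the :files list was actually handled and whether anything was deferred to a reboot, which is the case in which the C:\_OTM\MovedFiles log has to be posted as well. The script and results text embedded below are copied from the posts above; the "File/Folder ... not found." wording is assumed from OTM's usual output and is not in this thread's log.

```python
import re

# OTM script as fed to the tool in the thread above (only the :files block is verified).
OTM_SCRIPT = r"""
:processes
explorer.exe

:files
c:\windows\xysewo._sy
c:\windows\hufy.lib
c:\docume~1\raymond\applic~1\uwudorexiq.dat
c:\windows\system32\anawan._sy
c:\program files\common files\exagim._sy

:commands
[purity]
[emptytemp]
[start explorer]
[reboot]
"""

# Excerpt of the Results window text posted above (abbreviated, same wording).
OTM_RESULTS = r"""
All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
c:\windows\xysewo._sy moved successfully.
c:\windows\hufy.lib moved successfully.
c:\docume~1\raymond\applic~1\uwudorexiq.dat moved successfully.
c:\windows\system32\anawan._sy moved successfully.
c:\program files\common files\exagim._sy moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 65536 bytes
"""

MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
SCHEDULED_RE = re.compile(
    r"^File (?:move|delete) failed\. (?P<path>.+?) scheduled to be (?:moved|deleted) on reboot\.$"
)
# Assumed OTM wording for a path that did not exist; not present in the thread's log.
NOT_FOUND_RE = re.compile(r"^File/Folder (?P<path>.+?) not found\.$")


def script_files(script):
    """Return the paths listed under the :files section of an OTM script."""
    files, in_files = [], False
    for line in script.splitlines():
        line = line.strip()
        if line.startswith(":"):
            in_files = line.lower() == ":files"
            continue
        if in_files and line:
            files.append(line)
    return files


def parse_results(text):
    """Classify every file-related line of OTM's Results window."""
    out = {"moved": [], "scheduled": [], "not_found": []}
    for line in text.splitlines():
        line = line.strip()
        if m := MOVED_RE.match(line):
            out["moved"].append(m["path"])
        elif m := SCHEDULED_RE.match(line):
            out["scheduled"].append(m["path"])
        elif m := NOT_FOUND_RE.match(line):
            out["not_found"].append(m["path"])
    return out


def verify_run(script, results):
    """Flag scripted targets OTM never reported on, and whether a reboot log is owed."""
    report = parse_results(results)
    # NTFS paths are case-insensitive, so compare lower-cased.
    handled = {p.lower() for p in report["moved"] + report["scheduled"] + report["not_found"]}
    report["missing"] = [p for p in script_files(script) if p.lower() not in handled]
    report["needs_reboot_log"] = bool(report["scheduled"])
    return report


if __name__ == "__main__":
    r = verify_run(OTM_SCRIPT, OTM_RESULTS)
    for key in ("moved", "scheduled", "not_found", "missing"):
        print(f"{key}: {len(r[key])}")
        for p in r[key]:
            print("    " + p)
    print("post the newest C:\\_OTM\\MovedFiles\\*.log after reboot:", r["needs_reboot_log"])
```

Anything under "missing" means OTM gave no verdict on that path at all (usually a typo in the script, or a locked file that was not scheduled), which is the case to go back and look at rather than moving on to the next step.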
 
On re-boot, prompted for OTM.exe to run, clicked yes. File output below.
Spybot has detected a registry change and asking for a response.
Category: System Startup user entry
Changes: Value deleted
Entry: mserv

Should the change be allowed?
Yes, that change that prompted Spybot should be allowed. It was actually made by combofix and was an orphaned malware entry.

Then do I proceed with the update of Java?
Yes, move on.

Also, McAfee is not enabled.
Can you enable it?

I see that the Process Explorer was killed.
Task Manager wouldn't open to stop the 'Antiviruspro 2010' process.
I downloaded ProcessExplorer.exe, which allowed the 'Antiviruspro2010' process to be stopped.
Was this a malware program?
When you say it was killed, what do you mean? No, it's not Malware. It's a great Sysinternals program that's like task manager on steroids.
 
Java has been installed. Although the number of choices doesn't make it easy.

Allowed all the registry changes.

However, at the end of it all, McAfee stopped what it suspected was a trojan.

Moving on to ATF Cleaner
 
Sounds like McAfee got it? If so great.

EDIT: Could have been in combofix quarantine, which we'll clean out at the end.
 
ATF Cleaner was successfully run.
Malwarebytes was successfully run. Log below.

McAfee warned of a registry change by Malwarebytes.
It was allowed.
3 detections by Malwarebytes were removed.
The computer is going to reboot.


Malwarebytes' Anti-Malware 1.41
Database version: 2911
Windows 5.1.2600 Service Pack 3

10/5/2009 9:51:57 PM
mbam-log-2009-10-05 (21-51-57).txt

Scan type: Quick Scan
Objects scanned: 99555
Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Raymond\Favorites\Online Pharmacy News diazepam buy ambien, xanax, valium online.url (Rogue.Link) -> Quarantined and deleted successfully.
 
Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/23/2008 12:52:59 PM
System Uptime: 10/5/2009 9:59:47 PM (1 hours ago)

Motherboard: Acer | | E946GZ
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Socket 775 | 3000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 147 GiB total, 64.68 GiB free.
D: is FIXED (FAT32) - 1 GiB total, 1.449 GiB free.
E: is FIXED (NTFS) - 466 GiB total, 347.149 GiB free.
F: is FIXED (NTFS) - 932 GiB total, 561.121 GiB free.
G: is CDROM ()
H: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP281: 10/5/2009 1:58:22 PM - System Checkpoint
RP282: 10/5/2009 9:14:36 PM - Removed Java(TM) 6 Update 10
RP283: 10/5/2009 9:14:54 PM - Installed Java(TM) 6 Update 16

==== Installed Programs ======================

AAC Decoder
Adobe Acrobat 7.0 Standard
Adobe Acrobat 7.1.0 Standard
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player 11.5
Apple Software Update
AutoUpdate
DING!
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
ERUNT 1.1j
H.264 Decoder
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Officejet Pro K550 Series
ImageMixer 3 SE for SD
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 16
LightScribe 1.4.74.1
Logitech iTouch Software
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Misc
MKV Splitter
Mozilla Thunderbird (2.0.0.23)
News Rover
NTI Backup NOW! 4
NTI CD & DVD-Maker
OCA Client history tool install
PowerDVD
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Spybot - Search & Destroy
The Works of W. Cleon Skousen Version 3.0.1
Toolbox
Trader Workstation 4.0
UGuide
Update for Windows XP (KB951072-v2)
VC80CRTRedist - 8.0.50727.762
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

9/30/2009 10:11:47 AM, error: Service Control Manager [7000] - The eLock2FSCTLDriver service failed to start due to the following error: The system cannot find the file specified.
9/30/2009 10:11:47 AM, error: Service Control Manager [7000] - The eLock2BurnerLockDriver service failed to start due to the following error: The system cannot find the file specified.
9/30/2009 10:11:03 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume .
9/28/2009 9:56:48 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.
10/5/2009 9:22:08 AM, error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: Access is denied.
10/5/2009 9:22:08 AM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
10/5/2009 8:12:28 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 2 time(s).
10/5/2009 8:12:28 PM, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 8:12:27 PM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 8:12:27 PM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 8:12:27 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 8:12:27 PM, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 1:58:00 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file 'KB912812' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
10/5/2009 1:51:29 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
10/5/2009 1:49:17 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 1:49:17 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 1:48:47 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.

==== End Of File ===========================
 
DDS.txt


DDS (Ver_09-09-29.01) - NTFSx86
Run by Raymond at 22:03:46.92 on Mon 10/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.599 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\igfxpers.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Raymond\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.kitco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [HPWUTOOLBOX] c:\program files\hp\hp officejet pro k550 series\toolbox\HPWUTBX.exe "-i"
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\raymond\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se for sd\CameraMonitor.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-24 214024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-24 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-24 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-24 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-24 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-24 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-24 40552]
S2 0143791254781135mcinstcleanup;McAfee Application Installer Cleanup (0143791254781135);c:\windows\temp\014379~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\014379~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\elock2burnerlockdriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\elock2fsctldriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-24 34248]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2009-10-05 21:41 <DIR> --d----- c:\docume~1\raymond\applic~1\Malwarebytes
2009-10-05 21:41 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-05 21:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-05 21:41 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-05 21:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-05 21:15 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-05 20:12 <DIR> --d----- C:\_OTM
2009-10-05 13:55 50,176 a------- c:\windows\system32\proquota.exe
2009-10-05 13:49 <DIR> a-dshr-- C:\cmdcons
2009-10-05 13:48 229,888 a------- c:\windows\PEV.exe
2009-10-05 13:48 161,792 a------- c:\windows\SWREG.exe
2009-10-05 13:48 98,816 a------- c:\windows\sed.exe
2009-10-05 13:42 <DIR> --d-h--- c:\windows\PIF
2009-10-04 20:13 <DIR> --d----- c:\program files\Temp
2009-10-04 20:12 <DIR> --d----- c:\program files\Ttemp
2009-10-03 15:56 <DIR> --d----- c:\program files\Trend Micro
2009-10-01 14:28 <DIR> --d----- c:\windows\SxsCaPendDel
2009-10-01 13:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-10-01 13:48 <DIR> --d----- c:\program files\common files\iS3
2009-10-01 13:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-10-01 13:11 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-10-05 21:14 411,368 a------- c:\windows\system32\deploytk.dll

============= FINISH: 22:04:14.31 ===============
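Added example, not from the thread and not part of DDS: a Python triage pass over the two DDS sections above. From the Attach.txt event list it pulls out the failures of the installed security product's services (Service Control Manager 7000 with "Access is denied", 7031/7034 unexpected terminations, DCOM 10005), and from the DDS.txt services list it collects registrations DDS marks with [?], meaning it could not find the file, and cross-references those against the 7000 "cannot find the file specified" errors so that leftover driver entries are separated from anything that needs attention. The event and service lines are copied from the logs above; the product tokens ("mcafee", "mcods") fit this machine and would be an assumption for any other.

```python
import re

EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")

# Tokens identifying the security product on this machine (assumption for other hosts).
SECURITY_TOKENS = ("mcafee", "mcods")

# Lines copied from the Attach.txt "Event Viewer Messages" section above.
ATTACH_EVENTS = """\
9/30/2009 10:11:47 AM, error: Service Control Manager [7000] - The eLock2FSCTLDriver service failed to start due to the following error: The system cannot find the file specified.
9/30/2009 10:11:47 AM, error: Service Control Manager [7000] - The eLock2BurnerLockDriver service failed to start due to the following error: The system cannot find the file specified.
10/5/2009 9:22:08 AM, error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: Access is denied.
10/5/2009 9:22:08 AM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
10/5/2009 8:12:28 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 2 time(s).
10/5/2009 8:12:28 PM, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 8:12:27 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 1:48:47 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
"""

# Lines copied from the DDS.txt "SERVICES / DRIVERS" section above.
DDS_SERVICES = r"""
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-24 214024]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-24 144704]
S2 0143791254781135mcinstcleanup;McAfee Application Installer Cleanup (0143791254781135);c:\windows\temp\014379~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\014379~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\elock2burnerlockdriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\elock2fsctldriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
"""


def parse_events(text):
    """Turn DDS event lines into dicts (ts, level, source, id, msg); skip anything else."""
    return [m.groupdict() for m in map(EVENT_RE.match, text.splitlines()) if m]


def security_product_events(events, tokens=SECURITY_TOKENS):
    """Events in which the security product's services died or could not be started."""
    findings = []
    for e in events:
        msg = e["msg"].lower()
        if not any(t in msg for t in tokens):
            continue
        if e["id"] in ("7031", "7034"):
            why = "terminated unexpectedly"
        elif e["id"] == "7000" and "access is denied" in msg:
            why = "blocked from starting (access denied)"
        elif e["id"] == "10005":
            why = "DCOM could not start it"
        else:
            continue
        findings.append((e["ts"], why, e["msg"]))
    return findings


def orphaned_services(text):
    """Service/driver registrations whose binary DDS could not find (trailing [?])."""
    names = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and m["rest"].rstrip().endswith("[?]"):
            names.append(m["name"])
    return names


def explained_start_failures(events, orphans):
    """7000 'cannot find the file' errors that an orphaned registration accounts for."""
    lowered = {n.lower() for n in orphans}
    out = []
    for e in events:
        if e["id"] != "7000" or "cannot find the file" not in e["msg"].lower():
            continue
        m = re.match(r"The (?P<svc>.+?) service failed to start", e["msg"])
        if m and m["svc"].lower() in lowered:
            out.append(m["svc"])
    return out


def triage(attach_events, dds_services):
    events = parse_events(attach_events)
    orphans = orphaned_services(dds_services)
    return {
        "security_product": security_product_events(events),
        "orphaned_services": orphans,
        "explained_start_failures": explained_start_failures(events, orphans),
    }


if __name__ == "__main__":
    r = triage(ATTACH_EVENTS, DDS_SERVICES)
    for ts, why, msg in r["security_product"]:
        print(f"{ts}  {why}: {msg[:70]}")
    print("orphaned registrations:", ", ".join(r["orphaned_services"]))
    print("start failures explained by orphans:", ", ".join(r["explained_start_failures"]))
```

Read the timestamps against the cleanup tools' own run times before drawing conclusions: the 8:12 PM McAfee terminations line up with the OTM run (its log is stamped 20:12:27 and C:\_OTM was created at 20:12), so those are the tool killing processes, while the 9:22 AM "Access is denied" predates the cleanup and fits the user's report that McAfee was not enabled. The eLock2 and rootrepeal entries are registrations whose files are gone and only generate the file-not-found errors; they are cleanup items, not signs of something still running.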
 
One more scan...hopefully.

I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans, so that there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


Please do a scan with Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition
    files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
    * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report. To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Animated tutorial
http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

(Note for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset it to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419

In your next reply post:
Kaspersky log
New DDS log taken after the above scan has run
 