I have no experience dealing with viruses....my laptop crashed yesterday. I lost all my documents (I did have them backed up, so they are not completely lost)...I cannot do a system restore. I get the message that a file is corrupt and then the computer shuts down . I ran Mcafee, when it didn't work...I disabled Mcafee and ran Combofix. Here is the resulting log...
If anyone can help me with this, I would really appreciate it!
TIA! Charlene
ComboFix 09-08-27.01 - Charlene 08/27/2009 14:10.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.169 [GMT -4:00]
Running from: c:\documents and settings\Charlene.SHIRLEY1\My Documents\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\desktop
c:\windows\desktop\Instal~1.lnk
c:\windows\system32\autorun.ini
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\winhelp.ini
.
((((((((((((((((((((((((( Files Created from 2009-07-27 to 2009-08-27 )))))))))))))))))))))))))))))))
.
2009-08-27 17:36 . 2009-08-27 17:36 -------- d-----w- c:\documents and settings\Charlene.SHIRLEY1\Application Data\McAfee
2009-08-27 16:51 . 2009-08-27 16:51 -------- d-sh--w- c:\documents and settings\Charlene.SHIRLEY1\PrivacIE
2009-08-27 16:51 . 2009-08-27 16:51 -------- d-----w- c:\documents and settings\Charlene.SHIRLEY1\Application Data\Yahoo!
2009-08-27 16:51 . 2009-08-27 16:51 -------- d-----w- c:\documents and settings\Charlene.SHIRLEY1\Local Settings\Application Data\Google
2009-08-27 16:51 . 2009-08-27 16:51 -------- d-----w- c:\documents and settings\Charlene.SHIRLEY1\Application Data\Delicious IE Extension
2009-08-27 15:21 . 2009-08-27 15:21 140 ----a-w- c:\documents and settings\Charlene.SHIRLEY1\Local Settings\Application Data\fusioncache.dat
2009-08-27 15:21 . 2009-08-27 15:21 113848 ----a-w- c:\documents and settings\Charlene.SHIRLEY1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-27 15:21 . 2009-08-27 15:21 -------- d-----w- c:\documents and settings\Charlene.SHIRLEY1\Local Settings\Application Data\ApplicationHistory
2009-08-27 15:19 . 2009-08-27 15:19 -------- d-----w- c:\documents and settings\Charlene.SHIRLEY1\Local Settings\Application Data\Identities
2009-08-27 15:12 . 2009-08-27 15:12 -------- d-----w- c:\documents and settings\Charlene.SHIRLEY1\Local Settings\Application Data\AOL
2009-08-27 15:12 . 2009-08-27 15:12 -------- d-----w- c:\documents and settings\Charlene.SHIRLEY1\Local Settings\Application Data\Apple Computer
2009-08-27 15:12 . 2009-08-27 15:12 -------- d-----w- c:\documents and settings\Charlene.SHIRLEY1\Local Settings\Application Data\Fisher-Price
2009-08-27 15:07 . 2009-08-27 15:07 -------- d-----w- c:\documents and settings\TEMP
2009-08-26 23:16 . 2009-08-26 23:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-08-25 02:04 . 2009-08-25 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-08-24 02:26 . 2009-08-24 02:26 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-15 04:02 . 2009-08-15 04:02 -------- d-sh--w- C:\FOUND.000
2009-08-11 18:11 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-26 22:32 . 2004-08-04 02:39 8416 ----a-w- c:\windows\system32\drivers\aec.sys
2009-08-05 09:01 . 2004-08-04 09:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 09:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 09:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 09:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 09:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 09:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 09:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 09:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 09:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 09:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 19:03 . 2009-04-12 02:19 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2009-06-24 11:18 . 2004-08-04 09:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 09:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 09:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 09:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 09:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-04 09:00 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 09:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-04 09:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2006-08-20 18:13 . 2006-08-20 18:08 21290704 ----a-w- c:\program files\AdbeRdr708_en_US.exe
2006-08-20 18:08 . 2006-08-20 18:06 7050552 ----a-w- c:\program files\psa30se_en_us.exe
2006-08-20 18:06 . 2006-08-20 18:06 762512 ----a-w- c:\program files\ytb612_efgsip.exe
.
------- Sigcheck -------
[-] 2009-08-26 22:32 8416 D4533785ED70D50CA44E9659F607E01C c:\windows\system32\drivers\aec.sys
[-] 2006-02-15 00:30 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[7] 2004-08-04 02:39 142464 841F385C6CFAF66B58FBD898722BB4F0 c:\windows\$NtUninstallKB900485$\aec.sys
[-] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\$NtServicePackUninstall$\aec.sys
[7] 2008-04-13 16:39 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\ServicePackFiles\i386\aec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-06-24 19:03 2835256 ----a-w- c:\program files\MozyHome\mozyshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-06-24 19:03 2835256 ----a-w- c:\program files\MozyHome\mozyshell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-05-18 160592]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-29 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-10-26 212992]
"ePowerManagement"="c:\acer\ePM\ePM.exe" [2005-10-26 2889728]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 94208]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-06-06 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-07-25 81920]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2005-10-31 385024]
"Net-It Launcher"="c:\windows\system32\NILaunch.exe" [1998-02-05 24576]
"\\DCDSFV21\EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-27 99840]
"Auto EPSON Stylus CX5400 on DCDSFV21"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-27 99840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-29 185896]
"HostManager"="c:\program files\Common Files\AOL\1180574891\ee\AOLSoftware.exe" [2006-09-26 50736]
"eligmini"="c:\program files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe" [2008-09-03 487424]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-15 77824]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
ACS.lnk - c:\windows\system32\ACS.BAT [2006-8-16 28]
D-Link AirPlus Xtreme G Configuration Utility.lnk - c:\program files\D-Link AirPlus Xtreme G\AirPlus.exe [2006-8-16 544866]
D-Link REG Utility.lnk - c:\program files\D-Link AirPlus Xtreme G\Reg.exe [2006-8-16 24576]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-6-24 2876216]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1180574891\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [4/11/2009 10:19 PM 54776]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/22/2009 1:14 PM 266240]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/2/2008 8:45 AM 210216]
S1 mailKmd;mailKmd; [x]
S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [8/7/2006 7:09 AM 2343]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-02 17:32]
2009-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-02 17:32]
2008-07-01 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX1000_exe.job
- c:\windows\vVX1000.exe [2008-07-01 21:46]
2009-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-08-27 c:\windows\Tasks\User_Feed_Synchronization-{0F2452D3-C5AF-46C2-AC31-6181A07EA9EE}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-27 14:28
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\TEMP\MCE001d6\feapp.da.tĺ 2072281088 bytes
c:\windows\TEMP\MCE001d6\c:\windows\TEMP\MCE001d6\
scan completed successfully
hidden files: 3
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(616)
c:\windows\system32\WININET.dll
.
Completion time: 2009-08-27 14:35
ComboFix-quarantined-files.txt 2009-08-27 18:35
Pre-Run: 8,085,323,776 bytes free
Post-Run: 8,185,446,400 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
211 --- E O F --- 2009-08-26 07:00