Unable to update McAfee, Google redirection


This topic is locked

#16 Beagle Pup (Topic Starter)
Hi again SweetTech

Managed to run ComboFix without having to install the Microsoft Windows Recovery Console and now post the results of the scan:-

ComboFix 10-11-17.04 - NIGEL 20/11/2010 16:06:54.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2047.1258 [GMT 0:00]
Running from: J:\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\JEAN\Application Data\Izixe
c:\documents and settings\JEAN\Application Data\Izixe\soupo.hov
c:\documents and settings\JEAN\Application Data\Izixe\soupo.tmp
c:\documents and settings\JEAN\Local Settings\Application Data\{47CAE5D7-4D78-4077-AFF2-9340A5C27673}
c:\documents and settings\JEAN\Local Settings\Application Data\{47CAE5D7-4D78-4077-AFF2-9340A5C27673}\chrome\content\_cfg.js
c:\documents and settings\JEAN\Local Settings\Application Data\{47CAE5D7-4D78-4077-AFF2-9340A5C27673}\chrome\content\overlay.xul
c:\documents and settings\JEAN\Local Settings\Application Data\{47CAE5D7-4D78-4077-AFF2-9340A5C27673}\install.rdf
c:\documents and settings\NIGEL\.COMMgr
c:\documents and settings\NIGEL\GoToAssistDownloadHelper.exe
c:\documents and settings\NIGEL\Local Settings\Application Data\{44C18674-B5A8-482B-8CE3-C3C4A8C2C94A}
c:\documents and settings\NIGEL\Local Settings\Application Data\{44C18674-B5A8-482B-8CE3-C3C4A8C2C94A}\chrome.manifest
c:\documents and settings\NIGEL\Local Settings\Application Data\{44C18674-B5A8-482B-8CE3-C3C4A8C2C94A}\chrome\content\_cfg.js
c:\documents and settings\NIGEL\Local Settings\Application Data\{44C18674-B5A8-482B-8CE3-C3C4A8C2C94A}\chrome\content\overlay.xul
c:\documents and settings\NIGEL\Local Settings\Application Data\{44C18674-B5A8-482B-8CE3-C3C4A8C2C94A}\install.rdf
c:\documents and settings\NIGEL\My Documents\cc_20101028_170437.reg
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Internet Explorer\SET19.tmp
c:\program files\Internet Explorer\SET1A.tmp
c:\program files\Internet Explorer\SET1B.tmp
c:\program files\Internet Explorer\SET426.tmp
c:\program files\Internet Explorer\SET427.tmp
c:\program files\Internet Explorer\SET428.tmp
c:\program files\Internet Explorer\SET92.tmp
c:\program files\Internet Explorer\SET93.tmp
c:\program files\Internet Explorer\SET94.tmp
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\ST6UNST.000

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-10-20 to 2010-11-20 )))))))))))))))))))))))))))))))
.

2010-11-01 18:07 . 2010-11-01 18:07 -------- d-----w- C:\_OTL
2010-10-31 11:42 . 2010-10-31 11:42 -------- d-----w- c:\documents and settings\NIGEL\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-10 16:39 . 2008-05-28 15:30 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-11-03 21:06 . 2010-10-19 16:16 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-11 14:16 . 2010-09-11 14:16 213504 ----a-w- c:\windows\Zvoxea.exe
2010-08-24 13:57 . 2010-01-05 18:04 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-24 13:57 . 2009-07-08 12:44 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
.

------- Sigcheck -------

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
[-] 2006-02-28 . 57BF20A3977F07049EBBB9FB87D40BA5 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[-] 2007-06-13 . 6BDBD88586BCB185C8CD4758DEF214FD . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2006-02-28 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3B419EE1-1FA8-47B9-9AEC-6B60AC2E3FCA}"= "c:\program files\Torrents-Search-Engine\tbTor1.dll" [2010-02-21 2349080]

[HKEY_CLASSES_ROOT\clsid\{3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-01-24 17:10 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-01-24 17:10 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-01-24 17:10 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-05 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"Google Update"="c:\documents and settings\NIGEL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-31 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-01-30 91432]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"HostManager"="c:\program files\Common Files\AOL\1211986260\ee\AOLSoftware.exe" [2006-09-26 50736]
"Profiler"="c:\program files\Saitek\Software\Profiler.exe" [2004-01-28 159744]
"SaiSmart"="c:\program files\Saitek\Software\SaiSmart.exe" [2004-01-28 98304]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-09-19 333120]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-09 17021440]
"4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-03-19 632048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-24 1193848]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-06 202256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2008-5-28 156784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantBurn]
2007-06-04 17:24 599600 ----a-w- c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-10-11 11:06 62760 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2006-08-17 12:45 249856 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2007-08-09 12:17 2503976 ----a-w- c:\program files\CyberLink\Power2Go\Power2GoExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-01-22 13:23 81920 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Common Files\\AOL\\1211986260\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Zattoo\\zattood.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/09/2010 19:32 64288]
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [30/04/2008 15:00 16048]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [05/02/2010 16:00 54776]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [30/04/2008 15:00 162096]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/08/2010 12:15 1375992]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [05/02/2010 16:00 88176]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [05/02/2010 15:59 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [05/02/2010 15:59 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [05/02/2010 15:59 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [05/02/2010 15:59 141792]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [22/05/2008 13:38 38656]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [05/02/2010 15:59 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [05/02/2010 15:59 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [05/02/2010 15:59 88480]
R3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [28/05/2008 15:27 55808]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys --> c:\windows\system32\drivers\mfetdi2k.sys [?]
S2 gupdate1c98c6ec92d4c10;Google Update Service (gupdate1c98c6ec92d4c10);c:\program files\Google\Update\GoogleUpdate.exe [11/02/2009 17:32 133104]
S3 Just Flight Limited License Service;Just Flight Limited License Service;c:\program files\Common Files\Just Flight Limited Shared\Service\JustFlightLimitedLicSvc.exe [20/06/2009 20:28 69632]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/08/2010 12:15 15264]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [05/02/2010 15:59 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [05/02/2010 15:59 83496]
S3 nenum13E;nenum13E;\??\c:\docume~1\NIGEL\LOCALS~1\Temp\nenum13E.sys --> c:\docume~1\NIGEL\LOCALS~1\Temp\nenum13E.sys [?]
S4 0126371281191039mcinstcleanup;McAfee Application Installer Cleanup (0126371281191039);c:\windows\TEMP\012637~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\012637~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S4 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [24/01/2010 17:10 229688]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-11-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 19:08]

2010-08-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 17:32]

2010-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 17:32]

2010-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2689334666-3409229528-900351719-1005Core.job
- c:\documents and settings\NIGEL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-31 11:42]

2010-11-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2689334666-3409229528-900351719-1005UA.job
- c:\documents and settings\NIGEL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-31 11:42]

2009-03-21 c:\windows\Tasks\ParetoLogic Update.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2007-09-19 00:55]

2010-11-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2689334666-3409229528-900351719-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-11-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2689334666-3409229528-900351719-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-11-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2689334666-3409229528-900351719-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-11-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2689334666-3409229528-900351719-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-09-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2689334666-3409229528-900351719-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-09-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2689334666-3409229528-900351719-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-11-20 c:\windows\Tasks\User_Feed_Synchronization-{D9B3A1E6-7A73-4E80-8E3F-13AC2AFCDC3B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.bbc.co.uk
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-Ejiqoxoyi - c:\windows\sfmsapr.dll
MSConfigStartUp-Tzeqaxuwibiqore - c:\windows\okajepop.dll
MSConfigStartUp-{97884004-7E03-796B-F1BF-50328496B136} - c:\documents and settings\JEAN\Application Data\Agozk\ynqe.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-20 16:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\sqlite_SzypCnGDgipJLre 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Portrait Displays\DisplayTune\HPW\CNN81202C7]
@DACL=(02 0000)
"Analog Caps"="(prot(monitor)type(LCD)model(W2007)cmds(01 02 03 07 0C 4E F3 E3)vcp(02 04 05 06 08 0B 0C 0E 10 12 14(01 05 08 0B) 16 18 1A 1E 1F 20 30 3E 52 60(01 03) 62 6C 6E 70 8D AC AE B2 B6 C0 C6 C8 C9 CA CC(01 02 03 04 05 06 0A 13) D6(01 04 05) DC(00 02 03 04 05) DF FF)mswhql(1)mccs_ver(2.1)asset_eep(32)mpu_ver(1.02))"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1140)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3488)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\Common Files\AOL\ACS\WLHook.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\common files\aol\1211986260\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-11-20 16:33:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-20 16:33

Pre-Run: 257,684,258,816 bytes free
Post-Run: 261,136,351,232 bytes free

- - End Of File - - A011FBC0F8BC35D6D36A712AA0811257


IE 8 now seems to work satisfactorily without any redirection and I have managed to uninstall/reinstall Google Chrome so that this is now working. McAfee still persisted in failing to update so I uninstalled and reinstalled this and McAfee appears now to be up to date, so I cannot yet test whether updating works!

I have had requests coming up from time to time to run a DLL as an App. These are on C:\WINDOWS\System32\rundll32.exe and C:\WINDOWS\system32\ieframe.dll, OpenURL %1. I have refused these and they continue to persist - should they be accepted?

I look forward to hearing from you.
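Added example, not part of the thread and not ComboFix's own code: a small triage script over lines copied from the log above. It does two things a helper otherwise does by eye. First it flags R*/S* service and driver entries whose image path sits in a temp directory or whose file is missing on disk (ComboFix prints a trailing "[?]" for those), which is what makes nenum13E.sys and the mcinstcleanup entry stand out. Second, for each file the Sigcheck section marks "[-]" it looks for a copy with the same file version that ComboFix marks "[7]", which is how a restore source such as the $hf_mig$ copy of explorer.exe is chosen. Treating "[-]" as "hash not recognised" and "[7]" as "hash recognised as a legitimate build" is an assumption about ComboFix's notation; the log subset is constructed from the post.

```python
"""Triage of a ComboFix log excerpt (added example; not ComboFix code).

flag_services():               R*/S* entries whose image lives in a temp
                               directory or is missing on disk ("[?]").
sigcheck_restore_candidates(): for each "[-]" (unrecognised hash) file, a
                               "[7]" (assumed recognised) copy with the same
                               file version, usable as a restore source.
"""
import re
from collections import defaultdict

# Lines copied from the ComboFix log in the post above (subset constructed here).
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/09/2010 19:32 64288]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys --> c:\windows\system32\drivers\mfetdi2k.sys [?]
S3 nenum13E;nenum13E;\??\c:\docume~1\NIGEL\LOCALS~1\Temp\nenum13E.sys --> c:\docume~1\NIGEL\LOCALS~1\Temp\nenum13E.sys [?]
S4 0126371281191039mcinstcleanup;McAfee Application Installer Cleanup (0126371281191039);c:\windows\TEMP\012637~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\012637~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
[-] 2006-02-28 . 57BF20A3977F07049EBBB9FB87D40BA5 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2007-06-13 . 6BDBD88586BCB185C8CD4758DEF214FD . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2006-02-28 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
"""

# "R0 name;description;image path [date size]"  or  "... --> path [?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# "[-] date . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(.)\]\s+(\d{4}-\d{2}-\d{2})\s+\.\s+([0-9A-Fa-f]{32})\s+\.\s+(\d+)"
    r"\s+\.\s+\.\s+\[([^\]]+)\]\s+\.\s+\.\s+(.+?)\s*$"
)


def flag_services(log_text):
    """Return {service name: [reasons]} for entries that deserve a second look."""
    findings = {}
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        _start_type, name, _desc, image = m.groups()
        reasons = []
        if "\\temp\\" in image.lower():          # %TEMP% or c:\windows\TEMP
            reasons.append("image path under a temp directory")
        if image.rstrip().endswith("[?]"):       # ComboFix: file not on disk
            reasons.append("image file not found on disk")
        if reasons:
            findings[name] = reasons
    return findings


def sigcheck_restore_candidates(log_text):
    """Map each '[-]' file path to a '[7]' copy with the same version, or None."""
    by_basename = defaultdict(list)
    for line in log_text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        status, _date, md5, size, version, path = m.groups()
        by_basename[path.rsplit("\\", 1)[-1].lower()].append(
            {"status": status, "md5": md5.upper(), "size": int(size),
             "version": version, "path": path})
    result = {}
    for entries in by_basename.values():
        known_good = [e for e in entries if e["status"] == "7"]
        for bad in (e for e in entries if e["status"] == "-"):
            same_version = [g for g in known_good if g["version"] == bad["version"]]
            result[bad["path"]] = same_version[0]["path"] if same_version else None
    return result


if __name__ == "__main__":
    for name, reasons in flag_services(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
    for bad, good in sigcheck_restore_candidates(SAMPLE_LOG).items():
        print(f"{bad} -> restore from {good or 'no matching copy in log'}")
```

Run against the sample, winlogon.exe gets no candidate because every other copy in the log is a different build (5.1.2600.5512 in SoftwareDistribution), which is why the CFScript later asks for SRPeek:: on it rather than an FCopy::.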



#17 SweetTech (Retired Staff)
Looking over your log right now, and we do have some additional work to do. I'll have instructions for you shortly.

#18 SweetTech (Retired Staff)
Hello,

Do you recognize this file?

c:\windows\TEMP\sqlite_SzypCnGDgipJLre


ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
File::
c:\windows\Zvoxea.exe
c:\docume~1\NIGEL\LOCALS~1\Temp\nenum13E.sys
c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service

Driver::
nenum13E
0126371281191039mcinstcleanup

SRPeek::
c:\windows\system32\winlogon.exe

FCopy::
c:\windows\$NtUninstallKB938828$\explorer.exe | c:\windows\explorer.exe

Suspect::[100]
c:\windows\TEMP\sqlite_SzypCnGDgipJLre

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
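Added example, not from the thread and not part of ComboFix or Malwarebytes: a scanner for the persistence mechanism behind the items ComboFix deleted in post #16. Those {GUID} folders under Local Settings\Application Data held install.rdf, chrome.manifest and chrome\content\overlay.xul, which is the on-disk layout of a Firefox add-on; an add-on loaded from a folder like that is a common way a search redirector keeps working after the browser itself is reinstalled. The script walks a profile tree, reports GUID-named folders with that layout, reads the add-on id out of install.rdf, and skips a profile's own extensions directory as the normal location. The sample tree it builds is constructed; the first GUID is the one from the log, the second is made up, and the add-on id "redirector@example.invalid" is an invented value.

```python
r"""Find Firefox add-on folders dropped outside a Firefox profile.

Added example (not ComboFix code).  Flags GUID-named folders that contain
install.rdf and chrome\content\overlay.xul, the add-on layout seen in the
"Other Deletions" section of the log, unless they sit under a profile's own
"extensions" directory.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Both files must be present for a folder to count as an add-on.
MARKERS = ("install.rdf", os.path.join("chrome", "content", "overlay.xul"))


def extension_id(install_rdf):
    """Best-effort read of <em:id> from install.rdf; None if absent or unreadable."""
    try:
        root = ET.parse(install_rdf).getroot()
    except (ET.ParseError, OSError):
        return None
    for el in root.iter():                       # namespaced tag: "{...em-rdf#}id"
        if el.tag.endswith("}id") or el.tag == "id":
            return (el.text or "").strip() or None
    return None


def find_dropped_extensions(root_dir):
    """Return sorted [(folder, add-on id)] for add-on-shaped GUID folders that
    are not inside a profile's 'extensions' directory."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root_dir):
        if "extensions" in {p.lower() for p in dirpath.split(os.sep)}:
            continue                             # normal location, not a drop
        for name in dirnames:
            folder = os.path.join(dirpath, name)
            if GUID_DIR.match(name) and all(
                    os.path.isfile(os.path.join(folder, m)) for m in MARKERS):
                hits.append((folder, extension_id(os.path.join(folder, "install.rdf"))))
    return sorted(hits)


# Constructed install manifest; the id is an invented value.
INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>redirector@example.invalid</em:id>
    <em:name>Search Helper</em:name>
  </Description>
</RDF>
"""


def _drop(base, *parts, content=""):
    """Create a file (and its parents) under base."""
    path = os.path.join(base, *parts)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def build_sample_tree():
    """Constructed profile tree: one dropped add-on under Local Settings /
    Application Data (GUID taken from the log), one legitimate add-on inside a
    Firefox profile, and one GUID folder that lacks the add-on layout."""
    base = tempfile.mkdtemp(prefix="profile_")
    dropped = "{44C18674-B5A8-482B-8CE3-C3C4A8C2C94A}"   # from the log above
    legit = "{00000000-1111-2222-3333-444444444444}"     # made up
    la = ("Local Settings", "Application Data")
    _drop(base, *la, dropped, "install.rdf", content=INSTALL_RDF)
    _drop(base, *la, dropped, "chrome.manifest")
    _drop(base, *la, dropped, "chrome", "content", "overlay.xul")
    prof = ("Application Data", "Mozilla", "Firefox", "Profiles", "abc.default", "extensions")
    _drop(base, *prof, legit, "install.rdf", content=INSTALL_RDF)
    _drop(base, *prof, legit, "chrome", "content", "overlay.xul")
    _drop(base, *la, "{47CAE5D7-4D78-4077-AFF2-9340A5C27673}", "cache.dat")
    return base


if __name__ == "__main__":
    for folder, addon_id in find_dropped_extensions(build_sample_tree()):
        print(f"{folder}  id={addon_id}")
```

On a real machine point find_dropped_extensions() at each user's profile root (c:\documents and settings\<user>); a hit is only a lead, and the registry key that points Firefox at the folder still has to be found and removed, which is the part the ComboFix run above did.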

#19 Beagle Pup (Topic Starter)
Hi SweetTech

No, I don't recognise that file! I'll try as you've suggested and will come back to you.

Many thanks

#20 SweetTech (Retired Staff)
Okay

#21 Beagle Pup (Topic Starter)
Hi SweetTech

I now post the results of ComboFix and MBAM:-

ComboFix 10-11-17.04 - NIGEL 23/11/2010 17:49:39.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2047.1409 [GMT 0:00]
Running from: J:\ComboFix.exe
Command switches used :: C:\Documents and Settings\NIGEL\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\docume~1\NIGEL\LOCALS~1\Temp\nenum13E.sys"
"c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service"
"c:\windows\Zvoxea.exe"
.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5176

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

23/11/2010 18:54:32
mbam-log-2010-11-23 (18-54-32).txt

Scan type: Quick scan
Objects scanned: 188503
Time elapsed: 27 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Whilst running the ComboFix scan, a message came up saying that certain Windows files have been removed by unrecognised versions - did I want to insert the Windows CD so that the original files could be replaced? I wasn't sure what to do about this so I let the scan continue.

Also, ComboFix attempted to reboot the machine but this was not completely successful as the computer 'hung'. I had then to reboot the machine myself so that the screen failed to open with ComboFix. I searched for the log of the scan and I hope that the one I have posted is the correct one!

I look forward to hearing from you.

#22 SweetTech (Retired Staff)

> Whilst running the ComboFix scan, a message came up saying that certain Windows files have been removed by unrecognised versions - did I want to insert the Windows CD so that the original files could be replaced? I wasn't sure what to do about this so I let the scan continue.

Do you remember if this was a window from ComboFix, or from Windows?

Can you re-run the CF fix in Safe Mode?

#23 Beagle Pup (Topic Starter)
Hi SweetTech

I believe this message was from Windows.

Not sure how to boot up in Safe Mode - please let me have some guidance on this.

Cheers

#24 SweetTech (Retired Staff)
Entering Safe Mode

  • Restart your computer.
  • As the computer starts to boot up, tap the F8 key repeatedly.
  • This will bring up a menu.
  • Use the up and down arrow keys to scroll to Safe Mode.
  • Then press the Enter key on your keyboard.
  • Go into your usual account.


#25 Beagle Pup (Topic Starter)
Hi SweetTech

Many thanks for this. I'll try as you suggest


#27 SweetTech (Retired Staff)
ok.

#28 Beagle Pup (Topic Starter)
Hi again SweetTech

Had some difficulty going into Safe Mode. After pressing F8 repeatedly, a window came up asking which boot mode I wanted. I wasn't sure what to do about this and in the end the computer booted up normally. I thought then I'd try the ComboFix scan again with the CFScript inserted, from which you will previously recall I couldn't get a proper log since the ComboFix boot-up hung. This time all went well and I attach the ComboFix log plus a revised MBAM scan. Again, a 'Windows File Protection' window came up inviting me to insert the Windows XP Home Service Pack 2 CD to replace unrecognised versions of Windows files with their original versions so as to maintain system stability. I haven't done this yet and await your comments.

ComboFix 10-11-26.07 - NIGEL 27/11/2010 14:36:10.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2047.1514 [GMT 0:00]
Running from: J:\ComboFix.exe
Command switches used :: c:\documents and settings\NIGEL\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\docume~1\NIGEL\LOCALS~1\Temp\nenum13E.sys"
"c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service"
"c:\windows\Zvoxea.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

-- Previous Run --

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

c:\windows\system32\winlogon.exe . . . is infected!!

--------

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

c:\windows\system32\winlogon.exe . . . is infected!!

.
--------------- FCopy ---------------

c:\windows\$NtUninstallKB938828$\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NENUM13E
-------\Service_nenum13E


((((((((((((((((((((((((( Files Created from 2010-10-27 to 2010-11-27 )))))))))))))))))))))))))))))))
.

2010-11-27 14:25 . 2010-11-27 14:25 -------- d-----w- c:\program files\Common Files\xing shared
2010-11-23 18:05 . 2010-11-23 18:05 -------- d-----w- C:\Kontiki
2010-11-21 17:13 . 2006-02-28 12:00 502272 ----a-w- c:\windows\system32\zz-winlogon.exe.tmp
2010-11-21 17:11 . 2010-11-21 17:11 -------- d-----w- c:\program files\McAfeeMOBK
2010-11-21 17:11 . 2010-04-13 20:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-11-21 17:11 . 2010-11-21 17:11 -------- d-----w- c:\program files\McAfee Online Backup
2010-11-21 17:10 . 2010-10-13 22:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-11-21 17:10 . 2010-10-13 22:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-11-21 17:10 . 2010-10-13 22:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-11-21 17:10 . 2010-10-13 22:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-11-21 17:10 . 2010-10-13 22:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-11-21 17:10 . 2010-10-13 22:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-11-21 17:10 . 2010-10-13 22:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-11-21 17:10 . 2010-10-13 22:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-11-21 17:10 . 2010-11-21 17:10 -------- d-----w- c:\program files\McAfee.com
2010-11-21 16:59 . 2010-10-13 22:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2010-11-01 18:07 . 2010-11-01 18:07 -------- d-----w- C:\_OTL
2010-10-31 11:42 . 2010-10-31 11:42 -------- d-----w- c:\documents and settings\NIGEL\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-27 14:51 . 2006-02-28 12:00 1033216 ----a-w- c:\windows\explorer.exe
2010-11-10 16:39 . 2008-05-28 15:30 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-11-03 21:06 . 2010-10-19 16:16 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-13 22:28 . 2010-10-13 22:28 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-13 22:28 . 2010-10-13 22:28 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

c:\windows\system32\dllcache\winlogon.exe [x]
[-] 86AF7AEBC63FCA574A7631D9D99BABF5 502272 \RP18\A0016833.exe
.
------- Sigcheck -------

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
[-] 2006-02-28 . 57BF20A3977F07049EBBB9FB87D40BA5 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2010-11-27 . 9DDBBD5A8E18A8AEC828C5E2BC506BC3 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2006-02-28 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3B419EE1-1FA8-47B9-9AEC-6B60AC2E3FCA}"= "c:\program files\Torrents-Search-Engine\tbTor1.dll" [2010-02-21 2349080]

[HKEY_CLASSES_ROOT\clsid\{3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-13 20:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-13 20:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-13 20:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-05 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"Google Update"="c:\documents and settings\NIGEL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-11-20 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-01-30 91432]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"HostManager"="c:\program files\Common Files\AOL\1211986260\ee\AOLSoftware.exe" [2006-09-26 50736]
"Profiler"="c:\program files\Saitek\Software\Profiler.exe" [2004-01-28 159744]
"SaiSmart"="c:\program files\Saitek\Software\SaiSmart.exe" [2004-01-28 98304]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-09-19 333120]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-09 17021440]
"4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-03-19 632048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-11-27 274608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2008-5-28 156784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantBurn]
2007-06-04 17:24 599600 ----a-w- c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-10-11 11:06 62760 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2006-08-17 12:45 249856 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2007-08-09 12:17 2503976 ----a-w- c:\program files\CyberLink\Power2Go\Power2GoExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-01-22 13:23 81920 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Common Files\\AOL\\1211986260\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Zattoo\\zattood.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [30/04/2008 15:00 16048]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [21/11/2010 17:10 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [21/11/2010 17:11 54776]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [30/04/2008 15:00 162096]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [21/11/2010 17:11 88176]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [21/11/2010 17:10 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [21/11/2010 17:10 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [21/11/2010 16:59 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [13/04/2010 20:11 229688]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [22/05/2008 13:38 38656]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [21/11/2010 17:10 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [21/11/2010 17:10 88544]
R3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [28/05/2008 15:27 55808]
S2 gupdate1c98c6ec92d4c10;Google Update Service (gupdate1c98c6ec92d4c10);c:\program files\Google\Update\GoogleUpdate.exe [11/02/2009 17:32 133104]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [21/11/2010 17:10 55840]
S3 Just Flight Limited License Service;Just Flight Limited License Service;c:\program files\Common Files\Just Flight Limited Shared\Service\JustFlightLimitedLicSvc.exe [20/06/2009 20:28 69632]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [21/11/2010 17:10 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [21/11/2010 17:10 84264]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-08-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 17:32]

2010-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 17:32]

2010-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2689334666-3409229528-900351719-1005Core.job
- c:\documents and settings\NIGEL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-20 16:48]

2010-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2689334666-3409229528-900351719-1005UA.job
- c:\documents and settings\NIGEL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-20 16:48]

2009-03-21 c:\windows\Tasks\ParetoLogic Update.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2007-09-19 00:55]

2010-11-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2689334666-3409229528-900351719-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

2010-11-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2689334666-3409229528-900351719-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

2010-11-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2689334666-3409229528-900351719-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

2010-11-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2689334666-3409229528-900351719-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

2010-09-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2689334666-3409229528-900351719-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

2010-11-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2689334666-3409229528-900351719-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

2010-11-27 c:\windows\Tasks\User_Feed_Synchronization-{D9B3A1E6-7A73-4E80-8E3F-13AC2AFCDC3B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.bbc.co.uk
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-27 14:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Portrait Displays\DisplayTune\HPW\CNN81202C7]
@DACL=(02 0000)
"Analog Caps"="(prot(monitor)type(LCD)model(W2007)cmds(01 02 03 07 0C 4E F3 E3)vcp(02 04 05 06 08 0B 0C 0E 10 12 14(01 05 08 0B) 16 18 1A 1E 1F 20 30 3E 52 60(01 03) 62 6C 6E 70 8D AC AE B2 B6 C0 C6 C8 C9 CA CC(01 02 03 04 05 06 0A 13) D6(01 04 05) DC(00 02 03 04 05) DF FF)mswhql(1)mccs_ver(2.1)asset_eep(32)mpu_ver(1.02))"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2416)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\Common Files\AOL\ACS\WLHook.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\System32\vssvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\common files\aol\1211986260\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-11-27 15:02:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-27 15:02
ComboFix2.txt 2010-11-20 16:33

Pre-Run: 261,234,499,584 bytes free
Post-Run: 261,261,176,832 bytes free

- - End Of File - - 0E6DB6C6BB58B98C371B7757F7E18797



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5199

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

27/11/2010 15:36:59
mbam-log-2010-11-27 (15-36-59).txt

Scan type: Quick scan
Objects scanned: 189130
Time elapsed: 28 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#29
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
How are things running?

I'd like to have you install Service Pack 3 right now.

Update Windows XP
Service Pack 3 (SP3)
It would be in your best interest to install this service pack. This update includes all previously released updates for your system.
Microsoft advises that SP1 or SP1a needs to be installed before installing this update.
Attention: The SP3 download is very large! Based on your Internet connection... be prepared, it could take hours to download!!
Alternately, you could see if a friend or family member has the SP3 update on CD or order it from MS for a fee ... based on your location.

This will be a 2 step process...
The 1st step in this process is to apply Service Pack 3 (SP3) for Windows XP. This update includes security fixes to protect your computer.
The 2nd step is to apply all the critical updates and patches since SP3 was released.
Note: If at any time during these steps, you experience problems with your computer...:stop: ...Do not continue with the steps and post a description of the problem.
First
  • Obtain Windows XP Service Pack 3 from the Microsoft Download Center
  • Click the Download ...button. Choose "Save" at the prompt...and save the file to your desktop.
  • Double click the "WindowsXP-KB936929-SP3-x86-ENU.exe" file on your desktop to install the update.
    When the installation has completed successfully...
  • ! IMPORTANT ! reboot your computer (normally) before proceeding to the next step.
Second
  • Now...Go to: Windows Update and install the Critical Updates.
  • Press the "Express"...button to have all "critical" updates shown.
  • Make sure all critical updates and patches are checked for download and installation.
  • Press the Install Updates ... button to begin downloading and installing the updates
    After successfully installing the critical updates and patches...
  • ! IMPORTANT ! reboot your computer normally (again) before proceeding.


NEXT:



OTL Custom Scan

  • Download OTL and save it to your desktop.
  • Double click on the Posted Image icon to run it.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Under the Extra Registry section, check Use SafeList
  • Download the following file scan.txt to your Desktop. Click here to download it. You may need to right click on it and select "Save"
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click Ok to load a custom scan from a file or Cancel to cancel"
  • Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic


#30
Beagle Pup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hi SweetTech

Everything seems to be working fine now! No Google redirections and McAfee seems to be updating OK. Site Advisor now works whereas it failed to previously. Google Chrome is also running fine!

Many thanks for your advice on updating to Service Pack 3. I am somewhat reluctant to do this since I tried to update previously and I couldn't get Microsoft Flight Sim 2004 or X to run. Since I tend to use this computer primarily for these sims, I am wondering whether the same thing will happen if I install this service pack.

If I don't update to Service Pack 3, is there any further action I need to take to ensure that the computer is as safe as it can be?