
Spyware, Internet Explorer Hijacked and can't access internet - he


  • This topic is locked

#16
azarl

azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts

Thanks Azarl. I'm at work but I'll do this as soon as I get home around 5:30pm (Central time). I have a new update - my son just called and said 3 porn sites popped up and now have shortcuts on the desktop. He's pretty freaked out so I didn't ask him any information about it. I hope this deletes it! =(


Not yet, we've a way to go

Have a wonderful day! Bet you have tons of SNOW!

Lonette


Enough :)
  • 0


#17
Lonette

Lonette

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
I'm sorry- I have a question before I run this.... should I always disable my Antivirus Programs before I run anything? Sorry, I'm so dumb when it comes to computers. I have McAfee.
  • 0

#18
Lonette

Lonette

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
Hmm, I followed your instructions but log.txt did not open. log - Notepad opened with the following in it. :)

userprofile
1 file(s) copied.
  • 0

#19
azarl

azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts

I'm sorry- I have a question before I run this.... should I always disable my Antivirus Programs before I run anything? Sorry, I'm so dumb when it comes to computers. I have McAfee.


Not needed for this one

Is there a file called log.txt on your desktop?
  • 0

#20
Lonette

Lonette

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
Good morning.

No, sorry, there was only log - Notepad. I did it twice and both times only log - Notepad came up.

Lonette
  • 0

#21
azarl

azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts
Step 1

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\IdeChnDr.sys |  C:\WINDOWS\system32\drivers\IdeChnDr.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Step 2

Please run ComboFix again
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#22
Lonette

Lonette

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
Got it! Again, I am currently at work, but I'll do this as soon as I get home this evening.

Thanks for being so patient with me. :(

Have a wonderful day!

Lonette
  • 0

#23
azarl

azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts
Thank you :)
  • 0

#24
Lonette

Lonette

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
Azarl,
I just read the instructions again and see where the instructions say

"Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools".

Last night I noticed that the McAfee icon was missing from my bottom tool bar and when I tried to double click on the one on my desktop it wouldn't open. When I right click on it - I get nothing. So, I don't know if it's still running or not. The only way I know to disable it was to right click. Will this cause any issues with the combofix run?
  • 0

#25
Lonette

Lonette

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
Hello. Below is The Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "H8SRTd.sys" found!
ImagePath: \systemroot\system32\drivers\H8SRTkldtsrhtqk.sys
Start Type: 1 (System)

Rootkit scan completed.

File move operation "C:\IdeChnDr.sys|C:\WINDOWS\system32\drivers\IdeChnDr.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
  • 0


#26
Lonette

Lonette

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
Below is the ComboFix log. Thank you.

ComboFix 10-01-04.01 - Lonette 01/05/2010 19:02:08.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1592 [GMT -6:00]
Running from: c:\documents and settings\Lonette\Desktop\keh4cpwr.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\s3efad32.exe
c:\windows\system32\0019.DLL
c:\windows\system32\drivers\H8SRTkldtsrhtqk.sys
c:\windows\system32\H8SRThtqglhnsed.dll
c:\windows\system32\H8SRTjlwgunxmak.dll
c:\windows\system32\H8SRTomwuaxairt.log
c:\windows\system32\H8SRTononclgjny.dat
c:\windows\system32\H8SRTyexmkigytg.dll
c:\windows\system32\srcr.dat
c:\windows\system32\WORK.DAT

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
.

2010-01-04 00:04 . 2010-01-06 00:33 880 ----a-w- c:\windows\system32\krl32mainweq.dll
2010-01-03 17:53 . 2010-01-03 17:59 -------- d-----w- C:\keh4cpwr
2010-01-02 16:15 . 2008-11-06 08:03 -------- d-----w- C:\SDFix
2010-01-02 02:00 . 2010-01-02 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-01-02 02:00 . 2010-01-02 15:46 -------- d-----w- c:\program files\McAfee Security Scan
2010-01-01 20:59 . 2010-01-01 20:59 -------- d-----w- c:\documents and settings\Lonette\Local Settings\Application Data\Mozilla
2009-12-31 00:28 . 2009-12-31 00:28 -------- d-----w- c:\program files\ERUNT
2009-12-29 21:05 . 2009-12-29 21:05 -------- d-----w- C:\spoolerlogs
2009-12-29 04:53 . 2009-12-29 04:53 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2009-12-27 22:53 . 2009-12-27 22:53 -------- d-----w- c:\documents and settings\Lonette\Application Data\Malwarebytes
2009-12-27 22:52 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-27 22:52 . 2009-12-27 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-27 22:52 . 2009-12-27 22:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-27 22:52 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-27 22:29 . 2009-12-27 22:29 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\BVRP Software
2009-12-16 17:53 . 2009-12-16 17:53 -------- d-----w- c:\program files\ATT-PRT22-WISE
2009-12-16 17:53 . 2009-12-16 17:53 -------- d-----w- c:\program files\ATT
2009-12-13 00:01 . 2009-12-13 00:01 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 20:46 . 2005-09-24 21:07 -------- d-----w- c:\program files\World of Warcraft
2009-12-16 18:05 . 2005-09-13 22:47 -------- d-----w- c:\program files\Common Files\Motive
2009-12-16 17:55 . 2005-09-13 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-12-13 02:20 . 2009-02-24 00:12 -------- d-----w- c:\program files\SiteAdvisor
2009-11-04 22:54 . 2009-02-24 00:08 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-11-04 22:54 . 2009-02-24 00:08 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-11-04 22:54 . 2009-02-24 00:08 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-04 22:54 . 2009-01-09 18:03 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-11-03 15:51 . 2010-01-02 16:43 421888 ----a-w- c:\documents and settings\Lonette\Application Data\Mozilla\Firefox\Profiles\8xik54wy.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2009-10-29 07:46 . 2004-08-10 17:51 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-10 17:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 17:51 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-10 17:51 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-10 17:51 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 17:51 79872 ----a-w- c:\windows\system32\raschap.dll
2006-05-15 12:13 . 2006-05-15 12:13 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-02 22:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
2002-09-11 02:26 368706 ----a-w- c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
2004-11-10 19:36 290816 ----a-w- c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 06:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-06-21 22:44 126976 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-06-21 22:48 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 15:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2009-10-29 12:54 1218008 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-03-18 23:50 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2004-10-25 17:18 1111552 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-10-26 00:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-06-25 17:17 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-15 00:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 21:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-14 05:08 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-03-18 23:50 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"5502:TCP"= 5502:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"4550:TCP"= 4550:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3832:TCP"= 3832:TCP:Services

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/23/2009 6:11 PM 93320]
.
Contents of the 'Scheduled Tasks' folder

2009-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 23:13]

2008-07-26 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-24 18:22]

2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-24 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
uSearchAssistant = 687474703a2f2f7777772e476f6f676c652e636f6d2f
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Lonette\Application Data\Mozilla\Firefox\Profiles\8xik54wy.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\Lonette\Application Data\Mozilla\Firefox\Profiles\8xik54wy.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-ttool - c:\windows\s3efad32.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 19:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89437400]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74c6852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x890d6220
PacketIndicateHandler -> NDIS.sys @ 0xf743fa21
SendHandler -> NDIS.sys @ 0xf741d87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1080)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-01-05 19:42:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-06 01:42
ComboFix2.txt 2010-01-03 18:51

Pre-Run: 25,235,693,568 bytes free
Post-Run: 25,245,396,992 bytes free

- - End Of File - - 628D5CBF25625ED987ECCE70AC29D3C9
  • 0
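The two logs above (The Avenger log in post #25 and the ComboFix log in post #26) carry the signals a malware-removal helper reads by eye: a hidden driver whose service name does not match the file it loads, Security Center values set to 1 so Windows stops warning about the antivirus, a long list of globally opened TCP ports labelled only "Services", and browser search settings stored as hex. The Python script below is an added editor's example, not code from the thread, The Avenger or ComboFix; it parses constructed sample lines in the shape of those two logs and pulls each of those findings out. The sample inputs, regular expressions and function names are all assumptions of this example.

```python
"""Triage helper for the two log formats quoted in this thread. Added example:
not code from the thread, The Avenger or ComboFix; inputs are constructed."""
import re

# Constructed sample in the shape of The Avenger's rootkit-scan section.
AVENGER_LOG = r"""
Rootkit scan active.
Hidden driver "H8SRTd.sys" found!
ImagePath: \systemroot\system32\drivers\H8SRTkldtsrhtqk.sys
Start Type: 1 (System)
Rootkit scan completed.
"""

# Constructed sample in the shape of ComboFix's "Reg Loading Points" and
# "Supplementary Scan" sections.
COMBOFIX_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7238:TCP"= 7238:TCP:Services

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
"""

HIDDEN_DRIVER_RE = re.compile(r'^Hidden driver "([^"]+)" found!')
IMAGE_PATH_RE = re.compile(r"^ImagePath:\s*(\S+)")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
HEX_VALUE_RE = re.compile(r"^(.+?)\s*=\s*([0-9A-Fa-f]{8,})$")


def hidden_drivers(text):
    """Pair each 'Hidden driver' line with the ImagePath line that follows it:
    a service name that differs from the file it loads is the mismatch flagged."""
    found, pending = [], None
    for line in text.splitlines():
        m = HIDDEN_DRIVER_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = IMAGE_PATH_RE.match(line)
        if m and pending is not None:
            found.append({"service": pending, "image_path": m.group(1)})
            pending = None
    return found


def security_center_overrides(text):
    """(section, name, value) for non-zero *Override / DisableMonitoring values
    under a Security Center key; set, they silence XP's AV/firewall warnings."""
    hits, section = [], None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = DWORD_RE.match(line)
        if not m or not section or "security center" not in section.lower():
            continue
        name, value = m.group(1), int(m.group(2), 16)
        if value and (name.endswith("Override") or name == "DisableMonitoring"):
            hits.append((section, name, value))
    return hits


def open_ports(text):
    """(port, protocol, label) for every GloballyOpenPorts entry."""
    return [(int(m.group(1)), m.group(2), m.group(3).strip())
            for m in map(PORT_RE.match, text.splitlines()) if m]


def ports_to_review(text):
    """Open ports labelled only with the generic 'Services', not a named program."""
    return [port for port, _proto, label in open_ports(text) if label == "Services"]


def decoded_hex_values(text):
    """Decode the hex-encoded browser settings that ComboFix prints verbatim."""
    decoded = {}
    for line in text.splitlines():
        m = HEX_VALUE_RE.match(line)
        if m and len(m.group(2)) % 2 == 0:
            decoded[m.group(1)] = bytes.fromhex(m.group(2)).decode("ascii", "replace")
    return decoded


if __name__ == "__main__":
    print("hidden drivers:", hidden_drivers(AVENGER_LOG))
    print("security center overrides:", security_center_overrides(COMBOFIX_LOG))
    print("ports to review:", ports_to_review(COMBOFIX_LOG))
    print("decoded values:", decoded_hex_values(COMBOFIX_LOG))
```

Run with python and it prints one line per finding. The hex decode shows that uDefault_Search_URL is simply http://www.Google.com/, so that entry is benign; the AntiVirusOverride and DisableMonitoring values, by contrast, mean the XP Security Center would raise no warning while the antivirus was not reporting, and the high-numbered ports labelled only "Services" are the ones worth matching against programs the owner actually installed.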

#27
Lonette

Lonette

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
I hope I didn't mess up. The McAfee icon reappeared on my tool bar. I was able to disable and run combofix.

ComboFix 10-01-04.01 - Lonette 01/05/2010 20:16:29.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1587 [GMT -6:00]
Running from: c:\documents and settings\Lonette\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
.

2010-01-04 00:04 . 2010-01-06 00:33 880 ----a-w- c:\windows\system32\krl32mainweq.dll
2010-01-03 17:53 . 2010-01-03 17:59 -------- d-----w- C:\keh4cpwr
2010-01-02 16:15 . 2008-11-06 08:03 -------- d-----w- C:\SDFix
2010-01-02 02:00 . 2010-01-02 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-01-02 02:00 . 2010-01-02 15:46 -------- d-----w- c:\program files\McAfee Security Scan
2010-01-01 20:59 . 2010-01-01 20:59 -------- d-----w- c:\documents and settings\Lonette\Local Settings\Application Data\Mozilla
2009-12-31 00:28 . 2009-12-31 00:28 -------- d-----w- c:\program files\ERUNT
2009-12-29 21:05 . 2009-12-29 21:05 -------- d-----w- C:\spoolerlogs
2009-12-29 04:53 . 2009-12-29 04:53 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2009-12-27 22:53 . 2009-12-27 22:53 -------- d-----w- c:\documents and settings\Lonette\Application Data\Malwarebytes
2009-12-27 22:52 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-27 22:52 . 2009-12-27 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-27 22:52 . 2009-12-27 22:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-27 22:52 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-27 22:29 . 2009-12-27 22:29 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\BVRP Software
2009-12-16 17:53 . 2009-12-16 17:53 -------- d-----w- c:\program files\ATT-PRT22-WISE
2009-12-16 17:53 . 2009-12-16 17:53 -------- d-----w- c:\program files\ATT
2009-12-13 00:01 . 2009-12-13 00:01 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 20:46 . 2005-09-24 21:07 -------- d-----w- c:\program files\World of Warcraft
2009-12-16 18:05 . 2005-09-13 22:47 -------- d-----w- c:\program files\Common Files\Motive
2009-12-16 17:55 . 2005-09-13 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-12-13 02:20 . 2009-02-24 00:12 -------- d-----w- c:\program files\SiteAdvisor
2009-12-11 01:54 . 2009-12-12 23:53 153860 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2009-11-04 22:54 . 2009-02-24 00:08 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-11-04 22:54 . 2009-02-24 00:08 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-11-04 22:54 . 2009-02-24 00:08 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-04 22:54 . 2009-01-09 18:03 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-11-03 15:51 . 2010-01-02 16:43 421888 ----a-w- c:\documents and settings\Lonette\Application Data\Mozilla\Firefox\Profiles\8xik54wy.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2009-10-29 07:46 . 2004-08-10 17:51 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-10 17:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 17:51 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-10 17:51 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-10 17:51 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 17:51 79872 ----a-w- c:\windows\system32\raschap.dll
2006-05-15 12:13 . 2006-05-15 12:13 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-02 22:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
2002-09-11 02:26 368706 ----a-w- c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
2004-11-10 19:36 290816 ----a-w- c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 06:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-06-21 22:44 126976 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-06-21 22:48 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 15:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2009-10-29 12:54 1218008 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-03-18 23:50 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2004-10-25 17:18 1111552 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-10-26 00:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-06-25 17:17 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-15 00:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 21:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-14 05:08 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-03-18 23:50 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"5502:TCP"= 5502:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"4550:TCP"= 4550:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3832:TCP"= 3832:TCP:Services
"7238:TCP"= 7238:TCP:Services

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/23/2009 6:11 PM 93320]
.
Contents of the 'Scheduled Tasks' folder

2009-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 23:13]

2008-07-26 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-24 18:22]

2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-24 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
uSearchAssistant = 687474703a2f2f7777772e476f6f676c652e636f6d2f
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Lonette\Application Data\Mozilla\Firefox\Profiles\8xik54wy.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\Lonette\Application Data\Mozilla\Firefox\Profiles\8xik54wy.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 20:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x892F4058]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74c6852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x89085220
PacketIndicateHandler -> NDIS.sys @ 0xf743fa21
SendHandler -> NDIS.sys @ 0xf741d87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3532)
c:\windows\system32\WININET.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2010-01-05 20:41:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-06 02:41
ComboFix2.txt 2010-01-06 01:42
ComboFix3.txt 2010-01-03 18:51

Pre-Run: 25,314,791,424 bytes free
Post-Run: 25,258,573,824 bytes free

- - End Of File - - 971B9782E254B55A62755AA9B5768A4D
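Two parts of the log above deserve a second look from a defender's side: the Security Center keys with AntiVirusOverride and DisableMonitoring set to 1 (the status alerts for McAfee have been silenced), and the firewall's GloballyOpenPorts list, where a string of high TCP ports is open under the generic label "Services" rather than a named Windows exception such as "Remote Desktop". The script below is an added triage example, not part of the thread or of ComboFix; it parses a constructed excerpt in the same dump format and flags exactly those two patterns.

```python
import re

# Constructed excerpt in ComboFix's registry-dump format, modelled on the
# thread's log (not the full log).
SAMPLE = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"2479:TCP"= 2479:TCP:Services
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
# Security Center values seen in the log that, when non-zero, suppress AV/firewall status alerts.
OVERRIDE_NAMES = {"AntiVirusOverride", "DisableMonitoring"}

def parse_sections(text):
    # Split a ComboFix-style dump into {section_name: [non-empty lines]}.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def triage(text):
    # Return human-readable findings for the two log areas worth questioning.
    findings = []
    for name, lines in parse_sections(text).items():
        lname = name.lower()
        if lname.endswith("globallyopenports\\list"):
            for ln in lines:
                m = PORT_RE.match(ln)
                # Windows names its own exceptions; a bare "Services" label on a high port is odd.
                if m and m.group(3).strip() == "Services":
                    findings.append(f"open port {m.group(1)}/{m.group(2)} labelled only 'Services'")
        elif "security center" in lname:
            for ln in lines:
                m = DWORD_RE.match(ln)
                if m and m.group(1) in OVERRIDE_NAMES and int(m.group(2), 16) != 0:
                    findings.append(f"{m.group(1)} set under [{name}]")
    return findings
```

Running `triage(SAMPLE)` lists the two overrides and the two "Services" ports while leaving the named Remote Desktop exception alone; the same function can be pointed at a full ComboFix.txt.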

#28
azarl

azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts
Hi Lonette

You did just fine

  • Please download MBR.exe and save it to your root folder (usually C:\).
  • Click on your Start button, then click Run


  • Type 'cmd', hit Enter and a black window will open.
  • Click in the window and type the following (after each line, hit "Enter"):
  • cd C:\
  • mbr -t > %userprofile%\Desktop\mbr_report.txt
This will produce a file "mbr_report.txt" on your desktop. Please post the contents of this here.

#29
Lonette

Lonette

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
Got it. Thank you Azarl.

BTW, it's getting down to 8 degrees here tonight.

#30
azarl

azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts
Fahrenheit or Centigrade?