GeekPolice
Would you like to react to this message? Create an account in a few clicks or log in to continue.

GeekPoliceLog in

 


Malware/Spyware problem

2 posters

descriptionMalware/Spyware problem EmptyMalware/Spyware problem5th June 2010, 10:16 pm

more_horiz
This is my first time here, and I am not very computer literate. My computer is being attacked by something which appears to be called Win32/Nuqel.E and BankerFoxA. I read your info on updating and downloading Java and various other things. However, I'm unable to download anything due to the attack. I can't run anything! I just get the notice that whatever I try to install or run is infected. The only thing I'm capable of doing is getting online, but even that is intermittent. My computer keeps popping up balloons on false anti virus programs and randomly opening up browsers with porno sites. I am running on Windows xp. Please advise...I'm at wits end!

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem6th June 2010, 1:11 am

more_horiz
Hi endlessands,

Welcome to GeekPolice.net.

My name is Crush but, you can call me Chris too , and I will do my best to help get your problem resolved today.

I am currently a student in GeekPolice Academy, and will be a little delayed on each reply, as my instructors must review and approve each reply.

http://www.GeekPolice.net/virus-spyware-malware-removal-f11/do-you-want-to-learn-how-to-fight-malware-join-GeekPolice-academy-t17111.htm

If you have any questions, please ask, and I will do my best to get to the question promptly.

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem6th June 2010, 1:18 am

more_horiz
Thanks! I 'll wait to hear from you. ~Erica

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem6th June 2010, 1:21 am

more_horiz
What Operating System are you using endlessands? XP, Vista or Windows 7?

EDIT: Nevermind. I should learn to read Goofy

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem6th June 2010, 1:33 am

more_horiz
Hi endlessands,

Please download and run the following tools:

RKill by Grinler
Version 1
Version 2

  • Download Version 1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Version 2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
This only kills the active infection, the actual infection will not be gone.
======

Once that is done, please immediately do the following

Please download ComboFix Malware/Spyware problem Combofix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Malware/Spyware problem Query_RC
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Malware/Spyware problem RC_successful

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem6th June 2010, 2:14 am

more_horiz
Ok, so every time I double click on the rkill (version 2) , a black screen pops up, but so does a separate window that asks me to choose a program to open the file with...not sure what I'm supposed to do

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem6th June 2010, 2:21 am

more_horiz
Did you try Version 1? Same result?

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem6th June 2010, 2:24 am

more_horiz
same result with version 1

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem6th June 2010, 4:06 am

more_horiz
Hi again,

We need to repair your file associations so, programs know what to use to open

Please download SREng

  • Extract it to Desktop and double click SREngLdr.EXE to run it
  • Select System Repair from the left pane.
  • Click on File Association
  • Select all entries that has an Error status click [Repair]
  • Refer to this image for an example:
    Malware/Spyware problem SystemRepair_FileAssocs
  • In your case, it would be .EXE
  • Close SREng now.

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem6th June 2010, 6:10 am

more_horiz
Ok, followed the directions and the system repair window showed that everything is "normal." There were no errors.

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem6th June 2010, 6:19 pm

more_horiz
Hi Erica,

Do you by chance have access to another PC and a USB drive or CD's? Just something to put files on so we can run them on the infected computer?

Before going that route please try this first:

Please download ComboFix Malware/Spyware problem Combofix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Malware/Spyware problem Query_RC
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Malware/Spyware problem RC_successful

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem6th June 2010, 8:21 pm

more_horiz
ComboFix 10-06-06.01 - Erica 06/06/2010 12:29:39.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.255 [GMT -7:00]
Running from: c:\commy.exe\ComboFix.exe
Command switches used :: ComboFix
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\documents and settings\Erica\Application Data\Dealio
c:\documents and settings\Erica\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Erica\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\documents and settings\Erica\g2mdlhlpx.exe
c:\documents and settings\Tim\Application Data\Dealio
c:\documents and settings\Tim\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Tim\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\FF\chrome.manifest
c:\program files\Dealio Toolbar\FF\chrome\content\chevron.js
c:\program files\Dealio Toolbar\FF\chrome\content\chevron.xul
c:\program files\Dealio Toolbar\FF\chrome\content\login.js
c:\program files\Dealio Toolbar\FF\chrome\content\login.xul
c:\program files\Dealio Toolbar\FF\chrome\content\parser.js
c:\program files\Dealio Toolbar\FF\chrome\content\RssTickerWidget.js
c:\program files\Dealio Toolbar\FF\chrome\content\searchbox.js
c:\program files\Dealio Toolbar\FF\chrome\content\searchbox.xul
c:\program files\Dealio Toolbar\FF\chrome\content\widgichevron.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgicomm.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgihandling.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgilisteners.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgitoolbarplugin.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgitoolbarplugin.xul
c:\program files\Dealio Toolbar\FF\chrome\content\widgiui.js
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\searchbox.dtd
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\widgitoolbarplugin.dtd
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\widgitoolbarplugin.properties
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\yahoo-search.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\amazon.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\apple.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\barnes.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\bestbuy.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\chevron.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\dealio_logo.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\ebay.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\icon_settings.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\macys.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\newegg.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\overstock.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-button-hover.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-button.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-chevron-hover.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-chevron.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_amazon.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_dealio.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_ebay.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_yahoo.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\searchbox.css
c:\program files\Dealio Toolbar\FF\chrome\skin\separator.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\target.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\walmart.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\widgitoolbarplugin.css
c:\program files\Dealio Toolbar\FF\components\config.ini
c:\program files\Dealio Toolbar\FF\components\dealioToolbarFF.dll
c:\program files\Dealio Toolbar\FF\components\IFBHOHelperWidgiToolbar.xpt
c:\program files\Dealio Toolbar\FF\components\IFBHOWidgiToolbar.xpt
c:\program files\Dealio Toolbar\FF\install.rdf
c:\program files\Dealio Toolbar\IE\4.0.2\config.ini
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\Dealio Toolbar\SearchSettingsRes409.dll
c:\program files\Dealio Toolbar\sscfg.ini
c:\program files\Dealio Toolbar\SSFF\chrome.manifest
c:\program files\Dealio Toolbar\SSFF\chrome\content\plugin.js
c:\program files\Dealio Toolbar\SSFF\chrome\content\plugin.xul
c:\program files\Dealio Toolbar\SSFF\chrome\content\protection.js
c:\program files\Dealio Toolbar\SSFF\chrome\content\utils.js
c:\program files\Dealio Toolbar\SSFF\chrome\locale\en-US\searchsettingsplugin.dtd
c:\program files\Dealio Toolbar\SSFF\chrome\locale\en-US\searchsettingsplugin.properties
c:\program files\Dealio Toolbar\SSFF\chrome\skin\yahoo.xml
c:\program files\Dealio Toolbar\SSFF\components\IFBHOSearch.xpt
c:\program files\Dealio Toolbar\SSFF\components\IFBHOSearchHelperEngine.xpt
c:\program files\Dealio Toolbar\SSFF\components\IFHelperPreferences.xpt
c:\program files\Dealio Toolbar\SSFF\components\SearchSettingsFF.dll
c:\program files\Dealio Toolbar\SSFF\components\sscfg.ini
c:\program files\Dealio Toolbar\SSFF\install.rdf
c:\program files\Dealio Toolbar\WidgiHelper.exe
c:\windows\Cursors\tenofni.bak1
c:\windows\Cursors\tenofni.bak2
c:\windows\Cursors\tenofni.ini
c:\windows\PRAGMAcviqnrdmsh
c:\windows\PRAGMAcviqnrdmsh\pragmabbr.dll
c:\windows\PRAGMAcviqnrdmsh\PRAGMAc.dll
c:\windows\PRAGMAcviqnrdmsh\PRAGMAcfg.ini
c:\windows\PRAGMAcviqnrdmsh\PRAGMAd.sys
c:\windows\PRAGMAcviqnrdmsh\pragmaserf.dll
c:\windows\PRAGMAcviqnrdmsh\PRAGMAsrcr.dat
c:\windows\PRAGMAiymxvsluti
c:\windows\PRAGMAiymxvsluti\pragmabbr.dll
c:\windows\PRAGMAiymxvsluti\PRAGMAc.dll
c:\windows\PRAGMAiymxvsluti\PRAGMAcfg.ini
c:\windows\PRAGMAiymxvsluti\PRAGMAd.sys
c:\windows\PRAGMAiymxvsluti\pragmaserf.dll
c:\windows\PRAGMAiymxvsluti\PRAGMAsrcr.dat
c:\windows\system32\comrepl.exe
c:\windows\system32\drivers\bowyxgk.sys
c:\windows\system32\drivers\iokm.sys
c:\windows\system32\drivers\mnein.sys
c:\windows\system32\drivers\veknjkk.sys
c:\windows\SYSTEM32\rqtss.bak1
c:\windows\SYSTEM32\rqtss.bak2

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PRAGMAcviqnrdmsh
-------\Legacy_PRAGMAcviqnrdmsh
-------\Service_PRAGMAiymxvsluti
-------\Legacy_PRAGMAiymxvsluti
-------\Legacy_kowk
-------\Legacy_kucsp
-------\Legacy_upwq
-------\Legacy_ydsbnmqs
-------\Service_kowk
-------\Service_kucsp
-------\Service_upwq
-------\Service_ydsbnmqs


((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))
.

2010-06-06 18:53 . 2010-06-06 18:54 -------- d-----w- C:\commy.exe
2010-06-06 03:34 . 2010-06-06 03:34 -------- d-----w- c:\documents and settings\Erica\Application Data\Malwarebytes
2010-06-06 03:34 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-06 03:34 . 2010-06-06 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-06 03:34 . 2010-06-06 03:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-06 03:34 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-05 20:38 . 2010-06-06 01:51 -------- d-----w- c:\documents and settings\Erica\Local Settings\Application Data\wqokhwwmk
2010-06-04 02:32 . 2010-06-04 02:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-03 03:41 . 2010-06-03 03:49 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-06-03 03:41 . 2010-06-03 03:49 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-06-03 03:41 . 2010-06-03 03:41 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-06-03 03:41 . 2010-06-03 03:41 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-06-03 03:04 . 2010-06-03 03:04 -------- d-----w- c:\program files\iLike
2010-06-02 15:36 . 2010-06-02 15:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-10 17:21 . 2010-05-10 17:21 -------- d-----w- c:\windows\system32\BWKDLogs
2010-05-10 17:15 . 2010-05-10 17:15 -------- d-----w- c:\documents and settings\Erica\Local Settings\Application Data\KodakGallery
2010-05-10 17:05 . 2010-05-10 17:05 -------- d-----w- c:\program files\Common Files\Kodak
2010-05-10 16:58 . 2010-05-15 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-05-10 16:06 . 2010-05-10 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\FileCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 19:13 . 2007-03-05 01:07 -------- d-----w- c:\documents and settings\Erica\Application Data\SiteAdvisor
2010-06-06 05:20 . 2007-06-14 18:31 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2010-06-06 05:20 . 2007-06-14 18:36 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2010-06-06 01:44 . 2007-03-08 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-05 20:52 . 2007-03-08 20:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-05 04:48 . 2007-12-29 18:45 -------- d-----w- c:\documents and settings\Erica\Application Data\Apple Computer
2010-06-03 03:04 . 2009-12-24 16:43 -------- d-----w- c:\program files\iTunes
2010-05-01 04:59 . 2009-05-04 16:33 -------- d-----w- c:\program files\Citrix
2010-04-28 00:16 . 2010-03-15 23:36 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-28 00:16 . 2010-03-15 23:36 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-28 00:16 . 2010-03-15 23:36 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-28 00:16 . 2010-03-15 23:36 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-28 00:16 . 2010-03-15 23:36 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-28 00:16 . 2010-03-15 23:36 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-28 00:16 . 2010-03-15 23:36 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-28 00:16 . 2010-03-15 23:36 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-28 00:16 . 2007-03-05 01:05 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-28 00:16 . 2007-03-05 01:05 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-19 13:11 . 2010-04-19 13:11 -------- d-----w- c:\documents and settings\Tim\Application Data\Apple Computer
2010-04-18 13:50 . 2007-06-02 23:15 -------- d-----w- c:\documents and settings\Erica\Application Data\Yahoo!
2010-04-18 13:50 . 2007-05-04 06:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-04-14 22:59 . 2010-04-14 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-14 22:55 . 2010-04-14 22:55 -------- d-----w- c:\program files\iPod
2010-04-14 22:55 . 2010-02-05 04:59 -------- d-----w- c:\program files\Common Files\Apple
2010-04-14 22:43 . 2004-04-17 18:43 -------- d-----w- c:\program files\QuickTime
2010-04-14 22:32 . 2010-04-14 22:32 -------- d-----w- c:\program files\Bonjour
2010-04-14 22:28 . 2010-04-14 22:28 -------- d-----w- c:\program files\Safari
2010-03-10 06:15 . 2002-08-29 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2006-07-21 12:31 . 2006-07-21 12:31 141728 ----a-w- c:\program files\MC
2010-04-28 00:16 . 2010-03-15 23:36 24376 ----a-w- c:\program files\mozilla firefox\components\scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ShutterflyStudio"="c:\program files\Shutterfly\Studio\BIN\SFlyStudio.exe" [2008-05-07 2500096]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Dell AIO Printer A960"="c:\program files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-09-21 270336]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-07-14 53248]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-07-16 290816]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-18 185896]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-02-18 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\Tim\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-12-30 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
NkbMonitor.exe.lnk - c:\documents and settings\Erica\My Documents\NkbMonitor.exe [2007-6-16 118784]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [3/15/2010 4:36 PM 82952]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 1:51 AM 380928]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/15/2010 4:35 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [3/15/2010 4:35 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [3/15/2010 4:36 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [3/15/2010 4:36 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [3/15/2010 4:36 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [3/15/2010 4:36 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/15/2010 4:36 PM 88480]
S0 ewkdfyk;ewkdfyk;c:\windows\system32\drivers\ngfmkbx.sys --> c:\windows\system32\drivers\ngfmkbx.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/15/2010 4:36 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [3/15/2010 4:36 PM 83496]
S3 NUVision;NUVision II Video Service;c:\windows\SYSTEM32\DRIVERS\nuvvid2.sys [10/10/2004 1:01 PM 153760]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - ProfilePath - c:\documents and settings\Erica\Application Data\Mozilla\Firefox\Profiles\jv7t3avb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?.home=ytff
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=135963&p=
FF - plugin: c:\documents and settings\Erica\Application Data\Facebook\npfbplugin_1_0_0.dll
FF - plugin: c:\documents and settings\Erica\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Erica\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - (no file)
HKCU-Run-Sonic RecordNow! - (no file)
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-Protection Center - c:\program files\Protection Center\cntprot.exe
HKCU-Run-rrsjeixo - c:\documents and settings\Erica\Local Settings\Application Data\wqokhwwmk\dcbechitssd.exe
HKLM-Run-rrsjeixo - c:\documents and settings\Erica\Local Settings\Application Data\wqokhwwmk\dcbechitssd.exe
Notify-infonet - c:\windows\Cursors\infonet.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-06 12:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ShutterflyStudio = c:\program files\Shutterfly\Studio\BIN\SFlyStudio.exe /trayonly?: /RegServer????????????/keyword????????????MMURIConstraint?!????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????!??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3404)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\program files\Dell AIO Printer A960\dlbfbmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-06-06 13:15:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-06 20:15

Pre-Run: 3,285,716,992 bytes free
Post-Run: 3,746,414,592 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 647910F6E9D3ACA54AD48A67FC4641CB

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem6th June 2010, 9:36 pm

more_horiz
Hi Erica,

First, please copy (ctrl+c) and paste (ctrl+v) combofix.exe from c:\commy.exe\ to the Desktop
========

Next we need to re-run ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Folder::
    c:\documents and settings\Erica\Local Settings\Application Data\wqokhwwmk

    Driver::
    ewkdfyk

    File::
    c:\windows\system32\drivers\ngfmkbx.sys
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    Malware/Spyware problem Cfscriptb4

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem6th June 2010, 11:23 pm

more_horiz
Sorry, but I don't understand this 1st instruction:

(First, please copy (ctrl+c) and paste (ctrl+v) combofix.exe from c:\commy.exe\ to the Desktop)

I know how to copy and paste, just a little unclear on exactly what I'm copying and pasting to what.
I went to the c drive from my computer, and located a file by the name of commy.exe when I double click on it, there is another file by the name of iexplore... There is also a ComboFix icon on my desktop which I put there previously to do the last scan.
I already disabled my McAfee ant virus program (and firewall).

I apologize for my lack of computer knowledge...bear with me please! Thanks

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem6th June 2010, 11:32 pm

more_horiz
Hi,

EDIT: Combofix.exe currently resides on your desktop? then, disregard the below and move on to the next step. I was going off of the information in the log provided that said ComboFix was running from within a folder.
====

Not a problem at all Smile.... The issue is: Combofix is currently running from within a folder.

When you browse to c:\commy.exe\ the folder, you should see ComboFix.exe within that folder.

It will look like this: Malware/Spyware problem Combofix

You need to copy and paste that from within the folder it is currently and put it on your Desktop (where all your icons and start menu is)

This is purely for ease of use as the instructions I gave you call for creating a text file and dragging it into combofix's icon. This is much easier when on the desktop.

As always, if you have any questions or issues feel free to ask Smile...

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem7th June 2010, 12:15 am

more_horiz
There is an icon on my desktop with the name of commy.exe. If I double click on it, A window prompts me to run software with an unknown publisher named commy.exe.exe

Within my c drive, there is a folder by the name of commy.exe the only contents within it is something called iexplore. Also within the c drive there is something called Combofix text document (24 KB). But when I click on it, my computer wants to know what program to open it with.

I already followed the instructions yesterday to download the SREng. It showed that everything was "normal" and there were no errors.

At this point, I have no idea how to find notepad to copy/paste the text you gave me in the above instructions.

I have no idea what i'm doing here! I get an EPIC FAIL!

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem7th June 2010, 12:23 am

more_horiz
Hi again Erica Smile...

Thanks. That puts things in perspective perfectly. I'm sorry for causing you to go crazy. What you need to do is fairly simple.

If you look at post #13, it outlines what to do with the text I gave you in that post.

Just open Notepad by going Start>Run then type Notepad and copy and paste this:

Folder::
c:\documents and settings\Erica\Local Settings\Application Data\wqokhwwmk

Driver::
ewkdfyk

File::
c:\windows\system32\drivers\ngfmkbx.sys

into a new blank notepad. Then, go File>Save As and save it as CFscript.txt on to your Desktop.

Once it's there, drag it into the ComboFix icon on your Desktop and a log will be generated. I'll need that log back here.

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem7th June 2010, 1:39 am

more_horiz
Thanks Chris! Ok, so now I opened the notepad, copied the text you gave in it, saved it as CFscript.txt. It is now on my desktop.
The icon on my desktop for ComboFix is actually labeled commy.exe
when I try to drag and drop the CFScript into it, it won't go in there. The window pops up to run commy.exe.exe
Did I put the wrong icon on my desktop? If so, what can I do to get the right one on there....the icon is the same as your example...it's just that the label is different. I hope this makes some kind of sense to you, I'm not sure I know the right way to explain! Don't pull your hair out just yet!

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem7th June 2010, 1:48 am

more_horiz
Nope. You've done everything perfectly. Just click Run when prompted to do so Smile.... What that text file is telling ComboFix, is basically what to do. Instead of running normally it will delete infections now Smile...

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem7th June 2010, 2:44 am

more_horiz
ComboFix 10-06-05.03 - Erica 06/06/2010 18:59:51.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.228 [GMT -7:00]
Running from: c:\documents and settings\Erica\Desktop\commy.exe.exe
Command switches used :: c:\documents and settings\Erica\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\drivers\ngfmkbx.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Erica\Local Settings\Application Data\wqokhwwmk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EWKDFYK
-------\Service_ewkdfyk


((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-06-06 18:53 . 2010-06-06 18:54 -------- d-----w- C:\commy.exe
2010-06-06 03:34 . 2010-06-06 03:34 -------- d-----w- c:\documents and settings\Erica\Application Data\Malwarebytes
2010-06-06 03:34 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-06 03:34 . 2010-06-06 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-06 03:34 . 2010-06-06 03:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-06 03:34 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 02:32 . 2010-06-04 02:32 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-03 03:41 . 2010-06-03 03:49 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-06-03 03:41 . 2010-06-03 03:49 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-06-03 03:41 . 2010-06-03 03:41 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-06-03 03:41 . 2010-06-03 03:41 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-06-03 03:04 . 2010-06-03 03:04 -------- d-----w- c:\program files\iLike
2010-06-02 15:36 . 2010-06-02 15:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-10 17:21 . 2010-05-10 17:21 -------- d-----w- c:\windows\system32\BWKDLogs
2010-05-10 17:15 . 2010-05-10 17:15 -------- d-----w- c:\documents and settings\Erica\Local Settings\Application Data\KodakGallery
2010-05-10 17:05 . 2010-05-10 17:05 -------- d-----w- c:\program files\Common Files\Kodak
2010-05-10 16:58 . 2010-05-15 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-05-10 16:06 . 2010-05-10 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\FileCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 19:13 . 2007-03-05 01:07 -------- d-----w- c:\documents and settings\Erica\Application Data\SiteAdvisor
2010-06-06 05:20 . 2007-06-14 18:31 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2010-06-06 05:20 . 2007-06-14 18:36 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2010-06-06 01:44 . 2007-03-08 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-05 20:52 . 2007-03-08 20:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-05 04:48 . 2007-12-29 18:45 -------- d-----w- c:\documents and settings\Erica\Application Data\Apple Computer
2010-06-03 03:04 . 2009-12-24 16:43 -------- d-----w- c:\program files\iTunes
2010-05-01 04:59 . 2009-05-04 16:33 -------- d-----w- c:\program files\Citrix
2010-04-28 00:16 . 2010-03-15 23:36 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-28 00:16 . 2010-03-15 23:36 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-28 00:16 . 2010-03-15 23:36 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-28 00:16 . 2010-03-15 23:36 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-28 00:16 . 2010-03-15 23:36 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-28 00:16 . 2010-03-15 23:36 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-28 00:16 . 2010-03-15 23:36 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-28 00:16 . 2010-03-15 23:36 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-28 00:16 . 2007-03-05 01:05 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-28 00:16 . 2007-03-05 01:05 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-19 13:11 . 2010-04-19 13:11 -------- d-----w- c:\documents and settings\Tim\Application Data\Apple Computer
2010-04-18 13:50 . 2007-06-02 23:15 -------- d-----w- c:\documents and settings\Erica\Application Data\Yahoo!
2010-04-18 13:50 . 2007-05-04 06:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-04-14 22:59 . 2010-04-14 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-14 22:55 . 2010-04-14 22:55 -------- d-----w- c:\program files\iPod
2010-04-14 22:55 . 2010-02-05 04:59 -------- d-----w- c:\program files\Common Files\Apple
2010-04-14 22:43 . 2004-04-17 18:43 -------- d-----w- c:\program files\QuickTime
2010-04-14 22:32 . 2010-04-14 22:32 -------- d-----w- c:\program files\Bonjour
2010-04-14 22:28 . 2010-04-14 22:28 -------- d-----w- c:\program files\Safari
2010-03-10 06:15 . 2002-08-29 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2006-07-21 12:31 . 2006-07-21 12:31 141728 ----a-w- c:\program files\MC
2010-04-28 00:16 . 2010-03-15 23:36 24376 ----a-w- c:\program files\mozilla firefox\components\scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ShutterflyStudio"="c:\program files\Shutterfly\Studio\BIN\SFlyStudio.exe" [2008-05-07 2500096]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Dell AIO Printer A960"="c:\program files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-09-21 270336]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-07-14 53248]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-07-16 290816]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-18 185896]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-02-18 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"rrsjeixo"="c:\documents and settings\Erica\Local Settings\Application Data\wqokhwwmk\dcbechitssd.exe" [BU]

c:\documents and settings\Tim\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-12-30 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
NkbMonitor.exe.lnk - c:\documents and settings\Erica\My Documents\NkbMonitor.exe [2007-6-16 118784]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [3/15/2010 4:36 PM 82952]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [3/15/2010 4:36 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [3/15/2010 4:36 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/15/2010 4:36 PM 88480]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/15/2010 4:36 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [3/15/2010 4:36 PM 83496]
S3 NUVision;NUVision II Video Service;c:\windows\SYSTEM32\DRIVERS\nuvvid2.sys [10/10/2004 1:01 PM 153760]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - ProfilePath - c:\documents and settings\Erica\Application Data\Mozilla\Firefox\Profiles\jv7t3avb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?.home=ytff
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=135963&p=
FF - plugin: c:\documents and settings\Erica\Application Data\Facebook\npfbplugin_1_0_0.dll
FF - plugin: c:\documents and settings\Erica\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Erica\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-06 19:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ShutterflyStudio = c:\program files\Shutterfly\Studio\BIN\SFlyStudio.exe /trayonly?: /RegServer????????????/keyword????????????MMURIConstraint?!????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????!??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(400)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Application Updater\ApplicationUpdater.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe
c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\windows\system32\wscntfy.exe
c:\program files\Dell AIO Printer A960\dlbfbmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-06-06 19:39:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-07 02:38
ComboFix2.txt 2010-06-06 20:15

Pre-Run: 3,745,234,944 bytes free
Post-Run: 3,695,792,128 bytes free

- - End Of File - - 32529645119A6637C2676F8FCC880E38

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem7th June 2010, 4:56 pm

more_horiz
Hi Erica,

We need to run ComboFix again to remove infections.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    uInternet Settings,ProxyOverride =
    uInternet Settings,ProxyServer = http=127.0.0.1:5555

    Registry::
    [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
    "rrsjeixo"=-

    Folder::
    c:documents and settingsEricaLocal SettingsApplication Datawqokhwwmk
  4. Save this as CFscript.txt, in the same location as ComboFix.exe

    Malware/Spyware problem Cfscriptb4

  5. Referring to the picture above, drag CFscript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:ComboFix.txt
  7. Please post the contents of the log in your next reply.

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem7th June 2010, 11:14 pm

more_horiz
ComboFix 10-06-05.03 - Erica 06/07/2010 15:41:13.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.284 [GMT -7:00]
Running from: c:documents and settingsEricaDesktopcommy.exe.exe
Command switches used :: c:documents and settingsEricaDesktopCFscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-06-06 18:53 . 2010-06-06 18:54 -------- d-----w- C:commy.exe
2010-06-06 03:34 . 2010-06-06 03:34 -------- d-----w- c:documents and settingsEricaApplication DataMalwarebytes
2010-06-06 03:34 . 2010-04-29 22:39 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2010-06-06 03:34 . 2010-06-06 03:34 -------- d-----w- c:documents and settingsAll UsersApplication DataMalwarebytes
2010-06-06 03:34 . 2010-06-06 03:34 -------- d-----w- c:program filesMalwarebytes' Anti-Malware
2010-06-06 03:34 . 2010-04-29 22:39 20952 ----a-w- c:windowssystem32driversmbam.sys
2010-06-04 02:32 . 2010-06-04 02:32 -------- d-sh--w- c:documents and settingsLocalServiceIETldCache
2010-06-03 03:41 . 2010-06-03 03:49 -------- d-----w- c:program filesTeaTimer (Spybot - Search & Destroy)
2010-06-03 03:41 . 2010-06-03 03:49 -------- d-----w- c:program filesSDHelper (Spybot - Search & Destroy)
2010-06-03 03:41 . 2010-06-03 03:41 -------- d-----w- c:program filesMisc. Support Library (Spybot - Search & Destroy)
2010-06-03 03:41 . 2010-06-03 03:41 -------- d-----w- c:program filesFile Scanner Library (Spybot - Search & Destroy)
2010-06-03 03:04 . 2010-06-03 03:04 -------- d-----w- c:program filesiLike
2010-06-02 15:36 . 2010-06-02 15:36 -------- d-sh--w- c:documents and settingsNetworkServiceIETldCache
2010-05-10 17:21 . 2010-05-10 17:21 -------- d-----w- c:windowssystem32BWKDLogs
2010-05-10 17:15 . 2010-05-10 17:15 -------- d-----w- c:documents and settingsEricaLocal SettingsApplication DataKodakGallery
2010-05-10 17:05 . 2010-05-10 17:05 -------- d-----w- c:program filesCommon FilesKodak
2010-05-10 16:58 . 2010-05-15 22:13 -------- d-----w- c:documents and settingsAll UsersApplication DataKodak
2010-05-10 16:06 . 2010-05-10 16:06 -------- d-----w- c:documents and settingsAll UsersApplication DataFileCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 19:13 . 2007-03-05 01:07 -------- d-----w- c:documents and settingsEricaApplication DataSiteAdvisor
2010-06-06 05:20 . 2007-06-14 18:31 20 ---h--w- c:documents and settingsAll UsersApplication DataPKP_DLds.DAT
2010-06-06 05:20 . 2007-06-14 18:36 20 ---h--w- c:documents and settingsAll UsersApplication DataPKP_DLec.DAT
2010-06-06 01:44 . 2007-03-08 20:54 -------- d-----w- c:documents and settingsAll UsersApplication DataSpybot - Search & Destroy
2010-06-05 20:52 . 2007-03-08 20:54 -------- d-----w- c:program filesSpybot - Search & Destroy
2010-06-05 04:48 . 2007-12-29 18:45 -------- d-----w- c:documents and settingsEricaApplication DataApple Computer
2010-06-03 03:04 . 2009-12-24 16:43 -------- d-----w- c:program filesiTunes
2010-05-01 04:59 . 2009-05-04 16:33 -------- d-----w- c:program filesCitrix
2010-04-28 00:16 . 2010-03-15 23:36 9344 ----a-w- c:windowssystem32driversmfeclnk.sys
2010-04-28 00:16 . 2010-03-15 23:36 95568 ----a-w- c:windowssystem32driversmfeapfk.sys
2010-04-28 00:16 . 2010-03-15 23:36 88480 ----a-w- c:windowssystem32driversmfendisk.sys
2010-04-28 00:16 . 2010-03-15 23:36 83496 ----a-w- c:windowssystem32driversmferkdet.sys
2010-04-28 00:16 . 2010-03-15 23:36 82952 ----a-w- c:windowssystem32driversmfetdi2k.sys
2010-04-28 00:16 . 2010-03-15 23:36 55456 ----a-w- c:windowssystem32driverscfwids.sys
2010-04-28 00:16 . 2010-03-15 23:36 385880 ----a-w- c:windowssystem32driversmfehidk.sys
2010-04-28 00:16 . 2010-03-15 23:36 312616 ----a-w- c:windowssystem32driversmfefirek.sys
2010-04-28 00:16 . 2007-03-05 01:05 51688 ----a-w- c:windowssystem32driversmfebopk.sys
2010-04-28 00:16 . 2007-03-05 01:05 152320 ----a-w- c:windowssystem32driversmfeavfk.sys
2010-04-19 13:11 . 2010-04-19 13:11 -------- d-----w- c:documents and settingsTimApplication DataApple Computer
2010-04-18 13:50 . 2007-06-02 23:15 -------- d-----w- c:documents and settingsEricaApplication DataYahoo!
2010-04-18 13:50 . 2007-05-04 06:24 -------- d-----w- c:documents and settingsAll UsersApplication DataYahoo!
2010-04-14 22:59 . 2010-04-14 22:53 -------- d-----w- c:documents and settingsAll UsersApplication Data{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-14 22:55 . 2010-04-14 22:55 -------- d-----w- c:program filesiPod
2010-04-14 22:55 . 2010-02-05 04:59 -------- d-----w- c:program filesCommon FilesApple
2010-04-14 22:43 . 2004-04-17 18:43 -------- d-----w- c:program filesQuickTime
2010-04-14 22:32 . 2010-04-14 22:32 -------- d-----w- c:program filesBonjour
2010-04-14 22:30 . 2010-04-14 22:30 73000 ----a-w- c:documents and settingsAll UsersApplication DataApple ComputerInstaller CacheiTunes 9.1.0.79SetupAdmin.exe
2010-04-14 22:28 . 2010-04-14 22:28 -------- d-----w- c:program filesSafari
2010-04-14 22:25 . 2010-04-14 22:25 79144 ----a-w- c:documents and settingsAll UsersApplication DataApple ComputerInstaller CacheSafari 5.31.22.7SetupAdmin.exe
2010-03-10 06:15 . 2002-08-29 10:00 420352 ----a-w- c:windowssystem32vbscript.dll
2010-03-10 03:37 . 2010-01-21 01:30 50354 ----a-w- c:documents and settingsEricaApplication DataFacebookuninstall.exe
2006-07-21 12:31 . 2006-07-21 12:31 141728 ----a-w- c:program filesMC
2010-04-28 00:16 . 2010-03-15 23:36 24376 ----a-w- c:program filesmozilla firefoxcomponentsScriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"DellSupport"="c:program filesDellSupportDSAgnt.exe" [2007-03-15 460784]
"ShutterflyStudio"="c:program filesShutterflyStudioBINSFlyStudio.exe" [2008-05-07 2500096]
"SpybotSD TeaTimer"="c:program filesSpybot - Search & DestroyTeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"NvCplDaemon"="c:windowsSystem32NvCpl.dll" [2003-11-03 4800512]
"IntelMeM"="c:program filesIntelModem Event MonitorIntelMEM.exe" [2003-09-04 221184]
"dla"="c:windowssystem32dlatfswctrl.exe" [2003-08-06 114741]
"DVDSentry"="c:windowsSystem32DSentry.exe" [2003-08-13 28672]
"diagent"="c:program filesCreativeSBLiveDiagnosticsdiagent.exe" [2002-04-03 135264]
"UpdReg"="c:windowsUpdReg.EXE" [2000-05-11 90112]
"Dell AIO Printer A960"="c:program filesDell AIO Printer A960dlbfbmgr.exe" [2003-09-21 270336]
"DVDLauncher"="c:program filesCyberLinkPowerDVDDVDLauncher.exe" [2004-07-14 53248]
"PCMService"="c:program filesDellMedia ExperiencePCMService.exe" [2004-07-16 290816]
"UpdateManager"="c:program filesCommon FilesSonicUpdate Managersgtray.exe" [2003-08-19 110592]
"dscactivate"="c:program filesDell Support Centergs_agentcustomdsca.exe" [2007-11-15 16384]
"TkBellExe"="c:program filesCommon FilesRealUpdate_OBrealsched.exe" [2009-01-18 185896]
"mcui_exe"="c:program filesMcAfee.comAgentmcagent.exe" [2010-04-02 1180976]
"AppleSyncNotifier"="c:program filesCommon FilesAppleMobile Device SupportbinAppleSyncNotifier.exe" [2010-02-18 177472]
"QuickTime Task"="c:program filesQuickTimeQTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:program filesiTunesiTunesHelper.exe" [2010-03-26 142120]
"rrsjeixo"="c:documents and settingsEricaLocal SettingsApplication Datawqokhwwmkdcbechitssd.exe" [BU]

c:documents and settingsTimStart MenuProgramsStartup
PowerReg Scheduler V3.exe [2004-12-30 225280]

c:documents and settingsAll UsersStart MenuProgramsStartup
Adobe Reader Speed Launch.lnk - c:program filesAdobeAcrobat 7.0Readerreader_sl.exe [2008-4-23 29696]
NkbMonitor.exe.lnk - c:documents and settingsEricaMy DocumentsNkbMonitor.exe [2007-6-16 118784]
ymetray.lnk - c:program filesYahoo!Yahoo! Music Jukeboxymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalmcmscsvc]
@=""

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalMCODS]
@=""

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringMcAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringMcAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"c:\WINDOWS\SYSTEM32\LEXPPS.EXE"=
"c:\Program Files\Messenger\msmsgs.exe"=
"c:\WINDOWS\SYSTEM32\java.exe"=
"c:\Program Files\Real\RealPlayer\realplay.exe"=
"c:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe"=
"c:\Program Files\Yahoo!\UPnP\yupnpsrv.exe"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\Rhapsody\rhapsody.exe"=
"c:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"c:\Program Files\iTunes\iTunes.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:windowsSYSTEM32DRIVERSmfetdi2k.sys [3/15/2010 4:36 PM 82952]
R2 Application Updater;Application Updater;c:program filesApplication UpdaterApplicationUpdater.exe [1/8/2010 1:51 AM 380928]
R2 McMPFSvc;McAfee Personal Firewall;"c:program filesCommon FilesMcafeeMcSvcHostMcSvHost.exe" /McCoreSvc [3/15/2010 4:35 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:program filesCommon FilesMcAfeeMcSvcHostMcSvHost.exe" /McCoreSvc [3/15/2010 4:35 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:program filesCommon FilesMcAfeeSystemCoremfefire.exe [3/15/2010 4:36 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:program filesCommon FilesMcAfeeSystemCoremfevtps.exe [3/15/2010 4:36 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:windowsSYSTEM32DRIVERScfwids.sys [3/15/2010 4:36 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:windowsSYSTEM32DRIVERSmfefirek.sys [3/15/2010 4:36 PM 312616]
R3 mfendiskmp;mfendiskmp;c:windowsSYSTEM32DRIVERSmfendisk.sys [3/15/2010 4:36 PM 88480]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:windowsSYSTEM32DRIVERSmfendisk.sys [3/15/2010 4:36 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:windowsSYSTEM32DRIVERSmferkdet.sys [3/15/2010 4:36 PM 83496]
S3 NUVision;NUVision II Video Service;c:windowsSYSTEM32DRIVERSnuvvid2.sys [10/10/2004 1:01 PM 153760]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:windowsTasksAppleSoftwareUpdate.job
- c:program filesApple Software UpdateSoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
FF - ProfilePath - c:documents and settingsEricaApplication DataMozillaFirefoxProfilesjv7t3avb.default
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?.home=ytff
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=135963&p=
FF - plugin: c:documents and settingsEricaApplication DataFacebooknpfbplugin_1_0_0.dll
FF - plugin: c:documents and settingsEricaApplication DataFacebooknpfbplugin_1_0_1.dll
FF - plugin: c:documents and settingsEricaApplication DataFacebooknpfbplugin_1_0_3.dll
FF - plugin: c:program filesJavaj2re1.4.2binNPJPI142.dll
FF - plugin: c:program filesMozilla FirefoxpluginsNPUploader.dll
FF - plugin: c:program filesViewpointViewpoint Experience TechnologynpViewpoint.dll
FF - plugin: c:program filesVirtools3D Life Playernpvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:program filesMozilla Firefoxgreprefsall.js - pref("ui.use_native_colors", true);
c:program filesMozilla Firefoxgreprefsall.js - pref("network.auth.force-generic-ntlm", false);
c:program filesMozilla Firefoxgreprefsall.js - pref("svg.smil.enabled", false);
c:program filesMozilla Firefoxgreprefssecurity-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:program filesMozilla Firefoxgreprefssecurity-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:program filesMozilla Firefoxgreprefssecurity-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:program filesMozilla Firefoxgreprefssecurity-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:program filesMozilla Firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:program filesMozilla Firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:program filesMozilla Firefoxdefaultspreffirefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 15:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCUSoftwareMicrosoftWindowsCurrentVersionRun
ShutterflyStudio = c:program filesShutterflyStudioBINSFlyStudio.exe /trayonly?: /RegServer????????????/keyword????????????MMURIConstraint?!????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????!??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1052)
c:windowssystem32WININET.dll
c:windowssystem32ieframe.dll
c:windowssystem32webcheck.dll
c:windowssystem32WPDShServiceObj.dll
c:windowssystem32PortableDeviceTypes.dll
c:windowssystem32PortableDeviceApi.dll
.
Completion time: 2010-06-07 16:03:43
ComboFix-quarantined-files.txt 2010-06-07 23:03
ComboFix2.txt 2010-06-07 02:39
ComboFix3.txt 2010-06-06 20:15

Pre-Run: 3,771,342,848 bytes free
Post-Run: 3,731,988,480 bytes free

- - End Of File - - 3989FA739139C06939F3E58F04D1DFF7

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem8th June 2010, 12:49 am

more_horiz
Hi Erica,

It looks like a forum issue prevented this:

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"rrsjeixo"=-

from being removed. See here for more information:
http://www.GeekPolice.net/geekpolice-bulletin-f28/recent-issues-080610-t21987.htm#144131

Until this issue is resolved the fix won't come out right Sad tearing. Sorry for the inconvenience.

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem8th June 2010, 1:15 am

more_horiz
Any ideas as to when the issue might be resolved, or should I keep checking back periodically? Thanks for all the time you've put into helping me. I'm surprised that the problem isn't fully fixed, as my computer's performance has been SO much better!

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem8th June 2010, 1:27 am

more_horiz
Hi endlessands

I have no idea when it will be fixed. That being said, I've got a bit of a workaround for you. This link

http://rapidshare.com/files/396495946/FixforErica.txt.html

contains a properly formatted script for you to download. When you go to that link, click on Free User>Download

When the text file is downloaded saved as CFScript.txt as you would if you created it yourself then, drag it into ComboFix's icon a per the instructions in Post #21

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem8th June 2010, 3:12 am

more_horiz
Thanks, I followed the link and got the download. It was automatically saved with the file name FixforErica I then dragged it to the ComboFix icon to run Combofix, but a window popped up with the name: CF Script Name error. It said: Were you trying to run CFScript? The name, CFScript appears to be incorrectly spelt.
So my question is: I see that your instructions say for me to save as CFScript.txt but I'm not sure how to do that because it saved it automatically as FixforErica. I must have missed a step...?

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem8th June 2010, 6:18 am

more_horiz
Hi Erica,

I should have saved it as CFScript, sorry. If you right click on FixForErica and choose Rename it will allow you to rename it to CFScript Smile...

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem8th June 2010, 5:18 pm

more_horiz
ComboFix 10-06-05.03 - Erica 06/08/2010 9:42.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.257 [GMT -7:00]
Running from: c:documents and settingsEricaDesktopcommy.exe.exe
Command switches used :: c:documents and settingsEricaDesktopCFScript.txt.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-05-08 to 2010-06-08 )))))))))))))))))))))))))))))))
.

2010-06-08 03:02 . 2010-06-08 03:04 -------- d-----w- C:commy.exe18885c
2010-06-06 18:53 . 2010-06-06 18:54 -------- d-----w- C:commy.exe
2010-06-06 03:34 . 2010-06-06 03:34 -------- d-----w- c:documents and settingsEricaApplication DataMalwarebytes
2010-06-06 03:34 . 2010-04-29 22:39 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2010-06-06 03:34 . 2010-06-06 03:34 -------- d-----w- c:documents and settingsAll UsersApplication DataMalwarebytes
2010-06-06 03:34 . 2010-06-06 03:34 -------- d-----w- c:program filesMalwarebytes' Anti-Malware
2010-06-06 03:34 . 2010-04-29 22:39 20952 ----a-w- c:windowssystem32driversmbam.sys
2010-06-04 02:32 . 2010-06-04 02:32 -------- d-sh--w- c:documents and settingsLocalServiceIETldCache
2010-06-03 03:41 . 2010-06-03 03:49 -------- d-----w- c:program filesTeaTimer (Spybot - Search & Destroy)
2010-06-03 03:41 . 2010-06-03 03:49 -------- d-----w- c:program filesSDHelper (Spybot - Search & Destroy)
2010-06-03 03:41 . 2010-06-03 03:41 -------- d-----w- c:program filesMisc. Support Library (Spybot - Search & Destroy)
2010-06-03 03:41 . 2010-06-03 03:41 -------- d-----w- c:program filesFile Scanner Library (Spybot - Search & Destroy)
2010-06-03 03:04 . 2010-06-03 03:04 -------- d-----w- c:program filesiLike
2010-06-02 15:36 . 2010-06-02 15:36 -------- d-sh--w- c:documents and settingsNetworkServiceIETldCache
2010-05-10 17:21 . 2010-05-10 17:21 -------- d-----w- c:windowssystem32BWKDLogs
2010-05-10 17:15 . 2010-05-10 17:15 -------- d-----w- c:documents and settingsEricaLocal SettingsApplication DataKodakGallery
2010-05-10 17:05 . 2010-05-10 17:05 -------- d-----w- c:program filesCommon FilesKodak
2010-05-10 16:58 . 2010-05-15 22:13 -------- d-----w- c:documents and settingsAll UsersApplication DataKodak
2010-05-10 16:06 . 2010-05-10 16:06 -------- d-----w- c:documents and settingsAll UsersApplication DataFileCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 19:13 . 2007-03-05 01:07 -------- d-----w- c:documents and settingsEricaApplication DataSiteAdvisor
2010-06-06 05:20 . 2007-06-14 18:31 20 ---h--w- c:documents and settingsAll UsersApplication DataPKP_DLds.DAT
2010-06-06 05:20 . 2007-06-14 18:36 20 ---h--w- c:documents and settingsAll UsersApplication DataPKP_DLec.DAT
2010-06-06 01:44 . 2007-03-08 20:54 -------- d-----w- c:documents and settingsAll UsersApplication DataSpybot - Search & Destroy
2010-06-05 20:52 . 2007-03-08 20:54 -------- d-----w- c:program filesSpybot - Search & Destroy
2010-06-05 04:48 . 2007-12-29 18:45 -------- d-----w- c:documents and settingsEricaApplication DataApple Computer
2010-06-03 03:04 . 2009-12-24 16:43 -------- d-----w- c:program filesiTunes
2010-05-01 04:59 . 2009-05-04 16:33 -------- d-----w- c:program filesCitrix
2010-04-28 00:16 . 2010-03-15 23:36 9344 ----a-w- c:windowssystem32driversmfeclnk.sys
2010-04-28 00:16 . 2010-03-15 23:36 95568 ----a-w- c:windowssystem32driversmfeapfk.sys
2010-04-28 00:16 . 2010-03-15 23:36 88480 ----a-w- c:windowssystem32driversmfendisk.sys
2010-04-28 00:16 . 2010-03-15 23:36 83496 ----a-w- c:windowssystem32driversmferkdet.sys
2010-04-28 00:16 . 2010-03-15 23:36 82952 ----a-w- c:windowssystem32driversmfetdi2k.sys
2010-04-28 00:16 . 2010-03-15 23:36 55456 ----a-w- c:windowssystem32driverscfwids.sys
2010-04-28 00:16 . 2010-03-15 23:36 385880 ----a-w- c:windowssystem32driversmfehidk.sys
2010-04-28 00:16 . 2010-03-15 23:36 312616 ----a-w- c:windowssystem32driversmfefirek.sys
2010-04-28 00:16 . 2007-03-05 01:05 51688 ----a-w- c:windowssystem32driversmfebopk.sys
2010-04-28 00:16 . 2007-03-05 01:05 152320 ----a-w- c:windowssystem32driversmfeavfk.sys
2010-04-19 13:11 . 2010-04-19 13:11 -------- d-----w- c:documents and settingsTimApplication DataApple Computer
2010-04-18 13:50 . 2007-06-02 23:15 -------- d-----w- c:documents and settingsEricaApplication DataYahoo!
2010-04-18 13:50 . 2007-05-04 06:24 -------- d-----w- c:documents and settingsAll UsersApplication DataYahoo!
2010-04-14 22:59 . 2010-04-14 22:53 -------- d-----w- c:documents and settingsAll UsersApplication Data{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-14 22:55 . 2010-04-14 22:55 -------- d-----w- c:program filesiPod
2010-04-14 22:55 . 2010-02-05 04:59 -------- d-----w- c:program filesCommon FilesApple
2010-04-14 22:43 . 2004-04-17 18:43 -------- d-----w- c:program filesQuickTime
2010-04-14 22:32 . 2010-04-14 22:32 -------- d-----w- c:program filesBonjour
2010-04-14 22:28 . 2010-04-14 22:28 -------- d-----w- c:program filesSafari
2006-07-21 12:31 . 2006-07-21 12:31 141728 ----a-w- c:program filesMC
2010-04-28 00:16 . 2010-03-15 23:36 24376 ----a-w- c:program filesmozilla firefoxcomponentsScriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"DellSupport"="c:program filesDellSupportDSAgnt.exe" [2007-03-15 460784]
"ShutterflyStudio"="c:program filesShutterflyStudioBINSFlyStudio.exe" [2008-05-07 2500096]
"SpybotSD TeaTimer"="c:program filesSpybot - Search & DestroyTeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"NvCplDaemon"="c:windowsSystem32NvCpl.dll" [2003-11-03 4800512]
"IntelMeM"="c:program filesIntelModem Event MonitorIntelMEM.exe" [2003-09-04 221184]
"dla"="c:windowssystem32dlatfswctrl.exe" [2003-08-06 114741]
"DVDSentry"="c:windowsSystem32DSentry.exe" [2003-08-13 28672]
"diagent"="c:program filesCreativeSBLiveDiagnosticsdiagent.exe" [2002-04-03 135264]
"UpdReg"="c:windowsUpdReg.EXE" [2000-05-11 90112]
"Dell AIO Printer A960"="c:program filesDell AIO Printer A960dlbfbmgr.exe" [2003-09-21 270336]
"DVDLauncher"="c:program filesCyberLinkPowerDVDDVDLauncher.exe" [2004-07-14 53248]
"PCMService"="c:program filesDellMedia ExperiencePCMService.exe" [2004-07-16 290816]
"UpdateManager"="c:program filesCommon FilesSonicUpdate Managersgtray.exe" [2003-08-19 110592]
"dscactivate"="c:program filesDell Support Centergs_agentcustomdsca.exe" [2007-11-15 16384]
"TkBellExe"="c:program filesCommon FilesRealUpdate_OBrealsched.exe" [2009-01-18 185896]
"mcui_exe"="c:program filesMcAfee.comAgentmcagent.exe" [2010-04-02 1180976]
"AppleSyncNotifier"="c:program filesCommon FilesAppleMobile Device SupportbinAppleSyncNotifier.exe" [2010-02-18 177472]
"QuickTime Task"="c:program filesQuickTimeQTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:program filesiTunesiTunesHelper.exe" [2010-03-26 142120]

c:documents and settingsTimStart MenuProgramsStartup
PowerReg Scheduler V3.exe [2004-12-30 225280]

c:documents and settingsAll UsersStart MenuProgramsStartup
Adobe Reader Speed Launch.lnk - c:program filesAdobeAcrobat 7.0Readerreader_sl.exe [2008-4-23 29696]
NkbMonitor.exe.lnk - c:documents and settingsEricaMy DocumentsNkbMonitor.exe [2007-6-16 118784]
ymetray.lnk - c:program filesYahoo!Yahoo! Music Jukeboxymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalmcmscsvc]
@=""

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalMCODS]
@=""

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringMcAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringMcAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"c:\WINDOWS\SYSTEM32\LEXPPS.EXE"=
"c:\Program Files\Messenger\msmsgs.exe"=
"c:\WINDOWS\SYSTEM32\java.exe"=
"c:\Program Files\Real\RealPlayer\realplay.exe"=
"c:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe"=
"c:\Program Files\Yahoo!\UPnP\yupnpsrv.exe"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\Rhapsody\rhapsody.exe"=
"c:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"c:\Program Files\iTunes\iTunes.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:windowsSYSTEM32DRIVERSmfetdi2k.sys [3/15/2010 4:36 PM 82952]
R2 Application Updater;Application Updater;c:program filesApplication UpdaterApplicationUpdater.exe [1/8/2010 1:51 AM 380928]
R2 McMPFSvc;McAfee Personal Firewall;"c:program filesCommon FilesMcafeeMcSvcHostMcSvHost.exe" /McCoreSvc [3/15/2010 4:35 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:program filesCommon FilesMcAfeeMcSvcHostMcSvHost.exe" /McCoreSvc [3/15/2010 4:35 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:program filesCommon FilesMcAfeeSystemCoremfefire.exe [3/15/2010 4:36 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:program filesCommon FilesMcAfeeSystemCoremfevtps.exe [3/15/2010 4:36 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:windowsSYSTEM32DRIVERScfwids.sys [3/15/2010 4:36 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:windowsSYSTEM32DRIVERSmfefirek.sys [3/15/2010 4:36 PM 312616]
R3 mfendiskmp;mfendiskmp;c:windowsSYSTEM32DRIVERSmfendisk.sys [3/15/2010 4:36 PM 88480]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:windowsSYSTEM32DRIVERSmfendisk.sys [3/15/2010 4:36 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:windowsSYSTEM32DRIVERSmferkdet.sys [3/15/2010 4:36 PM 83496]
S3 NUVision;NUVision II Video Service;c:windowsSYSTEM32DRIVERSnuvvid2.sys [10/10/2004 1:01 PM 153760]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:windowsTasksAppleSoftwareUpdate.job
- c:program filesApple Software UpdateSoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
FF - ProfilePath - c:documents and settingsEricaApplication DataMozillaFirefoxProfilesjv7t3avb.default
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?.home=ytff
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=135963&p=
FF - plugin: c:documents and settingsEricaApplication DataFacebooknpfbplugin_1_0_0.dll
FF - plugin: c:documents and settingsEricaApplication DataFacebooknpfbplugin_1_0_1.dll
FF - plugin: c:documents and settingsEricaApplication DataFacebooknpfbplugin_1_0_3.dll
FF - plugin: c:program filesJavaj2re1.4.2binNPJPI142.dll
FF - plugin: c:program filesMozilla FirefoxpluginsNPUploader.dll
FF - plugin: c:program filesViewpointViewpoint Experience TechnologynpViewpoint.dll
FF - plugin: c:program filesVirtools3D Life Playernpvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:program filesMozilla Firefoxgreprefsall.js - pref("ui.use_native_colors", true);
c:program filesMozilla Firefoxgreprefsall.js - pref("network.auth.force-generic-ntlm", false);
c:program filesMozilla Firefoxgreprefsall.js - pref("svg.smil.enabled", false);
c:program filesMozilla Firefoxgreprefssecurity-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:program filesMozilla Firefoxgreprefssecurity-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:program filesMozilla Firefoxgreprefssecurity-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:program filesMozilla Firefoxgreprefssecurity-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:program filesMozilla Firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:program filesMozilla Firefoxdefaultspreffirefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:program filesMozilla Firefoxdefaultspreffirefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-08 09:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCUSoftwareMicrosoftWindowsCurrentVersionRun
ShutterflyStudio = c:program filesShutterflyStudioBINSFlyStudio.exe /trayonly?: /RegServer????????????/keyword????????????MMURIConstraint?!????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????!??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(428)
c:windowssystem32WININET.dll
c:windowssystem32ieframe.dll
c:windowssystem32webcheck.dll
c:windowssystem32WPDShServiceObj.dll
c:windowssystem32PortableDeviceTypes.dll
c:windowssystem32PortableDeviceApi.dll
.
Completion time: 2010-06-08 10:12:54
ComboFix-quarantined-files.txt 2010-06-08 17:12
ComboFix2.txt 2010-06-07 23:03
ComboFix3.txt 2010-06-07 02:39
ComboFix4.txt 2010-06-06 20:15

Pre-Run: 3,682,930,688 bytes free
Post-Run: 3,647,299,584 bytes free

- - End Of File - - 6FB00B52EB11C1ABCCB23C75DFCC6410

descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem8th June 2010, 5:49 pm

more_horiz
Hi Erica,

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

    • descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem8th June 2010, 6:10 pm

    more_horiz
    For some reason the "Accept" button from this link is not an option...only "Exit"?

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem8th June 2010, 6:17 pm

    more_horiz
    Hi Erica,

    It works on my end so, it's not an issue with Kaspersky. Do you currently have Java installed? You could try updating to the latest version from here:
    http://www.java.com/en/ and then try running Kaspersky again.
    =======

    If that doesn't do it, did you see this?

    Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.


    Try disabling your AV. See here for more info on doing so: http://www.bleepingcomputer.com/forums/topic114351.html

    then, run Kaspersky again

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem9th June 2010, 5:37 am

    more_horiz
    Updated Java, disabled all anti-virus programs. Got the download ok finally, but tried unsuccessfully all day to complete the scan. All 5 or 6 times, it freezes right in the middle of scan and either freezes up or closes. Too frustrated to try again tonight, so I'll give it another shot in the morning.

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem9th June 2010, 5:40 am

    more_horiz
    Hi Erica,

    That's odd. I've never had issues with Kaspersky like that.

    Try this:

    Please run Panda ActiveScan online scan.

    • Click the big green Scan now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • Once the scan is completed, please hit the notepad icon next to the text Export to:
    • Save it to a convenient location such as your Desktop
    • Post the contents of the ActiveScan.txt in your next reply

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem9th June 2010, 12:33 pm

    more_horiz
    Threats (9)
    Low danger level (9)
    W32/Bagle.pwdz... Virus
    Latent
    Hide + Info
    1. c:documents and settingsall usersapplicati...troyrecoverysmitfraudcgeneric.zip
    adware/activsh... Adware
    Latent
    Hide + Info
    1. c:program filesactivshopper
    Adware/Protect... Adware
    Latent
    Hide + Info
    1. c:qooboxquarantinecwindowspragmacviqnrdmshpragmaserf.dll.vir
    2. c:system volume information_restore{b37680b...0-83e44c588624}rp1431a0449092.dll
    Adware/Protect... Adware
    Latent
    Hide + Info
    1. c:system volume information_restore{b37680b...0-83e44c588624}rp1431a0449090.dll
    2. c:qooboxquarantinecwindowspragmacviqnrdmshpragmabbr.dll.vir
    Adware/Protect... Adware
    Latent
    Hide + Info
    1. c:qooboxquarantinecwindowspragmaiymxvslutipragmad.sys.vir
    Generic Malwar... Virus
    Latent
    Hide + Info
    1. c:documents and settingsericaapplication d...lliance3dgroovextrav181groove.x32
    Adware/Protect... Adware
    Latent
    Hide + Info
    1. c:qooboxquarantinecwindowspragmaiymxvslutipragmac.dll.vir
    2. c:qooboxquarantinecwindowspragmacviqnrdmshpragmac.dll.vir
    Trj/CI.A Virus
    Latent
    Hide + Info
    1. c:qooboxquarantinecwindowspragmaiymxvslutipragmabbr.dll.vir
    2. c:system volume information_restore{b37680b...0-83e44c588624}rp1431a0449093.dll
    3. c:system volume information_restore{b37680b...0-83e44c588624}rp1431a0449095.dll
    4. c:qooboxquarantinecwindowspragmaiymxvslutipragmaserf.dll.vir
    Application/PR... Tracking Application
    Latent
    Hide + Info
    1. c:documents and settingstimstart menuprog...sstartuppowerreg scheduler v3.exe

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem9th June 2010, 5:54 pm

    more_horiz
    Hi Erica,

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these Folders/Files (if present):

    c:documents and settingsall usersapplicati...troyrecovery

    c:documentsandsettingsericaapplicationd...lliance3dgroovextrav181groove.x32

    c:documents and settingstimstart menuprog...sstartuppowerreg scheduler v3.exe

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem9th June 2010, 9:20 pm

    more_horiz
    Hey Chris, I r-clicked start menu and hit explore....then I clicked documents and settings then all users. There are several folders in there which I checked but didn't find "troyrecovery." Couldn't find 3D Groove either. Any tips on how I might find them?

    Found Power Reg Scheduler and deleted.

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem9th June 2010, 9:27 pm

    more_horiz
    Hi Erica,

    Try going down one level further to All Users/Application Data to find troyrecovery

    for lliance3dgroovextrav181groove.x32 it is in Documents and Settings/Erica/Application Data

    sstartuppowerreg scheduler v3.exe is in Documents and Settings/Start Menu Programs

    If you go Start>Search you can type the filenames in and it will come up with the locations if you still can't find them.

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem9th June 2010, 9:39 pm

    more_horiz
    ok so here's what's confusing me (sorry, take a deep breath)...
    I see category "All Users" but no "application" subcategory

    I see "Documents and settings" and subcategory "Erica," but no "Application Data" subcategory.

    I put the file names in a search, and came up with nothing. I'll look again, I'm sure I'm just not seeing the right place to look.

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem9th June 2010, 9:44 pm

    more_horiz
    Hi Erica,

    It could be that hidden files and folders aren't set to show.

    1. On the Tools menu in Windows Explorer, click Folder Options.

    2. Click the View tab.

    3. Under Hidden files and folders, click Show hidden files and folders.

    The filepaths are as follows:

    c:\documents and settings\all users\application data\troyrecovery

    c:\documents and settings\erica\application data\lliance3dgroovextrav181groove.x32

    c:\documents and settings\tim\start menu programs\sstartuppowerreg scheduler v3.exe

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem9th June 2010, 9:59 pm

    more_horiz
    That worked...thanks! Found and deleted 3D groove and start up power reg but there is still no troy recovery (not even when I did a search from the start menu).

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem9th June 2010, 10:09 pm

    more_horiz
    What about smitfraudcgeneric.zip?

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem9th June 2010, 10:23 pm

    more_horiz
    Didn't find it in a search...is there a specific path I should follow?

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem9th June 2010, 10:28 pm

    more_horiz
    This is the path to the infected file from the logfile

    c:documents and settingsall usersapplicati...troyrecoverysmitfraudcgeneric.zip

    It's garbled because A) it's shortened and One Cool Dude Our current forum issue. According to the logfile it should be in C:|Documents and Settings|All Users|Application Data|troyrecovery|smitfraudcgeneric.zip

    that's my best guess. without the character to split up the path i can't say with certainty where it is

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem9th June 2010, 10:41 pm

    more_horiz
    I know what it is. I found it under a folder under the heading Spybot and then under Recovery. There are a bunch of applications with the name SmitfraudC, C1, C2,C3,etc.

    Should I delete all of them? I uninstalled Spybot the other day

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem9th June 2010, 11:36 pm

    more_horiz
    Hi Erica,

    EDIT: Better idea Smile...

    Since you uninstalled Spybot there's no need for that folder. You can safely delete it Hooray!

    Could you please let me know how things are running now as well?

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem10th June 2010, 12:42 am

    more_horiz
    I'm still trying to locate those files...I know where they are, I just can't find it when I browse on Virus Total. I found this infected file though...should I delete?


    File dummy.cd_clint.dll received on 2010.06.10 00:37:07 (UTC)
    Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
    Result: 1/41 (2.44%)
    Loading server information...
    Your file is queued in position: 1.
    Estimated start time is between 42 and 60 seconds.
    Do not close the window until scan is complete.
    The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
    If you are waiting for more than five minutes you have to resend your file.
    Your file is being scanned by VirusTotal in this moment,
    results will be shown as they're generated.
    Compact Compact
    Print results Print results
    Your file has expired or does not exists.
    Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

    You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
    Email:

    Antivirus Version Last Update Result
    a-squared 5.0.0.26 2010.06.09 -
    AhnLab-V3 2010.06.10.00 2010.06.10 -
    AntiVir 8.2.2.6 2010.06.09 -
    Antiy-AVL 2.0.3.7 2010.06.08 -
    Authentium 5.2.0.5 2010.06.10 -
    Avast 4.8.1351.0 2010.06.09 -
    Avast5 5.0.332.0 2010.06.09 -
    AVG 9.0.0.787 2010.06.09 -
    BitDefender 7.2 2010.06.10 -
    CAT-QuickHeal 10.00 2010.06.09 -
    ClamAV 0.96.0.3-git 2010.06.09 -
    Comodo 5044 2010.06.09 -
    DrWeb 5.0.2.03300 2010.06.10 -
    eSafe 7.0.17.0 2010.06.09 -
    eTrust-Vet 36.1.7624 2010.06.10 -
    F-Prot 4.6.0.103 2010.06.09 -
    F-Secure 9.0.15370.0 2010.06.10 -
    Fortinet 4.1.133.0 2010.06.09 -
    GData 21 2010.06.10 -
    Ikarus T3.1.1.84.0 2010.06.09 -
    Jiangmin 13.0.900 2010.06.09 -
    Kaspersky 7.0.0.125 2010.06.09 -
    McAfee 5.400.0.1158 2010.06.10 -
    McAfee-GW-Edition 2010.1 2010.06.09 -
    Microsoft 1.5802 2010.06.09 -
    NOD32 5185 2010.06.09 -
    Norman 6.04.12 2010.06.09 -
    nProtect 2010-06-09.02 2010.06.09 -
    Panda 10.0.2.7 2010.06.08 -
    PCTools 7.0.3.5 2010.06.10 -
    Prevx 3.0 2010.06.10 -
    Rising 22.51.02.03 2010.06.09 -
    Sophos 4.54.0 2010.06.10 -
    Sunbelt 6427 2010.06.10 -
    Symantec 20101.1.0.89 2010.06.09 -
    TheHacker 6.5.2.0.295 2010.06.08 -
    TrendMicro 9.120.0.1004 2010.06.09 -
    TrendMicro-HouseCall 9.120.0.1004 2010.06.10 -
    VBA32 3.12.12.5 2010.06.09 -
    ViRobot 2010.6.9.2346 2010.06.09 Adware.SpyFerret.R.48640
    VirusBuster 5.0.27.0 2010.06.09 -
    Additional information
    File size: 48640 bytes
    MD5...: 65fd7ea79f626f7b57f4d6ced6339f32
    SHA1..: 866057a7b43c7d8cbc940bdb5d3f981e90c766bd
    SHA256: df94491ba2793da99a2431591f317c67150d22e2530a9d34d5f427ad854fccf4
    ssdeep: 768:fx2vBbnGaxz3I1pc8APF5AkQejBa5VlnaaroGUGQQP86pxl6N93+:aBbXz4L
    c8APF5RQI05ONGUGRON93
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1000
    timedatestamp.....: 0x3c407b08 (Sat Jan 12 18:06:00 2002)
    machinetype.......: 0x14c (I386)

    ( 7 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x8000 0x7600 6.58 8558c7cd93244de2db100e05b0f62e21
    .data 0x9000 0x6000 0x2600 4.78 df74a9ef4ed005ce2b9a3dbf3590410c
    .tls 0xf000 0x1000 0x200 7.56 6dc5e9f680f898766f95b3772be45afa
    .idata 0x10000 0x1000 0x600 4.21 03687ef20fd86b905fd9b48e039f7963
    .edata 0x11000 0x1000 0x200 2.15 bab4bd510e904028091b14b2b3bd197a
    .rsrc 0x12000 0x1000 0xa00 3.74 3d2d5690d8a991e3b301369919edbdcb
    .reloc 0x13000 0x1000 0x800 6.49 ae41c1542e3e8af842d30f2ded308dd4

    ( 2 imports )
    > KERNEL32.DLL: CloseHandle, CreateFileA, EnterCriticalSection, ExitProcess, FreeEnvironmentStringsA, GetACP, GetCPInfo, GetCurrentThreadId, GetEnvironmentStrings, GetFileType, GetLastError, GetLocalTime, GetModuleFileNameA, GetModuleHandleA, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStdHandle, GetStringTypeW, GetVersion, GetVersionExA, GlobalMemoryStatus, HeapAlloc, HeapFree, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, RaiseException, RtlUnwind, SetConsoleCtrlHandler, SetFilePointer, SetHandleCount, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualQuery, WriteFile
    > USER32.DLL: EnumThreadWindows, MessageBoxA, wsprintfA

    ( 6 exports )
    ChannelRead, ChannelWrite, DescWrite, ServiceClose, ServiceShow, ___CPPdebugHook
    RDS...: NSRL Reference Data Set
    -
    trid..: Win32 Dynamic Link Library - Borland C/C++ (91.6%)
    Win32 Executable Generic (3.5%)
    Win32 Dynamic Link Library (generic) (3.1%)
    Generic Win/DOS Executable (0.8%)
    DOS Executable Generic (0.8%)
    pdfid.: -
    sigcheck:
    publisher....: CEXX Labs - www.cexx.org
    copyright....: CEXX Labs _ Mike Dombrowski
    product......: CEXX.ORG Spyware Condom (CYDOOR-Compatible)
    description..: DLL (GUI)
    original name: project1.dll
    internal name: ProjectOne
    file version.: 1.0.0.0
    comments.....: _For that EXTRA comfort and protection._
    signers......: -
    signing date.: -
    verified.....: Unsigned[b]

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem10th June 2010, 12:45 am

    more_horiz
    Hi Erica,

    Darn it! You must have missed my edit. My apologies. Since you uninstalled Sybot, you don't need to keep that folder around anymore. You can just delete C:\Program Files\Spybot S & D

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem10th June 2010, 12:48 am

    more_horiz
    Awesome! That makes it easy. I uninstalled it yesterday when I tried to run Kaspersky.

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem10th June 2010, 12:49 am

    more_horiz
    Hehe. Exactly what I was thinking Smile....

    So, how are things running now? Any better?

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem10th June 2010, 12:52 am

    more_horiz
    My computer is running perfectly now. Do you think all of the nasty stuff is gone? How can I tell?

    descriptionMalware/Spyware problem EmptyRe: Malware/Spyware problem

    more_horiz
    privacy_tip Permissions in this forum:
    You cannot reply to topics in this forum