0

About 6 weeks ago I tried to watch a video and the codec it asked me to install was a virus. It hijacked my browsers so all the searches took me to ad sites. I ran Malwarebytes and removed it and got control of my browsers. (Firefox 3 and IE8)

However now about every other week or so I run McAfee or Malware Bytes and it comes up with a new trojan running on my system. I haven't downloaded anything sketchy or been to any sites that might have questionable content, so where do the new trojans come from?

Also, since updating to Flash 10 nothing Flash will work on IE8, and when I try and install it from the Adobe site IE8 closes the tab and tells me something is trying to add itself maliciously.

Can anyone help?

Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:47 AM, on 10/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.8.0.32/cascade/cascade-en_US.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.8.0.32/cribbage/cribbage-en_US.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.8.0.25/gin2/gin2-en_US.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.8.0.25/penguins/penguins-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.7.4.35/poppit2/poppit2-en_US.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.8.0.32/spider/spider-en_US.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.8.0.25/wordwhomp2/whomp2-en_US.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 10570 bytes
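The helpers in this thread read a HijackThis log section by section. As an added example (not code from the thread or from HijackThis), here is a small Python triage script that applies those first-pass checks to a handful of lines copied from the log above, plus two constructed lines so every check has something to fire on: start/search URLs pointing at a host nobody configured, BHO entries whose DLL is gone, autoruns launching from outside Program Files/Windows, and services with no publisher name. The host allowlist, the trusted directory roots and the two made-up lines are assumptions, and a flag means "look at this", not a verdict.

```python
"""Triage a HijackThis log by section (assumed helper, not part of the thread)."""
import re
from urllib.parse import urlparse

# Constructed sample. Most lines are copied from the HijackThis log posted above; the
# "search.example.invalid" Search Page line and the "Temp\updater.exe" Run entry are
# made up so the hijack and autorun checks have something to fire on.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/?q=%s
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\Family\Local Settings\Temp\updater.exe"
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
"""

# Assumed allowlists: the hosts this machine's start/search pages are expected to use,
# and the directory roots a legitimate autorun binary normally lives under on XP.
EXPECTED_HOSTS = {"google.com", "www.google.com", "go.microsoft.com", "search.yahoo.com"}
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

# "R0 - <body>", "O2 - <body>", ...: HijackThis prefixes every entry with its section code.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# First drive-letter path ending in .exe after the "[name]" part of an O4 entry.
EXE_RE = re.compile(r'\]\s+"?([A-Za-z]:\\[^"]+?\.exe)', re.IGNORECASE)


def triage_entry(section, body):
    """Return a one-line reason to look at this entry, or None if it passes the checks."""
    if section in ("R0", "R1"):
        # Start page / search URL: a hijack shows up as a host nobody configured.
        url = body.rsplit(" = ", 1)[-1]
        host = (urlparse(url).hostname or "").lower()
        if host not in EXPECTED_HOSTS:
            return f"browser start/search setting points at unexpected host {host!r}"
    elif section in ("O2", "O3"):
        # A BHO/toolbar CLSID whose DLL is gone: leftover of an uninstall or of removed malware.
        if "(no file)" in body or "(file missing)" in body:
            return "orphaned BHO/toolbar registration, DLL missing; safe to clean up"
    elif section == "O4":
        # Autorun that launches from a profile/temp directory instead of an install location.
        m = EXE_RE.search(body)
        if m and not m.group(1).lower().startswith(TRUSTED_ROOTS):
            return f"autorun outside Program Files/Windows: {m.group(1)}"
    elif section == "O23":
        # A service with no publisher string deserves a look at the binary's signature.
        if " - Unknown owner - " in body:
            return "service with no publisher name; verify the binary before trusting it"
    return None


def triage_log(text):
    """Return [(section, reason, original line)] for every entry that needs a human look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, the running-process list, blank lines
        reason = triage_entry(m.group("sec"), m.group("body"))
        if reason:
            findings.append((m.group("sec"), reason, line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n      {line}")
```

On the real log above only the two O2 orphans and the SiteAdvisor service trip these checks; the O4 and R1 rules fire on the constructed lines, which is the point of including them.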

5 Contributors, 20 Replies, 21 Views, 7 Years Discussion Span, Last Post by jholland1964
0

1st step: ditch McAfee, it's garbage. Secondly, update MalwareBytes and run another full scan. Then download better a/v firewall software; I recommend Comodo free version, it will alert you whenever your system downloads a file or attempts to change system files, where McAfee lets anything happen without alerting you at all.

This should stabilize you out; once one of the spyware killers round here (mods or master posters) can get in here, they should be able to help you further.

0

Update MBA-M and do a FULL SCAN with it. Have it remove everything found.
Reboot the computer. Then do the following:
Run the ESET Online Scanner

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

Reboot the computer. Then run a new HJT scan. Post back here with the MBA-M log, the ESET log and the new HJT log.

0

I got to the running of the eset scanner and as it was loading I received an error message from IE8

The instruction at '0x06620068' referenced memory at '0x06620068'. The memory could not be "written".

Whether I click OK to terminate or Cancel to debug, it closes the window.

Any suggestions?

0

Did you already run the MBA-M program? If so, post the log here. We still don't know the NAME of the trojans which are being found, and this is an important thing for us to find out. Sometimes different removal steps are needed.

You also said you began having problems when you updated the Flash Player; have you tried just uninstalling that and leaving it off for now?
One key thing is NOT updating files which are not key files, and for now the Flash Player isn't key, when you possibly have an infection on the computer. If you have not uninstalled that then I would recommend that you do for now.


0

Ok flash uninstalled for now. The problems started really about 6 weeks ago when a video asked me to install a codec that wasn't really a codec... I wasn't running any antivirus software at that point. I'd never had an issue before. Kicking myself now.

Flash worked on IE8 until I updated it to 10. It still works on Firefox. I would go all Firefox but my wife has to have IE for work stuff.

Here's the latest MBA-M log that detected something, 2 days ago.

Malwarebytes' Anti-Malware 1.41
Database version: 2955
Windows 5.1.2600 Service Pack 3

10/13/2009 1:17:42 PM
mbam-log-2009-10-13 (13-17-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 219068
Time elapsed: 1 hour(s), 11 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks

0

Is this Vundo trojan the one that keeps coming back? You know you can get an IE plug-in for Firefox; works fine.

0

No, it's always a different one that comes up.

ESQULserv.sys
Windows MSI

Are names of others. What does the IE plug-in do?

0

Sounds like you have a rootkit on there. That's why it keeps coming back.
Do this. You can read full instructions for this tool, if you wish, at http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Download ComboFix.
Click on the Save button, and when it asks you where to save it, make sure you save it directly to your Windows Desktop.
DO NOT RUN it YET
You must take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run, and when it has finished you will see the Disclaimer screen. You should press the number 1 key and then press the Enter key to continue.
ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry.

Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.

ComboFix will scan your computer for known infections. This procedure can take some time, so please be patient.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically.
You should now post this log here when all is complete.

I'll get the link for the Firefox IE Add-on once you have posted your combofix log. You don't want to be adding anything else until this clean up is complete.
Judy


0

Ok, combofix ran fine, here is the log.

ComboFix 09-10-15.04 - Family 10/16/2009 8:55.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.674 [GMT -7:00]
Running from: c:\documents and settings\Family\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Family\My Documents\ZbThumbnail.info
C:\LOG1D.tmp
C:\LOG30.tmp
C:\LOG32.tmp
C:\LOG35.tmp
C:\LOGA.tmp
C:\LOGC4.tmp
C:\LOGF7.tmp
c:\program files\internet optimizer

.
((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.

2009-10-15 02:54 . 2009-10-15 02:54 -------- d-----w- c:\program files\Microsoft
2009-10-13 18:17 . 2009-10-13 18:17 -------- dc-h--w- c:\windows\ie8
2009-10-10 13:10 . 2009-10-10 13:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-10-10 06:32 . 2009-10-10 06:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-10-10 06:30 . 2009-07-08 20:44 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-10 06:30 . 2009-07-08 20:44 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-10 06:30 . 2009-07-08 20:44 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-10 06:30 . 2009-07-16 19:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-10 06:30 . 2009-10-10 06:30 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-10 06:30 . 2009-10-10 06:30 -------- d-----w- c:\program files\McAfee.com
2009-10-10 06:30 . 2009-10-11 21:15 -------- d-----w- c:\program files\McAfee
2009-10-10 06:24 . 2009-07-08 20:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-10 06:08 . 2009-10-10 09:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-08 21:30 . 2009-10-16 15:15 -------- d-----w- c:\documents and settings\Family\Application Data\skypePM
2009-10-08 21:30 . 2009-10-08 21:30 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-08 21:28 . 2009-10-16 15:15 -------- d-----w- c:\documents and settings\Family\Application Data\Skype
2009-10-08 21:27 . 2009-10-08 21:27 -------- d-----w- c:\program files\Common Files\Skype
2009-10-08 21:27 . 2009-10-08 21:27 -------- d-----r- c:\program files\Skype
2009-10-08 21:27 . 2009-10-08 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-03 15:43 . 2009-10-01 17:29 195440 ------w- c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-15 20:44 . 2009-08-31 22:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-12 17:51 . 2009-03-09 14:27 -------- d-----w- c:\documents and settings\Family\Application Data\U3
2009-10-10 05:49 . 2009-08-26 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-23 21:46 . 2005-02-16 00:46 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-22 15:31 . 2008-12-20 22:24 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18 . 2002-08-29 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 21:54 . 2009-08-31 22:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-08-31 22:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 18:19 . 2009-09-01 18:19 -------- d-----w- c:\program files\iTunes
2009-09-01 18:19 . 2009-09-01 18:19 -------- d-----w- c:\program files\iPod
2009-09-01 18:19 . 2007-07-06 17:07 -------- d-----w- c:\program files\Common Files\Apple
2009-09-01 18:18 . 2009-09-01 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\{1C6FDDD8-FC9E-4C12-9FA5-1AAD377097B3}
2009-09-01 17:33 . 2009-07-31 16:01 -------- d-----w- c:\program files\QuickTime
2009-09-01 17:13 . 2006-10-29 02:42 -------- d-----w- c:\program files\Java
2009-08-31 22:37 . 2009-08-31 22:37 -------- d-----w- c:\documents and settings\Family\Application Data\Malwarebytes
2009-08-31 22:37 . 2009-08-31 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 19:41 . 2006-05-10 04:19 -------- d-----w- c:\documents and settings\Family\Application Data\Apple Computer
2009-08-31 14:22 . 2009-08-09 00:40 -------- d-----w- c:\program files\LifeLine Studios
2009-08-31 14:18 . 2005-02-06 05:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-31 14:17 . 2009-08-31 14:17 -------- d-----w- c:\program files\Sierra On-Line
2009-08-29 08:08 . 2005-06-18 06:49 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 12:35 . 2009-08-26 12:35 -------- d-----w- c:\program files\Trend Micro
2009-08-26 08:00 . 2002-08-29 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 22:28 . 2009-08-25 22:28 83128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 20:31 . 2008-04-01 15:56 -------- d-----w- c:\documents and settings\Family\Application Data\uTorrent
2009-08-20 22:09 . 2009-08-20 22:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-18 17:52 . 2009-08-18 17:52 -------- d-----w- c:\documents and settings\Family\Application Data\SorensonMedia
2009-08-18 17:49 . 2009-08-18 17:49 -------- d-----w- c:\program files\ffdshow
2009-08-17 04:02 . 2005-02-12 20:15 83128 ----a-w- c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2005-02-06 05:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:44 . 2002-08-29 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-29 16:52 . 2009-07-29 16:52 70984 ----a-w- c:\documents and settings\Family\g2mdlhlpx.exe
2009-07-26 23:44 . 2009-07-26 23:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2007-02-01 08:31 . 2004-03-23 12:57 30053 ----a-w- c:\program files\USAGE
2007-02-01 08:31 . 2002-01-19 22:52 1801 ----a-w- c:\program files\README
2007-02-01 08:31 . 2004-07-29 09:19 202240 ----a-w- c:\program files\lame.exe
2007-02-01 08:31 . 2000-12-19 19:16 707 ----a-w- c:\program files\LICENSE
2007-02-01 08:31 . 2000-03-08 14:37 30 ----a-w- c:\program files\FILE_ID.DIZ
2007-02-01 08:31 . 1999-11-24 19:40 25292 ----a-w- c:\program files\COPYING
2007-02-01 08:31 . 2003-12-19 11:02 256 ----a-w- c:\program files\about
2006-09-06 20:06 . 2006-09-06 20:06 774144 ----a-w- c:\program files\RngInterstitial.dll
2005-04-28 22:07 . 2005-04-28 22:07 5575 ----a-w- c:\program files\Sibelius Scorch.html
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-20 221184]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-22 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nSvcLog"=2 (0x2)
"nSvcIp"=2 (0x2)
"MDM"=2 (0x2)
"ForcewareWebInterface"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/9/2009 11:32 PM 210216]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [4/10/2007 7:13 PM 11001]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [4/10/2007 7:13 PM 148688]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [7/21/2007 3:28 PM 16512]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2009-10-10 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-10 04:26]

2009-10-10 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-10 04:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: pogo.com\www
DPF: Blooop by pogo - hxxp://game1.pogo.com/applet-6.8.0.32/cascade/cascade-en_US.cab
DPF: Cribbage by pogo - hxxp://game1.pogo.com/applet-6.8.0.32/cribbage/cribbage-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Jungle Gin by pogo - hxxp://game1.pogo.com/applet-6.8.0.25/gin2/gin2-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Penguin Blocks by pogo - hxxp://game1.pogo.com/applet-6.8.0.25/penguins/penguins-en_US.cab
DPF: Poppit by pogo - hxxp://game1.pogo.com/applet-6.7.4.35/poppit2/poppit2-en_US.cab
DPF: Spider Solitaire by pogo - hxxp://game1.pogo.com/applet-6.8.0.32/spider/spider-en_US.cab
DPF: Word Whomp by pogo - hxxp://game1.pogo.com/applet-6.8.0.25/wordwhomp2/whomp2-en_US.cab
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\24ko95ob.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\uninstall_activeX.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-16 09:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1482476501-688789844-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-10-16 9:03
ComboFix-quarantined-files.txt 2009-10-16 16:02

Pre-Run: 64,567,287,808 bytes free
Post-Run: 65,610,616,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

231 --- E O F --- 2009-10-14 23:51

Thanks,
Micah

0

As you can see this log is very complicated, as it is supposed to be. Give me some time and I will get back with you on other steps.

Meanwhile here is the link for the IE Tab for Firefox.
With it you can use Firefox to go to any page which requires IE. When you do, the tab will open with Internet Explorer, because it embeds Internet Explorer in Mozilla/Firefox tabs. Take a look at my attachment showing a print screen of my computer on the Windows Update page from Firefox. See the IE tab. Once you are finished with whatever you are doing within that IE tab, just close the tab. So you can really use Firefox exclusively, yet still go to and work on any page which requires the use of Internet Explorer.

I will get back with you on the combofix log later.

Attachments IE_Add-On_for_Firefox.jpg 73.81 KB
0

Hi, I believe I have the same problem/virus on my home computer, or at least it is doing about the same thing - recurring no matter what.

I have attempted all virus scanners suggested on the site (except combofix) so far, and all simply close out after a minute or two of runtime, with no error and no message.

MBAM, HJT, Windows Malicious Tool Remover, etc... Even the ESET or ETES (w.e.) all close after (presumably) they find the infected file.

I am not at home, but would changing the .exe name help with this, as I read in another thread? If this doesn't work I will make a new thread and post a ComboFix log.

0

Hi, I believe I have the same problem/virus on my home computer, or at least it is doing about the same thing - recurring no matter what.

I have attempted all virus scanners suggested on the site (except combofix) so far, and all simply close out after a minute or two of runtime, with no error and no message.

MBAM, HJT, Windows Malicious Tool Remover, etc... Even the ESET or ETES (w.e.) all close after (presumably) they find the infected file.

I am not at home, but would changing the .exe name help with this, as I read in another thread? If this doesn't work I will make a new thread and post a ComboFix log.

I would STRONGLY advise that you NOT run combofix at this time. We need to see scan logs from ALL other scans run AND a HiJackThis scan log also before that determination can be made.
Please DO create your own thread with all pertinent information (including operating system, av & firewall programs, when the problem began, etc.). DON'T INCLUDE the part that says

I believe I have the same problem/virus on my home computer, or at least it is doing about the same thing - recurring no matter what.

that part is of no use since no two computers are identical. What may be causing the problem on YOUR computer may not be the same infection causing the problems on this particular computer, even though the symptoms may be similar. Many infections do exhibit the same symptoms BUT removal steps would be different. So create your own thread and we will begin with your problems there.
Judy

0

Now for the original poster Micah: I asked PhilliePhan, one of our experts with combofix, to take a look at the log. Here is his suggestion:
Run SysProt AntiRootkit 1.0.1.0 download from here:
http://majorgeeks.com/SysProt_AntiRootkit_d5708.html
Follow these instructions:

-- Extract it from the ZIP
-- Click the "Log" tab.
-- In the Write to log box select ALL items and check the Hidden Objects Only box as well.

Run the tool and the log should be found in the Sysprot Folder.
Post back here with that log.
Judy

0

I followed the link and downloaded but when I extracted it McAfee blocked a file it said was a trojan. I think the file was the sysprot.exe

Should I unblock and run it anyway?

0

Should I unblock and run it anyway?

Yes - we wouldn't have you download malware.... :)

-- A lot of legitimate tools these days tend to get flagged by AV.
You are right to be vigilant. I guess it all depends on whether you can trust the advisor and the source of the file.
The guys at majorgeeks do a good job making sure their downloads are clean.

PP :)

0

Ok, here's the sysprot log. Thanks guys for all your help so far.

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_nvatabus.sys
Service Name: ---
Module Base: A4A0C000
Module End: A4A20000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: AFE9B000
Module End: AFE9D000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwYieldExecution
At Address: 8050223C
Jump To: A4D59518
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwUnmapViewOfSection
At Address: 805A8314
Jump To: A4D59544
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwUnloadKey
At Address: 80618BE2
Jump To: A4D59649
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwTerminateProcess
At Address: 805C8CB8
Jump To: A4D5955D
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSetValueKey
At Address: 806188B8
Jump To: A4D595DB
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSetInformationProcess
At Address: 805C3DE2
Jump To: A4D594C6
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSetContextThread
At Address: 805C79B8
Jump To: A4D594DA
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwRestoreKey
At Address: 8061BCEA
Jump To: A4D59673
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwReplaceKey
At Address: 8061C3DE
Jump To: A4D59687
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwRenameKey
At Address: 80619D54
Jump To: A4D595AF
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwQueryValueKey
At Address: 8061856A
Jump To: A4D595F1
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwQueryMultipleValueKey
At Address: 80619480
Jump To: A4D59607
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwQueryKey
At Address: 8061BA2A
Jump To: A4D5969B
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwProtectVirtualMemory
At Address: 805ADA96
Jump To: A4D59502
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenThread
At Address: 805C15B0
Jump To: A4D59488
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenProcess
At Address: 805C1324
Jump To: A4D59474
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenKey
At Address: 8061B704
Jump To: A4D59571
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwNotifyChangeKey
At Address: 8061C4F8
Jump To: A4D5965F
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwMapViewOfSection
At Address: 805A74FE
Jump To: A4D5952E
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwEnumerateValueKey
At Address: 8061ADDC
Jump To: A4D5961D
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwEnumerateKey
At Address: 8061AB72
Jump To: A4D59633
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwDeleteValueKey
At Address: 8061A992
Jump To: A4D595C5
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwDeleteKey
At Address: 8061A7C2
Jump To: A4D59599
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateProcessEx
At Address: 805C73F8
Jump To: A4D594B0
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateProcess
At Address: 805C74AE
Jump To: A4D5949C
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateKey
At Address: 8061A332
Jump To: A4D59585
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateFile
At Address: 8056E2FC
Jump To: A4D594EE
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: PsCreateSystemThread
At Address: 805C73F8
Jump To: A4D594B0
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: PsCreateSystemProcess
At Address: 805C74AE
Jump To: A4D5949C
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: BRECKENRIDGE.PH.COX.NET:6646
Remote Address: MARK-PC:49213
Type: TCP
Process: C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
State: ESTABLISHED

Local Address: BRECKENRIDGE.PH.COX.NET:2676
Remote Address: NUQ04S01-IN-F113.GOOGLE.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: BRECKENRIDGE.PH.COX.NET:2672
Remote Address: 204.2.160.233:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: BRECKENRIDGE.PH.COX.NET:2660
Remote Address: 204.2.160.250:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: BRECKENRIDGE.PH.COX.NET:2658
Remote Address: 98.174.31.185:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: BRECKENRIDGE.PH.COX.NET:2657
Remote Address: 98.174.31.171:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: BRECKENRIDGE.PH.COX.NET:2652
Remote Address: A96-7-156-20.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: BRECKENRIDGE.PH.COX.NET:2651
Remote Address: NUQ04S01-IN-F113.GOOGLE.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: BRECKENRIDGE.PH.COX.NET:2615
Remote Address: NUQ04S01-IN-F156.GOOGLE.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: BRECKENRIDGE.PH.COX.NET:2614
Remote Address: NUQ04S01-IN-F164.GOOGLE.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: BRECKENRIDGE.PH.COX.NET:2613
Remote Address: 128.241.220.96:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: BRECKENRIDGE.PH.COX.NET:2612
Remote Address: 128.241.220.96:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: BRECKENRIDGE.PH.COX.NET:2611
Remote Address: NUQ04S01-IN-F148.GOOGLE.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: BRECKENRIDGE.PH.COX.NET:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: BRECKENRIDGE:27015
Remote Address: LOCALHOST:1031
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: ESTABLISHED

Local Address: BRECKENRIDGE:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: BRECKENRIDGE:7438
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Microsoft ActiveSync\wcescomm.exe
State: LISTENING

Local Address: BRECKENRIDGE:5679
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Microsoft ActiveSync\wcescomm.exe
State: LISTENING

Local Address: BRECKENRIDGE:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: BRECKENRIDGE:5152
Remote Address: LOCALHOST:2573
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: BRECKENRIDGE:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: BRECKENRIDGE:1031
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Program Files\iTunes\iTunesHelper.exe
State: ESTABLISHED

Local Address: BRECKENRIDGE:6646
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
State: LISTENING

Local Address: BRECKENRIDGE:3389
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: BRECKENRIDGE:990
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\MI3AA1~1\rapimgr.exe
State: LISTENING

Local Address: BRECKENRIDGE:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: BRECKENRIDGE:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: BRECKENRIDGE.PH.COX.NET:6646
Remote Address: NA
Type: UDP
Process: C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
State: NA

Local Address: BRECKENRIDGE.PH.COX.NET:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: BRECKENRIDGE.PH.COX.NET:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BRECKENRIDGE.PH.COX.NET:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: BRECKENRIDGE.PH.COX.NET:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: BRECKENRIDGE.PH.COX.NET:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BRECKENRIDGE:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BRECKENRIDGE:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BRECKENRIDGE:60496
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: BRECKENRIDGE:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: BRECKENRIDGE:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: F:\Adobe\Premiere Elements\1.0\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Conformed Audio Files\David's Birth 2nd with volume changes-3.CFA\01 Prelude (Faithful To Me).mp3 4800095b89feb-1c6c-4210-
Status: Hidden

Object: F:\Adobe\Premiere Elements\1.0\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Conformed Audio Files\David's Birth 2nd with volume changes-3.CFA\01 Prelude (Faithful To Me).mp3 4800095b89feb-1c6c-4210-
Status: Hidden

Object: F:\Adobe\Premiere Elements\1.0\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Conformed Audio Files\David's Birth 2nd with volume changes-3.CFA\08 Cry Of A Tiny Babe.mp3 480003875ec08-9fbe-4c79-a599-2
Status: Hidden

Object: F:\Adobe\Premiere Elements\1.0\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Conformed Audio Files\David's Birth 2nd with volume changes-3.CFA\08 Cry Of A Tiny Babe.mp3 480003875ec08-9fbe-4c79-a599-2
Status: Hidden

Object: F:\Adobe\Premiere Elements\1.0\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Conformed Audio Files\David's Birth 2nd with volume changes-3.CFA\09 Singalong Junk.mp3 480000bf4e939-3445-4024-b94c-d1fc6
Status: Hidden

Object: F:\Adobe\Premiere Elements\1.0\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Conformed Audio Files\David's Birth 2nd with volume changes-3.CFA\09 Singalong Junk.mp3 480000bf4e939-3445-4024-b94c-d1fc6
Status: Hidden

Object: F:\Adobe\Premiere Elements\1.0\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Conformed Audio Files\David's Birth 2nd with volume changes-3.CFA\David's Birth 2nd with volume changes.avi 48000b0030856-
Status: Hidden

Object: F:\Adobe\Premiere Elements\1.0\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Conformed Audio Files\David's Birth 2nd with volume changes-3.CFA\David's Birth 2nd with volume changes.avi 48000b0030856-
Status: Hidden

Object: F:\Adobe\Premiere Elements\1.0\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Conformed Audio Files\David's Birth 2nd with volume changes-3.CFA\John Mark McMillan - I Am A Temple.mp3 48000297972b6-f3a
Status: Hidden

Object: F:\Adobe\Premiere Elements\1.0\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Conformed Audio Files\David's Birth 2nd with volume changes-3.CFA\John Mark McMillan - I Am A Temple.mp3 48000297972b6-f3a
Status: Hidden

Object: F:\Adobe\Premiere Elements\1.0\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Conformed Audio Files\David's Birth 2nd with volume changes-3.CFA\Vineyard - Unspeakable Joy.mp3 4800073d07000-ec9e-40ef-b
Status: Hidden

Object: F:\Adobe\Premiere Elements\1.0\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Adobe Premiere Elements Auto-Save\Conformed Audio Files\David's Birth 2nd with volume changes-3.CFA\Vineyard - Unspeakable Joy.mp3 4800073d07000-ec9e-40ef-b
Status: Hidden

Object: F:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: F:\System Volume Information\tracking.log
Status: Access denied

Object: F:\System Volume Information\_restore{8B532A49-4B16-4461-8BD8-1CD2634A6D50}
Status: Access denied

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{8B532A49-4B16-4461-8BD8-1CD2634A6D50}
Status: Access denied

0

Ok, here's the sysprot log. Thanks guys for all your help so far.

That log looks OK.

Judy might want to double-check with a gmer scan, but that's her call.

Are you still having problems?

PP :)

0
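PP's call that the SysProt log "looks OK" comes down to a few checks anyone can repeat on the text above: the only hidden kernel modules are the crash-dump copies of the storage stack (dump_nvatabus.sys, dump_WMILIB.SYS), every kernel hook is attributed to McAfee's mfehidk.sys, and no hook's "Jump To" address lands inside a hidden module. The script below is an added example for readers, not code from the thread or from SysProt; it parses SysProt's section/record layout and applies those three checks. The sample log is a constructed excerpt: the module and mfehidk.sys records mirror the posted log, while the final ZwQueryDirectoryFile record is made up so the warning path is exercised, and the allowlist of expected hook owners is an assumption taken from this machine's log.

```python
"""Triage helper for SysProt AntiRootkit text logs (added example, not the
tool's own code): who owns each kernel hook, and does any hook jump into a
module the scanner reported as hidden?"""
import re
from collections import Counter

# Constructed excerpt in SysProt's layout. The dump_* modules and the two
# mfehidk.sys hooks mirror the thread's log; the ZwQueryDirectoryFile record
# is made up to exercise the warning path.
SAMPLE_LOG = r"""
No Hidden Processes found

******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_nvatabus.sys
Service Name: ---
Module Base: A4A0C000
Module End: A4A20000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: AFE9B000
Module End: AFE9D000
Hidden: Yes

******************************************************************************************
Kernel Hooks:
Hooked Function: ZwCreateFile
At Address: 8056E2FC
Jump To: A4D594EE
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenProcess
At Address: 805C1324
Jump To: A4D59474
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwQueryDirectoryFile
At Address: 80570000
Jump To: A4A0D120
Module Name: ---
"""

# Assumption: drivers whose hooks are expected on this machine. The thread's
# log attributes every hook to McAfee's mfehidk.sys, so that is the allowlist.
EXPECTED_HOOK_OWNERS = {"mfehidk.sys"}
RULER = re.compile(r"^\*{10,}[ \t]*$", re.M)


def split_sections(text):
    """Split on the asterisk rulers; map each section header to its body."""
    sections = {}
    for chunk in RULER.split(text):
        chunk = chunk.strip()
        if chunk:
            header, _, body = chunk.partition("\n")
            sections[header.rstrip(":")] = body
    return sections


def parse_records(body):
    """Blank-line-separated blocks of 'Key: Value' lines. Only the first colon
    separates key from value, so C:\\... paths survive intact."""
    records = []
    for block in re.split(r"\n[ \t]*\n", body.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    sections = split_sections(log_text)
    hidden = [(basename(m["Module Name"]), int(m["Module Base"], 16), int(m["Module End"], 16))
              for m in parse_records(sections.get("Kernel Modules", ""))
              if m.get("Hidden") == "Yes"]
    hooks_by_owner, flagged = Counter(), []
    for h in parse_records(sections.get("Kernel Hooks", "")):
        owner = basename(h.get("Module Name", "---"))
        target = int(h["Jump To"], 16)
        hooks_by_owner[owner] += 1
        reasons = []
        if owner == "---":
            reasons.append("hook not attributed to any loaded module")
        elif owner not in EXPECTED_HOOK_OWNERS:
            reasons.append("hook owned by a driver outside the allowlist")
        reasons += ["jumps into hidden module " + name
                    for name, base, end in hidden if base <= target < end]
        if reasons:
            flagged.append((h["Hooked Function"], reasons))
    return {
        "hidden_modules": [name for name, _, _ in hidden],
        # crash-dump copies of the storage stack (dump_*) are routinely reported as hidden
        "unexpected_hidden": [name for name, _, _ in hidden if not name.startswith("dump_")],
        "hooks_by_owner": dict(hooks_by_owner),
        "flagged": flagged,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the full log posted above, the same checks give an empty "flagged" list, an empty "unexpected_hidden" list and every hook counted under mfehidk.sys, which is the shape of a log a McAfee machine is expected to produce. The constructed last record shows what would have changed the verdict: a hook with no owning module whose target lies inside a module the scanner could not see.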

I'm going to say trust PP here and agree that it looks good.
Let's do it this way: since MBA-M was the program that kept catching and removing this, why don't you update MBA-M and do another full scan and see what it shows, hopefully nothing.

If it shows clean then you should be good to go. If it does show up again then do the following;
Run the GMER Rootkit Detector and Removal Tool
Post back and let us know the results.
Judy

0

Sorry I've been away. MBA-M comes up clean, so I think it's ok now. Thanks for all your help. I'm glad there are people like you out there!

Micah
