0

Previously I had a rogue antivirus virus, and also other viruses including a boot virus (right term?). I'm sure they spun from the same thing. At some point while trying to fix it myself, the situation just got worse... BSOD only. I had to take the computer to the shop because even after running the Symantec recovery disc, a few things couldn't be cleaned and I couldn't boot Windows (I assume because of the boot virus). Got the computer back from the shop, Windows boots fine, but still everything is not A-OK. Still having some redirects and iexplore.exe overtaking my CPU usage and processes. I have a McAfee AV subscription (suite?) and a Spy Sweeper subscription. Also, from trying to remove things in the past month, I have downloaded Malwarebytes' Anti-Malware (free) and Hitman Pro (free). I know I need to go through the order of the "read me before" and post my logs, etc. regarding my problem, however as an initial question, should I uninstall/reinstall any of the protection I already have on my system? They are obviously not working, or they have been disabled or hijacked by my problem virus/malware. I'm afraid that by trying too many things I'm counteracting.

Also, do you have a link/sticky on how to "disable" common AV protections? I know sometimes that is asked of a questioner, and I do not know how to disable mine.

After getting this advice, I will post a new thread with my logs tonight.

Thanks in advance - you guys have helped me previously and I appreciate it!

3 Contributors, 42 Replies, 43 Views, 7 Years Discussion Span, Last Post by violaactuary
0

Uninstall NOTHING. Post the requested logs from the Read Me sticky right here.

Will do..

0

It says to disable AV while running GMER. I assume I re-enable it after that step. Someone correct me if I'm wrong.

0

Going through all steps in order: tried to run GMER for the second log three times; in normal mode the computer shut down two times to a BSOD. The first time it said: a problem has been detected and Windows has been shut down to prevent damage to your computer, etc., a whole page of stuff. The second time it said: STOP:D0000144 Unknown Hard Error Unknown Hard Error. Tried to run it in safe mode and got nothing on the log at all (I mean completely blank), which was not what was happening when I did it in normal mode, so I don't think it was working.

Should I try GMER again? Safe mode or normal mode? Any other recommendations?

After being frustrated by that, I went ahead and re-enabled virus protection, connected internet, updated MBA-M, disconnected internet, and ran that scan this morning. Found no infected files. But I do have the first GMER log and did do that initial clean step as well.

This is my home computer, so I am working on this in the evening. Oh, while running the Microsoft scan last night (of course in Explorer, because it must run that way), I got the phantom "background radio ads." So, yes, something is there. There were 5 or 6 iexplore.exe's in my Task Manager while running that, but I couldn't terminate them without terminating the Microsoft scan. BTW, the Microsoft scan found nothing either.

Thanks,

0

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-08-11 22:58:17
Windows 5.1.2600 Service Pack 3
Running: ft9wcf53.exe; Driver: C:\DOCUME~1\Christy\LOCALS~1\Temp\pgloapoc.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB088B788]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB088B8C5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB088B8AF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB088B7C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB088B8F1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB088B80B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB088B710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB088B724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB088B79C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB088B92D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB088B899]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB088B883]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB088B919]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB088B905]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB088B8DB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB088B7DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB088B7B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Ip 89EB2FA8

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Tcp 89EB2FA8

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Udp 89EB2FA8

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\RawIp 89EB2FA8

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
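The GMER log above is the one scan in this thread that reports something: four disk sectors (0, 10, 11 and 63) flagged as rootkit-like, while every SSDT hook and filter driver it lists belongs to the installed McAfee and Webroot products. The script below is an added example, not GMER's own code and not from anyone in the thread. It parses a log in this layout into disk-sector findings, kernel-service hooks grouped by owning driver, and attached filter devices, then triages them: sector findings are rated high (sector 0 of an MBR-partitioned disk is the master boot record, which a file-level scan such as the MBAM run in this thread does not inspect), and hooks or filters from a vendor on a small allow-list are rated informational. The regular expressions are assumptions about GMER 1.0.15's line format derived only from the posted log; the sample log is constructed to mirror it, and the `example.sys` line in it is a hypothetical driver added to exercise the review path.

```python
"""Parse a GMER 1.0.15 rootkit-scan log and triage what it reports.

Added example for this thread: not GMER's own code and not from the forum.
The regular expressions are assumptions about GMER's line layout, derived
only from the log posted above; the sample log is constructed to match it.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the layout of the GMER log posted in the thread.
# The "example.sys" line is hypothetical, added to exercise the REVIEW path.
SAMPLE_GMER_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-08-11 22:58:17

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB088B788]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB088B710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\example.sys (Hypothetical Driver/Unknown Publisher) ZwEnumerateKey [0xB0000000]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
Device \Driver\Tcpip \Device\Tcp 89EB2FA8
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
"""

DISK_RE = re.compile(r"^Disk (\S+) sector (\d+): (.+?);?$")
CODE_RE = re.compile(r"^Code (\S+) \((.+)\) (\w+)(?: \[(0x[0-9A-Fa-f]+)\])?$")
ATTACHED_RE = re.compile(r"^AttachedDevice (\S+) (\S+) (\S+) \((.+)\)$")


@dataclass
class Hook:
    module: str               # file name of the driver owning the hook
    vendor: str               # publisher text GMER prints after the last '/'
    function: str             # hooked kernel service, e.g. ZwCreateFile
    address: Optional[str]    # hook target address when GMER prints one


@dataclass
class GmerReport:
    disk_sectors: list = field(default_factory=list)       # (device, sector, note)
    code_hooks: dict = field(default_factory=lambda: defaultdict(list))  # module -> [Hook]
    attached_devices: list = field(default_factory=list)   # (driver, device, module, vendor)
    unparsed: list = field(default_factory=list)           # lines no pattern matched


def _vendor(description: str) -> str:
    # GMER prints "<description>/<publisher>"; keep the publisher part.
    return description.rsplit("/", 1)[-1].strip()


def parse_gmer(text: str) -> GmerReport:
    report = GmerReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if m := DISK_RE.match(line):
            report.disk_sectors.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := CODE_RE.match(line):
            path, desc, func, addr = m.groups()
            module = path.rsplit("\\", 1)[-1].lower()
            report.code_hooks[module].append(Hook(module, _vendor(desc), func, addr))
        elif m := ATTACHED_RE.match(line):
            driver, device, module, desc = m.groups()
            report.attached_devices.append((driver, device, module.lower(), _vendor(desc)))
        else:
            report.unparsed.append(line)  # headers, plain "Device" lines, etc.
    return report


# Assumption: an illustrative allow-list of security vendors whose kernel hooks
# and filter drivers are expected on this machine; adjust to what is installed.
EXPECTED_VENDORS = ("McAfee", "Webroot")


def _expected(vendor: str) -> bool:
    return any(v.lower() in vendor.lower() for v in EXPECTED_VENDORS)


def triage(report: GmerReport) -> list:
    """Return (severity, message) tuples ordered HIGH, REVIEW, INFO."""
    notes = []
    if report.disk_sectors:
        sectors = sorted({s for _, s, _ in report.disk_sectors})
        notes.append(("HIGH", f"{len(sectors)} disk sector(s) flagged rootkit-like: {sectors} "
                              "(sector 0 is the MBR; boot sectors are outside a file-level scan)"))
    for module, hooks in sorted(report.code_hooks.items()):
        vendor = hooks[0].vendor
        sev = "INFO" if _expected(vendor) else "REVIEW"
        funcs = ", ".join(h.function for h in hooks)
        notes.append((sev, f"{module} ({vendor}) hooks {len(hooks)} kernel service(s): {funcs}"))
    for driver, device, module, vendor in report.attached_devices:
        sev = "INFO" if _expected(vendor) else "REVIEW"
        notes.append((sev, f"{module} ({vendor}) attached to {driver} {device}"))
    order = {"HIGH": 0, "REVIEW": 1, "INFO": 2}
    notes.sort(key=lambda n: order[n[0]])
    return notes


if __name__ == "__main__":
    for sev, msg in triage(parse_gmer(SAMPLE_GMER_LOG)):
        print(f"[{sev}] {msg}")
```

Run against the posted log, every hook and filter resolves to McAfee or Webroot and drops to INFO, which leaves the four disk-sector findings as the only item worth acting on; that is the same conclusion a helper draws by eye, and it is why a clean MBAM run does not contradict the GMER result.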

0

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4420

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/12/2010 9:30:07 AM
mbam-log-2010-08-12 (09-30-07).txt

Scan type: Full scan (C:\|)
Objects scanned: 245029
Time elapsed: 1 hour(s), 54 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

0

DDS (Ver_10-03-17.01) - NTFSx86
Run by Christy at 19:32:37.48 on Thu 08/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.750 [GMT -5:00]


============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Documents and Settings\Christy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Christy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Christy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Christy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100812184640.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No File
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [Google Update] "c:\documents and settings\christy\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 385880]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-12 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-31 93320]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-12 141792]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-12-15 1201640]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-5-31 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-5-31 152320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-12 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-12 88480]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-5-31 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-5-31 40552]
S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-12 271480]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\McShield.exe [2009-5-31 144704]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-5-31 51688]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-12 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-12 83496]

=============== Created Last 30 ================

2010-08-12 23:46:39 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-08-12 23:46:15 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-08-12 23:46:15 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-08-12 23:46:15 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-08-12 23:46:15 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-08-12 23:46:14 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-12 11:59:38 0 d-----w- C:\spoolerlogs
2010-08-10 03:46:02 11508680 ----a-w- c:\temp\windows-kb890830-v3.9.exe
2010-08-07 19:46:43 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-07 19:45:42 6289216 ----a-w- c:\temp\HitmanPro35.exe
2010-08-07 19:36:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-08-07 19:36:21 0 d-----w- c:\program files\Hitman Pro 3.5
2010-08-07 15:03:47 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-05 03:46:10 2 ----a-w- c:\windows\msoffice.ini
2010-07-27 17:59:17 0 d-sha-r- C:\cmdcons
2010-07-27 17:52:43 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-27 17:51:33 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-27 17:49:27 77312 ----a-w- c:\windows\MBR.exe
2010-07-27 17:49:27 256512 ----a-w- c:\windows\PEV.exe
2010-07-27 17:49:27 161792 ----a-w- c:\windows\SWREG.exe
2010-07-27 17:49:26 98816 ----a-w- c:\windows\sed.exe
2010-07-27 17:41:55 3745790 ----a-r- c:\temp\ComboFix.exe
2010-07-17 09:02:32 0 d-----w- C:\SERT
2010-07-15 02:54:36 262144 ---ha-w- c:\documents and settings\christy\ntuser.dat.LOG1
2010-07-15 02:54:36 0 ---ha-w- c:\documents and settings\christy\ntuser.dat.LOG2

==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-17 11:16:55 19072 ----a-w- c:\windows\system32\drivers\SPARROW.SYS
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 22:51:58 11077120 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ----a-w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:55 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2008-08-20 07:25:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

============= FINISH: 19:33:36.73 ===============

0

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 2/21/2005 11:34:09 PM
System Uptime: 8/12/2010 7:06:45 PM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0F8403
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/533mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 71 GiB total, 39.618 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 7/27/2010 1:50:54 PM - System Checkpoint
RP2: 7/28/2010 3:00:21 AM - Software Distribution Service 3.0
RP3: 8/2/2010 11:40:21 AM - System Checkpoint
RP4: 8/4/2010 10:10:34 PM - Software Distribution Service 3.0
RP5: 8/4/2010 10:38:27 PM - Removed H&R Block Tax Offer
RP6: 8/5/2010 11:05:50 PM - System Checkpoint
RP7: 8/6/2010 11:06:19 PM - System Checkpoint
RP8: 8/7/2010 10:02:24 AM - Installed Java(TM) 6 Update 21
RP9: 8/8/2010 10:12:24 AM - System Checkpoint
RP10: 8/9/2010 9:58:45 PM - System Checkpoint
RP11: 8/10/2010 10:46:27 PM - System Checkpoint
RP12: 8/11/2010 3:00:21 AM - Software Distribution Service 3.0
RP13: 8/12/2010 4:02:06 AM - System Checkpoint

==== Installed Programs ======================

6200
6200_Help
6200Trb
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Media Player
Adobe Reader 8.1.3
Adobe Shockwave Player 11.5
Adobe® Photoshop® Album Starter Edition 3.2
AiO_Scan
AiOSoftware
Banctec Service Agreement
BlackBerry Desktop Software 4.3
BufferChm
CameraDrivers
CameraUserGuides
CCleaner
Cisco Network Magic
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Consumer Complete Care Services Agreement
Copy
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_dwShrek2Albums1
cp_dwShrek2Cards1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
Dell Support Center (Support Software)
Dell System Restore
DellSupport
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
Digital Line Detect
DING!
DocProc
DocumentViewer
EarthLink setup files
eMusic Download Manager 3.0
eSupportQFolder
Fax
Finale Allegro 2007
FullDPAppQFolder
getPlus(R)_ocx
Google Chrome
Hitman Pro 3.5
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Extended Capabilities 4.7
HP Imaging Device Functions 6.0
HP Photosmart Cameras 6.0
HP Photosmart Premier Software 6.0
HP PSC & OfficeJet 4.7
HP Solution Center and Imaging Support Tools 6.0
HP Update
hpiCamDrvQFolder
HPProductAssistant
HPSystemDiagnostics
InstantShare
InstantShareDevices
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
InterActual Player
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java Auto Updater
Java(TM) 6 Update 2
Java(TM) 6 Update 21
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
MarketResearch
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office Word Viewer 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
Modem Helper
Mplayer.com
MSVC80_x86
MSVC80_x86_v2
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Musicmatch for Windows Media Player
Musicmatch® Jukebox
My Way Search Assistant
NetWaiting
Network Magic
NetZeroInstallers
Nokia Connectivity Cable Driver
Nokia Lifeblog 2.5
Nokia MTP driver
Nokia PC Suite
Nokia Software Updater
PanoStandAlone
PC Connectivity Solution
PhotoGallery
PowerDVD 5.3
ProductContext
Pure Networks Platform
QFolder
QuickTime
RandMap
Readme
RealPlayer
Rhapsody
Rhapsody Player Engine
Roxio Media Manager
Scan
ScannerCopy
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SkinsHP1
SolutionCenter
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
Sonic_PrimoSDK
Spy Sweeper
Spy Sweeper Core
Status
TrayApp
Trillian
Unload
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VideoLAN VLC media player 0.8.5
Viewpoint Media Player
Wal-Mart Digital Photo Manager
WebEx Support Manager for Internet Explorer
WebFldrs XP
WebReg
Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
Windows Driver Package - Nokia Modem (10/05/2009 4.2)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
Zinio Reader

==== Event Viewer Messages From Past Week ========

8/9/2010 7:50:06 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/9/2010 7:49:58 PM, error: Service Control Manager [7022] - The Pure Networks Platform Service service hung on starting.
8/9/2010 7:48:25 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the mcmscsvc service.
8/9/2010 7:48:25 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
8/7/2010 9:54:25 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McAfee Real-time Scanner service, but this action failed with the following error: An instance of the service is already running.
8/12/2010 7:08:34 PM, error: Service Control Manager [7003] - The McAfee Network Agent service depends on the following nonexistent service: mfefire
8/12/2010 6:49:48 PM, error: Service Control Manager [7000] - The McAfee Anti-Spam Service service failed to start due to the following error: The system cannot find the file specified.
8/12/2010 6:49:45 PM, error: Service Control Manager [7003] - The McAfee Proxy Service service depends on the following nonexistent service: mfefire
8/12/2010 6:49:22 PM, error: Service Control Manager [7024] - The McAfee Real-time Scanner service terminated with service-specific error 5046 (0x13B6).
8/11/2010 11:37:25 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8a19cda0, parameter3 8a19cf14, parameter4 805fb146.
8/11/2010 11:29:35 PM, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).
8/11/2010 11:25:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
8/11/2010 11:24:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
8/11/2010 11:24:09 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/11/2010 11:24:09 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/11/2010 11:24:09 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/11/2010 11:24:09 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/11/2010 11:23:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/11/2010 11:23:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

==== End Of File ===========================
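The Service Control Manager errors in the Event Viewer section above are the pattern a responder looks for when protection software is being crashed or stripped of its drivers (McAfee's real-time scanner and its mfehidk/MPFP drivers, the Webroot engine). As an added example, not code from this thread or from any tool named in it, here is a small parser that flags those patterns in a log of this shape; the sample lines are copied from the section above, and the vendor keywords and driver names are taken from this thread's logs only.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed sample: a subset of the "Event Viewer Messages From Past Week"
# lines from the thread's log, in the exact format that section uses.
SAMPLE_EVENTS = """\
8/9/2010 7:50:06 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/9/2010 7:49:58 PM, error: Service Control Manager [7022] - The Pure Networks Platform Service service hung on starting.
8/12/2010 7:08:34 PM, error: Service Control Manager [7003] - The McAfee Network Agent service depends on the following nonexistent service: mfefire
8/11/2010 11:29:35 PM, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).
8/11/2010 11:24:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
8/11/2010 11:23:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
"""

# One event per line: "<date time>, <level>: <source> [<event id>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)

# Vendor keywords and kernel driver names of the protection products that
# appear in this thread's logs (assumption: extend for other products).
PROTECTIVE_KEYWORDS = ("mcafee", "webroot", "spy sweeper", "malwarebytes")
PROTECTIVE_DRIVERS = {
    "mfehidk", "mfefire", "mpfp", "mfendisk", "mfetdi2k", "cfwids",  # McAfee
    "ssfs0bbc",                                                      # Webroot
    "mbam", "mbamswissarmy",                                         # Malwarebytes
}


@dataclass(frozen=True)
class Event:
    when: datetime
    level: str
    source: str
    event_id: int
    message: str


@dataclass(frozen=True)
class Finding:
    when: datetime
    event_id: int
    category: str
    subject: str


def parse_events(text: str) -> List[Event]:
    """Parse Event Viewer lines; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(
            when=datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            level=m["level"], source=m["source"],
            event_id=int(m["eid"]), message=m["msg"],
        ))
    return events


def _is_protective(name: str) -> bool:
    low = name.lower()
    return any(k in low for k in PROTECTIVE_KEYWORDS)


def analyze_scm_events(text: str) -> List[Finding]:
    """Flag Service Control Manager events showing protection software crashing,
    missing a component, or failing to load its drivers; oldest first."""
    findings = []
    for ev in parse_events(text):
        if ev.source != "Service Control Manager":
            continue
        if ev.event_id in (7031, 7034):  # service terminated unexpectedly
            m = re.match(r"The (.+?) service terminated", ev.message)
            if m and _is_protective(m.group(1)):
                findings.append(Finding(ev.when, ev.event_id,
                                        "protective_service_crash", m.group(1)))
        elif ev.event_id == 7003:  # dependency on a service that no longer exists
            m = re.match(r"The (.+?) service depends on the following "
                         r"nonexistent service: (\S+)", ev.message)
            if m and (_is_protective(m.group(1))
                      or m.group(2).lower() in PROTECTIVE_DRIVERS):
                findings.append(Finding(ev.when, ev.event_id,
                                        "missing_dependency", m.group(2)))
        elif ev.event_id == 7026:  # boot/system-start drivers failed to load
            m = re.search(r"failed to load: (.+)$", ev.message)
            if m:
                hit = [d for d in m.group(1).split()
                       if d.lower() in PROTECTIVE_DRIVERS]
                if hit:
                    findings.append(Finding(ev.when, ev.event_id,
                                            "protective_driver_load_failure",
                                            " ".join(hit)))
    findings.sort(key=lambda f: f.when)
    return findings


if __name__ == "__main__":
    for f in analyze_scm_events(SAMPLE_EVENTS):
        print(f"{f.when:%Y-%m-%d %H:%M:%S}  [{f.event_id}]  {f.category}: {f.subject}")
```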

0

Well, the GMER scan shows a possible rootkit on there. I have requested that crunchie take a look at this and advise the next step.
Judy

0

Please do the following:
Please download ComboFix by sUBs from HERE

· You must download it to and run it from your Desktop
· Physically disconnect from the internet.
· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
· Double click combofix.exe & follow the prompts.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall

· When finished, it will produce a log. Please save that log to post in your next reply


Run Combofix ONCE only!!

Edited by jholland1964: n/a

0

OK, so tell me if this is weird. I thought I would back up all of my data "off computer" before running ComboFix, and I found a ComboFix log saved on my C: drive. I have never downloaded ComboFix before nor run it... but this could have been one of the days that my computer was in the shop, and they ran it, I suppose. I could post it if you want; it was from a few weeks ago.

Since the warning says "run combofix ONCE only" I just thought I'd better ask before running it again. I don't find the program, just a log.

0

They must have run it since you never did because you have to run the program to produce the log. Very odd that only the log remains though.
Post that one you found right now, and then run the combofix that YOU personally downloaded and post that log.

0

Thanks, I imagine they deleted the program and just forgot to delete the log. Here's that log. I will run one of my own when I get home in a few hours:

ComboFix 10-07-24.06 - Christy 07/27/2010 16:40:27.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.988 [GMT -5:00]
Running from: c:\documents and settings\Christy\Desktop\Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Sysinternals Antivirus
c:\sysinternals antivirus\Sysinternals Antivirus.lnk
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\jestertb.dll
c:\windows\secure32.html
c:\windows\system32\paytime.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-27 to 2010-07-27 )))))))))))))))))))))))))))))))
.

2010-07-27 18:25 . 2010-04-28 22:35 267896 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Installs\1\msk\mcutil.dll
2010-07-27 18:25 . 2010-04-28 22:13 820488 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Installs\1\msk\McInst.exe
2010-07-27 18:09 . 2010-04-28 22:35 267896 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Installs\1\mpf\mcutil.dll
2010-07-27 18:09 . 2010-04-28 22:13 820488 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Installs\1\mpf\McInst.exe
2010-07-27 18:03 . 2010-04-28 22:35 267896 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Installs\1\vso\mcutil.dll
2010-07-27 18:03 . 2010-04-28 22:35 267896 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Installs\Download_Files\mpf\mcutil.dll
2010-07-27 18:03 . 2010-04-28 22:13 820488 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Installs\Download_Files\mpf\McInst.exe
2010-07-27 18:03 . 2010-04-28 22:35 267896 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Installs\Download_Files\msk\mcutil.dll
2010-07-27 18:03 . 2010-04-28 22:35 267896 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Installs\Download_Files\mps\mcutil.dll
2010-07-27 18:03 . 2010-04-28 22:13 820488 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Installs\Download_Files\msk\McInst.exe
2010-07-27 18:03 . 2010-04-28 22:13 820488 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Installs\Download_Files\mps\McInst.exe
2010-07-27 18:02 . 2010-04-28 22:35 267896 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Installs\Download_Files\vso\mcutil.dll
2010-07-27 18:02 . 2010-04-28 22:13 820488 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\MSC\Updates\Installs\Download_Files\vso\McInst.exe
2010-07-27 17:41 . 2010-07-27 17:41 3745790 ----a-r- c:\temp\ComboFix.exe
2010-07-17 09:02 . 2010-07-17 09:02 -------- d-----w- C:\SERT
2010-07-03 20:36 . 2010-07-03 20:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\xwvueopfo
2010-07-03 20:36 . 2010-07-03 20:36 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-03 20:36 . 2010-07-03 20:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-03 20:36 . 2010-07-03 20:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ctiwdimxv
2010-06-28 10:23 . 2010-06-28 10:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 11:16 . 2001-08-17 20:07 19072 ----a-w- c:\windows\system32\drivers\SPARROW.SYS
2010-07-15 20:18 . 2009-06-01 00:05 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-03 16:18 . 2009-12-16 01:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-29 01:00 . 2010-04-09 09:17 439816 ----a-w- c:\documents and settings\Nick\Application Data\Real\Update\setup3.10\setup.exe
2010-06-20 01:17 . 2009-07-02 10:02 256 ----a-w- c:\windows\system32\pool.bin
2010-06-18 08:19 . 2010-06-18 08:19 -------- d-----w- c:\documents and settings\Christy\Application Data\Malwarebytes
2010-06-08 13:16 . 2007-04-14 20:17 -------- d-----w- c:\program files\Finale Allegro 2007
2010-04-29 20:39 . 2009-12-16 01:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-12-16 01:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-27 39408]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-17 98304]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-27 68592]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

c:\documents and settings\Christy\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Christy^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Christy\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 17:09 63712 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 22:54 57344 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-09-24 05:08 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 15:32 77824 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 15:36 114688 ----a-w- c:\windows\SYSTEM32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-09-20 15:35 94208 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 16:06 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-19 16:06 110592 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
2009-07-24 06:07 69632 ----a-w- c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 02:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-02-17 14:44 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 09:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-07-24 06:07 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:Pure Networks Platform Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [11/6/2009 1:00 PM 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [12/15/2009 1:02 AM 1201640]
S2 0323471280253845mcinstcleanup;McAfee Application Installer Cleanup (0323471280253845);c:\windows\TEMP\032347~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\032347~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1ca0c24d4a45198;Google Update Service (gupdate1ca0c24d4a45198);c:\program files\Google\Update\GoogleUpdate.exe [7/24/2009 1:06 AM 133104]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/31/2009 7:08 PM 93320]
.
Contents of the 'Scheduled Tasks' folder

2010-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-24 06:05]

2010-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-24 06:05]

2010-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-01 17:22]

2010-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-01 17:22]

2010-07-27 c:\windows\Tasks\User_Feed_Synchronization-{D454F472-4BC1-41F2-A46E-57CE9ADB2C66}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-27 16:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys
>>UNKNOWN [0x89F3478A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76dbf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> ntoskrnl.exe @ 0x805c7abe
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x89f9ab60
PacketIndicateHandler -> NDIS.SYS @ 0xf74a0a0d
SendHandler -> NDIS.SYS @ 0xf74b4b40
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(460)
c:\windows\system32\l3codeca.acm
.
Completion time: 2010-07-27 16:55:22
ComboFix-quarantined-files.txt 2010-07-27 21:55

Pre-Run: 43,963,084,800 bytes free
Post-Run: 44,703,191,040 bytes free

- - End Of File - - C1AD67DCA7D7418CF67261907224F69D

0

Also, I did uninstall/reinstall McAfee Security Suite last night. That virus scan still detects nothing. I'm thinking of getting my money back...

0

Good for you. I recommend Avira Free. Excellent program, FREE as stated and not intrusive either. Wait though until we see what combofix finds this time.

0

ComboFix has been running for an hour and a half on the DOS screen that says it will take 10-20 min. What do I do?

0

I was able to power off the computer without ruining anything.. I think I'm having trouble actually disabling the virus software (SpySweeper and McAfee Security Suite). I tried turning it off at startup, and I also tried cancelling the processes, and I also tried disabling it from within the program. I still find instances in task manager.

I think maybe my virus has affected the programs.

Should I uninstall both before running combofix? Then reinstall after we get it fixed?

First time I tried combofix, it stuck on screen that said something like "this process should take 10 minutes but on highly infected machines it could take twice that long" and it never said anything after that, I had left it for between 2 and 3 hours. Computer wasn't frozen, it just never went any farther than that on the combofix.

The second time, after I tried disabling some things on start up, etc. I tried to run it again, and it gave me the warning that my mcafee was still detected. I was unable to do anything about the process that was running, so I just terminated combofix, not wanting to mess anything up.

Although I was on the "administrator" ID (my user is also an administrator), I still got some errors about not having rights when trying to terminate processes.

I was disconnected from internet.

What should I do next?

Thanks again for your help.

Edited by violaactuary: n/a

0

I would advise that you uninstall both of those programs before trying again. Is this a 32bit or 64bit system?

It is 32 bit, Windows XP Home with most recent updates.

0

Ok, Delete that Combofix that you downloaded and download it to your desktop again.
Follow the scan instructions again and see what develops. If it runs all the way through then post back here with the log.

0

Finally got ComboFix to run to completion.
It did stop once to restart, saying that it had detected a rootkit. After logging back in, it continued the scan without provocation and gave me a log. Success!

See below:


ComboFix 10-08-17.04 - Christy 08/18/2010 19:16:41.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.913 [GMT -5:00]
Running from: c:\documents and settings\Christy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-07-19 to 2010-08-19 )))))))))))))))))))))))))))))))
.

2010-08-14 17:06 . 2010-08-14 17:06 -------- d-----w- c:\documents and settings\Christy\Application Data\Nero
2010-08-14 16:54 . 2010-08-14 16:56 -------- d-----w- c:\program files\Nero
2010-08-14 16:54 . 2010-08-14 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-08-14 16:54 . 2010-08-14 16:57 -------- d-----w- c:\program files\Common Files\Nero
2010-08-13 04:27 . 2010-08-13 04:27 -------- d-----w- c:\program files\SiteAdvisor
2010-08-13 04:25 . 2010-08-13 04:25 -------- d-----w- c:\program files\McAfee.com
2010-08-13 02:25 . 2010-08-13 02:24 300384 ----a-w- c:\documents and settings\Christy\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2010-08-13 02:23 . 2010-08-13 02:23 -------- d-----w- c:\documents and settings\Christy\Application Data\McAfee
2010-08-12 23:46 . 2010-06-01 01:32 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-08-12 23:46 . 2010-06-01 01:32 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-08-12 23:46 . 2010-06-01 01:32 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-08-12 11:59 . 2010-08-12 11:59 -------- d-----w- C:\spoolerlogs
2010-08-12 00:11 . 2010-08-12 00:14 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-10 03:46 . 2010-08-10 03:46 11508680 ----a-w- c:\temp\windows-kb890830-v3.9.exe
2010-08-07 19:46 . 2010-08-10 02:40 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-07 19:45 . 2010-08-07 19:46 6289216 ----a-w- c:\temp\HitmanPro35.exe
2010-08-07 19:36 . 2010-08-07 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-07 19:36 . 2010-08-07 19:36 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-07 15:05 . 2010-08-07 15:05 503808 ----a-w- c:\documents and settings\Christy\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7aaa828a-n\msvcp71.dll
2010-08-07 15:05 . 2010-08-07 15:05 499712 ----a-w- c:\documents and settings\Christy\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7aaa828a-n\jmc.dll
2010-08-07 15:05 . 2010-08-07 15:05 348160 ----a-w- c:\documents and settings\Christy\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7aaa828a-n\msvcr71.dll
2010-08-07 15:05 . 2010-08-07 15:05 12800 ----a-w- c:\documents and settings\Christy\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5a966d3d-n\decora-d3d.dll
2010-08-07 15:05 . 2010-08-07 15:05 61440 ----a-w- c:\documents and settings\Christy\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5a966d3d-n\decora-sse.dll
2010-08-07 15:03 . 2010-08-07 15:03 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-27 17:52 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-27 17:51 . 2010-06-24 12:21 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-27 17:41 . 2010-07-27 17:41 3745790 ----a-r- c:\temp\ComboFix.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 23:37 . 2007-04-13 16:48 -------- d-----w- c:\program files\McAfee
2010-08-18 23:37 . 2007-04-13 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-08-13 04:27 . 2009-06-01 00:04 -------- d-----w- c:\program files\Common Files\McAfee
2010-08-07 15:04 . 2005-02-17 14:29 -------- d-----w- c:\program files\Common Files\Java
2010-08-07 15:02 . 2005-02-17 14:29 -------- d-----w- c:\program files\Java
2010-08-05 03:46 . 2005-02-17 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-08-05 03:46 . 2005-02-17 14:41 -------- d-----w- c:\program files\Common Files\AOL
2010-08-05 03:39 . 2005-03-20 07:45 -------- d-----w- c:\program files\Google
2010-07-17 11:16 . 2001-08-17 20:07 19072 ----a-w- c:\windows\system32\drivers\SPARROW.SYS
2010-07-03 20:36 . 2010-07-03 20:36 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-03 20:36 . 2010-07-03 20:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-03 16:18 . 2009-12-16 01:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 12:31 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-29 01:00 . 2010-04-09 09:17 439816 ----a-w- c:\documents and settings\Nick\Application Data\Real\Update\setup3.10\setup.exe
2010-06-24 12:22 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 11:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 11:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-20 01:17 . 2009-07-02 10:02 256 ----a-w- c:\windows\system32\pool.bin
2010-06-17 14:03 . 2004-08-04 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-01 01:32 . 2009-03-25 16:06 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-07-27_21.52.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-19 00:15 . 2010-08-19 00:15 16384 c:\windows\Temp\Perflib_Perfdata_610.dat
+ 2009-11-06 03:17 . 2009-11-06 03:17 11600 c:\windows\SYSTEM32\MUI\0409\mscorees.dll
- 2006-10-27 21:09 . 2010-02-25 06:24 55296 c:\windows\SYSTEM32\msfeedsbs.dll
+ 2006-10-27 21:09 . 2010-06-24 12:21 55296 c:\windows\SYSTEM32\msfeedsbs.dll
+ 2004-08-04 11:00 . 2010-06-24 12:21 25600 c:\windows\SYSTEM32\jsproxy.dll
- 2004-08-04 11:00 . 2010-02-25 06:24 25600 c:\windows\SYSTEM32\jsproxy.dll
+ 2009-06-10 22:42 . 2010-06-24 12:22 12800 c:\windows\SYSTEM32\DLLCACHE\xpshims.dll
- 2009-06-10 22:42 . 2010-02-25 06:24 12800 c:\windows\SYSTEM32\DLLCACHE\xpshims.dll
- 2007-05-08 19:44 . 2010-02-25 06:24 55296 c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
+ 2007-05-08 19:44 . 2010-06-24 12:21 55296 c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
- 2006-05-10 05:22 . 2010-02-25 06:24 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2006-05-10 05:22 . 2010-06-24 12:21 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2010-03-05 14:37 . 2010-03-05 14:37 65536 c:\windows\SYSTEM32\DLLCACHE\asycfilt.dll
+ 2010-07-27 22:19 . 2010-08-16 05:40 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-02-22 05:18 . 2010-07-27 18:38 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-02-22 05:18 . 2010-08-16 05:40 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-02-22 05:18 . 2010-07-27 18:38 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2010-07-27 22:19 . 2010-08-16 05:40 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2004-08-04 11:00 . 2010-03-05 14:37 65536 c:\windows\SYSTEM32\asycfilt.dll
+ 2010-04-01 16:42 . 2010-04-01 16:42 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2010-03-31 19:51 . 2010-03-31 19:51 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2010-03-31 19:51 . 2010-03-31 19:51 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2010-03-31 19:51 . 2010-03-31 19:51 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2008-05-28 06:30 . 2008-05-28 06:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2010-03-31 20:32 . 2010-03-31 20:32 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2010-03-31 20:32 . 2010-03-31 20:32 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
- 2003-02-21 01:19 . 2003-02-21 01:19 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2010-08-14 16:54 . 2010-08-14 16:54 40960 c:\windows\Installer\7ce252a.msi
+ 2010-07-28 08:03 . 2010-02-25 06:24 12800 c:\windows\ie8updates\KB982381-IE8\xpshims.dll
+ 2010-07-28 08:03 . 2010-02-25 06:24 55296 c:\windows\ie8updates\KB982381-IE8\msfeedsbs.dll
+ 2010-07-28 08:03 . 2010-02-25 06:24 25600 c:\windows\ie8updates\KB982381-IE8\jsproxy.dll
+ 2010-08-11 08:07 . 2010-05-06 10:41 12800 c:\windows\ie8updates\KB2183461-IE8\xpshims.dll
+ 2010-08-11 08:07 . 2010-05-06 10:41 55296 c:\windows\ie8updates\KB2183461-IE8\msfeedsbs.dll
+ 2010-08-11 08:07 . 2010-05-06 10:41 25600 c:\windows\ie8updates\KB2183461-IE8\jsproxy.dll
+ 2010-07-28 08:08 . 2010-07-28 08:08 90112 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_006e1fd1\System.Drawing.Design.dll
+ 2010-07-28 08:08 . 2010-07-28 08:08 61440 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_76363092\CustomMarshalers.dll
+ 2010-07-28 08:08 . 2010-07-28 08:08 81920 c:\windows\ASSEMBLY\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
- 2004-08-04 11:00 . 2010-02-25 06:24 206848 c:\windows\SYSTEM32\occache.dll
+ 2004-08-04 11:00 . 2010-06-24 12:22 206848 c:\windows\SYSTEM32\occache.dll
- 2004-08-04 11:00 . 2010-02-25 06:24 611840 c:\windows\SYSTEM32\mstime.dll
+ 2004-08-04 11:00 . 2010-06-24 12:22 611840 c:\windows\SYSTEM32\mstime.dll
+ 2006-10-27 21:09 . 2010-06-24 12:21 599040 c:\windows\SYSTEM32\msfeeds.dll
+ 2010-08-07 15:03 . 2010-08-07 15:03 153376 c:\windows\SYSTEM32\javaws.exe
+ 2010-08-07 15:03 . 2010-08-07 15:03 145184 c:\windows\SYSTEM32\javaw.exe
+ 2010-08-07 15:03 . 2010-08-07 15:03 145184 c:\windows\SYSTEM32\java.exe
+ 2004-08-04 11:00 . 2010-06-24 12:21 184320 c:\windows\SYSTEM32\iepeers.dll
- 2004-08-04 11:00 . 2010-02-25 06:24 184320 c:\windows\SYSTEM32\iepeers.dll
+ 2004-08-04 11:00 . 2010-06-24 12:21 387584 c:\windows\SYSTEM32\iedkcs32.dll
- 2004-08-04 11:00 . 2010-02-25 06:24 387584 c:\windows\SYSTEM32\iedkcs32.dll
+ 2004-08-04 11:00 . 2010-06-23 12:08 173056 c:\windows\SYSTEM32\ie4uinit.exe
- 2004-08-04 11:00 . 2010-02-24 09:54 173056 c:\windows\SYSTEM32\ie4uinit.exe
+ 2004-08-10 19:08 . 2010-08-11 08:25 238352 c:\windows\SYSTEM32\FNTCACHE.DAT
- 2004-08-10 19:08 . 2009-11-14 19:14 238352 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2004-08-04 11:00 . 2010-06-24 12:22 916480 c:\windows\SYSTEM32\DLLCACHE\wininet.dll
- 2004-08-04 11:00 . 2010-02-25 06:24 916480 c:\windows\SYSTEM32\DLLCACHE\wininet.dll
+ 2008-10-14 18:02 . 2010-06-21 15:27 354304 c:\windows\SYSTEM32\DLLCACHE\srv.sys
+ 2008-12-05 06:54 . 2010-06-30 12:31 149504 c:\windows\SYSTEM32\DLLCACHE\schannel.dll
- 2006-10-17 19:04 . 2010-02-25 06:24 206848 c:\windows\SYSTEM32\DLLCACHE\occache.dll
+ 2006-10-17 19:04 . 2010-06-24 12:22 206848 c:\windows\SYSTEM32\DLLCACHE\occache.dll
- 2006-05-10 05:23 . 2010-02-25 06:24 611840 c:\windows\SYSTEM32\DLLCACHE\mstime.dll
+ 2006-05-10 05:23 . 2010-06-24 12:22 611840 c:\windows\SYSTEM32\DLLCACHE\mstime.dll
+ 2007-05-08 19:44 . 2010-06-24 12:21 599040 c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2009-06-10 22:42 . 2010-06-24 12:21 247808 c:\windows\SYSTEM32\DLLCACHE\ieproxy.dll
- 2009-06-10 22:42 . 2010-02-25 06:24 247808 c:\windows\SYSTEM32\DLLCACHE\ieproxy.dll
- 2004-08-04 11:00 . 2010-02-25 06:24 184320 c:\windows\SYSTEM32\DLLCACHE\iepeers.dll
+ 2004-08-04 11:00 . 2010-06-24 12:21 184320 c:\windows\SYSTEM32\DLLCACHE\iepeers.dll
- 2006-10-27 08:44 . 2010-02-25 06:24 387584 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
+ 2006-10-27 08:44 . 2010-06-24 12:21 387584 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
- 2006-10-27 08:44 . 2010-02-24 09:54 173056 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
+ 2006-10-27 08:44 . 2010-06-23 12:08 173056 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
+ 2010-04-20 05:30 . 2010-04-20 05:30 285696 c:\windows\SYSTEM32\DLLCACHE\atmfd.dll
+ 2009-05-27 00:24 . 2010-08-11 08:25 262144 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
- 2004-08-04 11:00 . 2008-04-14 00:09 285696 c:\windows\SYSTEM32\atmfd.dll
+ 2004-08-04 11:00 . 2010-04-20 05:30 285696 c:\windows\SYSTEM32\atmfd.dll
+ 2010-03-31 19:51 . 2010-03-31 19:51 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2008-05-28 05:48 . 2008-05-28 05:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2010-03-31 19:49 . 2010-03-31 19:49 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2008-05-28 06:30 . 2008-05-28 06:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2010-03-31 20:32 . 2010-03-31 20:32 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2010-08-07 15:04 . 2010-08-07 15:04 180224 c:\windows\Installer\b0110.msi
+ 2010-08-07 15:02 . 2010-08-07 15:02 676352 c:\windows\Installer\b010b.msi
+ 2010-07-28 08:03 . 2010-02-25 06:24 916480 c:\windows\ie8updates\KB982381-IE8\wininet.dll
+ 2010-07-28 08:03 . 2010-02-22 14:23 382840 c:\windows\ie8updates\KB982381-IE8\spuninst\updspapi.dll
+ 2010-07-28 08:03 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB982381-IE8\spuninst\spuninst.exe
+ 2010-07-28 08:03 . 2010-02-25 06:24 206848 c:\windows\ie8updates\KB982381-IE8\occache.dll
+ 2010-07-28 08:03 . 2010-02-25 06:24 611840 c:\windows\ie8updates\KB982381-IE8\mstime.dll
+ 2010-07-28 08:03 . 2010-02-25 06:24 594432 c:\windows\ie8updates\KB982381-IE8\msfeeds.dll
+ 2010-07-28 08:03 . 2010-02-25 06:24 247808 c:\windows\ie8updates\KB982381-IE8\ieproxy.dll
+ 2010-07-28 08:03 . 2010-02-25 06:24 184320 c:\windows\ie8updates\KB982381-IE8\iepeers.dll
+ 2010-07-28 08:03 . 2009-03-08 09:35 742912 c:\windows\ie8updates\KB982381-IE8\iedvtool.dll
+ 2010-07-28 08:03 . 2010-02-25 06:24 387584 c:\windows\ie8updates\KB982381-IE8\iedkcs32.dll
+ 2010-07-28 08:03 . 2010-02-24 09:54 173056 c:\windows\ie8updates\KB982381-IE8\ie4uinit.exe
+ 2010-08-11 08:07 . 2010-05-06 10:41 916480 c:\windows\ie8updates\KB2183461-IE8\wininet.dll
+ 2010-08-11 08:07 . 2010-02-22 14:23 382840 c:\windows\ie8updates\KB2183461-IE8\spuninst\updspapi.dll
+ 2010-08-11 08:07 . 2009-05-26 09:01 231288 c:\windows\ie8updates\KB2183461-IE8\spuninst\spuninst.exe
+ 2010-08-11 08:07 . 2010-05-06 10:41 206848 c:\windows\ie8updates\KB2183461-IE8\occache.dll
+ 2010-08-11 08:07 . 2010-05-06 10:41 611840 c:\windows\ie8updates\KB2183461-IE8\mstime.dll
+ 2010-08-11 08:07 . 2010-05-06 10:41 599040 c:\windows\ie8updates\KB2183461-IE8\msfeeds.dll
+ 2010-08-11 08:07 . 2010-05-06 10:41 247808 c:\windows\ie8updates\KB2183461-IE8\ieproxy.dll
+ 2010-08-11 08:07 . 2010-05-06 10:41 184320 c:\windows\ie8updates\KB2183461-IE8\iepeers.dll
+ 2010-08-11 08:07 . 2010-05-06 10:41 743424 c:\windows\ie8updates\KB2183461-IE8\iedvtool.dll
+ 2010-08-11 08:07 . 2010-05-06 10:41 387584 c:\windows\ie8updates\KB2183461-IE8\iedkcs32.dll
+ 2010-08-11 08:07 . 2010-05-05 13:30 173056 c:\windows\ie8updates\KB2183461-IE8\ie4uinit.exe
+ 2010-08-05 23:28 . 2010-08-05 23:28 464272 c:\windows\Downloaded Program Files\wlscBase.dll
+ 2010-07-28 08:09 . 2010-07-28 08:09 835584 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_15c77e04\System.Drawing.dll
+ 2010-07-28 08:09 . 2010-07-28 08:09 192512 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_d4ef21a5\System.Drawing.Design.dll
+ 2010-07-28 08:09 . 2010-07-28 08:09 118784 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_42593173\CustomMarshalers.dll
+ 2004-08-04 11:00 . 2010-04-06 09:52 2462720 c:\windows\SYSTEM32\WMVCore.dll
+ 2004-08-04 11:00 . 2010-06-24 12:22 1210368 c:\windows\SYSTEM32\urlmon.dll
+ 2004-08-04 11:00 . 2010-07-27 06:30 8462336 c:\windows\SYSTEM32\shell32.dll
- 2004-08-04 11:00 . 2009-11-27 17:11 1291776 c:\windows\SYSTEM32\quartz.dll
+ 2004-08-04 11:00 . 2010-02-05 18:27 1291776 c:\windows\SYSTEM32\quartz.dll
- 2004-08-04 11:00 . 2010-02-17 14:10 2189952 c:\windows\SYSTEM32\ntoskrnl.exe
+ 2004-08-04 11:00 . 2010-04-28 02:25 2189952 c:\windows\SYSTEM32\ntoskrnl.exe
- 2004-08-04 11:00 . 2010-02-16 13:25 2066816 c:\windows\SYSTEM32\ntkrnlpa.exe
+ 2004-08-04 11:00 . 2010-04-27 13:05 2066816 c:\windows\SYSTEM32\ntkrnlpa.exe
+ 2004-08-04 11:00 . 2010-06-24 12:22 5951488 c:\windows\SYSTEM32\mshtml.dll
+ 2006-10-17 18:57 . 2010-06-24 12:21 1986560 c:\windows\SYSTEM32\iertutil.dll
+ 2004-08-04 11:00 . 2010-04-06 09:52 2462720 c:\windows\SYSTEM32\DLLCACHE\WMVCore.dll
+ 2008-10-14 18:01 . 2010-06-23 13:44 1851904 c:\windows\SYSTEM32\DLLCACHE\win32k.sys
+ 2004-08-04 11:00 . 2010-06-24 12:22 1210368 c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
+ 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\SYSTEM32\DLLCACHE\shell32.dll
- 2008-05-07 05:12 . 2009-11-27 17:11 1291776 c:\windows\SYSTEM32\DLLCACHE\quartz.dll
+ 2008-05-07 05:12 . 2010-02-05 18:27 1291776 c:\windows\SYSTEM32\DLLCACHE\quartz.dll
+ 2008-10-14 18:01 . 2010-04-28 02:25 2189952 c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
- 2008-10-14 18:01 . 2010-02-17 14:10 2189952 c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
- 2008-10-14 18:01 . 2010-02-16 13:25 2024448 c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
+ 2008-10-14 18:01 . 2010-04-27 13:05 2024448 c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
- 2008-10-14 18:01 . 2010-02-16 13:25 2066816 c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
+ 2008-10-14 18:01 . 2010-04-27 13:05 2066816 c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
- 2008-10-14 18:01 . 2010-02-16 14:08 2146304 c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
+ 2008-10-14 18:01 . 2010-04-27 13:59 2146304 c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
- 2008-11-12 09:16 . 2009-07-31 04:35 1172480 c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
+ 2008-11-12 09:16 . 2010-06-14 07:41 1172480 c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
+ 2004-08-04 11:00 . 2010-06-24 12:22 5951488 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2010-03-10 07:27 . 2010-06-18 13:36 3558912 c:\windows\SYSTEM32\DLLCACHE\moviemk.exe
- 2010-03-10 07:27 . 2009-10-23 15:28 3558912 c:\windows\SYSTEM32\DLLCACHE\moviemk.exe
+ 2007-05-08 19:44 . 2010-06-24 12:21 1986560 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
+ 2010-04-01 16:42 . 2010-04-01 16:42 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2008-05-28 06:35 . 2008-05-28 06:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2010-04-01 16:42 . 2010-04-01 16:42 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2008-05-28 06:35 . 2008-05-28 06:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2010-03-31 19:50 . 2010-03-31 19:50 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2008-05-28 05:48 . 2008-05-28 05:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2010-03-31 19:50 . 2010-03-31 19:50 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2008-05-28 05:43 . 2008-05-28 05:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2010-04-01 16:42 . 2010-04-01 16:42 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2010-08-14 16:57 . 2010-08-14 16:57 3884032 c:\windows\Installer\7ce2548.msi
+ 2010-08-14 16:57 . 2010-08-14 16:57 3493888 c:\windows\Installer\7ce2542.msi
+ 2010-08-14 16:56 . 2010-08-14 16:56 3498496 c:\windows\Installer\7ce253c.msi
+ 2010-08-14 16:56 . 2010-08-14 16:56 3489792 c:\windows\Installer\7ce2536.msi
+ 2010-08-14 16:55 . 2010-08-14 16:55 3516928 c:\windows\Installer\7ce2530.msi
+ 2010-07-28 08:03 . 2010-02-25 06:24 1209344 c:\windows\ie8updates\KB982381-IE8\urlmon.dll
+ 2010-07-28 08:03 . 2010-02-25 06:24 5944832 c:\windows\ie8updates\KB982381-IE8\mshtml.dll
+ 2010-07-28 08:03 . 2010-02-25 06:24 1985536 c:\windows\ie8updates\KB982381-IE8\iertutil.dll
+ 2010-08-11 08:07 . 2010-05-06 10:41 1209344 c:\windows\ie8updates\KB2183461-IE8\urlmon.dll
+ 2010-08-11 08:07 . 2010-05-06 10:41 5950976 c:\windows\ie8updates\KB2183461-IE8\mshtml.dll
+ 2010-08-11 08:07 . 2010-05-06 10:41 1985536 c:\windows\ie8updates\KB2183461-IE8\iertutil.dll
+ 2008-10-14 18:01 . 2010-04-28 02:25 2189952 c:\windows\Driver Cache\I386\ntoskrnl.exe
- 2008-10-14 18:01 . 2010-02-17 14:10 2189952 c:\windows\Driver Cache\I386\ntoskrnl.exe
- 2008-10-14 18:01 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\I386\ntkrpamp.exe
+ 2008-10-14 18:01 . 2010-04-27 13:05 2024448 c:\windows\Driver Cache\I386\ntkrpamp.exe
+ 2008-10-14 18:01 . 2010-04-27 13:05 2066816 c:\windows\Driver Cache\I386\ntkrnlpa.exe
- 2008-10-14 18:01 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\I386\ntkrnlpa.exe
+ 2008-10-14 18:01 . 2010-04-27 13:59 2146304 c:\windows\Driver Cache\I386\ntkrnlmp.exe
- 2008-10-14 18:01 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\I386\ntkrnlmp.exe
+ 2009-10-15 08:03 . 2009-10-15 08:03 3391488 c:\windows\ASSEMBLY\TEMP\QX39FLQW17\mscorlib.dll
+ 2009-10-15 08:02 . 2009-10-15 08:02 1232896 c:\windows\ASSEMBLY\TEMP\LSY4AGMSY4\System.dll
+ 2009-10-15 08:03 . 2009-10-15 08:03 2088960 c:\windows\ASSEMBLY\TEMP\BHMSY4AFLQ\System.Xml.dll
+ 2009-10-15 08:02 . 2009-10-15 08:02 1966080 c:\windows\ASSEMBLY\TEMP\07DJPV17DJ\System.dll
+ 2010-07-28 08:09 . 2010-07-28 08:09 4792320 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_d2f8f328\System.dll
+ 2010-07-28 08:08 . 2010-07-28 08:08 1966080 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_a9303d9b\System.dll
+ 2010-07-28 08:09 . 2010-07-28 08:09 2088960 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_4b4ac459\System.Xml.dll
+ 2010-07-28 08:10 . 2010-07-28 08:10 5513216 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_2a57ef92\System.Xml.dll
+ 2010-07-28 08:09 . 2010-07-28 08:09 3018752 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_f0a425b8\System.Windows.Forms.dll
+ 2010-07-28 08:10 . 2010-07-28 08:10 7884800 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_34ae3106\System.Windows.Forms.dll
+ 2010-07-28 08:10 . 2010-07-28 08:10 2244608 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_75ed508a\System.Drawing.dll
+ 2010-07-28 08:10 . 2010-07-28 08:10 3395584 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_aeb72902\System.Design.dll
+ 2010-07-28 08:09 . 2010-07-28 08:09 1470464 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_78623dc5\System.Design.dll
+ 2010-07-28 08:10 . 2010-07-28 08:10 8908800 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\MSCORLIB\1.0.5000.0__b77a5c561934e089_6cd4f1e4\mscorlib.dll
+ 2010-07-28 08:09 . 2010-07-28 08:09 3391488 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\MSCORLIB\1.0.5000.0__b77a5c561934e089_5ba7fe7b\mscorlib.dll
+ 2010-07-28 08:08 . 2010-07-28 08:08 1232896 c:\windows\ASSEMBLY\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2009-10-15 08:02 . 2009-10-15 08:02 1232896 c:\windows\ASSEMBLY\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2009-10-15 08:02 . 2009-10-15 08:02 1265664 c:\windows\ASSEMBLY\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-07-28 08:08 . 2010-07-28 08:08 1265664 c:\windows\ASSEMBLY\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2005-05-11 08:00 . 2010-08-03 18:09 35962312 c:\windows\SYSTEM32\MRT.exe
+ 2006-10-27 21:09 . 2010-06-24 22:51 11077120 c:\windows\SYSTEM32\ieframe.dll
+ 2007-05-08 19:44 . 2010-06-24 22:51 11077120 c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
+ 2010-04-03 00:29 . 2010-04-03 00:29 11413504 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M979906\M979906Uninstall.msp
+ 2010-04-02 17:30 . 2010-04-02 17:30 17456640 c:\windows\Installer\2240d0d.msp
+ 2010-07-28 08:03 . 2010-02-25 16:54 11070976 c:\windows\ie8updates\KB982381-IE8\ieframe.dll
+ 2010-08-11 08:07 . 2010-05-06 10:41 11076096 c:\windows\ie8updates\KB2183461-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Christy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-11 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Christy^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Christy\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 17:09 63712 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 22:54 57344 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2010-08-08 01:15 6289216 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-09-24 05:08 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 16:06 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-19 16:06 110592 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
2009-07-24 06:07 69632 ----a-w- c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-09-24 18:57 2254120 ----a-w- c:\program files\Nero\Nero BackItUp 4\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
2009-07-08 08:53 472112 ----a-w- c:\program files\Pure Networks\Network Magic\nmapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2009-07-07 20:48 647216 ----a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 16:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 02:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-02-17 14:44 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 09:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WRConsumerService"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"MSK80Service"=2 (0x2)
"mfevtp"=2 (0x2)
"mfefire"=2 (0x2)
"MDM"=2 (0x2)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"McNaiAnn"=2 (0x2)
"mcmscsvc"=2 (0x2)
"McMPFSvc"=2 (0x2)
"McAfee SiteAdvisor Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:Pure Networks Platform Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"2677:TCP"= 2677:TCP:Services
"3854:TCP"= 3854:TCP:Services

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [8/12/2010 6:46 PM 82952]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [8/12/2010 6:46 PM 141792]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [8/12/2010 6:46 PM 88480]
S3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [8/12/2010 6:46 PM 55456]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [8/12/2010 6:46 PM 88480]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S4 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/12/2010 11:26 PM 188136]
.
Contents of the 'Scheduled Tasks' folder

2010-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3627113128-3076315266-2767831547-1008Core.job
- c:\documents and settings\Christy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-11 23:48]

2010-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3627113128-3076315266-2767831547-1008UA.job
- c:\documents and settings\Christy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-11 23:48]

2010-08-19 c:\windows\Tasks\User_Feed_Synchronization-{D454F472-4BC1-41F2-A46E-57CE9ADB2C66}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: musicmatch.com\online
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-mcui_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-18 19:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8994778A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76bbf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> ntoskrnl.exe @ 0x805c7abe
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x899adb60
PacketIndicateHandler -> NDIS.sys @ 0xf7aeaa21
SendHandler -> NDIS.sys @ 0xf7ac887b
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
Completion time: 2010-08-18 19:28:03
ComboFix-quarantined-files.txt 2010-08-19 00:27
ComboFix2.txt 2010-07-27 21:55

Pre-Run: 42,141,622,272 bytes free
Post-Run: 42,136,141,824 bytes free

- - End Of File - - A414191DF59206E41081EE8B03AA6FD7
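As an added triage aid (my own example, not ComboFix's code or anything posted in this thread): the SnapShot section of the log above lists every file that changed since the previous ComboFix run, with a `-` line for the old copy and a `+` line for the new one, but it is not sorted and the pairs are scattered. Pairing those lines by path turns the dump into three short lists (added, removed, replaced) and flags replaced files whose size changed or whose modification time moved backwards, which is where a reviewer would look first. The sample mixes lines copied from the log above with one constructed entry (`c:\example\constructed.dll`) that exercises both flagging branches.

```python
"""Pair the +/- lines of a ComboFix SnapShot section (added example, not ComboFix's own code)."""
import re
from collections import defaultdict

# One diff line: sign, created stamp, ".", modified stamp, size in bytes, path (paths may contain spaces).
_LINE = re.compile(
    r"^([+-])\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+(.+?)\s*$"
)

# Lines copied from the log above, plus one constructed entry (c:\example\constructed.dll)
# that changes size and has a modification time earlier than the version it replaced.
SAMPLE = r"""
((((((((((((((((((((((((((((( SnapShot@2010-07-27_21.52.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-19 00:15 . 2010-08-19 00:15 16384 c:\windows\Temp\Perflib_Perfdata_610.dat
- 2006-10-27 21:09 . 2010-02-25 06:24 55296 c:\windows\SYSTEM32\msfeedsbs.dll
+ 2006-10-27 21:09 . 2010-06-24 12:21 55296 c:\windows\SYSTEM32\msfeedsbs.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2010-03-31 19:51 . 2010-03-31 19:51 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2010-03-10 07:27 . 2010-06-18 13:36 3558912 c:\windows\SYSTEM32\DLLCACHE\moviemk.exe
- 2010-03-10 07:27 . 2009-10-23 15:28 3558912 c:\windows\SYSTEM32\DLLCACHE\moviemk.exe
- 2004-08-04 11:00 . 2010-02-17 14:10 2189952 c:\windows\SYSTEM32\ntoskrnl.exe
+ 2004-08-04 11:00 . 2010-04-28 02:25 2189952 c:\windows\SYSTEM32\ntoskrnl.exe
- 2004-08-04 11:00 . 2010-06-01 12:00 1000 c:\example\constructed.dll
+ 2004-08-04 11:00 . 2009-01-01 00:00 1200 c:\example\constructed.dll
.
-- Snapshot reset to current date --
"""


def parse_snapshot(text):
    """Return {lower-cased path: {'-': old entry, '+': new entry}} for every diff line."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # section header, lone dots and blank lines carry no file data
        sign, created, modified, size, path = m.groups()
        entries[path.lower()][sign] = {
            "path": path, "created": created, "modified": modified, "size": int(size)
        }
    return entries


def classify(entries):
    """Split entries into added/removed/replaced and flag replaced files worth a second look."""
    report = {"added": [], "removed": [], "replaced": [], "flags": []}
    for pair in entries.values():
        old, new = pair.get("-"), pair.get("+")
        if old and new:
            report["replaced"].append(new["path"])
            if new["size"] != old["size"]:
                report["flags"].append((new["path"], "size changed %d -> %d" % (old["size"], new["size"])))
            # The stamps are "YYYY-MM-DD HH:MM", so string comparison orders them chronologically.
            if new["modified"] < old["modified"]:
                report["flags"].append((new["path"], "modification time moved backwards"))
        elif new:
            report["added"].append(new["path"])
        else:
            report["removed"].append(old["path"])
    for key in ("added", "removed", "replaced"):
        report[key].sort(key=str.lower)
    return report


def triage(text=SAMPLE):
    """Parse a SnapShot section and return the classification report."""
    return classify(parse_snapshot(text))


if __name__ == "__main__":
    result = triage()
    for key in ("added", "removed", "replaced"):
        print("%s (%d):" % (key, len(result[key])))
        for path in result[key]:
            print("   ", path)
    print("flags:")
    for path, why in result["flags"]:
        print("   ", path, "-", why)
```

Run it against a saved ComboFix.txt by passing the file contents to `triage()`; the whole file can go in, since only lines shaped like the diff entries are picked up. A size change on a Windows DLL that was not part of a visible update, or a modification time that went backwards, is only a prompt to check the file further (signature, hash), not a verdict.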

0

BTW, I currently do not have McAfee or Spy Sweeper installed. I will wait to reinstall them until we finish this. Also, I'm not opening up IE.. have been using Chrome only.

TIA

0

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
0

Thank you so much for your help. Below is the output.


Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`01f60800

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...

0

Please do not wait so long to respond.

Open Notepad
Copy and paste following text into Notepad:

@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXIT

Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat.
Save fix.bat to your Desktop.

Run fix.bat by double clicking.
You may see a black box appear; this is normal.

When done, run remover.exe again and post its output.

==

Please make sure to restart your computer and see if the problem persists.

0

Thanks again- sorry, it had been so long since a response I had stopped checking the site every day.

Directly after running fix.bat, I get this remover log. I'll restart now and see if remover log looks the same.


Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`01f60800

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
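Bootkit Remover offers `remover.exe dump <device_name> [output_file]` so the master boot sector can be saved and looked at by hand. The following Python is an added example, not part of Bootkit Remover or anything posted in this thread; it shows what that offline inspection looks like: it checks the 0x55AA signature, decodes the partition table, hashes the 440 bytes of boot code, and compares a dump against a known-good copy so that a changed boot sector stands out even when the partition table is untouched. Both 512-byte sectors are constructed inside the script; the single partition is placed at LBA 64260, whose byte offset equals the 0x01f60800 that Bootkit Remover printed for \\.\C: above, and the sector count is an assumption.

```python
"""Offline inspection of a 512-byte MBR dump (added example, not Bootkit Remover's code)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 440-443 hold the disk signature, 446-509 the partition table
PART_TABLE = 446
ENTRY = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code, parts):
    """Assemble a constructed MBR from boot code and (status, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    buf = bytearray(SECTOR)
    buf[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(parts[:4]):
        # CHS fields are left zero; the LBA fields are what matters on a disk this size.
        struct.pack_into(ENTRY, buf, PART_TABLE + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    buf[510], buf[511] = 0x55, 0xAA
    return bytes(buf)


def parse_mbr(data):
    """Check the signature, decode the partition table and hash the boot code."""
    if len(data) != SECTOR:
        raise ValueError("an MBR dump must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY, data, PART_TABLE + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba, "sectors": count, "byte_offset": lba * SECTOR,
        })
    return {
        "signature_ok": data[510:512] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_boot_code(dump, baseline):
    """Tell whether the boot code or the partition table differ between a dump and a known-good copy."""
    return {
        "boot_code_identical": dump[:BOOT_CODE_LEN] == baseline[:BOOT_CODE_LEN],
        "partition_table_identical": dump[PART_TABLE:510] == baseline[PART_TABLE:510],
        "first_difference": next((i for i in range(BOOT_CODE_LEN) if dump[i] != baseline[i]), None),
    }


# Constructed sectors. The boot code is a few bytes of a typical MBR prologue padded with NOPs,
# not a working boot sector; the "suspect" copy differs only in its first two bytes.
_CLEAN_STUB = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 8)
_SUSPECT_STUB = b"\xeb\x00" + _CLEAN_STUB[2:]
# One bootable NTFS (0x07) partition at LBA 64260: 64260 * 512 = 0x01f60800, the offset Bootkit
# Remover printed for the C: volume above. The sector count is an assumption for a 74 GB disk.
_PARTS = [(0x80, 0x07, 64260, 155_000_000)]
CLEAN_MBR = build_sample_mbr(_CLEAN_STUB, _PARTS)
SUSPECT_MBR = build_sample_mbr(_SUSPECT_STUB, _PARTS)


if __name__ == "__main__":
    # With a real dump: parse_mbr(open("mbr.bin", "rb").read())
    info = parse_mbr(SUSPECT_MBR)
    print("signature ok:", info["signature_ok"])
    for p in info["partitions"]:
        print("partition %d: type 0x%02x bootable=%s starts at byte 0x%08x"
              % (p["index"], p["type"], p["bootable"], p["byte_offset"]))
    print("boot code sha256:", info["boot_code_sha256"])
    print("vs. baseline:", compare_boot_code(SUSPECT_MBR, CLEAN_MBR))
```

The baseline for a real comparison is a dump of the same machine's MBR taken when it was known clean, or the boot code the installed Windows version writes; hashing only the first 440 bytes keeps the disk signature and partition table (which legitimately differ between machines) out of the comparison. Note the limit the tool's own output above makes plain: when a rootkit controls the disk, a dump taken from inside the running system may not show the real sector contents, which is why the check is most trustworthy on an image taken from outside the infected OS.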
