
Active Google Redirect Virus

Discussion in 'Malware and Virus Removal Archive' started by Ytse, 2009/11/28.

    Ytse (Thread Starter), 2009/11/28
    [Active] Google Redirect Virus

    Hi everyone, thanks a lot in advance for running a site like this.

    I get redirected from Google search links.
    At first it only happened with IE 8 and Firefox. It got pretty bad, so I tried MBAM and it didn't help.

    I reinstalled windows, and everything was fine for a week or so, then the redirects began again.

    I uninstalled Firefox, installed Chrome and was good for a while. A couple of days ago Chrome started doing it too, and in addition to the redirects I get between 5-10 new tabs opening randomly in Chrome. The tabs have no address, only a series of numbers in the address bar, and only display a blank page.

    I have only tried McAfee and updated MBAM scans since.


    DDS (Ver_09-11-24.02) - NTFSx86
    Run by David Lopez at 11:55:34.79 on Sat 11/28/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1041 [GMT -6:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\mqsvc.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Three Rings Design\Puzzle Pirates\java_vm\bin\javaw.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\David Lopez\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\David Lopez\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\David Lopez\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\David Lopez\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\David Lopez\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\David Lopez\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    c:\PROGRA~1\mcafee\msc\mcshell.exe
    C:\Documents and Settings\David Lopez\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
    uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\david lopez\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [nwiz] nwiz.exe /installquiet /nodetect
    mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
    mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe "
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
    mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
    mRun: [sealmon.exe] c:\program files\oracle\information rights management\desktop\sealmon.exe
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1257039762895
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
    DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 91.212.127.227 winwarepro.microsoft.com
    Hosts: 91.212.127.227 winwarepro.com
    Hosts: 91.212.127.227 www.winwarepro.com

    ============= SERVICES / DRIVERS ===============

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-10-31 203280]
    S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
    S3 MR97310_VGA_DUAL_CAMERA;DC2130;c:\windows\system32\drivers\MR97310v.sys [2009-11-15 116686]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4639136]

    =============== Created Last 30 ================

    2009-11-25 05:31:56 0 d-----w- c:\documents and settings\all users\Microsoft
    2009-11-25 05:29:41 0 d-----w- c:\program files\Microsoft Analysis Services
    2009-11-25 05:29:23 0 d-----w- c:\windows\SHELLNEW
    2009-11-24 03:52:32 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2009-11-24 03:52:32 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
    2009-11-24 03:52:23 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2009-11-24 03:52:23 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
    2009-11-24 03:52:05 0 d-----w- C:\logs
    2009-11-24 03:51:20 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
    2009-11-24 03:51:20 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
    2009-11-18 15:22:11 0 d-----w- c:\docume~1\davidl~1\applic~1\eMusic
    2009-11-18 05:45:12 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-11-18 05:45:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2009-11-18 05:44:00 0 d-----w- c:\program files\iPod
    2009-11-18 05:43:52 0 d-----w- c:\program files\iTunes
    2009-11-18 05:43:52 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-11-18 05:43:30 0 d-----w- c:\program files\Bonjour
    2009-11-18 05:41:54 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2009-11-18 05:41:54 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
    2009-11-17 14:17:36 0 d--h--w- c:\windows\PIF
    2009-11-16 05:36:09 120056 ------w- c:\windows\system32\pxcpyi64.exe
    2009-11-16 05:36:09 118520 ------w- c:\windows\system32\pxinsi64.exe
    2009-11-16 05:34:31 0 d-----w- c:\program files\common files\DivX Shared
    2009-11-16 05:33:06 311296 ----a-w- c:\windows\system32\TubeFinder.exe
    2009-11-16 05:33:04 208500 ----a-w- c:\windows\system32\ReyXpBasics.tlb
    2009-11-16 05:33:04 119568 ----a-w- c:\windows\system32\VB6FR.DLL
    2009-11-16 05:33:04 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
    2009-11-16 05:33:03 9728 ----a-w- c:\windows\system32\PCCLPFR.DLL
    2009-11-16 05:33:03 84512 ----a-w- c:\windows\system32\PICCLP32.OCX
    2009-11-16 05:33:03 364544 ----a-w- c:\windows\system32\PropertyGrid.ocx
    2009-11-16 05:33:01 24576 ----a-w- c:\windows\system32\ControlSubX.ocx
    2009-11-16 05:33:01 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
    2009-11-16 05:33:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
    2009-11-16 05:33:00 152848 ----a-w- c:\windows\system32\COMDLG32.OCX
    2009-11-16 05:33:00 0 d-----w- c:\program files\Free FLV Converter
    2009-11-16 05:33:00 0 d-----w- c:\docume~1\davidl~1\applic~1\FreeFLVConverter
    2009-11-15 21:38:46 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2009-11-15 21:33:23 0 d-----r- c:\program files\Skype
    2009-11-15 21:24:22 37 ----a-w- c:\windows\marscam.ini
    2009-11-15 21:14:03 0 d-----w- c:\program files\Ulead Systems
    2009-11-15 21:08:37 49152 ----a-w- c:\windows\system32\mr310exv.dll
    2009-11-15 21:08:37 352256 ----a-w- c:\windows\system32\ijl15.dll
    2009-11-15 21:08:37 28672 ----a-w- c:\windows\system32\mr310exd.dll
    2009-11-15 21:08:37 15164 ----a-w- c:\windows\Mr310twv.ini
    2009-11-15 21:08:37 12106 ----a-w- c:\windows\Mr310twv.src
    2009-11-15 21:08:37 102400 ----a-w- c:\windows\system32\mr310ifv.dll
    2009-11-15 21:08:37 0 d-----w- c:\program files\MARS
    2009-11-15 21:08:36 73728 ----a-w- c:\windows\system32\mr310ipv.dll
    2009-11-15 21:08:36 116686 ----a-w- c:\windows\system32\drivers\MR97310v.sys
    2009-11-13 07:20:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2009-11-11 00:36:43 0 d-----w- c:\docume~1\davidl~1\applic~1\TaxCut
    2009-11-11 00:36:43 0 d-----w- c:\docume~1\alluse~1\applic~1\TaxCut
    2009-11-11 00:23:11 0 d-----w- c:\program files\TaxCut08
    2009-11-08 23:11:33 0 d-----w- c:\docume~1\davidl~1\applic~1\Malwarebytes
    2009-11-08 23:11:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-08 23:11:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-11-08 23:11:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-08 23:11:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-07 21:56:09 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
    2009-11-07 21:56:09 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
    2009-11-07 21:56:08 129520 ------w- c:\windows\system32\pxafs.dll
    2009-11-05 01:22:45 0 d-----w- c:\docume~1\davidl~1\applic~1\SealedMedia
    2009-11-05 01:22:37 0 d-----w- c:\program files\Oracle
    2009-11-02 20:32:03 0 d-sh--w- c:\documents and settings\david lopez\IECompatCache
    2009-11-02 19:04:24 0 d-----w- c:\docume~1\davidl~1\applic~1\OpenOffice.org
    2009-11-02 15:02:15 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2009-11-02 15:02:14 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2009-11-02 15:02:14 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
    2009-11-02 15:02:13 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2009-11-02 03:32:10 0 d-----w- c:\program files\JRE
    2009-11-02 03:31:53 0 d-----w- c:\program files\OpenOffice.org 3
    2009-11-02 03:31:19 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-11-01 22:55:07 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
    2009-11-01 22:33:38 274288 ----a-w- c:\windows\system32\mucltui.dll
    2009-11-01 22:33:38 215920 ----a-w- c:\windows\system32\muweb.dll
    2009-11-01 22:33:38 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2009-11-01 05:42:36 0 d-----w- c:\windows\system32\LogFiles
    2009-11-01 05:27:45 26368 ----a-w- c:\windows\system32\dllcache\usbstor.sys
    2009-11-01 05:27:01 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
    2009-11-01 05:26:56 0 d-----w- c:\program files\AIM
    2009-11-01 05:26:51 0 d-----w- c:\program files\common files\AOL
    2009-11-01 05:26:38 363 ---ha-w- C:\IPH.PH
    2009-11-01 04:13:04 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2009-11-01 04:13:04 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
    2009-11-01 04:13:02 21504 ----a-w- c:\windows\system32\hidserv.dll
    2009-11-01 04:13:02 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
    2009-11-01 04:13:00 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
    2009-11-01 04:13:00 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
    2009-11-01 04:12:00 32 ----a-r- c:\documents and settings\all users\hash.dat
    2009-11-01 04:08:56 0 d-----w- c:\documents and settings\david lopez\Tracing
    2009-11-01 04:07:10 0 d-----w- c:\program files\Microsoft
    2009-11-01 04:06:54 0 d-----w- c:\program files\Windows Live SkyDrive
    2009-11-01 03:57:30 0 d-----w- c:\program files\common files\Windows Live
    2009-11-01 03:56:34 0 d-----w- c:\program files\Three Rings Design
    2009-11-01 03:40:43 0 d-sh--w- c:\documents and settings\david lopez\UserData
    2009-11-01 03:04:49 0 d-sh--w- c:\documents and settings\david lopez\PrivacIE
    2009-11-01 03:01:38 0 d-sh--w- c:\documents and settings\david lopez\IETldCache
    2009-11-01 02:55:09 0 d-----w- c:\windows\system32\appmgmt
    2009-11-01 02:53:40 0 dc-h--w- c:\windows\ie8
    2009-11-01 02:46:14 0 d-----w- c:\program files\MSXML 4.0
    2009-11-01 02:40:57 272128 ------w- c:\windows\system32\dllcache\bthport.sys
    2009-11-01 02:40:22 0 d-sh--w- c:\documents and settings\david lopez\Temporary Internet Files
    2009-11-01 02:40:22 0 d-sh--w- c:\documents and settings\david lopez\History
    2009-11-01 02:39:42 1659 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_HP Pavilion dv6000 (RG253UA#ABA)_YN_0Pavi_QCNF6414QVM_E432250002_46_I30B7_SQuanta_V65.2B_BF.3E_T071227_WXP2_L409_M959_J80_7AMD_8Turion 64 Technology MK-36_92.01_#060919_N14E44311_(RG253UA#ABA)_XMOBILE.MRK
    2009-11-01 02:39:41 17643 ----a-w- c:\windows\system32\Config.MPF
    2009-11-01 02:38:59 0 d-----w- c:\docume~1\davidl~1\applic~1\Intuit
    2009-11-01 02:37:35 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2009-11-01 02:37:35 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
    2009-11-01 02:37:35 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2009-11-01 02:37:34 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2009-11-01 02:37:16 0 d-----w- c:\program files\common files\McAfee
    2009-11-01 02:37:14 0 d-----w- c:\program files\McAfee.com
    2009-11-01 02:37:04 0 d-----w- c:\program files\McAfee
    2009-11-01 02:34:40 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
    2009-11-01 02:34:40 10752 ----a-w- c:\windows\system32\c_iscii.dll
    2009-11-01 02:34:39 66594 ----a-w- c:\windows\system32\c_864.nls
    2009-11-01 02:34:39 66594 ----a-w- c:\windows\system32\c_862.nls
    2009-11-01 02:34:39 66594 ----a-w- c:\windows\system32\c_720.nls
    2009-11-01 02:34:39 66082 ----a-w- c:\windows\system32\c_708.nls
    2009-11-01 02:34:39 66082 ----a-w- c:\windows\system32\C_28596.NLS
    2009-11-01 02:34:39 66082 ----a-w- c:\windows\system32\c_10005.nls
    2009-11-01 02:34:39 66082 ----a-w- c:\windows\system32\c_10004.nls
    2009-11-01 02:34:39 5632 ----a-w- c:\windows\system32\kbdusa.dll
    2009-11-01 02:34:38 66082 ----a-w- c:\windows\system32\c_10021.nls
    2009-11-01 02:34:38 6144 ----a-w- c:\windows\system32\ftlx041e.dll
    2009-11-01 02:33:55 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
    2009-11-01 02:30:36 153088 ------w- c:\windows\system32\dllcache\triedit.dll
    2009-11-01 02:30:16 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx
    2009-11-01 02:29:24 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
    2009-11-01 02:29:08 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
    2009-11-01 02:28:50 333952 ------w- c:\windows\system32\dllcache\srv.sys
    2009-11-01 02:28:46 331776 ------w- c:\windows\system32\dllcache\msadce.dll
    2009-11-01 02:28:43 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
    2009-11-01 02:28:36 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
    2009-11-01 02:27:28 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-11-01 02:27:27 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
    2009-11-01 02:27:26 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-11-01 02:27:06 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
    2009-11-01 02:27:04 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
    2009-11-01 02:21:33 2560 ------w- c:\windows\system32\xpsp4res.dll
    2009-11-01 02:21:32 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
    2009-11-01 02:21:32 1203922 ------w- c:\windows\system32\dllcache\sysmain.sdb
    2009-11-01 02:10:42 0 d-----w- c:\windows\system32\scripting
    2009-11-01 02:10:41 0 d-----w- c:\windows\system32\en
    2009-11-01 02:10:41 0 d-----w- c:\windows\system32\bits
    2009-11-01 02:10:41 0 d-----w- c:\windows\l2schemas
    2009-11-01 02:08:58 0 d-----w- c:\windows\ServicePackFiles
    2009-11-01 02:07:29 0 d-----w- c:\windows\network diagnostic
    2009-11-01 01:56:48 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
    2009-11-01 01:48:43 0 d-----w- c:\windows\system32\PreInstall
    2009-11-01 01:41:01 0 d-----w- c:\windows\system32\SoftwareDistribution

    ==================== Find3M ====================

    2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
    2009-10-02 04:44:07 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
    2009-09-26 09:32:10 1205080 ----a-w- c:\windows\system32\FM20.DLL
    2009-09-26 09:32:08 31600 ----a-w- c:\windows\system32\FM20ENU.DLL
    2009-09-25 16:41:28 90112 ----a-w- c:\windows\system32\dpl100.dll
    2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
    2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll
    2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
    2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll
    2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll
    2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll
    2009-09-25 05:37:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
    2009-09-25 05:37:09 81920 ------w- c:\windows\system32\ieencode.dll
    2009-09-25 05:37:09 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
    2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
    2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
    2007-03-24 14:12:18 22 --sha-w- c:\windows\sminst\HPCD.SYS

    ============= FINISH: 11:57:16.51 ===============
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-11-24.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/31/2009 9:37:07 PM
    System Uptime: 11/28/2009 11:00:50 AM (0 hours ago)

    Motherboard: Quanta | | 30B7
    Processor: AMD Turion(tm) 64 Mobile Technology MK-36 | Socket S1 | 2009/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 62 GiB total, 27.193 GiB free.
    D: is FIXED (FAT32) - 12 GiB total, 1.049 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: NVIDIA nForce Networking Controller
    Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0269\4&E5D621B&0&01
    Manufacturer: NVIDIA
    Name: NVIDIA nForce Networking Controller
    PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0269\4&E5D621B&0&01
    Service: NVENETFD

    ==== System Restore Points ===================

    RP1: 10/31/2009 9:37:11 PM - System Checkpoint
    RP2: 10/31/2009 9:41:28 PM - Installed Vongo
    RP3: 10/31/2009 9:50:27 PM - Configured Customer Experience Enhancement
    RP4: 10/31/2009 9:51:26 PM - Configured easy Internet sign-up
    RP5: 10/31/2009 9:54:46 PM - Removed Microsoft Office Standard Edition 2003
    RP6: 10/31/2009 9:55:48 PM - Removed Microsoft Works
    RP7: 10/31/2009 9:59:22 PM - Removed Vongo
    RP8: 10/31/2009 9:59:37 PM - Removed Wireless Home Network Setup
    RP9: 10/31/2009 10:21:55 PM - Removed Quicken 2006
    RP10: 10/31/2009 10:22:43 PM - Removed Office 2003 Trial Assistant
    RP11: 10/31/2009 10:25:03 PM - Removed muvee autoProducer 5.0
    RP12: 10/31/2009 10:25:43 PM - Removed HP Wireless Assistant
    RP13: 10/31/2009 8:48:24 PM - Software Distribution Service 3.0
    RP14: 10/31/2009 9:00:28 PM - Software Distribution Service 3.0
    RP15: 10/31/2009 9:44:25 PM - Software Distribution Service 3.0
    RP16: 10/31/2009 10:15:15 PM - Software Distribution Service 3.0
    RP17: 11/1/2009 12:41:10 AM - Installed Windows Media Player 11
    RP18: 11/1/2009 12:41:54 AM - Installed Windows XP Media Center Edition 2005 KB925766.
    RP19: 11/1/2009 12:42:32 AM - Installed Windows XP Wudf01000.
    RP20: 11/1/2009 12:44:56 AM - Installed Windows XP MSCompPackV1.
    RP21: 11/1/2009 5:51:59 PM - Software Distribution Service 3.0
    RP22: 11/1/2009 10:30:32 PM - Installed Java(TM) 6 Update 16
    RP23: 11/1/2009 10:31:39 PM - Installed OpenOffice.org 3.1
    RP24: 11/2/2009 10:22:08 AM - Removed Sonic MyDVD Plus
    RP25: 11/2/2009 10:22:33 AM - Removed Sonic Update Manager
    RP26: 11/2/2009 10:22:41 AM - Removed Sonic Copy Module
    RP27: 11/2/2009 10:22:49 AM - Removed Sonic Data Module
    RP28: 11/2/2009 10:23:45 AM - Removed Sonic Express Labeler
    RP29: 11/2/2009 10:24:59 AM - Removed Sonic Audio Module
    RP30: 11/3/2009 6:40:34 PM - Software Distribution Service 3.0
    RP31: 11/3/2009 10:08:07 PM - Installed Microsoft Office Enterprise 2007
    RP32: 11/4/2009 12:19:35 AM - Installed Microsoft Office Enterprise 2007
    RP33: 11/4/2009 12:35:22 AM - Installed Microsoft Office Enterprise 2007
    RP34: 11/4/2009 7:03:26 PM - Installed Microsoft Office Enterprise 2007
    RP35: 11/4/2009 7:11:33 PM - Installed Microsoft Office Enterprise 2007
    RP36: 11/4/2009 7:18:02 PM - Installed Microsoft Office Enterprise 2007
    RP37: 11/4/2009 7:23:38 PM - Installed Microsoft Office Enterprise 2007
    RP38: 11/4/2009 8:22:36 PM - Installed Oracle IRM Desktop 5.5.12 10gR3 PR5
    RP39: 11/5/2009 2:47:32 PM - Software Distribution Service 3.0
    RP40: 11/8/2009 4:56:27 PM - Pre Edit Test
    RP41: 11/10/2009 8:24:10 PM - Installed Microsoft Office Enterprise 2007
    RP42: 11/10/2009 8:45:56 PM - Installed Microsoft Office Enterprise 2007
    RP43: 11/11/2009 5:08:02 PM - Software Distribution Service 3.0
    RP44: 11/13/2009 1:09:10 AM - Installed Java(TM) 6 Update 17
    RP45: 11/13/2009 1:15:37 AM - Removed J2SE Runtime Environment 5.0 Update 6
    RP46: 11/13/2009 1:15:54 AM - Removed Java(TM) 6 Update 16
    RP47: 11/13/2009 1:19:48 AM - Installed Java(TM) 6 Update 17
    RP48: 11/14/2009 5:45:36 AM - System Checkpoint
    RP49: 11/15/2009 3:21:16 PM - Unsigned driver install
    RP50: 11/17/2009 12:51:19 AM - System Checkpoint
    RP51: 11/17/2009 11:43:45 PM - Installed iTunes
    RP52: 11/20/2009 12:24:40 AM - Software Distribution Service 3.0
    RP53: 11/21/2009 2:03:19 AM - System Checkpoint
    RP54: 11/22/2009 10:49:51 PM - System Checkpoint
    RP55: 11/24/2009 10:19:46 AM - System Checkpoint
    RP56: 11/24/2009 11:27:24 PM - Installed Microsoft Office Professional 2010
    RP57: 11/24/2009 11:53:10 PM - Software Distribution Service 3.0
    RP58: 11/26/2009 4:12:31 PM - System Checkpoint
    RP59: 11/27/2009 5:11:57 PM - System Checkpoint

    ==== Installed Programs ======================
    AAC Decoder
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0.5
    AIM 7
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AT&T Yahoo! Messenger
    AutoUpdate
    Bonjour
    BufferChm
    Conexant HD Audio
    CP_AtenaShokunin1Config
    CP_CalendarTemplates1
    cp_LightScribeConfig
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CP_Panorama1Config
    cp_PosterPrintConfig
    cp_UpdateProjectsConfig
    CueTour
    DC2130
    Destinations
    DeviceManagementQFolder
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    Free FLV Converter V 6.7.4
    FullDPAppQFolder
    Google Chrome
    H.264 Decoder
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    HP Help and Support
    HP Imaging Device Functions 6.0
    HP Photosmart Premier Software 6.0
    HP Quick Launch Buttons 6.10 A2
    HP QuickPlay 2.3
    HP Rhapsody
    HP Update
    HP User Guides 0031
    HpSdpAppCoreApp
    InstantShareDevices
    iTunes
    Java(TM) 6 Update 17
    LightScribe 1.4.97.1
    Macromedia Flash Player 8
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    McAfee SecurityCenter
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office Access MUI (English) 2010 (Beta)
    Microsoft Office Access Setup Metadata MUI (English) 2010 (Beta)
    Microsoft Office Excel MUI (English) 2010 (Beta)
    Microsoft Office OneNote MUI (English) 2010 (Beta)
    Microsoft Office Outlook MUI (English) 2010 (Beta)
    Microsoft Office PowerPoint MUI (English) 2010 (Beta)
    Microsoft Office Professional 2010
    Microsoft Office Proof (English) 2010 (Beta)
    Microsoft Office Proof (French) 2010 (Beta)
    Microsoft Office Proof (Spanish) 2010 (Beta)
    Microsoft Office Proofing (English) 2010 (Beta)
    Microsoft Office Publisher MUI (English) 2010 (Beta)
    Microsoft Office Send-a-Smile
    Microsoft Office Shared MUI (English) 2010 (Beta)
    Microsoft Office Shared Setup Metadata MUI (English) 2010 (Beta)
    Microsoft Office Single Image 2010 (Beta)
    Microsoft Office Word MUI (English) 2010 (Beta)
    Microsoft Software Update for Web Folders (English) 14 (Beta)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    MKV Splitter
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NetWaiting
    NVIDIA Drivers
    Office 2003 Trial Assistant
    OpenOffice.org 3.1
    OptionalContentQFolder
    Oracle IRM Desktop 5.5.12 10gR3 PR5
    PhotoGallery
    Puzzle Pirates
    QuickTime
    RandMap
    Security Update for CAPICOM (KB931906)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Segoe UI
    SkinsHP1
    Skype web features
    Skype™ 4.1
    Soft Data Fax Modem with SmartCP
    Sonic_PrimoSDK
    SonicAC3Encoder
    SonicMPEGEncoder
    Synaptics Pointing Device Driver
    TourSetup
    Ulead VideoStudio version 4.0 SE Basic
    Unload
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Media Player 10 (KB910393)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    VC80CRTRedist - 8.0.50727.4053
    Vongo
    WebFldrs XP
    Winamp
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Connect
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Media Center Edition 2005 KB925766
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    11/25/2009 10:50:04 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer KOTIK-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8ABC6D3C-5D6B-4347-. The master browser is stopping or an election is being forced.
    11/25/2009 10:46:56 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer JUAN-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8ABC6D3C-5D6B-4347-A. The master browser is stopping or an election is being forced.
    11/24/2009 9:40:41 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    11/24/2009 9:40:41 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    11/24/2009 8:26:15 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer TYGER-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8ABC6D3C-5D6B-4347-. The master browser is stopping or an election is being forced.
    11/24/2009 8:03:04 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxdnCATSCustConnectService service to connect.
    11/24/2009 8:03:04 AM, error: Service Control Manager [7000] - The lxdnCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/24/2009 8:02:13 AM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 0014A5F607C5 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    11/24/2009 10:36:38 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer E-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8ABC6D3C-5D6B-4347-A885. The master browser is stopping or an election is being forced.
    11/23/2009 12:43:23 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ADORN-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8ABC6D3C-5D6B-4347-. The master browser is stopping or an election is being forced.
    11/23/2009 12:42:18 PM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{8ABC6D3C-5D6B-4347-A885-BC3BBE7B77C2} because another computer on the network has the same name. The server could not start.
    11/22/2009 12:54:45 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.101 with the system having network hardware address 00:24:8D:07:0C:85. Network operations on this system may be disrupted as a result.

    ==== End Of File ===========================
     
    Last edited: 2009/11/28
    Ytse,
    #1
  2. 2009/11/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE. If Combofix asks you to install Recovery Console, please allow it.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     
  4. 2009/11/28
    Ytse

    Ytse Inactive Thread Starter

    Joined:
    2009/11/28
    Messages:
    7
    Likes Received:
    0
    I am not entirely sure if this is the ComboFix.txt text, but it is the log that was created when the computer finished rebooting.

    ComboFix 09-11-28.01 - David Lopez 11/28/2009 15:55.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1504 [GMT -6:00]
    Running from: c:\documents and settings\David Lopez\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\clrviddc.dll
    D:\Autorun.inf

    c:\windows\system32\DRIVERS\nvata.sys . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
    .

    2009-11-25 05:31 . 2009-11-25 05:31 -------- d-----w- c:\documents and settings\All Users\Microsoft
    2009-11-25 05:29 . 2009-11-25 05:29 -------- d-----w- c:\program files\Microsoft Analysis Services
    2009-11-25 05:29 . 2009-11-25 05:29 -------- d-----w- c:\windows\SHELLNEW
    2009-11-25 05:27 . 2009-11-25 05:27 -------- d-----r- C:\MSOCache
    2009-11-24 03:52 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2009-11-24 03:52 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
    2009-11-24 03:52 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2009-11-24 03:52 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
    2009-11-24 03:52 . 2009-11-24 03:52 -------- d-----w- C:\logs
    2009-11-24 03:51 . 2001-08-18 04:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
    2009-11-24 03:51 . 2001-08-18 04:36 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
    2009-11-18 15:22 . 2009-11-18 15:33 -------- d-----w- c:\documents and settings\David Lopez\Application Data\eMusic
    2009-11-18 15:22 . 2009-11-18 15:22 -------- d-----w- c:\documents and settings\David Lopez\Local Settings\Application Data\eMusic
    2009-11-18 05:45 . 2009-11-18 06:17 -------- d-----w- c:\documents and settings\David Lopez\Application Data\Apple Computer
    2009-11-18 05:45 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-11-18 05:45 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2009-11-18 05:44 . 2009-11-18 05:44 -------- d-----w- c:\program files\iPod
    2009-11-18 05:43 . 2009-11-18 05:45 -------- d-----w- c:\program files\iTunes
    2009-11-18 05:43 . 2009-11-18 05:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-11-18 05:43 . 2009-11-18 05:43 -------- d-----w- c:\program files\Bonjour
    2009-11-18 05:42 . 2009-11-18 05:43 -------- d-----w- c:\program files\QuickTime
    2009-11-18 05:42 . 2009-11-18 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-11-18 05:42 . 2009-11-18 05:42 -------- d-----w- c:\documents and settings\David Lopez\Local Settings\Application Data\Apple
    2009-11-18 05:42 . 2009-11-18 05:42 -------- d-----w- c:\program files\Apple Software Update
    2009-11-18 05:41 . 2009-11-18 05:45 -------- dc----w- c:\windows\system32\DRVSTORE
    2009-11-18 05:41 . 2009-08-29 01:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2009-11-18 05:41 . 2009-08-29 01:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
    2009-11-18 05:40 . 2009-11-18 05:43 -------- d-----w- c:\program files\Common Files\Apple
    2009-11-18 05:40 . 2009-11-18 05:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2009-11-18 05:37 . 2009-11-18 06:17 -------- d-----w- c:\documents and settings\David Lopez\Local Settings\Application Data\Apple Computer
    2009-11-17 14:17 . 2009-11-17 14:17 -------- d--h--w- c:\windows\PIF
    2009-11-16 06:02 . 2009-11-16 06:31 -------- d-----w- c:\documents and settings\David Lopez\Local Settings\Application Data\WMTools Downloaded Files
    2009-11-16 05:58 . 2009-11-16 05:58 -------- d-----w- c:\documents and settings\David Lopez\Application Data\DivX
    2009-11-16 05:36 . 2009-09-25 16:42 120056 ------w- c:\windows\system32\pxcpyi64.exe
    2009-11-16 05:36 . 2009-09-25 16:42 118520 ------w- c:\windows\system32\pxinsi64.exe
    2009-11-16 05:34 . 2009-11-16 05:35 -------- d-----w- c:\program files\Common Files\DivX Shared
    2009-11-16 05:33 . 2009-11-11 20:50 311296 ----a-w- c:\windows\system32\TubeFinder.exe
    2009-11-16 05:33 . 2009-06-20 00:51 119568 ----a-w- c:\windows\system32\VB6FR.DLL
    2009-11-16 05:33 . 2009-06-20 00:51 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
    2009-11-16 05:33 . 2009-06-20 00:51 9728 ----a-w- c:\windows\system32\PCCLPFR.DLL
    2009-11-16 05:33 . 2009-06-20 00:51 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
    2009-11-16 05:33 . 2009-11-16 05:33 -------- d-----w- c:\documents and settings\David Lopez\Application Data\FreeFLVConverter
    2009-11-16 05:33 . 2009-11-16 05:33 -------- d-----w- c:\program files\Free FLV Converter
    2009-11-16 05:33 . 2009-06-20 00:51 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
    2009-11-15 21:38 . 2009-11-22 19:56 -------- d-----w- c:\documents and settings\David Lopez\Application Data\skypePM
    2009-11-15 21:38 . 2009-11-15 21:38 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2009-11-15 21:34 . 2009-11-22 21:35 -------- d-----w- c:\documents and settings\David Lopez\Application Data\Skype
    2009-11-15 21:33 . 2009-11-15 21:33 -------- d-----w- c:\program files\Common Files\Skype
    2009-11-15 21:33 . 2009-11-15 21:33 -------- d-----r- c:\program files\Skype
    2009-11-15 21:33 . 2009-11-15 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2009-11-15 21:08 . 2009-11-15 21:08 -------- d-----w- c:\program files\MARS
    2009-11-15 21:08 . 2003-06-12 21:36 102400 ----a-w- c:\windows\system32\mr310ifv.dll
    2009-11-15 21:08 . 2002-06-07 23:25 28672 ----a-w- c:\windows\system32\mr310exd.dll
    2009-11-15 21:08 . 2002-06-07 23:25 49152 ----a-w- c:\windows\system32\mr310exv.dll
    2009-11-15 21:08 . 2001-05-30 06:00 352256 ----a-w- c:\windows\system32\ijl15.dll
    2009-11-15 21:08 . 2003-12-09 17:21 73728 ----a-w- c:\windows\system32\mr310ipv.dll
    2009-11-15 21:08 . 2003-04-17 22:26 116686 ----a-w- c:\windows\system32\drivers\MR97310v.sys
    2009-11-13 07:19 . 2009-11-13 07:19 -------- d-----w- c:\program files\Java
    2009-11-13 07:08 . 2009-11-13 07:19 152576 ----a-w- c:\documents and settings\David Lopez\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2009-11-11 18:43 . 2009-11-11 18:43 -------- d-----w- c:\documents and settings\David Lopez\Application Data\HP
    2009-11-11 00:36 . 2009-11-11 00:36 -------- d-----w- c:\documents and settings\David Lopez\Application Data\TaxCut
    2009-11-11 00:36 . 2009-11-11 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
    2009-11-11 00:25 . 2009-11-11 00:25 -------- d-----w- c:\documents and settings\David Lopez\Application Data\AdobeUM
    2009-11-11 00:23 . 2009-11-11 00:25 -------- d-----w- c:\program files\TaxCut08
    2009-11-08 23:11 . 2009-11-08 23:11 -------- d-----w- c:\documents and settings\David Lopez\Application Data\Malwarebytes
    2009-11-08 23:11 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-08 23:11 . 2009-11-08 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-11-08 23:11 . 2009-11-08 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-08 23:11 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-07 21:56 . 2009-04-28 20:20 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
    2009-11-07 21:56 . 2009-04-28 20:20 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
    2009-11-07 21:56 . 2009-04-28 20:20 129520 ------w- c:\windows\system32\pxafs.dll
    2009-11-07 21:56 . 2009-11-18 15:22 -------- d-----w- c:\documents and settings\David Lopez\Application Data\Winamp
    2009-11-07 19:50 . 2009-11-07 19:50 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2009-11-07 13:42 . 2009-11-07 13:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2009-11-07 13:37 . 2009-11-09 00:24 -------- d-----w- c:\documents and settings\David Lopez\Local Settings\Application Data\tguenr
    2009-11-05 02:39 . 2009-11-05 02:39 -------- d-----w- c:\documents and settings\David Lopez\Local Settings\Application Data\Yahoo
    2009-11-05 02:38 . 2009-11-05 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2009-11-05 02:38 . 2009-06-20 08:04 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
    2009-11-05 01:22 . 2009-11-05 01:22 -------- d-----w- c:\documents and settings\David Lopez\Application Data\SealedMedia
    2009-11-05 01:22 . 2009-11-05 01:22 -------- d-----w- c:\program files\Oracle
    2009-11-04 03:03 . 2009-11-04 03:03 -------- d-----w- c:\documents and settings\David Lopez\Local Settings\Application Data\Microsoft Help
    2009-11-04 03:03 . 2009-11-25 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-11-02 20:32 . 2009-11-02 20:32 -------- d-sh--w- c:\documents and settings\David Lopez\IECompatCache
    2009-11-02 19:18 . 2009-11-17 03:29 -------- d-----w- c:\documents and settings\David Lopez\Local Settings\Application Data\Temp
    2009-11-02 19:18 . 2009-11-02 19:20 -------- d-----w- c:\documents and settings\David Lopez\Local Settings\Application Data\Google
    2009-11-02 19:04 . 2009-11-28 03:52 1 ----a-w- c:\documents and settings\David Lopez\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2009-11-02 19:04 . 2009-11-02 19:04 -------- d-----w- c:\documents and settings\David Lopez\Application Data\OpenOffice.org
    2009-11-02 15:04 . 2009-11-02 15:04 -------- d-----w- c:\documents and settings\David Lopez\Application Data\Leadertech
    2009-11-02 15:02 . 2001-08-18 04:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2009-11-02 15:02 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2009-11-02 15:02 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
    2009-11-02 15:02 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2009-11-02 03:34 . 2009-11-02 03:34 7424000 ----a-r- c:\documents and settings\David Lopez\Application Data\Microsoft\Installer\{E6B87DC4-2B3D-4483-ADFF-E483BF718991}\soffice.exe
    2009-11-02 03:32 . 2009-11-02 03:32 -------- d-----w- c:\program files\JRE
    2009-11-02 03:31 . 2009-11-02 03:32 -------- d-----w- c:\program files\OpenOffice.org 3
    2009-11-02 03:31 . 2009-11-13 07:20 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-11-01 22:55 . 2009-11-01 22:55 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
    2009-11-01 22:33 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2009-11-01 22:33 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
    2009-11-01 15:07 . 2009-11-07 21:57 -------- d-----w- c:\program files\Winamp
    2009-11-01 06:12 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    2009-11-01 06:07 . 2009-11-05 03:35 -------- d-----w- c:\documents and settings\David Lopez\Local Settings\Application Data\Adobe
    2009-11-01 05:42 . 2009-11-18 01:55 -------- d-----w- c:\windows\system32\drivers\UMDF
    2009-11-01 05:42 . 2009-11-01 05:42 -------- d-----w- c:\windows\system32\LogFiles
    2009-11-01 05:27 . 2008-04-13 17:45 26368 ----a-w- c:\windows\system32\dllcache\usbstor.sys
    2009-11-01 05:27 . 2009-11-01 05:27 -------- d-----w- c:\documents and settings\David Lopez\Application Data\acccore
    2009-11-01 05:27 . 2009-11-01 05:27 -------- d-----w- c:\documents and settings\David Lopez\Local Settings\Application Data\AIM
    2009-11-01 05:27 . 2009-11-01 05:27 -------- d-----w- c:\documents and settings\David Lopez\Local Settings\Application Data\AOL
    2009-11-01 05:27 . 2009-11-01 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
    2009-11-01 05:26 . 2009-11-01 05:26 -------- d-----w- c:\program files\AIM
    2009-11-01 05:26 . 2009-11-01 05:26 -------- d-----w- c:\program files\Common Files\AOL
    2009-11-01 04:49 . 2009-11-01 04:49 0 ----a-w- c:\windows\nsreg.dat
    2009-11-01 04:49 . 2009-11-01 04:49 -------- d-----w- c:\documents and settings\David Lopez\Local Settings\Application Data\Mozilla
    2009-11-01 04:13 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2009-11-01 04:13 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
    2009-11-01 04:13 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll
    2009-11-01 04:13 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
    2009-11-01 04:13 . 2008-04-13 17:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
    2009-11-01 04:13 . 2008-04-13 17:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
    2009-11-01 04:12 . 2009-09-02 04:12 32 ----a-r- c:\documents and settings\All Users\hash.dat
    2009-11-01 04:08 . 2009-11-28 17:02 -------- d-----w- c:\documents and settings\David Lopez\Tracing
    2009-11-01 04:07 . 2009-11-01 04:07 -------- d-----w- c:\program files\Microsoft
    2009-11-01 04:06 . 2009-11-01 04:06 -------- d-----w- c:\program files\Windows Live SkyDrive
    2009-11-01 04:06 . 2009-11-01 04:07 -------- d-----w- c:\program files\Windows Live

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-25 16:45 . 2006-09-19 22:05 120912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-11-21 03:07 . 2009-11-01 02:37 -------- d-----w- c:\program files\McAfee
    2009-11-16 05:36 . 2006-09-19 22:50 -------- d-----w- c:\program files\DivX
    2009-11-15 21:14 . 2009-11-15 21:14 -------- d-----w- c:\program files\Ulead Systems
    2009-11-15 21:08 . 2006-09-19 20:58 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-11-05 02:38 . 2006-09-19 22:46 -------- d-----w- c:\program files\Yahoo!
    2009-11-02 15:25 . 2006-09-19 20:58 -------- d-----w- c:\program files\Common Files\Sonic Shared
    2009-11-02 15:23 . 2006-09-19 20:58 -------- d-----w- c:\program files\Sonic
    2009-11-01 05:44 . 2006-09-19 22:51 -------- d-----w- c:\program files\Windows Media Connect 2
    2009-11-01 03:25 . 2006-09-19 20:58 -------- d-----w- c:\program files\HPQ
    2009-11-01 03:22 . 2006-09-19 22:51 -------- d-----w- c:\program files\Quicken
    2009-11-01 03:11 . 2006-09-19 20:58 -------- d-----w- c:\program files\HP
    2009-11-01 03:01 . 2006-09-19 22:13 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-11-01 03:01 . 2006-09-19 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2009-11-01 02:39 . 2009-11-01 02:39 1659 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_HP Pavilion dv6000 (RG253UA#ABA)_YN_0Pavi_QCNF6414QVM_E432250002_46_I30B7_SQuanta_V65.2B_BF.3E_T071227_WXP2_L409_M959_J80_7AMD_8Turion 64 Technology MK-36_92.01_#060919_N14E44311_(RG253UA#ABA)_XMOBILE.MRK
    2009-11-01 02:37 . 2009-11-01 02:37 -------- d-----w- c:\program files\Common Files\McAfee
    2009-11-01 02:37 . 2009-11-01 02:37 -------- d-----w- c:\program files\McAfee.com
    2009-11-01 02:16 . 2006-09-19 20:58 -------- d-----w- c:\program files\Windows Plus
    2009-11-01 02:14 . 2006-06-29 18:43 92307 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-11-01 02:13 . 2006-09-19 22:34 -------- d-----w- c:\program files\Synaptics
    2009-11-01 02:12 . 2006-09-19 22:51 -------- d-----w- c:\program files\Quickensetup
    2009-11-01 02:12 . 2006-09-19 22:29 -------- d-----w- c:\program files\RGB
    2009-11-01 02:11 . 2006-09-19 22:49 -------- d-----w- c:\program files\NetWaiting
    2009-11-01 02:11 . 2006-09-19 22:47 -------- d-----w- c:\program files\Netscape
    2009-11-01 02:10 . 2006-09-19 22:50 -------- d-----w- c:\program files\Microsoft Office Trial Wizard
    2009-11-01 02:09 . 2006-09-19 20:58 -------- d-----w- c:\program files\microsoft frontpage
    2009-11-01 02:09 . 2006-09-19 23:02 -------- d-----w- c:\program files\HP Rhapsody
    2009-11-01 02:08 . 2006-09-19 20:58 -------- d-----w- c:\program files\Hewlett-Packard
    2009-11-01 02:08 . 2006-09-19 22:11 -------- d-----w- c:\program files\CONEXANT
    2009-11-01 02:07 . 2006-09-19 23:04 -------- d-----w- c:\program files\Common Files\LightScribe
    2009-11-01 02:07 . 2006-09-19 20:58 -------- d-----w- c:\program files\Common Files\Java
    2009-11-01 02:07 . 2006-09-19 20:58 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-11-01 02:07 . 2006-09-19 22:37 -------- d-----w- c:\program files\Common Files\Adobe
    2009-11-01 02:07 . 2006-09-19 20:58 -------- d-----w- c:\program files\Common Files\HP
    2009-11-01 02:00 . 2006-09-19 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
    2009-11-01 02:00 . 2006-09-19 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SBSI
    2009-11-01 02:00 . 2006-09-19 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
    2009-11-01 02:00 . 2006-09-19 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2009-11-01 02:00 . 2006-09-19 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
    2009-11-01 02:00 . 2006-09-19 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
    2009-11-01 02:00 . 2009-11-01 02:37 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
    2009-11-01 02:00 . 2009-11-01 02:38 -------- d-----w- c:\documents and settings\David Lopez\Application Data\Intuit
    2009-11-01 02:00 . 2009-11-01 02:37 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intuit
    2009-11-01 02:00 . 2006-09-19 22:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intuit
    2009-10-29 02:58 . 2009-10-29 02:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-09-26 09:32 . 2009-09-26 09:32 1205080 ----a-w- c:\windows\system32\FM20.DLL
    2009-09-26 09:32 . 2009-09-26 09:32 31600 ----a-w- c:\windows\system32\FM20ENU.DLL
    2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll
    2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
    2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
    2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
    2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
    2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
    2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
    2009-09-25 05:37 . 2009-09-25 05:37 81920 ------w- c:\windows\system32\ieencode.dll
    2009-09-16 16:22 . 2009-11-01 02:37 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
    2009-09-16 16:22 . 2009-11-01 02:37 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2009-09-16 16:22 . 2009-09-16 16:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2009-09-11 14:18 . 2006-03-16 04:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-04 21:03 . 2006-03-16 04:00 58880 ----a-w- c:\windows\system32\msasn1.dll
    2007-03-24 14:12 . 2009-11-01 02:30 22 --sha-w- c:\windows\SMINST\HPCD.SYS
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
    2009-11-04 03:12 556432 ----a-w- c:\progra~1\MICROS~3\Office14\URLREDIR.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update "= "c:\documents and settings\David Lopez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-02 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2006-08-18 86016]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]
    "QPService "= "c:\program files\HP\QuickPlay\QPService.exe" [2006-07-12 102400]
    "HP Software Update "= "c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "QlbCtrl "= "c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
    "Cpqset "= "c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 40960]
    "RecGuard "= "c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
    "mcagent_exe "= "c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "McENUI "= "c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
    "sealmon.exe "= "c:\program files\Oracle\Information Rights Management\Desktop\sealmon.exe" [2009-03-13 370952]
    "Malwarebytes Anti-Malware (reboot) "= "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-11-13 149280]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
    "nwiz "= "nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-18 1617920]
    "MsmqIntCert "= "mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]
    "High Definition Audio Property Page Shortcut "= "CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\WINDOWS\\system32\\mqsvc.exe "=
    "c:\\Program Files\\HP Rhapsody\\rhapsody.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\AIM\\aim.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe "=
    "c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE "=

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/31/2009 8:39 PM 203280]
    S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 2:39 PM 61952]
    S3 MR97310_VGA_DUAL_CAMERA;DC2130;c:\windows\system32\drivers\MR97310v.sys [11/15/2009 3:08 PM 116686]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9/26/2009 4:28 AM 4639136]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-187164049-1506346959-837222081-1005Core.job
    - c:\documents and settings\David Lopez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-02 19:18]

    2009-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-187164049-1506346959-837222081-1005UA.job
    - c:\documents and settings\David Lopez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-02 19:18]

    2009-11-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-01 18:22]

    2009-11-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-01 18:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-NVIDIA Drivers - c:\windows\system32\nvunrm.exe UninstallGUI



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-28 16:07
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ????w??????Y?@?????<?@

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89C1750C]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf74ebf28
    \Driver\ACPI -> ACPI.sys @ 0xf735ecb8
    \Driver\atapi -> atapi.sys @ 0xf72d2852
    IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
    \Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
    NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf71b2bb0
    PacketIndicateHandler -> NDIS.sys @ 0xf71bfa21
    SendHandler -> NDIS.sys @ 0xf719d87b
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(668)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(732)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2009-11-28 16:11
    ComboFix-quarantined-files.txt 2009-11-28 22:11

    Pre-Run: 29,075,439,616 bytes free
    Post-Run: 29,095,550,976 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Windows XP Media Center Edition" /noexecute=optin /fastdetect

    - - End Of File - - CCD86F10A0744A0599649584FF1A160D
     
    Ytse,
    #3
  5. 2009/11/28
    Ytse

    Ytse Inactive Thread Starter

    Joined:
    2009/11/28
    Messages:
    7
    Likes Received:
    0
    Hijack This log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:29:31 PM, on 11/28/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.127.227 winwarepro.microsoft.com
    O1 - Hosts: 91.212.127.227 winwarepro.com
    O1 - Hosts: 91.212.127.227 www.winwarepro.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKLM\..\Run: [sealmon.exe] C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\David Lopez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1257039762895
    O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
    O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 10583 bytes
     
    Ytse,
    #4
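As an added example (not code from this thread, from HijackThis or from the forum helper), a Python check that reads "O1 - Hosts:" lines like the ones in the log above and flags names pinned to a routable address; the sample lines and the TRUSTED_SUFFIXES watch list are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the O1 lines in the HijackThis log above; the non-O1 line
# is there to show that other sections are ignored.
SAMPLE_HJT_LINES = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 91.212.127.227 winwarepro.microsoft.com
O1 - Hosts: 91.212.127.227 winwarepro.com
O1 - Hosts: 91.212.127.227 www.winwarepro.com
"""

# Hypothetical watch list: domains whose names should never be pinned to a routable address
# by the local hosts file. Extend it for whatever your environment relies on.
TRUSTED_SUFFIXES = ("microsoft.com", "google.com")

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def parse_o1_lines(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from HijackThis 'O1 - Hosts:' entries."""
    pairs = []
    for line in text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def is_benign_hosts_entry(address: str, hostname: str) -> bool:
    """A clean hosts file maps names to loopback (localhost) or to 0.0.0.0 (ad-block style
    sinkholes). Anything routable, or unparsable, deserves a look."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def suspicious_hosts_entries(text: str) -> Dict[str, List[str]]:
    """Group hostnames pinned to a routable address by that address, so that several
    names all pointing at one server (as in the log above) show up as a single finding."""
    findings: Dict[str, List[str]] = {}
    for address, host in parse_o1_lines(text):
        if not is_benign_hosts_entry(address, host):
            findings.setdefault(address, []).append(host)
    return {address: sorted(hosts) for address, hosts in findings.items()}


def hijacked_trusted_names(text: str) -> List[str]:
    """Names under a watched domain that a routable hosts entry would override DNS for."""
    hits = []
    for address, host in parse_o1_lines(text):
        if is_benign_hosts_entry(address, host):
            continue
        lowered = host.lower()
        if any(lowered == s or lowered.endswith("." + s) for s in TRUSTED_SUFFIXES):
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    for address, hosts in suspicious_hosts_entries(SAMPLE_HJT_LINES).items():
        print(f"{address}: {', '.join(hosts)}")
    print("trusted names overridden:", hijacked_trusted_names(SAMPLE_HJT_LINES))
```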
  6. 2009/11/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    KillAll::
    
    File::
    c:\windows\system32\DRIVERS\nvata.sys
    c:\windows\system32\ezsidmv.dat
    
    
    Folder::
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    MIA::
    c:\windows\system32\DRIVERS\nvata.sys
    
    mbr::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [image]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  7. 2009/11/29
    Ytse

    Ytse Inactive Thread Starter

    Joined:
    2009/11/28
    Messages:
    7
    Likes Received:
    0
    After moving the CFScript file into ComboFix, ComboFix started and ran like the first time. It rebooted and went through the stages, though after it finished, it rebooted again.
    This time, it gave me the option of running Windows Recovery Console or Windows XP.

    Under the first option, I was taken to a Command Line-type screen, where it asked me to look for a Windows Installation (in C:\Windows, D:\MiniNT or F:\Windows).

    Under the second option, I have the choice of using three different Safe Modes (stand alone, networking or command prompt), or using the last known working Windows XP Mode. Any of these choices brings up a blue screen with text, then the machine reboots all over again. The screen flashes too quickly for me to make out the words.
     
    Ytse,
    #6
  8. 2009/11/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    If you have Windows CD...(if you don't have Windows CD, scroll down)

    1. Insert your Windows XP CD into your CD drive and ensure that your CD-ROM drive is capable of booting the CD.
    2. Once you have booted from CD, do NOT select the option that states: Press F2 to initiate the Automated System Recovery (ASR) tool.
    You’re going to proceed until you see the following screen, at which point you will press the “R” key to enter the recovery console:

    [image]

    3. After you have selected the appropriate option from step two, you will be prompted to select a valid Windows installation (typically number 1).
    Select the installation number, and hit Enter.
    If there is an administrator password for the administrator account, enter it and hit Enter (if asked for the password, and you don't know it, you're out of luck).
    You will be greeted with this screen, which indicates a recovery console at the ready:

    [image]

    4. There are eight commands you must enter in sequence to repair your problem.
    NOTE: Make sure you press Enter after each command. Make sure all commands are exact, including "spaces".
    These commands are as follows:

    CD..
    ATTRIB -H C:\boot.ini
    ATTRIB -S C:\boot.ini
    ATTRIB -R C:\boot.ini
    del boot.ini
    BOOTCFG /Rebuild


    Note about the above command.
    The BOOTCFG /REBUILD command searches for pre-existing installations of Windows XP and rebuilds sundry essential components of the Windows operating system, recompiles the BOOT.INI file and corrects a litany of common Windows errors.
    It is very important that you do one or both of the following two things:
    A.) Every Windows XP owner must use /FASTDETECT as OS Load Option when the rebuild process is finalizing.
    B.) If you are the owner of a CPU featuring Intel’s XD or AMD’s NX buffer overflow protection, you must also use /NOEXECUTE=OPTIN as an OS Load Option.
    For the Enter Load Identifier portion of this command, you should enter the name of the operating system you have installed.
    If, for example, you are using Windows XP Home, you could type Microsoft Windows XP Home Edition for the identifier (it's not crucial, however, what the name is, as long as it's meaningful).
    Here is your computer screen:

    [image]

    5. The following command verifies the integrity of the hard drive containing the Windows XP installation. While this step is not an essential function in our process, it's still good to be sure that the drive is physically capable of running Windows, in that it contains no bad sectors or other corruption that might be the culprit:

    CHKDSK /R

    6. This last command writes a new boot sector to the hard drive and cleans up all the loose ends we created by rebuilding the BOOT.INI file and the system files. When the Windows Recovery Console asks you "Sure you want to write a new bootsector to the partition C: ?", just hit "Y", then Enter to confirm your decision:

    FIXBOOT

    7. It’s time to reboot your PC by typing
    EXIT
    and pressing Enter.

    With any luck, your PC will boot successfully into Windows XP as if your various DLL, Hive, EXE and NTLDR errors never existed.



    If you don't have Windows CD...
    Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
    Download, and install free Imgburn: http://www.imgburn.com/index.php?act=download
    Using Imgburn, burn rc.iso to a CD.
    Boot to the CD...let it finish loading.
    When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    Then, follow instructions from Step #3 above.
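An added example, not from this thread or from the BOOTCFG tool: a Python check of a rebuilt boot.ini that applies the notes in step 4 (the default entry must be listed, every Windows entry needs /FASTDETECT, and a missing /NOEXECUTE option is reported). Both sample files are constructed, the first modelled on the boot.ini in the ComboFix log earlier in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the boot.ini shown in the ComboFix log earlier in this thread.
GOOD_BOOT_INI = """\
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
c:\\cmdcons\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
"""

# Constructed: a rebuild where the load options were skipped and the default still
# points at a partition that is no longer listed.
BAD_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="1"
"""

ARC_PATH_RE = re.compile(r"^(multi|scsi|signature)\(", re.IGNORECASE)
ENTRY_RE = re.compile(r'^"([^"]*)"\s*(.*)$')


def parse_boot_ini(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str, List[str]]]]:
    """Return ({loader key: value}, [(path, identifier, [options])]).
    Non-ARC entries such as the Recovery Console's BOOTSECT.DAT keep their raw path."""
    loader: Dict[str, str] = {}
    entries: List[Tuple[str, str, List[str]]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "boot loader":
            loader[key.lower()] = value
        elif section == "operating systems":
            m = ENTRY_RE.match(value)
            ident, opts = (m.group(1), m.group(2)) if m else (value, "")
            entries.append((key, ident, opts.split()))
    return loader, entries


def check_boot_ini(text: str) -> List[str]:
    """Checks from the rebuild notes: default resolves to a listed entry, every Windows
    (ARC-path) entry carries /fastdetect, and a missing /noexecute option is reported."""
    loader, entries = parse_boot_ini(text)
    problems: List[str] = []
    default = loader.get("default", "")
    listed = {path.lower() for path, _, _ in entries}
    if not default:
        problems.append("boot loader: no default= line")
    elif default.lower() not in listed:
        problems.append(f"default points at unlisted entry: {default}")
    for path, ident, opts in entries:
        if not ARC_PATH_RE.match(path):
            continue  # Recovery Console entry, not a Windows installation
        lowered = [o.lower() for o in opts]
        if not ident.strip():
            problems.append(f"{path}: empty load identifier")
        if "/fastdetect" not in lowered:
            problems.append(f"{path}: missing /fastdetect")
        if not any(o.startswith("/noexecute=") for o in lowered):
            problems.append(f"{path}: no /noexecute option (needed on XD/NX-capable CPUs)")
    return problems


if __name__ == "__main__":
    for name, sample in (("good", GOOD_BOOT_INI), ("bad", BAD_BOOT_INI)):
        print(name, check_boot_ini(sample) or "OK")
```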
     
  9. 2009/11/29
    Ytse

    Ytse Inactive Thread Starter

    Joined:
    2009/11/28
    Messages:
    7
    Likes Received:
    0
    I'm sorry, but I'm stuck on step 4. It shows 3 installations of Windows:
    C:\Windows
    D:\MiniNT
    F:\Windows

    Do I use "Windows XP Media Center Edition 2005" as each Identifier? Same with the "/fastload" OS Load Option?


    Also, the "DEL BOOT.INI" Command returned: No matching files were found.
    Is that normal?

    Thank you.
     
    Ytse,
    #8
  10. 2009/11/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You want to select C:\Windows

    That's most likely part of your problem (missing file), so simply go to next step.
     
  11. 2009/11/29
    Ytse

    Ytse Inactive Thread Starter

    Joined:
    2009/11/28
    Messages:
    7
    Likes Received:
    0
    Okay, I skipped that step.

    At Step 4, it shows 3 installations of Windows.
    I have tried naming them all the same title, just 1, 2, and 3; and using the same OS Load Option.
    I have tried skipping D:\miniNT and F:\Windows.
    Though whatever I do, the computer will not boot correctly after the last step. It does the same as it did before the recovery CDs: the screen with the different Safe Modes and "Last Known Good Configuration."

    Is it time to start considering formatting my hard drive?
     
  12. 2009/11/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I suggest you start a new topic under the Windows section.
    The Malware forum has very restricted access, so under Windows you'll get more attention.
    Once bootable again, you may come back here :)
     
  13. 2009/11/29
    Ytse

    Ytse Inactive Thread Starter

    Joined:
    2009/11/28
    Messages:
    7
    Likes Received:
    0
    Will do Broni. Thanks so much for your help. =J
     
  14. 2009/11/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Sure thing :)
     
