hi cypher:
I'm sorry i wasnt following your directions exactly but it seems as though when i chose to save combofix it didnt
allow me to choose a location to save it to...anyways i hope i got it right this time... i have a cfscript which i will post below
as for the malwarebyte i tried at least three times to run a full scan and the pc just powered off in the middle each time...
i was able to run a quick scan but no full scan...sorry
ComboFix 11-04-29.04 - ABC STUDENT 04/30/2011 15:05:41.8.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1149 [GMT -5:00]
Running from: c:\documents and settings\ABC STUDENT\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ABC STUDENT\Desktop\cfscript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\documents and settings\NetworkService\Local Settings\Application Data\sqd.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\i386\volsnap.sys --> c:\windows\system32\drivers\volsnap.sys
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-30 )))))))))))))))))))))))))))))))
.
.
2011-04-30 01:21 . 2011-04-30 01:21 -------- d-----w- c:\windows\system32\LogFiles
2011-04-29 15:51 . 2011-04-29 15:51 76800 --sha-r- c:\windows\system32\dmdskres2.dll
2011-04-26 23:51 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-26 07:13 . 2011-04-26 07:13 -------- dc----w- c:\program files\QuickTime
2011-04-25 22:29 . 2011-04-25 22:30 13160 ----a-w- c:\windows\system32\Upgrd.exe
2011-04-25 02:51 . 2011-04-25 02:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-04-23 19:03 . 2011-04-23 19:03 -------- d-sh--w- c:\documents and settings\ABC STUDENT\IECompatCache
2011-04-23 05:48 . 2010-10-14 03:28 24376 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
2011-04-23 05:48 . 2010-10-14 03:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-23 05:48 . 2010-10-14 03:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-23 05:48 . 2010-10-14 03:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-23 05:48 . 2010-10-14 03:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-23 05:48 . 2010-10-14 03:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-23 05:48 . 2010-10-14 03:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-23 05:48 . 2010-10-14 03:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-23 05:48 . 2010-10-14 03:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-23 05:48 . 2011-04-23 05:49 -------- d-----w- c:\program files\Common Files\Mcafee
2011-04-23 05:47 . 2011-04-30 00:59 -------- dc----w- c:\program files\McAfee
2011-04-23 00:15 . 2010-10-14 03:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-23 00:15 . 2011-04-24 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-04-20 23:50 . 2011-04-20 23:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-20 23:40 . 2011-04-25 22:48 0 -c--a-w- c:\windows\Fpemita.bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-30 18:56 . 2008-10-08 15:40 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-04-30 18:56 . 2008-01-30 21:07 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-04-25 22:29 . 2006-03-01 21:37 58288 ------w- c:\windows\system32\rpcnet.exe
2011-04-25 22:11 . 2008-10-08 15:41 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-03-07 05:33 . 2004-08-10 19:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-10 18:51 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 18:51 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-10 18:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-10 18:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-10 18:51 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-10 18:51 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 18:51 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-15 22:10 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 20:33 . 2010-03-17 20:54 34816 ----a-w- c:\windows\system32\identprv.dll
2011-02-15 12:56 . 2004-08-10 18:50 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2004-08-10 19:01 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53 . 2004-08-10 18:51 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-10 18:51 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-10 18:51 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 18:51 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2004-08-10 19:01 2067456 ----a-w- c:\windows\system32\mstscax.dll
2009-03-27 21:46 . 2009-03-27 21:55 2869536 -c--a-w- c:\program files\spywareblastersetup41.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\opera\program\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\opera\program\plugins\ssldivx.dll
2010-10-14 03:28 . 2011-04-23 05:48 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-26_23.41.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-30 18:56 . 2011-04-30 18:56 16384 c:\windows\Temp\Perflib_Perfdata_268.dat
- 2009-03-08 02:46 . 2009-12-03 22:14 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2009-03-08 02:46 . 2010-12-20 23:09 38224 c:\windows\system32\drivers\mbamswissarmy.sys
- 2004-08-10 18:51 . 2008-04-13 18:41 52352 c:\windows\system32\dllcache\volsnap.sys
+ 2004-08-10 18:51 . 2004-08-04 11:00 52352 c:\windows\system32\dllcache\volsnap.sys
- 2008-01-30 20:28 . 2011-04-26 04:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-30 20:28 . 2011-04-30 18:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-30 20:28 . 2011-04-30 18:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-30 20:28 . 2011-04-26 04:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-04-30 17:52 . 2011-04-30 18:05 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-24 303104]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\ABC STUDENT\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-14 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rpcnet]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon
.
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [1/14/2008 3:53 PM 3456]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/23/2011 12:48 AM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2011 12:48 AM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2011 12:48 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2011 12:48 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [4/23/2011 12:48 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/22/2011 7:15 PM 141792]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [9/3/2009 3:44 PM 444224]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/23/2011 12:48 AM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/23/2011 12:48 AM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/23/2011 12:48 AM 88544]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/23/2011 12:48 AM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/23/2011 12:48 AM 84264]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [11/12/2009 9:11 PM 14424]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
itlsvc REG_MULTI_SZ itlperf
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
.
------- Supplementary Scan -------
.
uStart Page =
hxxp://home.jzip.comFF - ProfilePath - c:\documents and settings\ABC STUDENT\Application Data\Mozilla\Firefox\Profiles\uq02s0i7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage -
hxxp://www.yahoo.com/FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter:
jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Move Media Player:
moveplayer@movenetworks.com - c:\documents and settings\ABC STUDENT\Application Data\Move Networks
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2011-04-30 15:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer,
http://www.gmer.netWindows 5.1.2600 Disk: Hitachi_HTS541660J9SA00 rev.SBBOC7KP -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5EE33B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1308)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(1368)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1740)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-04-30 15:18:56
ComboFix-quarantined-files.txt 2011-04-30 20:18
ComboFix2.txt 2011-04-30 17:08
ComboFix3.txt 2011-04-26 23:45
ComboFix4.txt 2011-04-26 01:34
.
Pre-Run: 25,917,190,144 bytes free
Post-Run: 25,948,459,008 bytes free
.
- - End Of File - - 4177852D255867EF4B4E82642AE248F4
thx a bunch, b2thej1