ASDFGHJKL:
Members
Posts: 10
Reputation: 0 Neutral
The computer is opening new tabs in Firefox and trying to direct them somewhere. It's also disconnecting the internet.
DDS (Ver_10-10-21.02) - NTFSx86 Run by george p at 14:37:57.46 on Sat 10/30/2010
-
A friend had accounts hacked, as well as the internet being disconnected frequently. Malwarebytes didn't catch anything. Here are the log files.
DDS (Ver_10-10-21.02) - NTFSx86 Run by AMD at 13:50:42.65 on Sun 10/24/2010
-
So far, so good. The main problems were the Google redirects, crashing Firefox, and popup spam when Firefox did open. So far, none of that. Also, the computer seems to be running a bit quicker. Thank you for your help! This was one I haven't run into before.
-
Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4336
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:33:30 PM, on 7/21/2010
-
The TFC download link gives a 403 Forbidden error when I go to it.
-
C:\Documents and Settings\george p\Desktop\HelpAsst_mebroot_fix.exe Wed 07/21/2010 at 15:12:09.57
-
Defogger was run previously before posting; I ran it again per your instructions. Here's the log for that.

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 14:45 on 21/07/2010 (george p)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size  Device Name  MBR Status
--------------------------------------------
74 GB  \\.\PhysicalDrive0  MBR Code Faked!
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Done!  Press ENTER to exit...
-
ComboFix 10-07-19.05 - george p 07/21/2010 13:36:04.2.1 - x86
Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-07-21 13:43 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x85D8B78A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7602fc3
\Driver\ACPI -> ACPI.sys @ 0xf7495cb8
\Driver\atapi -> ntkrnlpa.exe @ 0x8057b351
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578086
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578086
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce8
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> 0x85df1b60
PacketIndicateHandler -> NDIS.sys @ 0xf7340b21
SendHandler -> NDIS.sys @ 0xf731e87b
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
**************************************************************************
.
Completion time: 2010-07-21 13:45:10
ComboFix-quarantined-files.txt 2010-07-21 18:45
Pre-Run: 66,508,562,432 bytes free
Post-Run: 66,514,288,640 bytes free
- - End Of File - - 45FC802ABF03A2213923E52A4A00886D

13:25:47:109 1484 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
13:25:47:109 1484 ================================================================================
13:25:47:109 1484 SystemInfo:
13:25:47:109 1484 OS Version: 5.1.2600 ServicePack: 2.0
13:25:47:109 1484 Product type: Workstation
13:25:47:109 1484 ComputerName: GEORGE
13:25:47:109 1484 UserName: george p
13:25:47:109 1484 Windows directory: C:\WINDOWS
13:25:47:109 1484 System windows directory: C:\WINDOWS
13:25:47:109 1484 Processor architecture: Intel x86
13:25:47:109 1484 Number of processors: 1
13:25:47:109 1484 Page size: 0x1000
13:25:47:109 1484 Boot type: Normal boot
13:25:47:109 1484 ================================================================================
13:25:47:484 1484 Initialize success
13:25:47:484 1484
13:25:47:484 1484 Scanning Services ...
13:25:47:968 1484 Raw services enum returned 312 services
13:25:47:984 1484
13:25:47:984 1484 Scanning Drivers ...
13:25:57:515 1484
13:25:57:515 1484 Completed
13:25:57:515 1484
13:25:57:515 1484 Results:
13:25:57:515 1484 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:25:57:515 1484 File objects infected / cured / cured on reboot: 0 / 0 / 0
13:25:57:515 1484
13:25:57:531 1484 KLMD(ARK) unloaded successfully
-
I'm trying to get a virus infection out of my dad's computer, and this one just won't get out. I'm almost certain this is a rootkit/MBR virus as nothing seems to be detecting it. Attached are MBAM log and the Attach.txt/ARK.txt logs. DDS (Ver_10-03-17.01) - NTFSx86 Run by george p at 13:16:21.85 on Tue 07/20/2010 Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.456 [GMT -5:00] AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\vVX1000.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\Program Files\Skype\Phone\Skype.exe svchost.exe C:\Program Files\Messenger\msmsgs.exe C:\Documents and Settings\george p\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Microsoft LifeCam\MSCamS32.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\tbh\monitor\bin\tbhMonitor.exe c:\Program Files\tbh\base\bin\tbhDaemon.exe C:\WINDOWS\system32\sessmgr.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Program Files\Windows Live\Contacts\wlcomm.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\RDSHOST.exe C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Documents 
and Settings\george p\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\george p\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\george p\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\WINDOWS\system32\wscntfy.exe C:\Documents and Settings\george p\Desktop\dds.scr ============== Pseudo HJT Report =============== mStart Page = hxxp://www.google.com uInternet Settings,ProxyOverride = <local> uSearchAssistant = hxxp://www.google.com BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll TB: Yahoo! 
Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll EB: Search panel: {dbbd06c3-dc6f-e008-0295-9ca5121418f6} - c:\windows\system32\arfxdxdwletftdpk.dll uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized uRun: [Google Update] "c:\documents and settings\george p\local settings\application data\google\update\GoogleUpdate.exe" /c uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe" mRun: [VX1000] c:\windows\vVX1000.exe mRun: [igfxtray] c:\windows\system32\igfxtray.exe mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe mRun: [igfxpers] c:\windows\system32\igfxpers.exe mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - 
hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: igfxcui - igfxdev.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll Hosts: 127.0.0.1 www.spywareinfo.com ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\oqcgxdhy.default\ FF - plugin: c:\documents and settings\george p\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program 
files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\mozilla 
firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", 
true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-6-29 11608] R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664] R2 AntiVirScheduler;Avira AntiVir Personal Attach.zip mbam_log_2010_07_20__13_13_22_.txt