heks
Honorary Members
Posts: 25
Reputation: 0 Neutral
  1. Ok, thanks again for your help. Maybe at some future point you'll be available to help me double-check the health of my main system. Take care, heks
  2. Hi Elise, So my system seems to be working fine at this point. I really appreciate all your help. Also, your timing couldn't have been better. Just before you responded to this thread I had decided that if I didn't hear from someone within an hour or two I was just going to bite the bullet and reformat. I'm really glad I didn't have to go that route. In addition to Avira Antivirus, would you recommend using an online virus scanner? If so, which one? I'm not sure that just using a local one is sufficient since the virus I had before would never seem to allow Avira to finish a scan. Take care, heks
  3. Hi Elise, All the work we've done so far has been for my XP system. Should I remove and update Java on my Windows 7 64 bit system as well? And if so, would I use jre-7u1-windows-x64.exe from this page: http://www.oracle.com/technetwork/java/javase/downloads/jre-7u1-download-513652.html Thanks, heks
  4. In terms of firewalls, I am running through a router and also have the Windows Firewall activated. Is that sufficient? heks
  5. Hi Elise, Should I delete the files quarantined by ESET Scanner? heks
  6. Hi Elise, Ok, here's the resulting log. Just a note, I'm not particularly concerned about the first two entries in the infected files list (core10.exe and keygen.exe), which were used to test a php programming editor. I don't think they're actual viruses. I also don't think the one associated with "windows 7 all edition" is an actual virus/malware either. I downloaded it as a backup for my legit copy of my Windows 7 Pro 64-bit CD after I got my new system with that OS. I don't want to get rid of this because the reason I got it in the first place was because I lost my original legit Win XP Pro CD and then had to go out and spend the $200 to buy it again. So I now have legit copies of both OS's as well as downloaded versions of both that I can use my legit CD keys with if necessary. So like I said, I don't want to delete these. I currently still have MBAM open showing the list of infections (I'm mainly worried about items 3, 4 and 5 in the list) because I didn't want to proceed with removal until you have a chance to look at the log. 
So, without further ado, here you go:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8149
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
11/12/2011 7:52:11 PM
mbam-log-2011-11-12 (19-52-01).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 346695
Time elapsed: 42 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\all users\documents\programming stuff\cr-fse10\CORE10k.EXE (Dont.Steal.Our.Software) -> No action taken.
c:\documents and settings\all users\documents\programming stuff\cr-fse10\keygen.exe (RiskWare.Tool.HCK) -> No action taken.
c:\system volume information\_restore{7f69a12d-5c02-4622-9a8f-5793d6bfcc46}\RP0\A0001005.exe (Exploit.Drop.Gen) -> No action taken.
c:\system volume information\_restore{7f69a12d-5c02-4622-9a8f-5793d6bfcc46}\RP0\A0001006.exe (Backdoor.Bot) -> No action taken.
c:\WINDOWS\system32\mfc40u4.dll (Trojan.Crypt) -> No action taken.
d:\Torrent\download final\windows 7 all edition\chew-wga 0.9\CW.eXe (Hacktool.ChewWGA) -> No action taken.
Thanks, heks
  7. Hi Elise, In terms of uninstalling all the older versions of Java, do you just mean from the Add/Remove Programs panel? Cause the only thing I see in there is "Java 6 Update 23". Is there somewhere else I should be looking? heks
  8. No visible ones that I can tell. Well, actually, I do have some files in my AVIRA quarantine that I'm wondering what they are and if and how I should safely get rid of them. This is the list:
Contains regonition pattern of the JS/Agent.HG.2 Java script virus -- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\U9GOQMRZ\main[1].htm
Is the TR/PSW.Zbot.3266 Trojan -- C:\Documents and Settings\Ryan\Application Data\pikoh\syce.exe
Is the TR/Crypt.XPACK.Gen5 Trojan -- C:\Documents and Settings\Ryan\Local Settings\Application Data\advapiSupport\appMouseSched.dll
Is the TR/Crypt.XPACK.Gen5 Trojan -- C:\Documents and Settings\Ryan\Local Settings\Application Data\advapiSupport\appMouseSched.dll (so this one seems to be here twice)
Is the TR/Crypt.XPACK.Gen Trojan -- C:\Windows\system32\mfc40u4.dll
Is the TR/Dropper.Gen Trojan -- C:\Windows\Temp\hki266.exe
Is the TR/PSW.Fareit.A.49 Trojan -- C:\Windows\Temp\14c33f.exe
Is the TR/Kazy.dznsa Trojan -- D:\temp\RECOVER\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2WKW2LFZ\windows-update-sp2-kb77666-setup[1].exe
Is the TR/Dropper.Gen Trojan -- C:\Windows\Temp\hki254.exe
These are all files already in quarantine from previous scans in August and September. I haven't been able to do a complete system scan in a while and haven't done one since you started helping me with this stuff. Here's the new ComboFix log:
ComboFix 11-11-10.02 - Ryan 11/11/2011 12:21:33.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1539 [GMT -5:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))
.
.
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\documents and settings\Ryan\Application Data\Malwarebytes
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-07 05:52 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-02-23 12:16 . 2009-07-20 22:18 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 12:16 . 2009-07-20 22:18 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-10_16.42.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-11 17:09 . 2011-11-11 17:09 16384 c:\windows\Temp\Perflib_Perfdata_748.dat
+ 2008-04-14 12:00 . 2011-11-11 08:17 83380 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2011-11-06 15:57 83380 c:\windows\system32\perfc009.dat
+ 2007-04-09 16:32 . 2007-04-09 16:32 19968 c:\windows\system32\CTXFIHLP.exe
+ 2008-04-14 12:00 . 2011-11-11 08:17 471508 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2011-11-06 15:57 471508 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"Adobe_ID0ENQBO"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2008-08-15 378224]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\G:\0autocheck autochk *
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.LITTLEBONES^Start Menu^Programs^Startup^dunoi.exe]
path=c:\documents and settings\Administrator.LITTLEBONES\Start Menu\Programs\Startup\dunoi.exe
backup=c:\windows\pss\dunoi.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\phpDesigner 2008\\phpDesigner2008.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49156:TCP"= 49156:TCP:Vuze Port TCP
"49156:UDP"= 49156:UDP:Vuze Port UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/20/2009 11:58 AM 642560]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 10:49 AM 77312]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/2/2011 12:53 PM 136360]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [7/25/2009 7:00 PM 47360]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 216.254.141.2 209.90.160.222
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\qjohnile.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Answers: {C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51} - %profile%\extensions\{C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: UnPlug: unplug@compunach - %profile%\extensions\unplug@compunach
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-appMouseSched - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-11 12:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,7c,0e,17,db,a3,03,48,a7,2d,f4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,7c,0e,17,db,a3,03,48,a7,2d,f4,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-11-11 12:28:37
ComboFix-quarantined-files.txt 2011-11-11 17:28
ComboFix2.txt 2011-11-11 08:20
ComboFix3.txt 2011-11-10 16:44
.
Pre-Run: 436,172,918,784 bytes free
Post-Run: 436,156,936,192 bytes free
.
- - End Of File - - CA871B46FBF91F1D384EB0812B2E454E
Any idea what's up with those proxy settings, or what that IP address is? Thanks, heks
  9. Hi Elise, Just an additional note... I opened up Firefox and looked in Tools > Options > Advanced > Network. I see that it is set to "Use system proxy settings". I'm not sure what the system proxy settings are, but I notice greyed out settings under the Manual proxy option that uses 151.100.59.11 Port: 3128 for all the proxy types, then for "No Proxy for:" it has "localhost, 127.0.0.1". I have no idea what these IP addresses are. Also, for the second time in a row starting up Firefox it has told me it's not my default browser and asked if I want to set it to default, even though I selected yes for that option last time. Don't know if that's a symptom of anything. It seems like it might just be a fluke because I just tried it a 3rd time to be sure and it didn't ask this time. Take care, heks
  10. To be honest, I don't recall. It doesn't seem like I should need a proxy to be set up, but hard to say. Here's the new ComboFix.txt content:
ComboFix 11-11-10.02 - Ryan 11/11/2011 3:01.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1508 [GMT -5:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))
.
.
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\documents and settings\Ryan\Application Data\Malwarebytes
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-07 05:52 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-02-23 12:16 . 2009-07-20 22:18 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 12:16 . 2009-07-20 22:18 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
.
<pre>
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
</pre>
.
((((((((((((((((((((((((((((( SnapShot@2011-11-10_16.42.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-11 08:06 . 2011-11-11 08:06 16384 c:\windows\Temp\Perflib_Perfdata_758.dat
+ 2008-04-14 12:00 . 2011-11-11 08:17 83380 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2011-11-06 15:57 83380 c:\windows\system32\perfc009.dat
+ 2007-04-09 16:32 . 2007-04-09 16:32 19968 c:\windows\system32\CTXFIHLP.exe
+ 2008-04-14 12:00 . 2011-11-11 08:17 471508 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2011-11-06 15:57 471508 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"appMouseSched"="" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"Adobe_ID0ENQBO"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2008-08-15 378224]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\G:\0autocheck autochk *
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.LITTLEBONES^Start Menu^Programs^Startup^dunoi.exe]
path=c:\documents and settings\Administrator.LITTLEBONES\Start Menu\Programs\Startup\dunoi.exe
backup=c:\windows\pss\dunoi.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\phpDesigner 2008\\phpDesigner2008.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49156:TCP"= 49156:TCP:Vuze Port TCP
"49156:UDP"= 49156:UDP:Vuze Port UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/20/2009 11:58 AM 642560]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 10:49 AM 77312]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/2/2011 12:53 PM 136360]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [7/25/2009 7:00 PM 47360]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 216.254.141.2 209.90.160.222
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\qjohnile.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.ftp - 151.100.59.11
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 151.100.59.11
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 151.100.59.11
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 151.100.59.11
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 151.100.59.11
FF - prefs.js: network.proxy.ssl_port - 3128
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Answers: {C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51} - %profile%\extensions\{C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: UnPlug: unplug@compunach - %profile%\extensions\unplug@compunach
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-11 03:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,7c,0e,17,db,a3,03,48,a7,2d,f4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,7c,0e,17,db,a3,03,48,a7,2d,f4,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2820)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Synergy\synergyc.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfcmon.exe
.
**************************************************************************
.
Completion time: 2011-11-11 03:20:04 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-11 08:20
ComboFix2.txt 2011-11-10 16:44
.
Pre-Run: 436,229,734,400 bytes free
Post-Run: 436,200,947,712 bytes free
.
- - End Of File - - 6FB4DD2308A61631C7CC02F74FB0098F
Ok, off to bed now. I'll check back in the morning. Thanks, heks
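Posts 8 and 10 above ask what the proxy entries mean and carry the same few settings a helper reads first in a ComboFix log: the AV status header, the Security Center override values, the firewall profile flags, an HKCU Run value with no file behind it, and the network.proxy.* lines in prefs.js. The script below is an added example, not part of this thread and not ComboFix's own code: it scans ComboFix-style lines and lists those settings so a defender can see at a glance why the log is worrying. It assumes only the line layouts visible in the posted logs (the AV: header, [...] section headers, "name"=value entries and FF - prefs.js: lines); the sample input is a constructed excerpt built from values in the posts, not a file read from disk.

```python
import re

# Constructed excerpt laid out like the ComboFix output pasted in the posts above
# (values copied from those posts for illustration; nothing is read from disk).
SAMPLE_LOG_LINES = [
    r'AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}',
    r'.',
    r'[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]',
    r'"appMouseSched"="" [N/A]',
    r'.',
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]',
    r'"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]',
    r'.',
    r'[HKEY_LOCAL_MACHINE\software\microsoft\security center]',
    r'"AntiVirusOverride"=dword:00000001',
    r'"FirewallOverride"=dword:00000001',
    r'.',
    r'[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]',
    r'"EnableFirewall"= 0 (0x0)',
    r'"DisableNotifications"= 1 (0x1)',
    r'.',
    r'FF - prefs.js: browser.search.selectedEngine - Google',
    r'FF - prefs.js: network.proxy.http - 151.100.59.11',
    r'FF - prefs.js: network.proxy.http_port - 3128',
    r'FF - prefs.js: network.proxy.ssl - 151.100.59.11',
    r'FF - prefs.js: network.proxy.ssl_port - 3128',
]

# Line shapes as they appear in the posted logs (an assumption, not a ComboFix spec).
SECTION_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')               # "name"=value
AV_RE = re.compile(r"^AV: (.+?) \*(\w+)/(\w+)\*")            # AV: name *State/Freshness*
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.(\w+?)(_port)? - (\S+)$")


def _reg_int(value):
    """Parse the numeric forms ComboFix prints: 'dword:00000001' or '0 (0x0)'."""
    parts = value.split(":")[-1].split()
    if not parts:
        return None
    try:
        return int(parts[0], 16) if ":" in value else int(parts[0])
    except ValueError:
        return None


def triage(lines):
    """Return (kind, detail) findings for the settings a helper checks first."""
    findings = []
    section = ""
    proxies = {}  # protocol -> {"host": ..., "port": ...}
    for raw in lines:
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = AV_RE.match(line)
        if m:
            name, state, freshness = m.groups()
            if state.lower() == "disabled" or freshness.lower() == "outdated":
                findings.append(("av-status", f"{name} is {state}/{freshness}"))
            continue
        m = FF_PROXY_RE.match(line)
        if m:
            proto, is_port, value = m.groups()
            proxies.setdefault(proto, {})["port" if is_port else "host"] = value
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        number = _reg_int(value)
        if section.endswith("security center") and name.endswith("Override") and number == 1:
            findings.append(("securitycenter-override", f"{name} is set, so Security Center will not warn"))
        elif section.endswith("standardprofile") and name == "EnableFirewall" and number == 0:
            findings.append(("firewall-disabled", "Windows Firewall is off in the standard profile"))
        elif section.endswith("standardprofile") and name == "DisableNotifications" and number == 1:
            findings.append(("firewall-notifications-off", "Firewall notifications are suppressed"))
        elif section.endswith("\\run") and value.startswith('""'):
            findings.append(("orphan-run-entry", f"Run value '{name}' points at no file"))
    # Pair each proxy host with its port so one line per protocol comes out.
    for proto, entry in sorted(proxies.items()):
        host, port = entry.get("host", "?"), entry.get("port", "?")
        findings.append(("browser-proxy", f"Firefox {proto} proxy is {host}:{port}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG_LINES):
        print(f"[{kind}] {detail}")
```

To use it on a real log, pass the lines of a saved ComboFix.txt to triage(). A browser-proxy finding is the one to read first: every Firefox request is being sent through the listed host, which is why an entry the owner does not recognise, like the one in post 10, is worth explaining before anything else in the log is cleaned up.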
  11. Hi Elise, Here's the ComboFix log...
ComboFix 11-11-10.02 - Ryan 11/10/2011 11:37:25.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1500 [GMT -5:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
 * Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Ryan\Application Data\Adobe\plugs
c:\documents and settings\Ryan\Application Data\Adobe\shed
c:\documents and settings\Ryan\Application Data\inst.exe
c:\documents and settings\Ryan\Application Data\mIRC\logs\status.log
c:\documents and settings\Ryan\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-10-10 to 2011-11-10 )))))))))))))))))))))))))))))))
.
.
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\documents and settings\Ryan\Application Data\Malwarebytes
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-07 05:52 . 2011-11-07 05:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-07 05:52 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-02-23 12:16 . 2009-07-20 22:18 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 12:16 . 2009-07-20 22:18 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
.
<pre>
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl .exe
c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VERSIO~2 .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
c:\program files\DAEMON Tools\daemon .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\ScanSoft\PaperPort\IndexSearch .exe
c:\program files\ScanSoft\PaperPort\Ereg\Ereg .exe
c:\windows\system32\CTXFIHLP .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"appMouseSched"="" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\G:\0autocheck autochk *
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.LITTLEBONES^Start Menu^Programs^Startup^dunoi.exe]
path=c:\documents and settings\Administrator.LITTLEBONES\Start Menu\Programs\Startup\dunoi.exe
backup=c:\windows\pss\dunoi.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\phpDesigner 2008\\phpDesigner2008.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49156:TCP"= 49156:TCP:Vuze Port TCP
"49156:UDP"= 49156:UDP:Vuze Port UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/20/2009 11:58 AM 642560]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 10:49 AM 77312]
R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ADMINI~1.LIT\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/2/2011 12:53 PM 136360]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [7/25/2009 7:00 PM 47360]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 TCP: DhcpNameServer = 216.254.141.2 209.90.160.222 FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\qjohnile.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: network.proxy.ftp - 151.100.59.11 FF - prefs.js: network.proxy.ftp_port - 3128 FF - prefs.js: network.proxy.gopher - 151.100.59.11 FF - prefs.js: network.proxy.gopher_port - 3128 FF - prefs.js: network.proxy.http - 151.100.59.11 FF - prefs.js: network.proxy.http_port - 3128 FF - prefs.js: network.proxy.socks - 151.100.59.11 FF - prefs.js: network.proxy.socks_port - 3128 FF - prefs.js: network.proxy.ssl - 151.100.59.11 FF - prefs.js: network.proxy.ssl_port - 3128 FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} FF - Ext: Answers: {C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51} - %profile%\extensions\{C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51} FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12} FF - Ext: UnPlug: unplug@compunach - %profile%\extensions\unplug@compunach FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla 
Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - user.js: network.cookie.cookieBehavior - 0 FF - user.js: privacy.clearOnShutdown.cookies - false FF - user.js: security.warn_viewing_mixed - false FF - user.js: security.warn_viewing_mixed.show_once - false FF - user.js: security.warn_submit_insecure - false FF - user.js: security.warn_submit_insecure.show_once - false . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-11-10 11:42 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . 
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (LocalSystem) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,7c,0e,17,db,a3,03,48,a7,2d,f4,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,7c,0e,17,db,a3,03,48,a7,2d,f4,\ . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(768) c:\windows\system32\Ati2evxx.dll . Completion time: 2011-11-10 11:44:32 ComboFix-quarantined-files.txt 2011-11-10 16:44 . Pre-Run: 433,995,689,984 bytes free Post-Run: 436,240,900,096 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect . - - End Of File - - ED486F042C89B3BFD72F92BAAB33C4BD Take care, heks
  12. I'll get working on this in the morning (it's 3:00 am here right now). Thanks, heks
  13. It seems to be running Ok now, as far as I can tell. Is there anything else I should do to make sure the system is clean? heks