Jump to content

Recommended Posts

Hello. Malwarebytes is blocking access to malicious website and my firefox is hijacked. Can someone please help me clean this from my PC?

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Run by bcarsto at 9:42:44 on 2011-11-25

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1026 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\windows\system32\Ati2evxx.exe

C:\windows\system32\svchost -k DcomLaunch

svchost.exe

C:\windows\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\windows\System32\WLTRYSVC.EXE

C:\windows\System32\bcmwltry.exe

C:\windows\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\oracle\ora92\bin\omtsreco.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe

C:\windows\system32\Ati2evxx.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\windows\Explorer.EXE

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\windows\stsystra.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\windows\system32\ctfmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\windows\svcs.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\windows\system32\notepad.exe

C:\windows\system32\wuauclt.exe

C:\windows\System32\ping.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = https://vpn.hazox.com/scgi-bin/index.htm/hazox

BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 10\SnagitBHO.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

{555d4d79-4bd2-4094-a395-cfc534424a05}

uRun: [Google Update] "c:\documents and settings\bcarsto\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [NWEReboot]

mRun: [seagull Drivers] ssdal_nc.exe startup

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{b0bf7057-6869-4e4b-920c-ea2a58da07f0}\Icon3E5562ED7.ico

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\mi1933~1\office14\ONBttnIE.dll/105

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

LSP: mswsock.dll

Trusted Zone: dyndns.info\emsweb

Trusted Zone: hazox.com\vpn

Trusted Zone: intuit.com\ttlc

Trusted Zone: localhost

Trusted Zone: ts4

Trusted Zone: turbotax.com

Trusted Zone: vertellus.com\mycow

DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {19DFFB5D-E30A-4E3B-8524-0AD8F4D88D32} - hxxps://vpn.hazox.com/XTunnel.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182273289609

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182273258609

DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://vpn.hazox.com/WebCacheCleaner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}

DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxp://ts3/viewer/ActiveXViewer/CRViewer.dll

DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} - hxxps://connect.vwr.com/downloads/VMware-viewclient.cab

DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} - hxxps://76.116.153.195/NGVPNTunnel.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP28EP2-12243/webex/ieatgpc.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://access.us.henkel.com/dana-cached/setup/JuniperSetupSP1.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.us.henkel.com/dana-cached/sc/JuniperSetupClient.cab

TCP: DhcpNameServer = 68.87.64.150 68.87.75.198 0.0.0.0

TCP: Interfaces\{55998922-994C-4034-B7C9-4FFFA62E8241} : DhcpNameServer = 68.87.64.150 68.87.75.198 0.0.0.0

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\bcarsto\application data\mozilla\firefox\profiles\hjzswzir.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig|http://www.3quarksdaily.com/|http://sz0042.wc.mail.comcast.net/zimbra/mail#2

FF - plugin: c:\documents and settings\bcarsto\application data\mozilla\plugins\npatgpc.dll

FF - plugin: c:\documents and settings\bcarsto\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\progra~1\mi1933~1\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\mi1933~1\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npstloader.dll

FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}

FF - Ext: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - %profile%\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}

FF - Ext: XUL Cache: {1b669e51-7af0-4aec-bcfa-8414277b0396} - %profile%\extensions\{1b669e51-7af0-4aec-bcfa-8414277b0396}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

.

============= SERVICES / DRIVERS ===============

.

R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [2007-12-27 64160]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-18 366152]

R2 MSSQL$SQL2005;SQL Server (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2011-3-17 29261152]

R2 NetworkLog;NetworkLog;c:\windows\svcs.exe [2011-11-24 508928]

R2 wsnm;VMware View Client Service;c:\program files\vmware\vmware view\client\bin\wsnm.exe [2008-11-5 147456]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-18 22216]

R3 NGSSLDrv;VPN Tunnel NGSSLDrv Adapter;c:\windows\system32\drivers\NGSSLDrv.sys [2007-5-10 17632]

R3 SSLDrv;Virtual Passage SSLDrv Adapter;c:\windows\system32\drivers\SSLDrv.sys [2010-4-5 18656]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

S3 Label Print;EMS Label Print;c:\hazox\emsrvr40\labelp~1\emslab~2.exe --> c:\hazox\emsrvr40\labelp~1\EMSLAB~2.EXE [?]

S3 Label;EMS Label;c:\hazox\emsrvr40\labels~1\emslab~2.exe --> c:\hazox\emsrvr40\labels~1\EMSLAB~2.EXE [?]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]

S3 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2011-3-17 202592]

S3 msftesql$SQL2005;SQL Server FullText Search (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\msftesql.exe [2007-6-22 95592]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 ReportServer$SQL2005;SQL Server Reporting Services (SQL2005);c:\program files\microsoft sql server\mssql.2\reporting services\reportserver\bin\ReportingServicesService.exe [2011-3-17 13664]

S3 RkHit;RkHit;\??\c:\windows\system32\drivers\rkhit.sys --> c:\windows\system32\drivers\RKHit.sys [?]

S3 SQLAgent$SQL2005;SQL Server Agent (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\SQLAGENT90.EXE [2008-11-24 346976]

S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys --> c:\windows\system32\drivers\sxuptp.sys [?]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

.

=============== File Associations ===============

.

.txt=TextPad.txt

.

=============== Created Last 30 ================

.

2011-11-24 15:18:23 508928 ----a-w- c:\windows\svcs.exe

2011-11-24 14:42:51 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-11-22 01:51:21 -------- d-----w- c:\documents and settings\all users\application data\PC Tools

2011-11-21 02:58:08 -------- d-----w- c:\documents and settings\bcarsto\application data\Tific

2011-11-21 02:57:37 -------- d-----w- c:\documents and settings\bcarsto\local settings\application data\Symantec

2011-11-20 00:22:22 -------- d-----w- c:\documents and settings\bcarsto\local settings\application data\NPE

2011-11-19 01:52:31 -------- d-----w- c:\documents and settings\bcarsto\application data\Malwarebytes

2011-11-19 01:51:31 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-19 01:51:28 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-19 01:51:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-19 01:07:33 -------- d-----w- c:\documents and settings\bcarsto\application data\TVrrllOBtxP0cSi

2011-11-19 01:07:33 -------- d-----w- c:\documents and settings\bcarsto\application data\tLL99hTXqjUClIr

2011-11-18 23:37:09 -------- d-----w- c:\program files\F1B49

2011-11-18 23:36:26 -------- d-----w- c:\program files\LP

2011-11-18 23:36:26 -------- d-----w- c:\documents and settings\bcarsto\application data\207F1

2011-11-18 23:36:23 -------- d-----w- c:\documents and settings\bcarsto\application data\QQQJJ6dEK8f

2011-11-18 23:36:22 -------- d-----w- c:\documents and settings\bcarsto\application data\CAA00uvS2ibFpm5

2011-11-18 23:36:16 -------- d-----w- c:\documents and settings\bcarsto\application data\neeekIIBrzOy

2011-11-18 23:36:15 -------- d-----w- c:\documents and settings\bcarsto\application data\qQQJJ6dEK8fR9hX

2011-11-15 22:57:21 -------- d-----w- c:\program files\Winmail Reader

.

==================== Find3M ====================

.

2011-11-16 13:25:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-19 13:07:16 216064 ----a-w- c:\windows\iun3405.exe

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 9:50:47.09 ===============

Link to post
Share on other sites

Hello and :welcome:

Unfortunately you have a nasty rootkit on your computer. Before starting the cleaning process, please read the following.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Link to post
Share on other sites

Thanks for the advice Elise. I think I am going to format the hard drive - is it safe for me to copy some data files from the PC before I do or is it possible that anything I copy may have the infection? Rr would u recommend cleaning it first and then copy the files before formatting the drive.

Bob

Link to post
Share on other sites

Combofix was not able to install the windows recovery console. It said the master boot record was corrupt, but it continued anyway. The first reboot did not happen after an hour, so I powered down the PC and restart and then combofix continued, did its scan, did the auto reboot and produced a log.

Link to post
Share on other sites

My apologies, I thought I had. Here it is:

ComboFix 11-11-30.01 - bcarsto 11/30/2011 12:17:54.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1475 [GMT -5:00]

Running from: C:\ComboFix.exe

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\bcarsto\Application Data\JuniperExtXP.exe

c:\documents and settings\bcarsto\Application Data\JuniperSetup.exe

c:\documents and settings\bcarsto\Application Data\Mozilla\Firefox\Profiles\hjzswzir.default\extensions\{1b669e51-7af0-4aec-bcfa-8414277b0396}

c:\documents and settings\bcarsto\Application Data\Mozilla\Firefox\Profiles\hjzswzir.default\extensions\{1b669e51-7af0-4aec-bcfa-8414277b0396}\chrome.manifest

c:\documents and settings\bcarsto\Application Data\Mozilla\Firefox\Profiles\hjzswzir.default\extensions\{1b669e51-7af0-4aec-bcfa-8414277b0396}\chrome\xulcache.jar

c:\documents and settings\bcarsto\Application Data\Mozilla\Firefox\Profiles\hjzswzir.default\extensions\{1b669e51-7af0-4aec-bcfa-8414277b0396}\defaults\preferences\xulcache.js

c:\documents and settings\bcarsto\Application Data\Mozilla\Firefox\Profiles\hjzswzir.default\extensions\{1b669e51-7af0-4aec-bcfa-8414277b0396}\install.rdf

c:\documents and settings\bcarsto\g2mdlhlpx.exe

c:\documents and settings\bcarsto\Recent\Thumbs.db

c:\documents and settings\bcarsto\Start Menu\Programs\AV Protection 2011

c:\documents and settings\bcarsto\Start Menu\Programs\AV Protection 2011\AV Protection 2011.lnk

c:\documents and settings\bcarsto\WINDOWS

c:\documents and settings\mail\~inbox.pst.tmp

c:\program files\LP

c:\program files\LP\D0C2\4.tmp

c:\program files\LP\D0C2\57.tmp

c:\program files\LP\D0C2\59.tmp

C:\Thumbs.db

c:\windows\$NtUninstallKB45751$

c:\windows\$NtUninstallKB45751$\3265949725\@

c:\windows\$NtUninstallKB45751$\3265949725\bckfg.tmp

c:\windows\$NtUninstallKB45751$\3265949725\cfg.ini

c:\windows\$NtUninstallKB45751$\3265949725\Desktop.ini

c:\windows\$NtUninstallKB45751$\3265949725\keywords

c:\windows\$NtUninstallKB45751$\3265949725\kwrd.dll

c:\windows\$NtUninstallKB45751$\3265949725\L\lfisamud

c:\windows\$NtUninstallKB45751$\3265949725\lsflt7.ver

c:\windows\$NtUninstallKB45751$\3265949725\U\00000001.@

c:\windows\$NtUninstallKB45751$\3265949725\U\00000002.@

c:\windows\$NtUninstallKB45751$\3265949725\U\00000004.@

c:\windows\$NtUninstallKB45751$\3265949725\U\80000000.@

c:\windows\$NtUninstallKB45751$\3265949725\U\80000004.@

c:\windows\$NtUninstallKB45751$\3265949725\U\80000032.@

c:\windows\$NtUninstallKB45751$\979825987

c:\windows\CSC\d6

c:\windows\dasetup.log

c:\windows\svcs.exe

c:\windows\system32\Cache

c:\windows\system32\drivers\etc\lmhosts

c:\windows\system32\PowerToyReadme.htm

c:\windows\system32\usmt\migwiz_a.exe

.

Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected

Restored copy from - The cat found it :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_RkHit

-------\Legacy_NetworkLog

-------\Service_NetworkLog

.

.

((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-30 )))))))))))))))))))))))))))))))

.

.

2011-11-30 16:44 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys

2011-11-22 01:51 . 2011-11-22 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2011-11-21 02:58 . 2011-11-21 02:58 -------- d-----w- c:\documents and settings\bcarsto\Application Data\Tific

2011-11-21 02:57 . 2011-11-21 02:57 -------- d-----w- c:\documents and settings\bcarsto\Local Settings\Application Data\Symantec

2011-11-21 01:20 . 2011-11-21 01:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE

2011-11-20 01:47 . 2011-11-20 01:47 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-11-20 01:46 . 2011-11-20 01:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TSVNCache

2011-11-20 01:45 . 2011-11-20 01:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Juniper Networks

2011-11-20 00:22 . 2011-11-21 01:44 -------- d-----w- c:\documents and settings\bcarsto\Local Settings\Application Data\NPE

2011-11-19 12:24 . 2011-11-19 12:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ID Vault

2011-11-19 12:24 . 2011-11-19 12:24 -------- d-----w- c:\documents and settings\LocalService\Application Data\ID Vault

2011-11-19 01:52 . 2011-11-19 01:52 -------- d-----w- c:\documents and settings\bcarsto\Application Data\Malwarebytes

2011-11-19 01:51 . 2011-11-19 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-11-19 01:51 . 2011-11-19 01:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-19 01:51 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-19 01:07 . 2011-11-19 01:07 -------- d-----w- c:\documents and settings\bcarsto\Application Data\tLL99hTXqjUClIr

2011-11-19 01:07 . 2011-11-19 01:07 -------- d-----w- c:\documents and settings\bcarsto\Application Data\TVrrllOBtxP0cSi

2011-11-18 23:37 . 2011-11-19 02:28 -------- d-----w- c:\program files\F1B49

2011-11-18 23:36 . 2011-11-18 23:36 -------- d-----w- c:\documents and settings\bcarsto\Application Data\207F1

2011-11-18 23:36 . 2011-11-18 23:36 -------- d-----w- c:\documents and settings\bcarsto\Application Data\QQQJJ6dEK8f

2011-11-18 23:36 . 2011-11-18 23:36 -------- d-----w- c:\documents and settings\bcarsto\Application Data\CAA00uvS2ibFpm5

2011-11-18 23:36 . 2011-11-18 23:36 -------- d-----w- c:\documents and settings\bcarsto\Application Data\neeekIIBrzOy

2011-11-18 23:36 . 2011-11-18 23:36 -------- d-----w- c:\documents and settings\bcarsto\Application Data\qQQJJ6dEK8fR9hX

2011-11-15 22:57 . 2011-11-15 22:57 -------- d-----w- c:\program files\Winmail Reader

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-16 13:25 . 2011-05-18 11:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-19 13:07 . 2011-10-17 20:03 216064 ----a-w- c:\windows\iun3405.exe

2011-10-10 14:22 . 2007-06-18 23:44 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41 . 2007-10-09 17:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41 . 2006-02-28 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41 . 2006-02-28 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-06 13:20 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2009-03-13 16:28 . 2009-03-13 16:28 44360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2009-03-13 16:28 . 2009-03-13 16:28 107936 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2008-08-16 22:42 . 2008-08-16 22:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-08-16 22:42 . 2008-08-16 22:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-08-16 22:42 . 2008-08-16 22:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-08-16 22:42 . 2008-08-16 22:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-08-16 22:43 . 2008-08-16 22:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-08-16 22:42 . 2008-08-16 22:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-08-16 22:42 . 2008-08-16 22:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2008-06-05 18:58 . 2008-06-05 18:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-08-16 22:42 . 2008-08-16 22:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]

@="{C5994560-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]

2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]

@="{C5994561-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]

2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]

@="{C5994562-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]

2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]

@="{C5994563-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]

2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]

@="{C5994564-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]

2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]

@="{C5994565-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]

2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]

@="{C5994566-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]

2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]

@="{C5994567-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]

2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]

@="{C5994568-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]

2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Seagull Drivers"="ssdal_nc.exe startup" [X]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-10-20 6144]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Dialer (OnStartup).lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Dialer (OnStartup).lnk

backup=c:\windows\pss\VPN Dialer (OnStartup).lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-08-31 01:57 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]

2006-01-02 21:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]

2001-08-23 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

2004-08-04 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

2007-10-25 20:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

2004-08-04 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

2006-08-17 13:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2006-11-05 15:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2004-02-23 03:44 32881 ----a-w- c:\program files\Business Objects\JRE\bin\jusched.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Visual Studio .NET 2003\\Common7\\IDE\\devenv.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Telerik\\RadControls for ASP.NET AJAX Q2 2010\\Live Demos\\StartExamples.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=

"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=

"c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\Telerik\\RadControls for ASP.NET AJAX Q1 2011\\Live Demos\\StartExamples.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\VMware\\VMware View\\Client\\bin\\wswc.exe"=

"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"6160:TCP"= 6160:TCP:Seagull Driver Networking

.

R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [12/27/2007 10:23 PM 64160]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/18/2011 8:51 PM 366152]

R2 MSSQL$SQL2005;SQL Server (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3/17/2011 6:08 PM 29261152]

R2 wsnm;VMware View Client Service;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [11/5/2008 4:49 PM 147456]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/18/2011 8:51 PM 22216]

R3 NGSSLDrv;VPN Tunnel NGSSLDrv Adapter;c:\windows\system32\drivers\NGSSLDrv.sys [5/10/2007 1:54 PM 17632]

R3 SSLDrv;Virtual Passage SSLDrv Adapter;c:\windows\system32\drivers\SSLDrv.sys [4/5/2010 1:07 PM 18656]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S3 Label Print;EMS Label Print;c:\hazox\EMSRVR40\LABELP~1\EMSLAB~2.EXE --> c:\hazox\EMSRVR40\LABELP~1\EMSLAB~2.EXE [?]

S3 Label;EMS Label;c:\hazox\EMSRVR40\LABELS~1\EMSLAB~2.EXE --> c:\hazox\EMSRVR40\LABELS~1\EMSLAB~2.EXE [?]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 10:15 AM 31125880]

S3 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [3/17/2011 6:08 PM 202592]

S3 msftesql$SQL2005;SQL Server FullText Search (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [6/22/2007 8:22 AM 95592]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]

S3 ReportServer$SQL2005;SQL Server Reporting Services (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe [3/17/2011 6:08 PM 13664]

S3 SQLAgent$SQL2005;SQL Server Agent (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [11/24/2008 9:31 PM 346976]

S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys --> c:\windows\system32\DRIVERS\sxuptp.sys [?]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 5:17 AM 2805000]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1645522239-839522115-1609Core.job

- c:\documents and settings\bcarsto\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-15 01:00]

.

2011-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1645522239-839522115-1609UA.job

- c:\documents and settings\bcarsto\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-15 01:00]

.

2011-11-30 c:\windows\Tasks\User_Feed_Synchronization-{BB6A73FA-2B80-4959-847F-6148C906F98E}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = https://vpn.hazox.com/scgi-bin/index.htm/hazox

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105

Trusted Zone: dyndns.info\emsweb

Trusted Zone: hazox.com\vpn

Trusted Zone: intuit.com\ttlc

Trusted Zone: localhost

Trusted Zone: ts4

Trusted Zone: turbotax.com

Trusted Zone: vertellus.com\mycow

DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: {19DFFB5D-E30A-4E3B-8524-0AD8F4D88D32} - hxxps://vpn.hazox.com/XTunnel.cab

DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://vpn.hazox.com/WebCacheCleaner.cab

DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}

DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} - hxxps://76.116.153.195/NGVPNTunnel.cab

FF - ProfilePath - c:\documents and settings\bcarsto\Application Data\Mozilla\Firefox\Profiles\hjzswzir.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig|http://www.3quarksdaily.com/|http://sz0042.wc.mail.comcast.net/zimbra/mail#2

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}

FF - Ext: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - %profile%\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

.

------- File Associations -------

.

.txt=TextPad.txt

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

HKLM-Run-NWEReboot - (no file)

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe

AddRemove-KB955706_DTS9 - c:\windows\DTS9_KB955706_ENU\Hotfix.exe

AddRemove-KB955706_NS9 - c:\windows\NS9_KB955706_ENU\Hotfix.exe

AddRemove-KB955706_RS9 - c:\windows\RS9_KB955706_ENU\Hotfix.exe

AddRemove-KB955706_SQL9 - c:\windows\SQL9_KB955706_ENU\Hotfix.exe

AddRemove-KB955706_SQLTools9 - c:\windows\SQLTools9_KB955706_ENU\Hotfix.exe

AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-30 13:12

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\documents and settings\bcarsto\Application Data\Mozilla\Firefox\Profiles\hjzswzir.default\prefs.js.BAK 41924 bytes

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\msftesql$SQL2005]

"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQL2005"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1409082233-1645522239-839522115-1609\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1156)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(6240)

c:\windows\system32\WININET.dll

c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll

c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

c:\program files\TortoiseSVN\bin\TortoiseStub.dll

c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

c:\program files\TortoiseSVN\bin\intl3_tsvn.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\windows\system32\CDRTC.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Juniper Networks\Common Files\dsNcService.exe

c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\oracle\ora92\bin\omtsreco.exe

c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\TortoiseSVN\bin\TSVNCache.exe

c:\windows\stsystra.exe

.

**************************************************************************

.

Completion time: 2011-11-30 13:25:01 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-30 18:24

.

Pre-Run: 31,720,448,000 bytes free

Post-Run: 32,838,901,760 bytes free

.

- - End Of File - - C5C3CDAD601DBB779257AF5DB9D138D0

Link to post
Share on other sites

  • 2 weeks later...
  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.