Getting random pop-ups and occasional redirects from Google links. Noticed deployjava1.dll in the logs. Symantec AV and Malwarebytes showing clean.

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Administrator at 22:04:24.53 on Tue 05/18/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.985 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\program files\steam\steam.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

mWinlogon: Userinit=c:\windows\system32\Userinit.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [steam] "c:\program files\steam\steam.exe" -silent

uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"

mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: shipdli.com\email

Trusted Zone: stkate.edu\cscmail2

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238539290765

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://zone.msn.com/bingame/feed/default/SproutLauncher.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\dzvve335.default\

FF - component: c:\program files\rapidsolution\tunebite\plugins\geckobased\tunebite-firefox-surf-and-catch-extension@audials.com\components\TB_WebRipFFPlugin.dll

FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\program files\rapidsolution\tunebite\plugins\geckobased\tunebite-firefox-surf-and-catch-extension@audials.com\plugins\np_TB_OgloPlugin.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-4 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100517.002\naveng.sys [2010-5-17 85552]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100517.002\navex15.sys [2010-5-17 1347504]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-20 136176]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-6-26 17408]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-05-18 20:56:41 0 d-----w- C:\Backup

2010-05-18 03:14:43 411368 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-29 03:10:26 215152 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-04-29 02:35:30 137200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 22:05:28.34 ===============

MalwareBytes Log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4113

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/18/2010 7:26:00 PM

mbam-log-2010-05-18 (19-26-00).txt

Scan type: Full scan (C:\|)

Objects scanned: 242419

Time elapsed: 58 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Thank you in advance for your help!!

I also have my hijackthis logs, figure I will give you all the ammo you need up front.

HJT Log

ComboFix 10-05-17.01 - Administrator 05/18/2010 22:46:13.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1538 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))

.

2010-05-18 20:56 . 2010-05-18 21:23 -------- d-----w- C:\Backup

2010-05-18 03:15 . 2010-05-18 03:15 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-26238f43-n\msvcp71.dll

2010-05-18 03:15 . 2010-05-18 03:15 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-26238f43-n\jmc.dll

2010-05-18 03:15 . 2010-05-18 03:15 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72d6020e-n\decora-sse.dll

2010-05-18 03:15 . 2010-05-18 03:15 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-26238f43-n\msvcr71.dll

2010-05-18 03:15 . 2010-05-18 03:15 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72d6020e-n\decora-d3d.dll

2010-05-18 03:14 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-19 03:45 . 2009-02-15 00:19 -------- d-----w- c:\program files\Symantec AntiVirus

2010-05-18 10:52 . 2009-02-22 22:47 -------- d-----w- c:\program files\Steam

2010-05-18 10:34 . 2009-02-15 00:20 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-18 03:14 . 2009-03-07 01:41 -------- d-----w- c:\program files\Common Files\Java

2010-05-18 03:14 . 2009-03-07 01:41 -------- d-----w- c:\program files\Java

2010-05-16 21:16 . 2009-03-01 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-05-16 20:56 . 2009-07-20 02:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-16 12:37 . 2010-03-20 13:31 -------- d-----w- c:\program files\Google

2010-04-29 20:39 . 2009-07-20 02:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 20:39 . 2009-07-20 02:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-29 03:10 . 2009-02-15 01:40 215152 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-04-29 02:35 . 2009-02-15 01:41 137200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2010-03-30 03:23 . 2009-03-14 18:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire

2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-06 23:54 . 2009-11-11 12:10 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-03-06 17:50 . 2010-03-06 17:50 50354 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\uninstall.exe

2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\axfbootloader.dll

2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll

2010-02-25 23:11 . 2010-02-25 23:11 0 ----a-w- c:\windows\nsreg.dat

2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\steam\steam.exe" [2010-05-08 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-10-07 131072]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]

"SoundMan"="SOUNDMAN.EXE" [2005-07-22 81920]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2009-2-16 6144]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^rncsys32.exe]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\rncsys32.exe

backup=c:\windows\pss\rncsys32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-09-09 02:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2009-03-27 15:03 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/4/2009 8:07 PM 102448]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 8:31 AM 136176]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [6/26/2009 7:48 AM 17408]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 8:48 PM 116416]

.

Contents of the 'Scheduled Tasks' folder

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 13:31]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 13:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

Trusted Zone: shipdli.com\email

Trusted Zone: stkate.edu\cscmail2

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dzvve335.default\

FF - component: c:\program files\RapidSolution\Tunebite\plugins\GeckoBased\tunebite-firefox-surf-and-catch-extension@audials.com\components\TB_WebRipFFPlugin.dll

FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: c:\program files\RapidSolution\Tunebite\plugins\GeckoBased\tunebite-firefox-surf-and-catch-extension@audials.com\plugins\np_TB_OgloPlugin.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)

HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

MSConfigStartUp-Administrator - c:\documents and settings\Administrator\Administrator.exe

MSConfigStartUp-ttool - c:\windows\9129837.exe

MSConfigStartUp-xoayiipc - c:\documents and settings\Administrator\Local Settings\Application Data\dselanprb\yofxlxctssd.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-18 22:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D0FCEC]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9f11852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014

ParseProcedure -> ntkrnlpa.exe @ 0x80577c76

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014

ParseProcedure -> ntkrnlpa.exe @ 0x80577c76

NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9e07bb0

PacketIndicateHandler -> NDIS.sys @ 0xb9e14a21

SendHandler -> NDIS.sys @ 0xb9df287b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-926492609-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1036)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1096)

c:\windows\system32\WININET.dll

.

Completion time: 2010-05-18 23:00:03

ComboFix-quarantined-files.txt 2010-05-19 03:59

Pre-Run: 138,746,675,200 bytes free

Post-Run: 139,381,338,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 042806F809A4CF2389FB081A79EDA1CE

Hi,

I also have my hijackthis logs, figure I will give you all the ammo you need up front.

That's actually a log from the ComboFix tool, which shouldn't be run without supervision.

1. Download TDSSKiller and extract its contents into a folder in the desired location (e.g. c:\tdsskiller).

2. Execute the file TDSSKiller.exe and wait for the process to finish.

3. Post back the contents of the log file in the C: drive root (the name should be in UtilityName.Version_Date_Time_log.txt format).

Hi,

That's actually a log from the ComboFix tool, which shouldn't be run without supervision.

1. Download TDSSKiller and extract its contents into a folder in the desired location (e.g. c:\tdsskiller).

2. Execute the file TDSSKiller.exe and wait for the process to finish.

3. Post back the contents of the log file in the C: drive root (the name should be in UtilityName.Version_Date_Time_log.txt format).

Sorry about that, it was ComboFix; when I posted that I was very tired.

Here are the results from TDSSKiller:

12:18:20:859 3628 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17

12:18:20:859 3628 ================================================================================

12:18:20:859 3628 SystemInfo:

12:18:20:859 3628 OS Version: 5.1.2600 ServicePack: 3.0

12:18:20:859 3628 Product type: Workstation

12:18:20:859 3628 ComputerName: MAIN

12:18:20:859 3628 UserName: Administrator

12:18:20:859 3628 Windows directory: C:\WINDOWS

12:18:20:859 3628 Processor architecture: Intel x86

12:18:20:859 3628 Number of processors: 1

12:18:20:859 3628 Page size: 0x1000

12:18:20:859 3628 Boot type: Normal boot

12:18:20:859 3628 ================================================================================

12:18:20:859 3628 UnloadDriverW: NtUnloadDriver error 2

12:18:20:859 3628 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2

12:18:20:937 3628 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

12:18:20:937 3628 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

12:18:20:937 3628 wfopen_ex: Trying to KLMD file open

12:18:20:937 3628 wfopen_ex: File opened ok (Flags 2)

12:18:20:937 3628 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

12:18:20:937 3628 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

12:18:20:937 3628 wfopen_ex: Trying to KLMD file open

12:18:20:937 3628 wfopen_ex: File opened ok (Flags 2)

12:18:20:937 3628 KLAVA engine initialized

12:18:21:156 3628 Initialize success

12:18:21:156 3628

12:18:21:156 3628 Scanning Services ...

12:18:21:187 3628 Raw services enum returned 331 services

12:18:21:203 3628

12:18:21:203 3628 Scanning Drivers ...

12:18:21:328 3628 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

12:18:21:359 3628 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

12:18:21:421 3628 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

12:18:21:484 3628 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

12:18:21:656 3628 ALCXWDM (2c6322e8ff56f624033e7642c49044f3) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

12:18:21:843 3628 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

12:18:21:906 3628 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

12:18:21:937 3628 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

12:18:21:984 3628 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

12:18:22:031 3628 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

12:18:22:078 3628 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

12:18:22:156 3628 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

12:18:22:187 3628 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

12:18:22:218 3628 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

12:18:22:281 3628 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

12:18:22:328 3628 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys

12:18:22:390 3628 CVPNDRVA (26deef07394624247d1f549bd94f0b15) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys

12:18:22:453 3628 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

12:18:22:500 3628 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

12:18:22:593 3628 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

12:18:22:625 3628 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

12:18:22:656 3628 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

12:18:22:687 3628 DNE (7b4fdfbe97c047175e613aa96f3de987) C:\WINDOWS\system32\DRIVERS\dne2000.sys

12:18:22:703 3628 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

12:18:22:843 3628 eeCtrl (96bcd90ed9235a21629effde5e941fb1) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

12:18:22:875 3628 EraserUtilRebootDrv (392c86f6b45c0bc696c32c27f51e749f) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

12:18:22:921 3628 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

12:18:22:937 3628 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

12:18:22:968 3628 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

12:18:23:015 3628 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

12:18:23:109 3628 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

12:18:23:125 3628 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

12:18:23:187 3628 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

12:18:23:250 3628 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

12:18:23:296 3628 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

12:18:23:343 3628 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

12:18:23:390 3628 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

12:18:23:453 3628 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

12:18:23:500 3628 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

12:18:23:546 3628 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

12:18:23:593 3628 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

12:18:23:625 3628 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

12:18:23:640 3628 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

12:18:23:703 3628 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

12:18:23:718 3628 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys

12:18:23:734 3628 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

12:18:23:765 3628 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys

12:18:23:796 3628 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

12:18:23:828 3628 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

12:18:23:859 3628 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

12:18:23:875 3628 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

12:18:23:890 3628 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

12:18:23:921 3628 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

12:18:23:953 3628 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

12:18:24:000 3628 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

12:18:24:062 3628 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

12:18:24:093 3628 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

12:18:24:140 3628 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

12:18:24:234 3628 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

12:18:24:281 3628 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

12:18:24:312 3628 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

12:18:24:328 3628 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

12:18:24:343 3628 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

12:18:24:375 3628 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

12:18:24:390 3628 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

12:18:24:578 3628 NAVENG (83518e6cc82bdc3c3db0c12d1c9a2275) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100517.002\naveng.sys

12:18:24:625 3628 NAVEX15 (85cf37740fe06c7a2eaa7f6c81f0819c) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100517.002\navex15.sys

12:18:24:656 3628 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

12:18:24:687 3628 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

12:18:24:703 3628 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

12:18:24:718 3628 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

12:18:24:734 3628 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

12:18:24:765 3628 Netaapl (29c45722e20572b6440b57e3359e73ee) C:\WINDOWS\system32\DRIVERS\netaapl.sys

12:18:24:812 3628 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

12:18:24:859 3628 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

12:18:24:890 3628 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

12:18:24:937 3628 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

12:18:24:984 3628 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

12:18:25:031 3628 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

12:18:25:265 3628 nv (23b95a09677e62ec8d1641ecf39b9bfb) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

12:18:25:625 3628 nvatabus (e4f1f95a6bbbfbbff9a713c6063aa2cb) C:\WINDOWS\system32\DRIVERS\nvatabus.sys

12:18:25:687 3628 nvax (c940418d48b98359e9ccbad695e5f530) C:\WINDOWS\system32\drivers\nvax.sys

12:18:25:718 3628 NVENETFD (812f45da883bdb87c5960b25295a7e9c) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys

12:18:25:750 3628 nvnetbus (507b332b431392ed37c23b7cfb66dcf7) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys

12:18:25:812 3628 nvnforce (b000a8b4946f786a56c7b020620b3a46) C:\WINDOWS\system32\drivers\nvapu.sys

12:18:25:890 3628 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

12:18:25:937 3628 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

12:18:26:000 3628 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

12:18:26:046 3628 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

12:18:26:062 3628 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

12:18:26:093 3628 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

12:18:26:140 3628 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

12:18:26:171 3628 PCIIde (473547a9d49ef91a1ad731ff6b85a4cf) C:\WINDOWS\system32\DRIVERS\pciide.sys

12:18:26:171 3628 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pciide.sys. Real md5: 473547a9d49ef91a1ad731ff6b85a4cf, Fake md5: ccf5f451bb1a5a2a522a76e670000ff0

12:18:26:171 3628 File "C:\WINDOWS\system32\DRIVERS\pciide.sys" infected by TDSS rootkit ...

12:18:26:421 3628 Backup copy found, using it..

12:18:26:484 3628 will be cured on next reboot

12:18:26:531 3628 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

12:18:26:609 3628 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

12:18:26:656 3628 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

12:18:26:671 3628 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

12:18:26:671 3628 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

12:18:26:703 3628 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys

12:18:26:750 3628 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

12:18:26:781 3628 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys

12:18:26:796 3628 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

12:18:26:812 3628 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

12:18:26:812 3628 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

12:18:26:890 3628 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

12:18:26:921 3628 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

12:18:26:937 3628 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

12:18:26:968 3628 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

12:18:27:015 3628 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

12:18:27:140 3628 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys

12:18:27:156 3628 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys

12:18:27:187 3628 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

12:18:27:234 3628 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

12:18:27:281 3628 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

12:18:27:328 3628 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

12:18:27:359 3628 SPBBCDrv (ef9760a364d836a0ce6149ebdf71524d) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys

12:18:27:406 3628 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

12:18:27:453 3628 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

12:18:27:515 3628 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

12:18:27:515 3628 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

12:18:27:546 3628 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

12:18:27:593 3628 SymEvent (49b20b430a4f219173f823536944474a) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

12:18:27:625 3628 SYMREDRV (626f733be7f951116c5c0804b068666c) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

12:18:27:687 3628 SYMTDI (cb7cc4ddbe09e224d4cd876760ba982c) C:\WINDOWS\System32\Drivers\SYMTDI.SYS

12:18:27:750 3628 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

12:18:27:812 3628 tbhsd (c26c6dff638d9e51dc5cc60a7785d057) C:\WINDOWS\system32\drivers\tbhsd.sys

12:18:27:906 3628 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

12:18:27:937 3628 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

12:18:27:984 3628 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

12:18:28:031 3628 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

12:18:28:046 3628 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

12:18:28:109 3628 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

12:18:28:156 3628 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys

12:18:28:265 3628 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

12:18:28:296 3628 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

12:18:28:328 3628 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

12:18:28:359 3628 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

12:18:28:406 3628 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

12:18:28:468 3628 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

12:18:28:515 3628 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

12:18:28:531 3628 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

12:18:28:578 3628 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys

12:18:28:609 3628 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

12:18:28:687 3628 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

12:18:28:750 3628 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

12:18:28:796 3628 yukonwxp (bac4e920c920168c302c90c0f37740f6) C:\WINDOWS\system32\DRIVERS\yk51x86.sys

12:18:28:812 3628 Reboot required for cure complete..

12:18:28:843 3628 Cure on reboot scheduled successfully

12:18:28:843 3628

12:18:28:843 3628 Completed

12:18:28:843 3628

12:18:28:843 3628 Results:

12:18:28:843 3628 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

12:18:28:843 3628 File objects infected / cured / cured on reboot: 1 / 0 / 1

12:18:28:843 3628

12:18:28:843 3628 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

12:18:28:843 3628 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

12:18:28:843 3628 UnloadDriverW: NtUnloadDriver error 1

12:18:28:843 3628 KLMD(ARK) unloaded successfully


GMER:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-19 16:12:57

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdypob.sys

---- System - GMER 1.0.15 ----

SSDT 89BC8DA8 ZwAlertResumeThread

SSDT 89C1A8C0 ZwAlertThread

SSDT 89C63100 ZwAllocateVirtualMemory

SSDT 89BFF788 ZwConnectPort

SSDT 89C4E170 ZwCreateMutant

SSDT 89367628 ZwCreateThread

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAE038350]

SSDT 890336C8 ZwFreeVirtualMemory

SSDT 899B3B10 ZwImpersonateAnonymousToken

SSDT 89A75DC8 ZwImpersonateThread

SSDT 89CC69F8 ZwMapViewOfSection

SSDT 89C51170 ZwOpenEvent

SSDT 89067750 ZwOpenProcessToken

SSDT 89897A90 ZwOpenThreadToken

SSDT 89B2C3D0 ZwQueryValueKey

SSDT 89891A90 ZwResumeThread

SSDT 89BF1498 ZwSetContextThread

SSDT 89896A90 ZwSetInformationProcess

SSDT 894F0730 ZwSetInformationThread

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAE038580]

SSDT 89C8F170 ZwSuspendProcess

SSDT 89A50DC8 ZwSuspendThread

SSDT 89894A90 ZwTerminateProcess

SSDT 898E5B08 ZwTerminateThread

SSDT 89895A90 ZwUnmapViewOfSection

SSDT 893A0628 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? klmdb.sys The system cannot find the file specified. !

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5298380, 0x34C81F, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----


Hi again,

LimeWire

The above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and others, if present) P2P file sharing programs.

Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\Administrator\Start Menu\Programs\Startup\rncsys32.exe
c:\windows\pss\rncsys32.exeStartup
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^rncsys32.exe]

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[Image: CFScriptB-4.gif]

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

Uninstall old Adobe Reader versions and get the latest one (both 9.3 and update 9.3.2) here, or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

Uninstall this old Java:

Java 2 Runtime Environment, SE v1.4.2_06

Download ATF (Atribune Temp File) Cleaner


Machine seems to be running much better, though I am not doing much of anything on it until I get the all clear.

I am running DDS overnight, here are the other logs:

COMBOFIX:

ComboFix 10-05-17.01 - Administrator 05/20/2010 12:40:53.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1459 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::

"c:\documents and settings\Administrator\Start Menu\Programs\Startup\rncsys32.exe"

"c:\windows\pss\rncsys32.exeStartup"

.

((((((((((((((((((((((((( Files Created from 2010-04-20 to 2010-05-20 )))))))))))))))))))))))))))))))

.

2010-05-19 17:15 . 2008-04-13 23:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2010-05-19 17:15 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-05-19 17:15 . 2008-04-13 17:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-05-19 17:15 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-05-19 17:15 . 2008-04-13 17:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2010-05-19 17:15 . 2008-04-13 17:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2010-05-18 20:56 . 2010-05-18 21:23 -------- d-----w- C:\Backup

2010-05-18 03:15 . 2010-05-18 03:15 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-26238f43-n\msvcp71.dll

2010-05-18 03:15 . 2010-05-18 03:15 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-26238f43-n\jmc.dll

2010-05-18 03:15 . 2010-05-18 03:15 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72d6020e-n\decora-sse.dll

2010-05-18 03:15 . 2010-05-18 03:15 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-26238f43-n\msvcr71.dll

2010-05-18 03:15 . 2010-05-18 03:15 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72d6020e-n\decora-d3d.dll

2010-05-18 03:14 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-20 17:39 . 2009-02-15 00:19 -------- d-----w- c:\program files\Symantec AntiVirus

2010-05-20 16:24 . 2009-02-22 22:47 -------- d-----w- c:\program files\Steam

2010-05-19 17:19 . 2006-02-28 12:00 3328 ----a-w- c:\windows\system32\drivers\pciide.sys

2010-05-18 10:34 . 2009-02-15 00:20 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-18 03:14 . 2009-03-07 01:41 -------- d-----w- c:\program files\Common Files\Java

2010-05-18 03:14 . 2009-03-07 01:41 -------- d-----w- c:\program files\Java

2010-05-16 21:16 . 2009-03-01 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-05-16 20:56 . 2009-07-20 02:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-16 12:37 . 2010-03-20 13:31 -------- d-----w- c:\program files\Google

2010-04-29 20:39 . 2009-07-20 02:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 20:39 . 2009-07-20 02:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-29 03:10 . 2009-02-15 01:40 215152 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-04-29 02:35 . 2009-02-15 01:41 137200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2010-03-30 03:23 . 2009-03-14 18:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire

2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-06 23:54 . 2009-11-11 12:10 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-03-06 17:50 . 2010-03-06 17:50 50354 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\uninstall.exe

2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\axfbootloader.dll

2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll

2010-02-25 23:11 . 2010-02-25 23:11 0 ----a-w- c:\windows\nsreg.dat

2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-05-19_03.57.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-05-20 16:21 . 2010-05-20 16:21 16384 c:\windows\Temp\Perflib_Perfdata_128.dat

+ 2010-01-16 02:00 . 2010-05-19 03:44 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat

- 2010-01-16 02:00 . 2010-05-18 11:03 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\steam\steam.exe" [2010-05-08 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-10-07 131072]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]

"SoundMan"="SOUNDMAN.EXE" [2005-07-22 81920]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2009-2-16 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-09-09 02:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2009-03-27 15:03 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/4/2009 8:07 PM 102448]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/20/2010 8:31 AM 136176]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [6/26/2009 7:48 AM 17408]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 8:48 PM 116416]

.

Contents of the 'Scheduled Tasks' folder

2010-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 13:31]

2010-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-20 13:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk

Trusted Zone: shipdli.com\email

Trusted Zone: stkate.edu\cscmail2

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dzvve335.default\

FF - component: c:\program files\RapidSolution\Tunebite\plugins\GeckoBased\tunebite-firefox-surf-and-catch-extension@audials.com\components\TB_WebRipFFPlugin.dll

FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: c:\program files\RapidSolution\Tunebite\plugins\GeckoBased\tunebite-firefox-surf-and-catch-extension@audials.com\plugins\np_TB_OgloPlugin.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-20 12:47

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-926492609-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,7f,1e,ac,0e,69,b2,4d,a2,f4,19,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,65,05,7d,0f,42,53,44,b0,db,1a,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,7f,1e,ac,0e,69,b2,4d,a2,f4,19,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,7f,1e,ac,0e,69,b2,4d,a2,f4,19,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,7f,1e,ac,0e,69,b2,4d,a2,f4,19,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3476)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2010-05-20 12:49:05

ComboFix-quarantined-files.txt 2010-05-20 17:49

ComboFix2.txt 2010-05-19 04:00

Pre-Run: 139,374,280,704 bytes free

Post-Run: 139,358,806,016 bytes free

- - End Of File - - 4A6D368344A89638B22088255B24A0D7

Kaspersky:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Thursday, May 20, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, May 20, 2010 14:19:02

Records in database: 4142983

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

E:\

F:\

Scan statistics:

Objects scanned: 117582

Threats found: 14

Infected objects found: 28

Suspicious objects found: 0

Scan duration: 03:28:08

File name / Threat / Threats count

C:\Backup\User Accounts\jbrockman_old\Desktop\SolarWinds-TFTP-Server.exe Infected: not-a-virus:Server-FTP.Win32.Tftp.500 1

C:\Backup\User Accounts\jbrockman_old\Desktop\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 2

C:\Backup\User Accounts\jbrockman_old\Desktop\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00F00000\4AF2ED8A.VBN Infected: Virus.MSWord.Thus.ew 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01440000.VBN Infected: Trojan-Downloader.NSIS.Agent.bk 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01440000.VBN Infected: not-a-virus:AdWare.Win32.Agent.oma 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01440000.VBN Infected: Trojan-Downloader.Win32.Zlob.bjhe 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01440000.VBN Infected: Trojan-Downloader.Win32.Zlob.bgzo 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01440000.VBN Infected: Trojan-Downloader.Win32.Zlob.bfea 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01440000.VBN Infected: Trojan-Downloader.Win32.Zlob.bfeb 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\021C0000\4A7FBB2D.VBN Infected: Rootkit.Win32.Agent.maf 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05CC0000.VBN Infected: Trojan-Downloader.Java.Agent.al 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C00000\4FF20D99.VBN Infected: Backdoor.Win32.Bredolab.els 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C00001\4FF20EBD.VBN Infected: Backdoor.Win32.Bredolab.els 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08240000\4A6D338D.VBN Infected: Virus.MSWord.Thus.ew 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08440000\4A67B3BE.VBN Infected: Rootkit.Win32.Agent.maf 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AA40000.VBN Infected: Trojan-Downloader.Win32.VB.qly 2

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AA40001.VBN Infected: Trojan-Downloader.Win32.VB.qly 2

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AB40000\4AF743D2.VBN Infected: Virus.MSWord.Thus.ew 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B240000\4B65CBFA.VBN Infected: Trojan-Downloader.Win32.VB.qly 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B240001\4B65CC6A.VBN Infected: Trojan-Downloader.Win32.VB.qly 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B240003\4B65E732.VBN Infected: Trojan-Downloader.Win32.VB.qly 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B240004\4B65E8C8.VBN Infected: Trojan-Downloader.Win32.VB.qly 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B240005\4B65E8DB.VBN Infected: Trojan-Downloader.Win32.VB.qly 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B240006\4B65E8E5.VBN Infected: Trojan-Downloader.Win32.VB.qly 1

Selected area has been scanned.

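The Kaspersky results above are a good illustration of why a raw detection list needs triage before anything is deleted: nearly every hit is either inside Symantec's own Quarantine folder (already-neutralised copies of earlier detections) or a "not-a-virus:" riskware flag on admin tools (VNC, TFTP) sitting in a backup of an old profile. The PowerShell below is an added example, not part of the original post or of any tool used in this thread; it parses lines of the form `<path> Infected: <detection> <count>` and sorts them into those buckets. The sample lines are constructed for the example: two follow the format of entries above, the third is a hypothetical live-path hit to show the "active" bucket.

```powershell
# Added example (not from the original post): triage Kaspersky-style
# "<path> Infected: <detection name> <count>" lines.
# Hits inside an AV quarantine store are already neutralised copies;
# "not-a-virus:" names are riskware (admin tools) that need a judgement
# call; anything else on a live path is what still needs attention.

function Get-ScanTriage {
    param(
        [Parameter(Mandatory=$true)] [string[]] $Lines,
        # Assumption: these patterns mark the quarantine store of the AV in use
        # (Symantec's folder name and .VBN container extension); adjust per product.
        [string[]] $QuarantinePatterns = @('\\Quarantine\\', '\.VBN$')
    )

    $pattern = '^(?<Path>.+?)\s+Infected:\s+(?<Name>\S+)\s+(?<Count>\d+)\s*$'

    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            # Copy captures now: the -match calls below overwrite $Matches
            $path  = $Matches['Path']
            $name  = $Matches['Name']
            $count = [int]$Matches['Count']

            $inQuarantine = $false
            foreach ($qp in $QuarantinePatterns) {
                if ($path -match $qp) { $inQuarantine = $true; break }
            }

            $category = if ($inQuarantine)                   { 'Quarantined (already neutralised)' }
                        elseif ($name -like 'not-a-virus:*') { 'Riskware (review: legitimate admin tool?)' }
                        else                                 { 'ACTIVE - investigate' }

            New-Object PSObject -Property @{
                Category  = $category
                Detection = $name
                Count     = $count
                Path      = $path
            }
        }
        # Lines that do not match (headers, "Selected area has been scanned.") are skipped
    }
}

# Constructed sample input: two lines in the format of the scan output above,
# one hypothetical live-path hit, and one trailer line that must be ignored.
$sample = @(
    'C:\Backup\User Accounts\jbrockman_old\Desktop\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 2',
    'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C00000\4FF20D99.VBN Infected: Backdoor.Win32.Bredolab.els 1',
    'C:\Example\hypothetical.dll Infected: Trojan-Downloader.Win32.Zlob.bfea 1',
    'Selected area has been scanned.'
)

Get-ScanTriage -Lines $sample |
    Group-Object Category |
    ForEach-Object {
        "{0}: {1} hit(s)" -f $_.Name, $_.Count
        $_.Group | ForEach-Object { "    {0}  <-  {1}" -f $_.Detection, $_.Path }
    }
```

To run it against a real log, replace `$sample` with `Get-Content .\scan.log`. The point of the exercise is the order of work: the "ACTIVE" bucket is the only one that changes the cleanup plan; quarantined items can be purged through the AV console, and riskware in a backup folder is a policy question, not an infection.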

DDS:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Administrator at 22:05:02.43 on Thu 05/20/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1371 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\program files\steam\steam.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [steam] "c:\program files\steam\steam.exe" -silent

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: shipdli.com\email

Trusted Zone: stkate.edu\cscmail2

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238539290765

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://zone.msn.com/bingame/feed/default/SproutLauncher.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\dzvve335.default\

FF - component: c:\program files\rapidsolution\tunebite\plugins\geckobased\tunebite-firefox-surf-and-catch-extension@audials.com\components\TB_WebRipFFPlugin.dll

FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\program files\rapidsolution\tunebite\plugins\geckobased\tunebite-firefox-surf-and-catch-extension@audials.com\plugins\np_TB_OgloPlugin.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-4 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100517.002\naveng.sys [2010-5-17 85552]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100517.002\navex15.sys [2010-5-17 1347504]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-20 136176]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-6-26 17408]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-05-19 17:15:58 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2010-05-19 17:15:58 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-05-19 17:15:57 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-05-19 17:15:57 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-05-19 17:15:53 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2010-05-19 17:15:53 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2010-05-19 03:39:51 0 d-sha-r- C:\cmdcons

2010-05-19 03:37:39 98816 ----a-w- c:\windows\sed.exe

2010-05-19 03:37:39 77312 ----a-w- c:\windows\MBR.exe

2010-05-19 03:37:39 256512 ----a-w- c:\windows\PEV.exe

2010-05-19 03:37:39 161792 ----a-w- c:\windows\SWREG.exe

2010-05-18 20:56:41 0 d-----w- C:\Backup

2010-05-18 03:14:43 411368 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-05-19 17:19:40 3328 ----a-w- c:\windows\system32\drivers\pciide.sys

2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-29 03:10:26 215152 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-04-29 02:35:30 137200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 22:05:23.96 ===============

Attach.zip


Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

NOTE: only do this ONCE, NOT on a regular basis.

Now let's uninstall ComboFix:

  • Click START then RUN
  • Now copy-paste Combofix /uninstall into the Run box and click OK

Please download OTC and save it to desktop.

  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of Windows has a hosts file as part of it.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!

    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here.

    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:

    1. Click the Start button (at the lower left hand corner of your screen).
    2. Click Run.
    3. In the dialog box, type services.msc.
    4. Hit Enter, then locate DNS Client.
    5. Highlight it, then double-click it.
    6. In the drop-down box, change the setting from Automatic to Manual.
    7. Click OK.

  • Run the Secunia vulnerability check here and fix its findings.

Just a final reminder for you. I am trying to stress these two points.

UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.

Make sure all of your security programs are up to date.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,

Blade :)

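The Internet Explorer hardening steps above map onto a handful of registry values in the Internet zone (zone 3) of the current user's Internet Settings key, which is how you would audit or push them across several machines rather than clicking through Custom Level on each one. The script below is an added example, not part of the original post; it reads those values, reports which differ from the settings recommended above, applies them only where needed, and finishes with the DNS Client change from the hosts-file tip. It assumes PowerShell 2.0 or later is installed (it is not part of a stock Windows XP install) and that the user has not been locked out of these values by a domain policy.

```powershell
# Added example (not from the original post): audit, and apply if needed,
# the Internet-zone settings recommended above by writing the registry
# values behind IE's Custom Level dialog instead of clicking through it.
# Zone 3 is the Internet zone; each action value is 0 = Enable, 1 = Prompt,
# 3 = Disable. Assumes PowerShell 2.0 or later is installed (it is not part
# of a stock Windows XP install).

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Registry value name -> dialog label and the setting recommended above
$Recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneAudit {
    param([string] $Key = $ZoneKey)
    $props = Get-ItemProperty -Path $Key
    foreach ($id in ($Recommended.Keys | Sort-Object)) {
        $current = $props.$id          # $null when the value is absent (IE default applies)
        $want    = $Recommended[$id].Want
        if ($null -eq $current) { $currentLabel = '(default)' }
        else                    { $currentLabel = $Labels[[int]$current] }
        New-Object PSObject -Property @{
            Id        = $id
            Setting   = $Recommended[$id].Name
            Current   = $currentLabel
            Wanted    = $Labels[$want]
            Compliant = ($null -ne $current) -and ([int]$current -eq $want)
        } | Select-Object Id, Setting, Current, Wanted, Compliant
    }
}

function Set-IEZoneHardening {
    param([string] $Key = $ZoneKey)
    foreach ($id in $Recommended.Keys) {
        Set-ItemProperty -Path $Key -Name $id -Value $Recommended[$id].Want -Type DWord
    }
}

# Show the current state, then fix only if something is out of line.
# HKCU values apply to the current user only; open a new IE window to see them.
Get-IEZoneAudit | Format-Table -AutoSize
if (Get-IEZoneAudit | Where-Object { -not $_.Compliant }) {
    Set-IEZoneHardening
    Get-IEZoneAudit | Format-Table -AutoSize
}

# The hosts-file tip above: set the DNS Client service to start manually so a
# large hosts file is not re-read into the resolver cache on every lookup.
# Needs an administrator session.
Set-Service -Name Dnscache -StartupType Manual
```

Two caveats a practitioner would want: the values live under HKCU, so the audit has to run as each user who browses on the machine, and IE's "Reset all zones to default level" button (or a domain GPO for the zone) silently undoes them, which is why re-running the audit after patch days is worth the ten seconds.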