
SID: 23615 Tidserv 2 Request



Hi,

I picked up Trojan.Hiloti, Malware.Packer.Gen, Trojan.Scar, Rootkit.Dropper, Rogue.AntimalwareDoctor & Trojan.FakeAlert yesterday. I ran several Malwarebytes scans and a full Norton scan and thought I had removed it. I even used the recovery console and overwrote the system files suggested by Norton, but I still get the popup from Norton that a tidserv request is being blocked. I have not gone anywhere requiring a password since the attack and used a never-before-used password to do a new registration here. Also, when I log into my network, it can't find my roaming profile and loads a local one instead.

Here are my logs:

Malwarebytes:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4201

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/16/2010 1:47:59 PM

mbam-log-2010-06-16 (13-47-59).txt

Scan type: Quick scan

Objects scanned: 218694

Time elapsed: 13 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Katrina at 12:39:42.86 on Wed 06/16/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1228 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Canon\DIAS\CnxDIAS.exe

C:\Program Files\Citrix\GoToMyPC\g2svc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Citrix\GoToMyPC\g2comm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Citrix\GoToMyPC\g2pre.exe

C:\Program Files\Citrix\GoToMyPC\g2tray.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Slacker\Software Player\slacker.tray.exe

C:\Program Files\Stickies\stickies.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\katrina.REXART\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.rexart.com/

uWindow Title =

mWindow Title =

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll

BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll

uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\katrina.rexart\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [nwiz] nwiz.exe /install

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [Alcmtr] ALCMTR.EXE

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [DMXLauncher] "c:\program files\sonic\product\media experience\DMXLauncher.exe"

mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

dRunOnce: [_Sym_MI_] "c:\temp\clt-inst\setup.exe" /qn /z /nosp

StartupFolder: c:\docume~1\katrin~1.rex\startm~1\programs\startup\hotsyn~1.lnk - \\sales-2\sales-2 c\program files\handspring\HOTSYNC.EXE

StartupFolder: c:\docume~1\katrin~1.rex\startm~1\programs\startup\slacke~1.lnk - c:\program files\slacker\software player\slacker.tray.exe

StartupFolder: c:\docume~1\katrin~1.rex\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\slacke~1.lnk - c:\program files\slacker\radio\slacker.tray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\katrin~1.rex\applic~1\mozilla\firefox\profiles\ng127ito.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.rexart.com

FF - plugin: c:\documents and settings\katrina.rexart\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {B86CBFE2-8581-4E21-9715-BFF7C2EF8906} - c:\documents and settings\katrina.rexart\local settings\application data\{B86CBFE2-8581-4E21-9715-BFF7C2EF8906}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-17 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-17 108392]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-10-17 1768376]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100615.022\NAVENG.SYS [2010-6-15 85552]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100615.022\NAVEX15.SYS [2010-6-15 1347504]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\coh_mon.sys [2009-10-17 23888]

S4 Dlaservtad;Dlaservtad; [x]

=============== Created Last 30 ================

2010-06-16 16:38:31 0 ----a-w- c:\documents and settings\katrina.rexart\defogger_reenable

2010-06-16 11:56:15 182912 ----a-w- c:\windows\system32\drivers\ndis.sys

2010-06-16 11:54:25 616960 ----a-w- c:\windows\system32\drivers\advapi32.dll

2010-06-16 11:53:32 95360 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-06-15 20:56:40 120 ----a-w- c:\windows\Ohujadebirit.dat

2010-06-15 20:56:40 0 ----a-w- c:\windows\Mdakiles.bin

2010-06-15 20:55:52 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys

2010-06-15 20:55:52 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys

2010-06-15 20:55:50 8192 ----a-w- c:\windows\system32\drivers\changer.sys

2010-06-15 20:55:50 8192 ----a-w- c:\windows\system32\dllcache\changer.sys

2010-06-15 20:54:40 0 d-----w- c:\docume~1\katrin~1.rex\applic~1\6056D0F78BE4937307A2237B14AF6BB8

2010-06-11 16:09:00 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

==================== Find3M ====================

2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-28 16:56:47 72080 ----a-w- c:\documents and settings\katrina.rexart\g2mdlhlpx.exe

2010-04-27 22:02:07 41360 ----a-w- c:\docume~1\katrin~1.rex\applic~1\GDIPFONTCACHEV1.DAT

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll

2010-04-08 19:47:03 108920 ----a-w- c:\documents and settings\katrina.rexart\g2ax_customer_downloadhelper_win32_x86.exe

2010-04-06 08:52:46 2462720 ----a-w- c:\windows\system32\dllcache\WMVCore.dll

2009-03-30 17:12:11 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009033020090331\index.dat

============= FINISH: 12:41:11.05 ===============

Thank you in advance for your help.

ark.zip

Attach.zip


Hello katm

Welcome to Malwarebytes.

=====================

Looking at your system now, one or more of the identified infections is a backdoor Trojan\Rootkit.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

====================

Download TDSSKiller and save it to your Desktop.

  • Right click on the file and choose Extract All, extract the file to your desktop, then run it.
  • If prompted to restart the computer, type in Y and it will restart.
  • Or, if you are prompted with a hidden service warning, do go ahead and delete it.
  • Once completed, it will create a log in your C:\ drive.
  • Please post the contents of that log.

========

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hi Kahdah,

Thank you so much for your quick reply. I ran TDSSKiller and it found one file. I also ran ComboFix. Here are the results:

ComboFix 10-06-15.04 - Katrina 06/16/2010 14:41:14.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1310 [GMT -4:00]

Running from: c:\documents and settings\katrina.REXART\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\katrina.REXART\Application Data\6056D0F78BE4937307A2237B14AF6BB8

c:\documents and settings\katrina.REXART\Application Data\6056D0F78BE4937307A2237B14AF6BB8\enemies-names.txt

c:\documents and settings\katrina.REXART\Application Data\6056D0F78BE4937307A2237B14AF6BB8\local.ini

c:\documents and settings\katrina.REXART\g2ax_customer_downloadhelper_win32_x86.exe

c:\documents and settings\katrina.REXART\g2mdlhlpx.exe

c:\documents and settings\katrina.REXART\Local Settings\Application Data\{B86CBFE2-8581-4E21-9715-BFF7C2EF8906}

c:\documents and settings\katrina.REXART\Local Settings\Application Data\{B86CBFE2-8581-4E21-9715-BFF7C2EF8906}\chrome.manifest

c:\documents and settings\katrina.REXART\Local Settings\Application Data\{B86CBFE2-8581-4E21-9715-BFF7C2EF8906}\chrome\content\_cfg.js

c:\documents and settings\katrina.REXART\Local Settings\Application Data\{B86CBFE2-8581-4E21-9715-BFF7C2EF8906}\chrome\content\overlay.xul

c:\documents and settings\katrina.REXART\Local Settings\Application Data\{B86CBFE2-8581-4E21-9715-BFF7C2EF8906}\install.rdf

c:\documents and settings\katrina.REXART\Recent\Thumbs.db

c:\documents and settings\katrina.REXART\Start Menu\Programs\Antimalware Doctor

c:\documents and settings\katrina.REXART\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk

c:\documents and settings\katrina.REXART\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk

c:\documents and settings\katrina\g2mdlhlpx.exe

c:\documents and settings\katrina\System

c:\documents and settings\katrina\System\win_qs7.jqx

c:\windows\xpsp1hfm.log

c:\windows\system32\gotomon.log . . . . failed to delete

.

((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))

.

2010-06-16 11:56 . 2004-08-03 23:14 182912 ----a-w- c:\windows\system32\drivers\ndis.sys

2010-06-16 11:54 . 2004-08-04 00:56 616960 ----a-w- c:\windows\system32\drivers\advapi32.dll

2010-06-16 11:53 . 2004-08-03 22:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-06-15 20:56 . 2010-06-15 20:56 120 ----a-w- c:\windows\Ohujadebirit.dat

2010-06-15 20:56 . 2010-06-15 20:56 0 ----a-w- c:\windows\Mdakiles.bin

2010-06-15 20:55 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys

2010-06-15 20:55 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys

2010-06-15 20:55 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys

2010-06-15 20:55 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys

2010-06-11 16:09 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-11 13:33 . 2010-06-10 18:08 61440 ----a-w- c:\documents and settings\marshall.REXART\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4478a08a-n\decora-sse.dll

2010-06-11 13:33 . 2010-06-10 18:08 503808 ----a-w- c:\documents and settings\marshall.REXART\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e52cd06-n\msvcp71.dll

2010-06-11 13:33 . 2010-06-10 18:08 499712 ----a-w- c:\documents and settings\marshall.REXART\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e52cd06-n\jmc.dll

2010-06-11 13:33 . 2010-06-10 18:08 348160 ----a-w- c:\documents and settings\marshall.REXART\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e52cd06-n\msvcr71.dll

2010-06-11 13:33 . 2010-06-10 18:08 12800 ----a-w- c:\documents and settings\marshall.REXART\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4478a08a-n\decora-d3d.dll

2010-06-11 13:33 . 2010-06-10 18:01 -------- d-----w- c:\documents and settings\marshall.REXART\Application Data\Foxit Software

2010-06-11 13:33 . 2010-06-09 22:29 -------- d-----w- c:\documents and settings\marshall.REXART\Application Data\Avira

2010-05-24 17:02 . 2010-05-24 17:02 503808 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7296fcd8-n\msvcp71.dll

2010-05-24 17:02 . 2010-05-24 17:02 499712 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7296fcd8-n\jmc.dll

2010-05-24 17:02 . 2010-05-24 17:02 348160 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7296fcd8-n\msvcr71.dll

2010-05-24 12:58 . 2010-05-24 12:58 -------- d-----w- c:\documents and settings\marshall.REXART\Application Data\Research In Motion

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-16 18:56 . 2009-03-20 17:03 -------- d-----w- c:\documents and settings\katrina.REXART\Application Data\stickies

2010-06-16 18:25 . 2004-08-04 02:59 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys

2010-06-15 00:12 . 2008-09-09 17:16 -------- d-----w- c:\documents and settings\katrina.REXART\Application Data\FileZilla

2010-06-10 18:36 . 2010-05-06 12:29 -------- d-----w- c:\documents and settings\marshall.REXART\Application Data\Windows Desktop Search

2010-06-09 22:00 . 2009-06-17 21:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-04 21:43 . 2008-04-24 20:20 256 ----a-w- c:\windows\system32\pool.bin

2010-06-03 18:15 . 2009-10-08 12:22 4086272 ----a-w- c:\documents and settings\marshall.REXART\Application Data\Endicia\DAZzle\setup.exe

2010-06-03 16:32 . 2008-08-20 17:52 4086272 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Endicia\DAZzle\setup.exe

2010-05-12 22:52 . 2010-05-11 22:37 69632 ----a-r- c:\documents and settings\katrina.REXART\Application Data\Microsoft\Installer\{EE024764-FA19-4CD4-AA9E-E06DE4B766E8}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe

2010-05-12 22:52 . 2010-05-11 22:37 49152 ----a-r- c:\documents and settings\katrina.REXART\Application Data\Microsoft\Installer\{EE024764-FA19-4CD4-AA9E-E06DE4B766E8}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe

2010-05-12 22:52 . 2010-05-11 22:37 49152 ----a-r- c:\documents and settings\katrina.REXART\Application Data\Microsoft\Installer\{EE024764-FA19-4CD4-AA9E-E06DE4B766E8}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe

2010-05-12 22:52 . 2010-05-11 22:37 69632 ----a-r- c:\documents and settings\katrina.REXART\Application Data\Microsoft\Installer\{EE024764-FA19-4CD4-AA9E-E06DE4B766E8}\DesktopMgr.exe

2010-05-12 22:52 . 2010-05-11 22:37 49152 ----a-r- c:\documents and settings\katrina.REXART\Application Data\Microsoft\Installer\{EE024764-FA19-4CD4-AA9E-E06DE4B766E8}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe

2010-05-11 23:33 . 2010-05-11 23:33 5258637 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Research In Motion\BlackBerry Media Sync\AutoUpdate\Updates\3.0.0.39\BlackBerryMediaSync.exe

2010-05-11 23:32 . 2008-05-30 00:01 -------- d-----w- c:\documents and settings\katrina.REXART\Application Data\Research In Motion

2010-05-11 22:46 . 2007-08-02 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio

2010-05-11 22:46 . 2007-08-02 14:39 -------- d-----w- c:\program files\Roxio

2010-05-11 22:46 . 2007-08-02 14:39 -------- d-----w- c:\program files\Common Files\Sonic Shared

2010-05-11 22:46 . 2007-08-02 14:39 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-05-11 22:40 . 2008-04-22 21:49 -------- d-----w- c:\program files\Research In Motion

2010-05-11 22:37 . 2010-05-11 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion

2010-05-11 22:37 . 2008-04-22 21:49 -------- d-----w- c:\program files\Common Files\Research In Motion

2010-05-06 16:00 . 2010-05-05 22:13 -------- d-----w- c:\program files\Windows Desktop Search

2010-05-06 10:41 . 2004-08-11 21:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-05 22:15 . 2010-05-05 22:15 -------- d-----w- c:\documents and settings\katrina.REXART\Application Data\Windows Desktop Search

2010-05-05 21:00 . 2008-09-09 17:13 -------- d-----w- c:\program files\FileZilla FTP Client

2010-05-02 05:22 . 2004-08-11 21:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 19:39 . 2009-06-17 21:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-06-17 21:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-28 21:51 . 2008-02-25 19:06 -------- d-----w- c:\program files\Citrix

2010-04-23 21:17 . 2008-07-08 20:09 41360 ----a-w- c:\documents and settings\katrina.REXART\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-22 20:49 . 2010-04-22 20:49 7358 ----a-r- c:\documents and settings\kat_install.REXART\Application Data\Microsoft\Installer\{71D7B62B-8E49-4842-B117-12D629670F28}\NewShortcut7_CE7B846F960449AEA912254330956304.exe

2010-04-22 20:49 . 2010-04-22 20:49 7358 ----a-r- c:\documents and settings\kat_install.REXART\Application Data\Microsoft\Installer\{71D7B62B-8E49-4842-B117-12D629670F28}\ARPPRODUCTICON.exe

2010-04-20 23:52 . 2010-04-20 23:52 -------- d-----w- c:\documents and settings\katrina.REXART\Application Data\Pyroto, Inc

2010-04-20 23:52 . 2010-04-20 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Pyroto, Inc

2010-04-20 05:30 . 2004-08-11 21:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-13 15:12 . 2010-03-22 19:38 79488 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-03-26 14:33 . 2010-04-08 17:33 1496064 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Mozilla\Firefox\Profiles\ng127ito.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

2010-03-26 14:33 . 2010-04-08 17:33 43008 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Mozilla\Firefox\Profiles\ng127ito.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2010-03-26 14:33 . 2010-04-08 17:33 339456 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Mozilla\Firefox\Profiles\ng127ito.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2010-03-26 14:32 . 2010-04-08 17:33 346112 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Mozilla\Firefox\Profiles\ng127ito.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2008-01-23 20:49 . 2008-01-23 20:49 62864 ----a-w- c:\program files\mozilla firefox\plugins\ateccli.dll

2008-01-23 20:48 . 2008-01-23 20:48 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2008-05-22 17:54 . 2008-01-23 20:48 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2008-01-23 20:49 . 2008-01-23 20:49 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2008-11-18 17:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

"Google Update"="c:\documents and settings\katrina.REXART\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-06 148888]

"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]

"nwiz"="nwiz.exe" [2007-06-29 1626112]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-16 271672]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]

"DMXLauncher"="c:\program files\Sonic\Product\Media Experience\DMXLauncher.exe" [2007-04-02 113400]

"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-17 115560]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_Sym_MI_"="c:\temp\Clt-Inst\setup.exe" [2009-10-17 300384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-8-24 113664]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]

2007-06-20 15:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=

"c:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 6:05 PM 102448]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\coh_mon.sys [10/17/2009 3:58 PM 23888]

S4 Dlaservtad;Dlaservtad; [x]

.

Contents of the 'Scheduled Tasks' folder

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1361088152-702637160-2373470872-1129Core.job

- c:\documents and settings\katrina.REXART\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:41]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1361088152-702637160-2373470872-1129UA.job

- c:\documents and settings\katrina.REXART\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:41]

2010-06-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-08-23 05:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.rexart.com/

mWindow Title =

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\katrina.REXART\Application Data\Mozilla\Firefox\Profiles\ng127ito.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.rexart.com

FF - plugin: c:\documents and settings\katrina.REXART\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)

SafeBoot-klmdb.sys

SafeBoot-Symantec Antvirus

AddRemove-Order Manager PDF Writer - c:\rexordermanager\\pdfwriter\uninstpw.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-16 14:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)

c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'lsass.exe'(1032)

c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(2324)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\windows\system32\CDRTC.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Canon\DIAS\CnxDIAS.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Citrix\GoToMyPC\g2comm.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Citrix\GoToMyPC\g2pre.exe

c:\program files\Citrix\GoToMyPC\g2tray.exe

c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\RUNDLL32.EXE

c:\program files\Windows Desktop Search\WindowsSearch.exe

c:\program files\Slacker\Software Player\slacker.tray.exe

c:\program files\Stickies\stickies.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\SearchProtocolHost.exe

c:\windows\system32\SearchFilterHost.exe

c:\program files\Java\jre6\bin\jucheck.exe

.

**************************************************************************

.

Completion time: 2010-06-16 15:02:01 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-16 19:01

Pre-Run: 33,249,038,336 bytes free

Post-Run: 38,508,371,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - EC5723CF2809B23C66928DEFEBD22516

I am on another computer changing passwords. How does the program gather passwords? From the second I got the virus I ceased all browser activity requiring me to enter passwords, so I'm hopeful that none were transmitted. However, if they transfer my Firefox saved passwords that's another story.

Thank you again.


I am on another computer changing passwords. How does the program gather passwords? From the second I got the virus I ceased all browser activity requiring me to enter passwords, so I'm hopeful that none were transmitted. However, if they transfer my Firefox saved passwords that's another story.
That is good that you stopped.

I wasn't saying they always do but just to take precaution to change the passwords.

They can use key-logging techniques to retrieve the information or intercept web pages you visit.

Not saying it has happened but just to let you know about its capabilities.

=====================

1. Please open Notepad

  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\Ohujadebirit.dat
c:\windows\Mdakiles.bin

Driver::
Dlaservtad

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScriptB-4.gif]

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

=============


Hi Kadah,

Thanks for your reply. I ran the script. Here is my log:

ComboFix 10-06-16.04 - Katrina 06/17/2010 12:18:45.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1244 [GMT -4:00]

Running from: c:\documents and settings\katrina.REXART\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\katrina.REXART\Desktop\CFScript.txt

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

FILE ::

"c:\windows\Mdakiles.bin"

"c:\windows\Ohujadebirit.dat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Mdakiles.bin

c:\windows\Ohujadebirit.dat

c:\windows\system32\gotomon.log

c:\windows\system32\win.com

c:\windows\system32\gotomon.log . . . . failed to delete

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_Dlaservtad

((((((((((((((((((((((((( Files Created from 2010-05-17 to 2010-06-17 )))))))))))))))))))))))))))))))

.

2010-06-16 11:56 . 2004-08-03 23:14 182912 ----a-w- c:\windows\system32\drivers\ndis.sys

2010-06-16 11:54 . 2004-08-04 00:56 616960 ----a-w- c:\windows\system32\drivers\advapi32.dll

2010-06-16 11:53 . 2004-08-03 22:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-06-15 20:55 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys

2010-06-15 20:55 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys

2010-06-15 20:55 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys

2010-06-15 20:55 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys

2010-06-11 16:09 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-11 13:33 . 2010-06-10 18:01 -------- d-----w- c:\documents and settings\marshall.REXART\Application Data\Foxit Software

2010-06-11 13:33 . 2010-06-09 22:29 -------- d-----w- c:\documents and settings\marshall.REXART\Application Data\Avira

2010-05-24 12:58 . 2010-05-24 12:58 -------- d-----w- c:\documents and settings\marshall.REXART\Application Data\Research In Motion

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-17 16:28 . 2009-03-20 17:03 -------- d-----w- c:\documents and settings\katrina.REXART\Application Data\stickies

2010-06-16 18:25 . 2004-08-04 02:59 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys

2010-06-15 00:12 . 2008-09-09 17:16 -------- d-----w- c:\documents and settings\katrina.REXART\Application Data\FileZilla

2010-06-10 18:36 . 2010-05-06 12:29 -------- d-----w- c:\documents and settings\marshall.REXART\Application Data\Windows Desktop Search

2010-06-10 18:08 . 2010-06-11 13:33 61440 ----a-w- c:\documents and settings\marshall.REXART\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4478a08a-n\decora-sse.dll

2010-06-10 18:08 . 2010-06-11 13:33 503808 ----a-w- c:\documents and settings\marshall.REXART\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e52cd06-n\msvcp71.dll

2010-06-10 18:08 . 2010-06-11 13:33 499712 ----a-w- c:\documents and settings\marshall.REXART\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e52cd06-n\jmc.dll

2010-06-10 18:08 . 2010-06-11 13:33 348160 ----a-w- c:\documents and settings\marshall.REXART\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e52cd06-n\msvcr71.dll

2010-06-10 18:08 . 2010-06-11 13:33 12800 ----a-w- c:\documents and settings\marshall.REXART\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4478a08a-n\decora-d3d.dll

2010-06-09 22:00 . 2009-06-17 21:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-04 21:43 . 2008-04-24 20:20 256 ----a-w- c:\windows\system32\pool.bin

2010-06-03 18:15 . 2009-10-08 12:22 4086272 ----a-w- c:\documents and settings\marshall.REXART\Application Data\Endicia\DAZzle\setup.exe

2010-06-03 16:32 . 2008-08-20 17:52 4086272 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Endicia\DAZzle\setup.exe

2010-05-24 17:02 . 2010-05-24 17:02 503808 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7296fcd8-n\msvcp71.dll

2010-05-24 17:02 . 2010-05-24 17:02 499712 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7296fcd8-n\jmc.dll

2010-05-24 17:02 . 2010-05-24 17:02 348160 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7296fcd8-n\msvcr71.dll

2010-05-12 22:52 . 2010-05-11 22:37 69632 ----a-r- c:\documents and settings\katrina.REXART\Application Data\Microsoft\Installer\{EE024764-FA19-4CD4-AA9E-E06DE4B766E8}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe

2010-05-12 22:52 . 2010-05-11 22:37 49152 ----a-r- c:\documents and settings\katrina.REXART\Application Data\Microsoft\Installer\{EE024764-FA19-4CD4-AA9E-E06DE4B766E8}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe

2010-05-12 22:52 . 2010-05-11 22:37 49152 ----a-r- c:\documents and settings\katrina.REXART\Application Data\Microsoft\Installer\{EE024764-FA19-4CD4-AA9E-E06DE4B766E8}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe

2010-05-12 22:52 . 2010-05-11 22:37 69632 ----a-r- c:\documents and settings\katrina.REXART\Application Data\Microsoft\Installer\{EE024764-FA19-4CD4-AA9E-E06DE4B766E8}\DesktopMgr.exe

2010-05-12 22:52 . 2010-05-11 22:37 49152 ----a-r- c:\documents and settings\katrina.REXART\Application Data\Microsoft\Installer\{EE024764-FA19-4CD4-AA9E-E06DE4B766E8}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe

2010-05-11 23:33 . 2010-05-11 23:33 5258637 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Research In Motion\BlackBerry Media Sync\AutoUpdate\Updates\3.0.0.39\BlackBerryMediaSync.exe

2010-05-11 23:32 . 2008-05-30 00:01 -------- d-----w- c:\documents and settings\katrina.REXART\Application Data\Research In Motion

2010-05-11 22:46 . 2007-08-02 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio

2010-05-11 22:46 . 2007-08-02 14:39 -------- d-----w- c:\program files\Roxio

2010-05-11 22:46 . 2007-08-02 14:39 -------- d-----w- c:\program files\Common Files\Sonic Shared

2010-05-11 22:46 . 2007-08-02 14:39 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-05-11 22:40 . 2008-04-22 21:49 -------- d-----w- c:\program files\Research In Motion

2010-05-11 22:37 . 2010-05-11 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion

2010-05-11 22:37 . 2008-04-22 21:49 -------- d-----w- c:\program files\Common Files\Research In Motion

2010-05-06 16:00 . 2010-05-05 22:13 -------- d-----w- c:\program files\Windows Desktop Search

2010-05-06 10:41 . 2004-08-11 21:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-05 22:15 . 2010-05-05 22:15 -------- d-----w- c:\documents and settings\katrina.REXART\Application Data\Windows Desktop Search

2010-05-05 21:00 . 2008-09-09 17:13 -------- d-----w- c:\program files\FileZilla FTP Client

2010-05-02 05:22 . 2004-08-11 21:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 19:39 . 2009-06-17 21:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-06-17 21:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-28 21:51 . 2008-02-25 19:06 -------- d-----w- c:\program files\Citrix

2010-04-23 21:17 . 2008-07-08 20:09 41360 ----a-w- c:\documents and settings\katrina.REXART\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-22 20:49 . 2010-04-22 20:49 7358 ----a-r- c:\documents and settings\kat_install.REXART\Application Data\Microsoft\Installer\{71D7B62B-8E49-4842-B117-12D629670F28}\NewShortcut7_CE7B846F960449AEA912254330956304.exe

2010-04-22 20:49 . 2010-04-22 20:49 7358 ----a-r- c:\documents and settings\kat_install.REXART\Application Data\Microsoft\Installer\{71D7B62B-8E49-4842-B117-12D629670F28}\ARPPRODUCTICON.exe

2010-04-20 23:52 . 2010-04-20 23:52 -------- d-----w- c:\documents and settings\katrina.REXART\Application Data\Pyroto, Inc

2010-04-20 23:52 . 2010-04-20 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Pyroto, Inc

2010-04-20 05:30 . 2004-08-11 21:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-13 15:12 . 2010-03-22 19:38 79488 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-03-26 14:33 . 2010-04-08 17:33 1496064 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Mozilla\Firefox\Profiles\ng127ito.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

2010-03-26 14:33 . 2010-04-08 17:33 43008 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Mozilla\Firefox\Profiles\ng127ito.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2010-03-26 14:33 . 2010-04-08 17:33 339456 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Mozilla\Firefox\Profiles\ng127ito.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2010-03-26 14:32 . 2010-04-08 17:33 346112 ----a-w- c:\documents and settings\katrina.REXART\Application Data\Mozilla\Firefox\Profiles\ng127ito.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2008-01-23 20:49 . 2008-01-23 20:49 62864 ----a-w- c:\program files\mozilla firefox\plugins\ateccli.dll

2008-01-23 20:48 . 2008-01-23 20:48 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2008-05-22 17:54 . 2008-01-23 20:48 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2008-01-23 20:49 . 2008-01-23 20:49 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2008-11-18 17:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

"Google Update"="c:\documents and settings\katrina.REXART\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-06 148888]

"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]

"nwiz"="nwiz.exe" [2007-06-29 1626112]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-16 271672]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-01-15 37376]

"DMXLauncher"="c:\program files\Sonic\Product\Media Experience\DMXLauncher.exe" [2007-04-02 113400]

"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-17 115560]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_Sym_MI_"="c:\temp\Clt-Inst\setup.exe" [2009-10-17 300384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-8-24 113664]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]

2007-06-20 15:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=

"c:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 6:05 PM 102448]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\coh_mon.sys [10/17/2009 3:58 PM 23888]

.

Contents of the 'Scheduled Tasks' folder

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1361088152-702637160-2373470872-1129Core.job

- c:\documents and settings\katrina.REXART\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:41]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1361088152-702637160-2373470872-1129UA.job

- c:\documents and settings\katrina.REXART\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:41]

2010-06-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-08-23 05:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.rexart.com/

mWindow Title =

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\katrina.REXART\Application Data\Mozilla\Firefox\Profiles\ng127ito.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.rexart.com

FF - plugin: c:\documents and settings\katrina.REXART\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-17 12:27

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)

c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'lsass.exe'(1032)

c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3704)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\windows\system32\CDRTC.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Canon\DIAS\CnxDIAS.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Citrix\GoToMyPC\g2comm.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

c:\program files\Citrix\GoToMyPC\g2pre.exe

c:\program files\Citrix\GoToMyPC\g2tray.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\RUNDLL32.EXE

c:\windows\system32\SearchProtocolHost.exe

c:\program files\Windows Desktop Search\WindowsSearch.exe

c:\program files\Slacker\Software Player\slacker.tray.exe

c:\program files\Stickies\stickies.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Java\jre6\bin\jucheck.exe

c:\windows\system32\SearchFilterHost.exe

.

**************************************************************************

.

Completion time: 2010-06-17 12:34:06 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-17 16:34

ComboFix2.txt 2010-06-16 19:02

Pre-Run: 38,501,515,264 bytes free

Post-Run: 38,367,813,632 bytes free

- - End Of File - - 7DA5F6482D88238A87F8649081247BDD

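The "DLLs Loaded Under Running Processes" section above is the part of a ComboFix log a responder reads first on a suspected Tidserv case, because modules injected into winlogon.exe or lsass.exe are a classic user-mode foothold. Below is an added example of how to triage that section automatically; it is not ComboFix's code and not part of the thread. The list of sensitive processes and the trusted path prefixes are assumptions chosen for the example, and the sample input is constructed from the entries posted above.

```python
"""Triage helper for the "DLLs Loaded Under Running Processes" section of a
ComboFix log.  Added example for this thread; it is not ComboFix's own code.

It parses the section format shown in the log above and lists, for a set of
processes that are common injection targets, every module that is not loaded
from the Windows system directory.  Such entries are review candidates, not
verdicts: the two hits in the sample below belong to GoToMyPC and Bonjour.
"""
import re

# Processes where an unexpected module deserves a second look (assumed list).
SENSITIVE_PROCESSES = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe"}

# Module locations treated as expected for Windows-owned processes (assumed).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Matches the process header lines, e.g. "- - - - - - - > 'lsass.exe'(1032)".
_PROCESS_HEADER = re.compile(r"^[- ]+> '([^']+)'\((\d+)\)$")

# Sample input, constructed for this example: the winlogon.exe, lsass.exe and
# two explorer.exe entries are copied from the log posted above; the section
# rules and the trailing "Other Running Processes" block follow ComboFix's layout.
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)

c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'lsass.exe'(1032)

c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3704)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

.

------------------------ Other Running Processes ------------------------

c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
"""


def parse_dll_section(log_text):
    """Return {(process_name, pid): [module paths]} for the DLL section only."""
    loaded = {}
    current = None
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("-----"):
            # Section rule: enter on the DLL header, leave on any later one.
            if "DLLs Loaded Under Running Processes" in line:
                in_section = True
                continue
            if in_section:
                break
            continue
        if not in_section:
            continue
        match = _PROCESS_HEADER.match(line)
        if match:
            current = (match.group(1).lower(), int(match.group(2)))
            loaded[current] = []
        elif current is not None:
            loaded[current].append(line)
    return loaded


def flag_for_review(loaded):
    """Return [(process, pid, module)] for non-system modules in sensitive processes."""
    hits = []
    for (name, pid), modules in loaded.items():
        if name not in SENSITIVE_PROCESSES:
            continue
        for module in modules:
            if not module.lower().startswith(TRUSTED_PREFIXES):
                hits.append((name, pid, module))
    return hits


if __name__ == "__main__":
    for name, pid, module in flag_for_review(parse_dll_section(SAMPLE_LOG)):
        print(f"review: {module} loaded in {name} (pid {pid})")
```

On this log the script flags G2WinLogon.dll in winlogon.exe and mdnsNSP.dll in lsass.exe. Both belong to installed products (GoToMyPC's logon extension and Bonjour's name-service provider), so the right follow-up is to verify each file's signature and hash rather than delete it. Note what the listing cannot show: a kernel-mode component, which is where the TDSS/Tidserv family lives, leaves no user-mode DLL here, and the catchme result "hidden files: 0" only means that one scanner found nothing, which is why a rebuild from a clean install is a reasonable decision when a driver-level rootkit is suspected.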

Hi Kadah,

I think I'm going to reformat just to be safe. Luckily, I keep a data partition, so all I have to do is reinstall the OS and programs. A pain, but not as much of a pain as trying to get rid of the virus and then hoping it isn't lurking somewhere. I thank you for all your help! You guys truly do a wonderful thing.


  • 3 weeks later...
This topic is now closed to further replies.