Jump to content

AV Security Suite is being a pain


Recommended Posts

Good day folks, I have been having problems deleting the AV security suit virus on my windows XP laptop. I have been following this guide with no success. For some reason no other programs will open. I have tried reinstalling malware-bytes and it still does not allow me to open the program. I have also tried generating a randomly named MBAM.exe program but AV security suite will still not allow me to open it. Both times I still get the warning window saying the file is infected, and clicking "yes" opens up the AV Security "Website" or "no" does nothing. I have been searching the forums frantically for a solution, but it seems that all other problems regarding this specific malware were solved without an issue of opening up malware-bytes. Any suggestions would be greatly appreciated as I would like to have peace of mind as I need to check my college class grades and order a book online. Thanks in advance.

Link to post
Share on other sites

  • Replies 56
  • Created
  • Last Reply

Top Posters In This Topic

Hi,

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

    [*]Save both reports to your desktop. Post them back to your topic.

--

Download GMER here by clicking download exe -button and then saving it your desktop:

  • Double-click .exe that you downloaded
  • Click rootkit-tab, uncheck files option and then click scan.
  • Don't check
    Show All
    box while scanning in progress!
  • When scanning is ready, click Copy.
  • This copies log to clipboard
  • Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply.

Link to post
Share on other sites

Hi,

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

    [*]Save both reports to your desktop. Post them back to your topic.

--

Download GMER here by clicking download exe -button and then saving it your desktop:

  • Double-click .exe that you downloaded
  • Click rootkit-tab, uncheck files option and then click scan.
  • Don't check
    Show All
    box while scanning in progress!
  • When scanning is ready, click Copy.
  • This copies log to clipboard
  • Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply.

Thank you and my apologies for any delays, I finally found out the miracles of safe mode with networkingAttach.rar. Here is the DDS and Attach Logs, I am doing the GMER scan as I am posting this.

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK

Run by SergioM at 15:30:34.57 on Thu 06/24/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1460 [GMT -7:00]

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\SergioM\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://myspace.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-

US&ie=utf8&oe=utf8

mDefault_Page_URL = hxxp://www.yahoo.com/

mDefault_Search_URL = hxxp://www.google.com/ie

mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: H - No File

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1

\mcieplg.dll

BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common

files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"

uRun: [bitTorrent DNA] "c:\program files\dna\btdna.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [akoceddm] c:\documents and settings\sergiom\local settings\application data\khxuuhlat\mlealowtssd.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe

mRun: [RecGuard] c:\windows\sminst\RecGuard.exe

mRun: [Reminder] c:\windows\creator\Remind_XP.exe

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe

mRun: [HPHmon03] c:\windows\system32\hphmon03.exe

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\photosmart\hp share-to-web\hpgs2wnd.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE /P30 "EPSON Stylus

Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [MioNet] c:\program files\mionet\MioNetLauncher.exe /p

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-

2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-

2f227fca9a08}\AlertEng.dll"

mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [EPSON Stylus C42 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series"

/O6 "USB002" /M "Stylus C42"

mRun: [Vgihaxeyuv] rundll32.exe "c:\windows\ufekalibikixe.dll",Startup

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [akoceddm] c:\documents and settings\sergiom\local settings\application data\khxuuhlat\mlealowtssd.exe

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

mRunServices: [internet Explorer] iexplore.exe

StartupFolder: c:\docume~1\sergiom\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3

\program\quickstart.exe

StartupFolder: c:\docume~1\sergiom\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess

manager\VZAccess Manager.exe

StartupFolder: c:\docume~1\sergiom\startm~1\programs\startup\yahoo!~1.lnk - c:\program

files\pixoria\konfabulator\YahooWidgetEngine.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppavi~1.lnk - c:\program files\hewlett-packard\hp pavilion

webcam\HPWebcam.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital

imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdanyw~1.lnk - c:\windows\installer\{649c4b1a-6a76-499a-

9aec-0c9530fa7d2c}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe

uPolicies-disallowrun: 4 = kav.eng

mPolicies-system: EnableLUA = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1

\INetRepl.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -

hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: navnet - {AD6E5643-7B0C-46AA-95AD-9773FF2A857A} - c:\program files\navnetapp\ComUtilities.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: srrqiq.dll drxfiy.dll szuvxy.dll swfsoc.dll yaqney.dll szsbdh.dll hddhqs.dll tohivivo.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnoOFyy

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sergiom\applic~1\mozilla\firefox\profiles\kww5uh4e.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\documents and settings\sergiom\application

data\mozilla\firefox\profiles\kww5uh4e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\documents and settings\sergiom\application

data\mozilla\firefox\profiles\kww5uh4e.default\extensions\capturefoxmovie@advancity.net\components\capturefoxxpi_win32.dll

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}

\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\sergiom\local settings\application data\yahoo!\browserplus\2.8.1

\plugins\npybrowserplus_2.8.1.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} -

c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {E7B50D0C-095D-4BE6-A5A9-CCB380ED3F32} - c:\documents and settings\sergiom\local

settings\application data\{E7B50D0C-095D-4BE6-A5A9-CCB380ED3F32}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-

0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-

0006-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-

0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-

0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-

0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-

0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref

("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name",

"chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-

3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

S0 loqhj;loqhj; [x]

S0 oggikyq;oggikyq;c:\windows\system32\drivers\iqqvgx.sys --> c:\windows\system32\drivers\iqqvgx.sys [?]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-20 93320]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S2 MioNet;MioNet;c:\program files\mionet\MioNetManager.exe [2008-1-14 139264]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-22

24652]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5u870cap.sys [2006-6-6 61952]

S3 Agpstubio;Agpstubio; [x]

S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2001-8-3 18864]

S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des

-service [?]

S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-13 50048]

=============== Created Last 30 ================

2010-05-27 17:50:06 0 dc----w- c:\program files\NavNetApp

2010-05-27 17:50:06 0 dc----w- c:\docume~1\sergiom\applic~1\NavNet Solutions

==================== Find3M ====================

2010-06-22 05:03:53 2520 -c--a-w- c:\windows\Ugoyiyawevanuz.dat

2010-04-29 22:39:38 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39:26 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys

2010-04-08 20:20:02 91424 -c--a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20:02 107808 -c--a-w- c:\windows\system32\dns-sd.exe

2006-03-16 04:00:00 94784 -csh--w- c:\windows\twain.dll

2008-04-14 00:12:07 50688 -csh--w- c:\windows\twain_32.dll

2008-04-14 00:12:01 57344 -csh--w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12:02 551936 -csh--w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12:02 84992 -csha-w- c:\windows\system32\olepro32.dll

2008-04-14 00:12:32 11776 -csh--w- c:\windows\system32\regsvr32.exe

2009-02-01 17:23:39 277100 -csha-w- c:\windows\system32\yyFOonmp.ini2

============= FINISH: 15:31:34.85 ===============

Link to post
Share on other sites

Here is the GMER log, thanks again!

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-24 15:58:26

Windows 5.1.2600 Service Pack 3

Running: 545b51sp.exe; Driver: C:\DOCUME~1\SergioM\LOCALS~1\Temp\pxtdypob.sys

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1844] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F6C563FC] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F6C56458] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F6C56684] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)

IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F6C56684] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)

IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F6C566B2] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)

IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F6C563FC] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)

IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F6C56458] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Cdfs \Cdfs F395B400

---- EOF - GMER 1.0.15 ----

Link to post
Share on other sites

Hi,

Please use t_reply.gif -button while replying to not quote previous post in your reply.

Before following next steps make sure word wrap in notepad is disabled. That makes next logs more readable. Then re-run DDS and post both dds.txt and attach.txt log contents back here.

Link to post
Share on other sites

*Fixed DDS and Attach logs without word wrap on notepad.*

Attach.rar

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK

Run by SergioM at 15:10:17.93 on Fri 06/25/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1429 [GMT -7:00]

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\SergioM\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://myspace.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mDefault_Page_URL = hxxp://www.yahoo.com/

mDefault_Search_URL = hxxp://www.google.com/ie

mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: H - No File

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"

uRun: [bitTorrent DNA] "c:\program files\dna\btdna.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [akoceddm] c:\documents and settings\sergiom\local settings\application data\khxuuhlat\mlealowtssd.exe

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe

mRun: [RecGuard] c:\windows\sminst\RecGuard.exe

mRun: [Reminder] c:\windows\creator\Remind_XP.exe

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe

mRun: [HPHmon03] c:\windows\system32\hphmon03.exe

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\photosmart\hp share-to-web\hpgs2wnd.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [MioNet] c:\program files\mionet\MioNetLauncher.exe /p

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [EPSON Stylus C42 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB002" /M "Stylus C42"

mRun: [Vgihaxeyuv] rundll32.exe "c:\windows\ufekalibikixe.dll",Startup

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [akoceddm] c:\documents and settings\sergiom\local settings\application data\khxuuhlat\mlealowtssd.exe

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

mRunServices: [internet Explorer] iexplore.exe

StartupFolder: c:\docume~1\sergiom\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\sergiom\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe

StartupFolder: c:\docume~1\sergiom\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\pixoria\konfabulator\YahooWidgetEngine.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppavi~1.lnk - c:\program files\hewlett-packard\hp pavilion webcam\HPWebcam.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdanyw~1.lnk - c:\windows\installer\{649c4b1a-6a76-499a-9aec-0c9530fa7d2c}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe

uPolicies-disallowrun: 4 = kav.eng

mPolicies-system: EnableLUA = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: navnet - {AD6E5643-7B0C-46AA-95AD-9773FF2A857A} - c:\program files\navnetapp\ComUtilities.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: srrqiq.dll drxfiy.dll szuvxy.dll swfsoc.dll yaqney.dll szsbdh.dll hddhqs.dll tohivivo.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnoOFyy

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sergiom\applic~1\mozilla\firefox\profiles\kww5uh4e.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\documents and settings\sergiom\application data\mozilla\firefox\profiles\kww5uh4e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\documents and settings\sergiom\application data\mozilla\firefox\profiles\kww5uh4e.default\extensions\capturefoxmovie@advancity.net\components\capturefoxxpi_win32.dll

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\sergiom\local settings\application data\yahoo!\browserplus\2.8.1\plugins\npybrowserplus_2.8.1.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {E7B50D0C-095D-4BE6-A5A9-CCB380ED3F32} - c:\documents and settings\sergiom\local settings\application data\{E7B50D0C-095D-4BE6-A5A9-CCB380ED3F32}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

S0 loqhj;loqhj; [x]

S0 oggikyq;oggikyq;c:\windows\system32\drivers\iqqvgx.sys --> c:\windows\system32\drivers\iqqvgx.sys [?]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-20 93320]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S2 MioNet;MioNet;c:\program files\mionet\MioNetManager.exe [2008-1-14 139264]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-22 24652]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5u870cap.sys [2006-6-6 61952]

S3 Agpstubio;Agpstubio; [x]

S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2001-8-3 18864]

S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-7 38224]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-13 50048]

=============== Created Last 30 ================

2010-05-27 17:50:06 0 dc----w- c:\program files\NavNetApp

2010-05-27 17:50:06 0 dc----w- c:\docume~1\sergiom\applic~1\NavNet Solutions

==================== Find3M ====================

2010-06-22 05:03:53 2520 -c--a-w- c:\windows\Ugoyiyawevanuz.dat

2010-04-29 22:39:38 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39:26 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys

2010-04-08 20:20:02 91424 -c--a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20:02 107808 -c--a-w- c:\windows\system32\dns-sd.exe

2006-03-16 04:00:00 94784 -csh--w- c:\windows\twain.dll

2008-04-14 00:12:07 50688 -csh--w- c:\windows\twain_32.dll

2008-04-14 00:12:01 57344 -csh--w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12:02 551936 -csh--w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12:02 84992 -csha-w- c:\windows\system32\olepro32.dll

2008-04-14 00:12:32 11776 -csh--w- c:\windows\system32\regsvr32.exe

2009-02-01 17:23:39 277100 -csha-w- c:\windows\system32\yyFOonmp.ini2

============= FINISH: 15:12:05.29 ===============

Link to post
Share on other sites

I was actually able to run Malware-Bytes and it looks like it scanned and can remove(I have not restarted my computer yet) the infected items. I am not sure if these are all the issues that I was having. Here is the log for reference.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4241

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 6.0.2900.5512

6/25/2010 4:28:13 PM

mbam-log-2010-06-25 (16-28-13).txt

Scan type: Full scan (C:\|D:\|E:\|)

Objects scanned: 247936

Time elapsed: 1 hour(s), 17 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\akoceddm (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\akoceddm (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\SergioM\Local Settings\Application Data\khxuuhlat\mlealowtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Hi again,

BitTorrent

DNA

MakeTorrent

Above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and other if present) P2P file sharing programs.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Link to post
Share on other sites

You are right, honestly, I forgot I even had those programs still. No more torrents for me, I will uninstall those programs promptly. Combofix was a success, here is the log file. Thank you once more.

ComboFix 10-06-27.03 - SergioM 06/27/2010 23:33:22.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1563 [GMT -7:00]

Running from: c:\documents and settings\SergioM\Desktop\ComboFix.exe

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\SergioM\Local Settings\Application Data\{E7B50D0C-095D-4BE6-A5A9-CCB380ED3F32}

c:\documents and settings\SergioM\Local Settings\Application Data\{E7B50D0C-095D-4BE6-A5A9-CCB380ED3F32}\chrome.manifest

c:\documents and settings\SergioM\Local Settings\Application Data\{E7B50D0C-095D-4BE6-A5A9-CCB380ED3F32}\chrome\content\_cfg.js

c:\documents and settings\SergioM\Local Settings\Application Data\{E7B50D0C-095D-4BE6-A5A9-CCB380ED3F32}\chrome\content\overlay.xul

c:\documents and settings\SergioM\Local Settings\Application Data\{E7B50D0C-095D-4BE6-A5A9-CCB380ED3F32}\install.rdf

C:\SUD

c:\sud\SSOW\DesKTop.ini

c:\windows\system32\23204.exe

c:\windows\system32\24304.exe

c:\windows\system32\29624.exe

c:\windows\system32\ajbqggeq.ini

c:\windows\system32\akkypjct.ini

c:\windows\system32\bkkkywjm.ini

c:\windows\system32\bwqgvwku.dll

c:\windows\system32\ddflusnp.ini

c:\windows\system32\drivers\kekrn.sys

c:\windows\system32\drivers\ndisrd.sys

c:\windows\system32\edyxiebx.ini

c:\windows\system32\elubiqud.ini

c:\windows\system32\eynbvpqd.ini

c:\windows\system32\gvgpqyhi.ini

c:\windows\system32\hwbtkdsl.ini

c:\windows\system32\knmfacek.ini

c:\windows\system32\ljqjypwb.ini

c:\windows\system32\mmsfhcqs.ini

c:\windows\system32\mtkypdow.ini

c:\windows\system32\ndisapi.dll

c:\windows\system32\ndsitfna.ini

c:\windows\system32\onlsjtwf.ini

c:\windows\system32\pukeygqt.ini

c:\windows\system32\ricfcwxv.ini

c:\windows\system32\taygneam.ini

c:\windows\system32\tmeusjyy.ini

c:\windows\system32\umkwkyoc.ini

c:\windows\system32\upvrnbsr.ini

c:\windows\system32\vplhapgk.ini

c:\windows\system32\wddxfsyx.ini

c:\windows\system32\wrquvupb.ini

c:\windows\system32\ybuykxoc.ini

c:\windows\system32\yltsctgo.dll

c:\windows\system32\yyFOonmp.ini

c:\windows\system32\yyFOonmp.ini2

c:\windows\ufekalibikixe.dll

c:\windows\xpsp1hfm.log

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NDISRD

-------\Legacy_SSHNAS

-------\Service_NDISRD

-------\Service_plbx

((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))

.

2010-06-21 19:26 . 2010-06-25 23:28 -------- dc----w- c:\documents and settings\SergioM\Local Settings\Application Data\khxuuhlat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-28 06:43 . 2008-10-22 23:21 -------- dc----w- c:\program files\DNA

2010-06-28 06:43 . 2008-10-22 23:21 -------- dc----w- c:\documents and settings\SergioM\Application Data\DNA

2010-06-28 06:42 . 2009-01-01 07:19 -------- dc----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-06-22 05:03 . 2009-12-07 19:18 2520 -c--a-w- c:\windows\Ugoyiyawevanuz.dat

2010-06-21 20:12 . 2009-04-07 18:11 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-21 19:02 . 2009-12-07 19:18 0 -c--a-w- c:\windows\Wpiboq.bin

2010-06-14 18:52 . 2008-12-25 18:26 -------- dc----w- c:\program files\MioNet

2010-06-08 21:29 . 2008-06-04 00:51 -------- dc----w- c:\documents and settings\SergioM\Application Data\U3

2010-06-05 01:01 . 2010-04-06 07:19 -------- dc----w- c:\program files\Ask.com

2010-05-27 17:50 . 2010-05-27 17:50 -------- dc----w- c:\program files\NavNetApp

2010-05-27 17:50 . 2010-05-27 17:50 -------- dc----w- c:\documents and settings\SergioM\Application Data\NavNet Solutions

2010-05-17 23:28 . 2007-06-02 00:29 -------- dc----w- c:\program files\iTunes

2010-05-17 23:27 . 2006-12-26 08:56 -------- dc----w- c:\program files\iPod

2010-05-17 23:27 . 2007-07-19 00:22 -------- dc----w- c:\program files\Common Files\Apple

2010-05-17 23:15 . 2010-05-17 23:15 -------- dc----w- c:\program files\Bonjour

2010-05-07 17:25 . 2009-04-21 00:19 -------- dc----w- c:\program files\McAfee

2010-05-04 20:40 . 2010-05-04 20:40 -------- dc----w- c:\program files\Gmask 1.70 English

2010-04-29 22:39 . 2009-04-07 18:11 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2009-04-07 18:12 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys

2010-04-08 20:20 . 2010-04-08 20:20 91424 -c--a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20 . 2010-04-08 20:20 107808 -c--a-w- c:\windows\system32\dns-sd.exe

2010-04-03 23:40 . 2010-04-03 23:40 56 -c-ha-w- c:\windows\system32\ezsidmv.dat

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2006-03-16 04:00 . 2006-03-16 04:00 94784 -csh--w- c:\windows\twain.dll

2008-04-14 00:12 . 2006-03-16 04:00 50688 -csh--w- c:\windows\twain_32.dll

2008-08-15 06:27 . 2008-08-15 06:08 1697401 -csha-w- c:\windows\system32\gvgpqyhi.tmp

2008-04-14 00:12 . 2006-03-16 04:00 57344 -csh--w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12 . 2006-03-16 04:00 551936 -csh--w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12 . 2006-03-16 04:00 84992 -csha-w- c:\windows\system32\olepro32.dll

2008-04-14 00:12 . 2006-03-16 04:00 11776 -csh--w- c:\windows\system32\regsvr32.exe

.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys

[-] 2006-10-19 05:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

[7] 2006-03-16 04:00 . 6EAA72FD9EF993EC1FA9A06DE65105DA . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2005-08-04 09:29 . B9715B9C18BC6C8F4B66733D208CC9F7 . 25088 . . [10.0.3790.4332] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll

[-] 2005-08-04 09:29 . B9715B9C18BC6C8F4B66733D208CC9F7 . 25088 . . [10.0.3790.4332] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2010-05-26 22:23 1385864 -c--a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 68856]

"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-10-08 818288]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-19 323392]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]

"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]

"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]

"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]

"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-04 196608]

"HPHmon03"="c:\windows\system32\hphmon03.exe" [2001-08-04 311296]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-09-21 127036]

"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]

"MioNet"="c:\program files\MioNet\MioNetLauncher.exe" [2009-09-30 32768]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]

"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"EPSON Stylus C42 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE" [2002-02-19 74240]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\SergioM\Start Menu\Programs\Startup\

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-11-4 1677464]

Yahoo! Widget Engine.lnk - c:\program files\Pixoria\Konfabulator\YahooWidgetEngine.exe [2007-7-20 2913584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-12-26 102400]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

WD Anywhere Backup Launcher.lnk - c:\windows\Installer\{649C4B1A-6A76-499A-9AEC-0C9530FA7D2C}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe [2008-12-25 9662]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Last.fm\\LastFM.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\MioNet\\MioNetManager.exe"=

"c:\\Program Files\\MioNet\\jvm\\bin\\MioNet.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"990:TCP"= 990:TCP:open inbound TCP port

"999:TCP"= 999:TCP:open inbound TCP port

"5678:TCP"= 5678:TCP:open inbound TCP port

"5679:UDP"= 5679:UDP:open outbound UDP port

"5721:TCP"= 5721:TCP:open inbound TCP port

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0

"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1

"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2

"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3

"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4

"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5

"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6

"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7

"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8

"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9

"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration

"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

"67:UDP"= 67:UDP:DHCP Discovery Service

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/20/2009 5:20 PM 93320]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/22/2008 10:40 AM 24652]

R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 3:06 AM 21632]

S0 loqhj;loqhj; [x]

S0 oggikyq;oggikyq;c:\windows\system32\drivers\iqqvgx.sys --> c:\windows\system32\drivers\iqqvgx.sys [?]

S2 MioNet;MioNet;c:\program files\MioNet\MioNetManager.exe [1/14/2008 3:14 PM 139264]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5u870cap.sys [6/6/2006 1:39 PM 61952]

S3 Agpstubio;Agpstubio; [x]

S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [8/3/2001 7:24 PM 18864]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 6:19 PM 50048]

.

Contents of the 'Scheduled Tasks' folder

2010-06-28 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-26 01:34]

2010-06-22 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 22:23]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://myspace.com/

uSearch Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\SergioM\Application Data\Mozilla\Firefox\Profiles\kww5uh4e.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\documents and settings\SergioM\Application Data\Mozilla\Firefox\Profiles\kww5uh4e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\documents and settings\SergioM\Application Data\Mozilla\Firefox\Profiles\kww5uh4e.default\extensions\capturefoxmovie@advancity.net\components\capturefoxxpi_win32.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\SergioM\Local Settings\Application Data\Yahoo!\BrowserPlus\2.8.1\Plugins\npybrowserplus_2.8.1.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe

HKCU-Run-Aim6 - c:\program files\AIM6\aim6.exe

HKLM-Run-Vgihaxeyuv - c:\windows\ufekalibikixe.dll

AddRemove-Aptana Studio 1.2 - g:\program files\uninstall.exe

AddRemove-Magic Workstation_is1 - g:\program files\Magic Workstation\unins000.exe

AddRemove-MakeTorrent 2 - c:\program files\Maketorrent 2\uninstall.exe

AddRemove-MTG GamePack for Magic Workstation_is1 - g:\program files\Magic Workstation\unins001.exe

AddRemove-SMPlayer - g:\program files\SMPlayer\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-27 23:44

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ??? T??????`?@?????L?@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2600)

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\msdtc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\ehome\mcrdsvc.exe

c:\progra~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe

c:\windows\system32\mqsvc.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\system32\mqtgsvc.exe

c:\program files\Microsoft ActiveSync\wcescomm.exe

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\windows\system32\wscntfy.exe

c:\windows\system32\dllhost.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\windows\eHome\ehmsas.exe

c:\program files\WD\WD Anywhere Backup\MemeoBackup.exe

.

**************************************************************************

.

Completion time: 2010-06-28 00:00:17 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-28 06:59

Pre-Run: 2,248,331,264 bytes free

Post-Run: 746,115,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - E20FD0F6F3A07EA6ACA6E4A2E29DA7F9

Link to post
Share on other sites

New DDS log in normal mode. I hope I did this right; so correct me if I'm wrong but I rescanned using DDS.com and here is the DDS.txt log it produced.

DDS (Ver_10-03-17.01) - NTFSx86

Run by SergioM at 1:57:43.92 on Mon 06/28/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.915 [GMT -7:00]

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINDOWS\system32\igfxpers.exe

svchost.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\system32\hphmon03.exe

C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE

C:\WINDOWS\system32\mqtgsvc.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Pixoria\Konfabulator\YahooWidgetEngine.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\SergioM\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://myspace.com/

uSearch Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearch Bar = hxxp://www.google.com/ie

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: H - No File

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"

uRun: [bitTorrent DNA] "c:\program files\dna\btdna.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe

mRun: [RecGuard] c:\windows\sminst\RecGuard.exe

mRun: [Reminder] c:\windows\creator\Remind_XP.exe

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe

mRun: [HPHmon03] c:\windows\system32\hphmon03.exe

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\photosmart\hp share-to-web\hpgs2wnd.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"

mRun: [MioNet] c:\program files\mionet\MioNetLauncher.exe /p

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [EPSON Stylus C42 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB002" /M "Stylus C42"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\sergiom\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\sergiom\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe

StartupFolder: c:\docume~1\sergiom\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\pixoria\konfabulator\YahooWidgetEngine.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppavi~1.lnk - c:\program files\hewlett-packard\hp pavilion webcam\HPWebcam.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdanyw~1.lnk - c:\windows\installer\{649c4b1a-6a76-499a-9aec-0c9530fa7d2c}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: navnet - {AD6E5643-7B0C-46AA-95AD-9773FF2A857A} - c:\program files\navnetapp\ComUtilities.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sergiom\applic~1\mozilla\firefox\profiles\kww5uh4e.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\documents and settings\sergiom\application data\mozilla\firefox\profiles\kww5uh4e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\documents and settings\sergiom\application data\mozilla\firefox\profiles\kww5uh4e.default\extensions\capturefoxmovie@advancity.net\components\capturefoxxpi_win32.dll

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\sergiom\local settings\application data\yahoo!\browserplus\2.8.1\plugins\npybrowserplus_2.8.1.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-20 93320]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-22 24652]

R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]

S0 loqhj;loqhj; [x]

S0 oggikyq;oggikyq;c:\windows\system32\drivers\iqqvgx.sys --> c:\windows\system32\drivers\iqqvgx.sys [?]

S2 MioNet;MioNet;c:\program files\mionet\MioNetManager.exe [2008-1-14 139264]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5u870cap.sys [2006-6-6 61952]

S3 Agpstubio;Agpstubio; [x]

S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2001-8-3 18864]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-13 50048]

=============== Created Last 30 ================

2010-06-28 06:06:57 0 dcsha-r- C:\cmdcons

2010-06-28 06:00:57 98816 -c--a-w- c:\windows\sed.exe

2010-06-28 06:00:57 77312 -c--a-w- c:\windows\MBR.exe

2010-06-28 06:00:57 256512 -c--a-w- c:\windows\PEV.exe

2010-06-28 06:00:57 161792 -c--a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-06-22 05:03:53 2520 -c--a-w- c:\windows\Ugoyiyawevanuz.dat

2010-04-29 22:39:38 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39:26 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys

2010-04-08 20:20:02 91424 -c--a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20:02 107808 -c--a-w- c:\windows\system32\dns-sd.exe

2006-03-16 04:00:00 94784 -csh--w- c:\windows\twain.dll

2008-04-14 00:12:07 50688 -csh--w- c:\windows\twain_32.dll

2008-04-14 00:12:01 57344 -csh--w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12:02 551936 -csh--w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12:32 11776 -csh--w- c:\windows\system32\regsvr32.exe

============= FINISH: 1:58:02.47 ===============

Link to post
Share on other sites

You are right, honestly, I forgot I even had those programs still. No more torrents for me, I will uninstall those programs promptly.

You may want to uninstall DNA too since it's still appearing in your latest log. If you won't uninstall then make it so that it's not running.

Open notepad and copy/paste the text in the quotebox below into it:

Driver::
loqhj
oggikyq
DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
File::
c:\windows\system32\drivers\iqqvgx.sys
c:\windows\Ugoyiyawevanuz.dat
c:\windows\Wpiboq.bin
c:\windows\system32\gvgpqyhi.tmp
Folder::
c:\documents and settings\SergioM\Local Settings\Application Data\khxuuhlat

Save this as

CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

Uninstall these:

Macromedia Flash Player 8

Macromedia Shockwave Player

Uninstall your current Adobe shockwave player and get the fresh one here if needed.

Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Link to post
Share on other sites

Java has been updated, Macromedia has been uninstalled.

I have been having issues with Kapersky. At about 75% way through the scan my computer overheats and it crashes completely. This has happened 4 times all of yesterday, about 2 hours into the scans. From what the scans were saying, I had 6 threats found and 17 files infected. If there is any alternative to this step, please let me know.

Link to post
Share on other sites

Please have a try with ESET online scanner:

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked.
  • Click Scan
  • Wait for the scan to finish. Post back the results if found.

Link to post
Share on other sites

I apologize for taking long, my work schedule has been rather hectic lately. Here is the ESeT scan log. Will post the latest combofix and dds.com logs asap.

C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent trojan

C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.32.1\setup.exe probably a variant of Win32/Agent trojan

C:\Documents and Settings\SergioM\Application Data\Sun\Java\Deployment\cache\6.0\57\a441979-31fedb2f Win32/TrojanDownloader.Unruy.BP trojan

C:\Documents and Settings\SergioM\Application Data\Sun\Java\Deployment\cache\6.0\57\a441979-3a9d8b3b Win32/TrojanDownloader.Unruy.BP trojan

C:\Documents and Settings\SergioM\Application Data\Sun\Java\Deployment\cache\6.0\57\a441979-459a1c5d Win32/TrojanDownloader.Unruy.BP trojan

C:\Documents and Settings\SergioM\Application Data\Sun\Java\Deployment\cache\6.0\57\a441979-501d03cd Win32/TrojanDownloader.Unruy.BP trojan

C:\Documents and Settings\SergioM\Application Data\Sun\Java\Deployment\cache\6.0\57\a441979-5d3b8f9c Win32/TrojanDownloader.Unruy.BP trojan

C:\Documents and Settings\SergioM\Application Data\Sun\Java\Deployment\cache\6.0\57\a441979-5f3940ea Win32/TrojanDownloader.Unruy.BP trojan

C:\Documents and Settings\SergioM\Application Data\Sun\Java\Deployment\cache\6.0\57\a441979-5f5f4897 Win32/TrojanDownloader.Unruy.BP trojan

C:\Documents and Settings\SergioM\Application Data\Sun\Java\Deployment\cache\6.0\57\a441979-657af93f Win32/TrojanDownloader.Unruy.BP trojan

C:\Documents and Settings\SergioM\Application Data\Sun\Java\Deployment\cache\6.0\57\a441979-68c21850 Win32/TrojanDownloader.Unruy.BP trojan

C:\Documents and Settings\SergioM\Application Data\Sun\Java\Deployment\cache\6.0\57\a441979-693e388a Win32/TrojanDownloader.Unruy.BP trojan

C:\Program Files\Mozilla Firefox\0.9118712332371249.exe Win32/TrojanDownloader.Unruy.BP trojan

C:\Qoobox\Quarantine\C\Documents and Settings\SergioM\Local Settings\Application Data\{E7B50D0C-095D-4BE6-A5A9-CCB380ED3F32}\chrome\content\overlay.xul.vir JS/Gord.A trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\ajbqggeq.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\akkypjct.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\bkkkywjm.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\ddflusnp.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\edyxiebx.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\elubiqud.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\eynbvpqd.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\gvgpqyhi.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\gvgpqyhi.tmp.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\hwbtkdsl.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\knmfacek.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\ljqjypwb.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\mmsfhcqs.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\mtkypdow.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\ndsitfna.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\onlsjtwf.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\pukeygqt.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\ricfcwxv.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\taygneam.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\tmeusjyy.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\umkwkyoc.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\upvrnbsr.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\vplhapgk.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\wddxfsyx.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\wrquvupb.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\ybuykxoc.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\yyFOonmp.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\WINDOWS\system32\yyFOonmp.ini2.vir Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\Microsoft\services.exe a variant of Win32/TrojanDownloader.Unruy.BV trojan

C:\System Volume Information\Microsoft\smss.exe a variant of Win32/TrojanDownloader.Unruy.BV trojan

C:\WINDOWS\system32\gloihbuh.dll Win32/Adware.Virtumonde application

C:\WINDOWS\system32\lbnrwfbp.dll Win32/Adware.Virtumonde application

C:\WINDOWS\system32\mbffbdva.dll Win32/Adware.Virtumonde application

C:\WINDOWS\system32\mtohsaoc.dll Win32/Adware.Virtumonde application

C:\WINDOWS\system32\oxvcbmxk.dll a variant of Win32/Adware.Virtumonde application

C:\WINDOWS\system32\srscryug.dll a variant of Win32/Adware.Virtumonde application

Link to post
Share on other sites

Fresh DDS log. Will post latest Combofix log in a sec.

DDS (Ver_10-03-17.01) - NTFSx86

Run by SergioM at 13:16:55.07 on Sun 07/04/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1401 [GMT -7:00]

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\system32\hphmon03.exe

C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe

C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

svchost.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\Pixoria\Konfabulator\YahooWidgetEngine.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Documents and Settings\SergioM\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://myspace.com/

uSearch Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearch Bar = hxxp://www.google.com/ie

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: H - No File

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe

mRun: [RecGuard] c:\windows\sminst\RecGuard.exe

mRun: [Reminder] c:\windows\creator\Remind_XP.exe

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe

mRun: [HPHmon03] c:\windows\system32\hphmon03.exe

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\photosmart\hp share-to-web\hpgs2wnd.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"

mRun: [MioNet] c:\program files\mionet\MioNetLauncher.exe /p

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [EPSON Stylus C42 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB002" /M "Stylus C42"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\docume~1\sergiom\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\sergiom\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe

StartupFolder: c:\docume~1\sergiom\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\pixoria\konfabulator\YahooWidgetEngine.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppavi~1.lnk - c:\program files\hewlett-packard\hp pavilion webcam\HPWebcam.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdanyw~1.lnk - c:\windows\installer\{649c4b1a-6a76-499a-9aec-0c9530fa7d2c}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: navnet - {AD6E5643-7B0C-46AA-95AD-9773FF2A857A} - c:\program files\navnetapp\ComUtilities.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sergiom\applic~1\mozilla\firefox\profiles\kww5uh4e.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\documents and settings\sergiom\application data\mozilla\firefox\profiles\kww5uh4e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\documents and settings\sergiom\application data\mozilla\firefox\profiles\kww5uh4e.default\extensions\capturefoxmovie@advancity.net\components\capturefoxxpi_win32.dll

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\sergiom\local settings\application data\yahoo!\browserplus\2.8.1\plugins\npybrowserplus_2.8.1.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-20 93320]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-22 24652]

R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]

S2 MioNet;MioNet;c:\program files\mionet\MioNetManager.exe [2008-1-14 139264]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5u870cap.sys [2006-6-6 61952]

S3 Agpstubio;Agpstubio; [x]

S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2001-8-3 18864]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-13 50048]

=============== Created Last 30 ================

2010-07-02 19:32:16 0 dc----w- c:\program files\ESET

2010-06-28 19:51:34 73728 -c--a-w- c:\windows\system32\javacpl.cpl

2010-06-28 19:51:34 411368 -c--a-w- c:\windows\system32\deployJava1.dll

2010-06-28 06:57:34 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

2010-06-28 06:06:57 0 dcsha-r- C:\cmdcons

2010-06-28 06:00:57 98816 -c--a-w- c:\windows\sed.exe

2010-06-28 06:00:57 77312 -c--a-w- c:\windows\MBR.exe

2010-06-28 06:00:57 256512 -c--a-w- c:\windows\PEV.exe

2010-06-28 06:00:57 161792 -c--a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-05-02 05:22:50 1851264 -c--a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30:08 285696 -c--a-w- c:\windows\system32\atmfd.dll

2010-04-16 16:09:09 667136 -c--a-w- c:\windows\system32\wininet.dll

2010-04-16 16:09:05 81920 -c--a-w- c:\windows\system32\ieencode.dll

2010-04-08 20:20:02 91424 -c--a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20:02 107808 -c--a-w- c:\windows\system32\dns-sd.exe

2006-03-16 04:00:00 94784 -csh--w- c:\windows\twain.dll

2008-04-14 00:12:07 50688 -csh--w- c:\windows\twain_32.dll

2008-04-14 00:12:01 57344 -csh--w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12:02 551936 -csh--w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12:32 11776 -csh--w- c:\windows\system32\regsvr32.exe

============= FINISH: 13:17:13.32 ===============

Link to post
Share on other sites

Finally, here is the most recent Combofix log.

ComboFix 10-06-27.06 - SergioM 06/28/2010 11:56:32.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1432 [GMT -7:00]

Running from: c:\documents and settings\SergioM\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\SergioM\Desktop\CFScript.txt

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::

"c:\windows\system32\drivers\iqqvgx.sys"

"c:\windows\system32\gvgpqyhi.tmp"

"c:\windows\Ugoyiyawevanuz.dat"

"c:\windows\Wpiboq.bin"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\SergioM\Local Settings\Application Data\khxuuhlat

c:\windows\system32\gvgpqyhi.tmp

c:\windows\Ugoyiyawevanuz.dat

c:\windows\Wpiboq.bin

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_LOQHJ

-------\Legacy_OGGIKYQ

-------\Service_loqhj

-------\Service_oggikyq

((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))

.

2010-06-28 06:57 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-28 19:06 . 2008-10-22 23:21 -------- dc----w- c:\program files\DNA

2010-06-28 19:06 . 2008-10-22 23:21 -------- dc----w- c:\documents and settings\SergioM\Application Data\DNA

2010-06-28 06:42 . 2009-01-01 07:19 -------- dc----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-06-21 20:12 . 2009-04-07 18:11 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-14 18:52 . 2008-12-25 18:26 -------- dc----w- c:\program files\MioNet

2010-06-08 21:29 . 2008-06-04 00:51 -------- dc----w- c:\documents and settings\SergioM\Application Data\U3

2010-06-05 01:01 . 2010-04-06 07:19 -------- dc----w- c:\program files\Ask.com

2010-05-27 17:50 . 2010-05-27 17:50 -------- dc----w- c:\program files\NavNetApp

2010-05-27 17:50 . 2010-05-27 17:50 -------- dc----w- c:\documents and settings\SergioM\Application Data\NavNet Solutions

2010-05-17 23:28 . 2007-06-02 00:29 -------- dc----w- c:\program files\iTunes

2010-05-17 23:27 . 2006-12-26 08:56 -------- dc----w- c:\program files\iPod

2010-05-17 23:27 . 2007-07-19 00:22 -------- dc----w- c:\program files\Common Files\Apple

2010-05-17 23:15 . 2010-05-17 23:15 -------- dc----w- c:\program files\Bonjour

2010-05-07 17:25 . 2009-04-21 00:19 -------- dc----w- c:\program files\McAfee

2010-05-04 20:40 . 2010-05-04 20:40 -------- dc----w- c:\program files\Gmask 1.70 English

2010-05-02 05:22 . 2006-03-16 04:00 1851264 -c--a-w- c:\windows\system32\win32k.sys

2010-04-29 22:39 . 2009-04-07 18:11 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2009-04-07 18:12 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2006-03-16 04:00 285696 -c--a-w- c:\windows\system32\atmfd.dll

2010-04-16 16:09 . 2006-03-16 04:00 667136 -c--a-w- c:\windows\system32\wininet.dll

2010-04-16 16:09 . 2006-03-16 04:00 81920 -c--a-w- c:\windows\system32\ieencode.dll

2010-04-08 20:20 . 2010-04-08 20:20 91424 -c--a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20 . 2010-04-08 20:20 107808 -c--a-w- c:\windows\system32\dns-sd.exe

2010-04-03 23:40 . 2010-04-03 23:40 56 -c-ha-w- c:\windows\system32\ezsidmv.dat

2010-03-31 07:16 . 2010-03-31 07:16 99176 -c--a-w- c:\windows\system32\PresentationHostProxy.dll

2010-03-31 07:10 . 2010-03-31 07:10 295264 -c--a-w- c:\windows\system32\PresentationHost.exe

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2006-03-16 04:00 . 2006-03-16 04:00 94784 -csh--w- c:\windows\twain.dll

2008-04-14 00:12 . 2006-03-16 04:00 50688 -csh--w- c:\windows\twain_32.dll

2008-04-14 00:12 . 2006-03-16 04:00 57344 -csh--w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12 . 2006-03-16 04:00 551936 -csh--w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12 . 2006-03-16 04:00 11776 -csh--w- c:\windows\system32\regsvr32.exe

.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys

[-] 2006-10-19 05:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

[7] 2006-03-16 04:00 . 6EAA72FD9EF993EC1FA9A06DE65105DA . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2005-08-04 09:29 . B9715B9C18BC6C8F4B66733D208CC9F7 . 25088 . . [10.0.3790.4332] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll

[-] 2005-08-04 09:29 . B9715B9C18BC6C8F4B66733D208CC9F7 . 25088 . . [10.0.3790.4332] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2010-05-26 22:23 1385864 -c--a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 68856]

"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-10-08 818288]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-19 323392]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]

"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]

"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]

"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]

"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-04 196608]

"HPHmon03"="c:\windows\system32\hphmon03.exe" [2001-08-04 311296]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-09-21 127036]

"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]

"MioNet"="c:\program files\MioNet\MioNetLauncher.exe" [2009-09-30 32768]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]

"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"EPSON Stylus C42 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE" [2002-02-19 74240]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\SergioM\Start Menu\Programs\Startup\

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-11-4 1677464]

Yahoo! Widget Engine.lnk - c:\program files\Pixoria\Konfabulator\YahooWidgetEngine.exe [2007-7-20 2913584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-12-26 102400]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

WD Anywhere Backup Launcher.lnk - c:\windows\Installer\{649C4B1A-6A76-499A-9AEC-0C9530FA7D2C}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe [2008-12-25 9662]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Last.fm\\LastFM.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\MioNet\\MioNetManager.exe"=

"c:\\Program Files\\MioNet\\jvm\\bin\\MioNet.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"990:TCP"= 990:TCP:open inbound TCP port

"999:TCP"= 999:TCP:open inbound TCP port

"5678:TCP"= 5678:TCP:open inbound TCP port

"5679:UDP"= 5679:UDP:open outbound UDP port

"5721:TCP"= 5721:TCP:open inbound TCP port

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0

"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1

"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2

"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3

"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4

"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5

"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6

"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7

"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8

"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9

"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration

"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

"67:UDP"= 67:UDP:DHCP Discovery Service

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/20/2009 5:20 PM 93320]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/22/2008 10:40 AM 24652]

R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 3:06 AM 21632]

S2 MioNet;MioNet;c:\program files\MioNet\MioNetManager.exe [1/14/2008 3:14 PM 139264]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5u870cap.sys [6/6/2006 1:39 PM 61952]

S3 Agpstubio;Agpstubio; [x]

S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [8/3/2001 7:24 PM 18864]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 6:19 PM 50048]

.

Contents of the 'Scheduled Tasks' folder

2010-06-28 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-26 01:34]

2010-06-28 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 22:23]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://myspace.com/

uSearch Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\SergioM\Application Data\Mozilla\Firefox\Profiles\kww5uh4e.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\documents and settings\SergioM\Application Data\Mozilla\Firefox\Profiles\kww5uh4e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\documents and settings\SergioM\Application Data\Mozilla\Firefox\Profiles\kww5uh4e.default\extensions\capturefoxmovie@advancity.net\components\capturefoxxpi_win32.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\SergioM\Local Settings\Application Data\Yahoo!\BrowserPlus\2.8.1\Plugins\npybrowserplus_2.8.1.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-28 12:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ??? T??????`?@?????L?@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5864)

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\msdtc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\mqsvc.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\windows\system32\mqtgsvc.exe

c:\progra~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe

c:\program files\Microsoft ActiveSync\wcescomm.exe

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\dllhost.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\eHome\ehmsas.exe

c:\program files\WD\WD Anywhere Backup\MemeoBackup.exe

.

**************************************************************************

.

Completion time: 2010-06-28 12:20:22 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-28 19:20

ComboFix2.txt 2010-06-28 07:00

Pre-Run: 683,651,072 bytes free

Post-Run: 790,323,200 bytes free

- - End Of File - - 851F2F938AD80C0C2BC6AE710EFD0005

Link to post
Share on other sites

Hi,

1. Download Bootkit Remover (note: it's a RAR archived file so you have to install compatible program, like 7-Zip if there's not one installed).

2. Extract the contents to own folder (BRemover folder) on your desktop.

3. Click start->run->type cmd.exe and press enter.

4. In command prompt type this (I assume you extracted folder contents to BRemover folder on your desktop):

"%userprofile%\desktop\Bremover\remover.exe" >"%userprofile%\desktop\logit.txt"

5. Press enter once more to bring cursor back visible after entering the command above. After that operation there should be logit.txt file on your desktop. Attach it to your post, please.

Link to post
Share on other sites

Logit.txt

Bootkit Remover version 1.0.0.1

© 2009 eSage Lab

www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0

MD5: b5ea3a26c2ce29f225a541a7d699387b

\\.\D: -> \\.\PhysicalDrive0

Size Device Name MBR Status

--------------------------------------------

93 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.

To inspect the boot code manually, dump the master boot sector:

remover.exe dump <device_name> [output_file]

To disinfect the master boot sector, use the following command:

remover.exe fix <device_name>

Press any key to quit...

Link to post
Share on other sites

Hi,

1. Restart your computer

2. Before Windows loads, you will be prompted to choose which Operating System to start

3. Use the up and down arrow key to select Microsoft Windows Recovery Console

4. You must enter which Windows installation to log onto. Type 1 and press enter.

5. At the C:\Windows prompt, type the following bolded text, and press Enter (accept confirmation):

fixmbr

6. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading. After that run Bootkit remover as instructed in my previous post and post back fresh logit.txt contents.

Link to post
Share on other sites

Hello, when I choose to use Windows Recovery Console it gives me the message "NTLDR is Compressed. Press ctrl+alt+delete to restart" It just basically restarts the computer. Is this a necessary step, or am I missing something in order to be able to do this? Should I just start the computer in safe mode with prompt instead? Thanks.

Link to post
Share on other sites

Hi,

Click start->run->type cmd.exe and press enter.

In command prompt type this (I assume you still have the BRemover folder on your desktop):

"%userprofile%\desktop\Bremover\remover.exe" fix \\.\PhysicalDrive0

Then repeat steps 3-5 listed here.

Link to post
Share on other sites

I've been attempting to follow the recommended steps and in command prompt I get "Error 123 Can't Open Physical Disk Device." And then I try to do steps 3-5 from the previous post, which do nothing. Please note Bremover folder is still in desktop, no files have been removed from it. Remover.exe runs fine by clicking it but I am not able to produce logit.txt as intended. What is your recommendation for this? Should I remover Bremover and then download it once more? My apologies if this taking long; as I've said, I have been having a hectic work schedule as of late. Thank you for your patience, it is greatly appreciated.

Link to post
Share on other sites

Hi,

Delete c:\cmdcons folder. Then download a fresh copy of ComboFix.exe (from one of two locations listed here) and run it. Make sure you have internet connection enabled and let ComboFix install recovery console. Post back the report.

Link to post
Share on other sites

hello! c:\cmdcons can not be deleted, access is denied despite me being administrator. is there a specific file I need to delete in the folder in order to continue with the process? I went ahead and downloaded a new version of combofix though, so I am good to go on that. Thanks.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.