Jump to content

Is my system clean

EllssD
 Share

Recommended Posts

EllssD

EllssD

Posted
Posted

Hello,

Not so long ago I prevented a pretty serious infection by blocking a program with my firewall called e.exe that was trying to download stuff. Something still managed to get through and I had frequent browser redirects to ask.com for some reason until I found the .sys file responsible and deleted it in safe mode. I am posting some of the log files from my computer here just to see if that was all I got or if there is anything else lurking. Would it be useful to upload the .sys file in the appropriate forum since MBAM picked up nothing but some online filescanners are suspicious of it?

MBAM log was clean, so no point posting

The File I deleted was dfec.sys which is present in the DDS scan from before I removed it, whereas the GMER scan was taken after I removed it

DDS (Ver_10-03-17.01) - NTFSx86

Run by ****** at 12:47:20.65 on 20/06/2010

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.862 [GMT 1:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\PrevxCSI\prevxcsi.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\Program Files\PrevxCSI\prevxcsi.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Synaptics\SynTP\Toshiba.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\E-Book Systems\FlipViewer\FlipViewerLibrary.exe

C:\Program Files\Kontiki\KHost.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Eraser\Eraser.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\NETGEAR\WPN111\wpn111.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Spotify\spotify.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\******\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uSearch Page = hxxp://www.google.com

uWindow Title = Microsoft Internet Explorer provided by Freeserve

uSearch Bar = hxxp://www.google.com/ie

mDefault_Page_URL = hxxp://www.freeserve.com/

mDefault_Search_URL = hxxp://www.google.com/ie

mSearch Page = hxxp://www.google.com

mStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: FlpLauncher Class: {4401fdc3-7996-4774-8d2b-c1ae9cd6cc25} - c:\progra~1\e-book~1\flipvi~1\fvbho140.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll

BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Norton Internet Security 2006: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll

TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot

uRun: [Eraser] c:\program files\eraser\Eraser.exe -hide

uRun: [kdx] c:\program files\kontiki\KHost.exe -all

uRun: [Aim6]

uRun: [Google Update] "c:\documents and settings\*******\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en

mRun: [NDSTray.exe] NDSTray.exe

mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [speedTouch USB Diagnostics] "c:\program files\alcatel\speedtouch usb\Dragdiag.exe" /icon

mRun: [CFSServ.exe] CFSServ.exe -NoClient

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe

mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe

mRun: [indexSearch] c:\program files\scansoft\paperport\IndexSearch.exe

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [FlipViewer Library] "c:\program files\e-book systems\flipviewer\FlipViewerLibrary.exe" /showmode=hide

mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [Ashampoo FireWall] "c:\program files\ashampoo\ashampoo firewall\FireWall.exe" -TRAY

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Search with Freeserve - c:\progra~1\freese~1\fsbar\FSBar.dll/VSearch.htm

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\********\start menu\programs\>imvu\Run IMVU.lnk

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

DPF: {00000161-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaud.cab

DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://67.123.251.212/kxhcm10.ocx

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\*****~1\applic~1\mozilla\firefox\profiles\cujoum8s.default\

FF - prefs.js: browser.startup.homepage - www.google.co.uk

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\******\application data\mozilla\firefox\profiles\cujoum8s.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll

FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\documents and settings\******\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1487.6512\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPOpf.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-16 28544]

R0 pxark;pxark;c:\windows\system32\drivers\pxark.sys [2008-11-16 26808]

R1 dfec;dfec;c:\windows\system32\dfec.sys [2010-6-19 80896]

R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-8-26 53896]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 192104]

R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-9-17 202088]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169576]

R2 CSIScanner;CSIScanner;c:\program files\prevxcsi\prevxcsi.exe [2008-11-16 927288]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2005-10-7 139888]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-1-11 972008]

R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-3-17 1251720]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-3 24652]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-6-21 106808]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-11-14 38224]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20070620.016\NAVENG.Sys [2007-6-21 77688]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20070620.016\NavEx15.Sys [2007-6-21 852824]

R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-8-26 334984]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2006-3-17 7040]

S0 hlrgpu;hlrgpu;c:\windows\system32\drivers\dctwnnsg.sys --> c:\windows\system32\drivers\dctwnnsg.sys [?]

S1 RapportKELL;RapportKELL;\??\c:\program files\trusteer\rapport\bin\rapportkell.sys --> c:\program files\trusteer\rapport\bin\RapportKELL.sys [?]

S1 RapportPG;RapportPG;\??\c:\program files\trusteer\rapport\bin\rapportpg.sys --> c:\program files\trusteer\rapport\bin\RapportPG.sys [?]

S2 gupdate1c986edd70f689e;Google Update Service (gupdate1c986edd70f689e);c:\program files\google\update\GoogleUpdate.exe [2009-2-4 133104]

S3 cpuz130;cpuz130;\??\c:\docume~1\*****~1\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\*****~1\locals~1\temp\cpuz130\cpuz_x32.sys [?]

S3 DarkSpy;DarkSpy;\??\c:\windows\system32\darkspykernel.sys --> c:\windows\system32\DarkSpyKernel.sys [?]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-1-3 17149]

S3 rkhdrv40;Rootkit Unhooker Driver; [x]

S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-8-26 198368]

S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2006-12-28 3968]

S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2007-1-3 362944]

=============== Created Last 30 ================

2010-06-19 22:28:58 80896 ----a-w- c:\windows\system32\dfec.sys

2010-06-19 21:16:35 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2010-06-19 21:16:35 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2010-06-19 21:16:35 133616 ------w- c:\windows\system32\pxafs.dll

2010-06-19 21:06:21 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX

2010-06-17 19:48:18 3254 ----a-w- c:\windows\system32\wbem\Outlook_01cb0e5608986ed8.mof

==================== Find3M ====================

2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-27 18:40:40 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys

2010-04-27 18:40:40 126448 ------w- c:\windows\system32\pxinsi64.exe

2010-04-27 18:40:40 123888 ------w- c:\windows\system32\pxcpyi64.exe

2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-16 15:20:24 668672 ----a-w- c:\windows\system32\wininet.dll

2010-04-16 15:20:18 81920 ----a-w- c:\windows\system32\ieencode.dll

2008-11-16 23:51:39 112 ----a-w- c:\program files\xmeuemr.txt

2008-11-16 23:26:17 118 ----a-w- c:\program files\eldmob.txt

2006-12-28 18:27:20 61 --sh--w- c:\windows\cnerolf.dat

2008-11-15 00:00:19 2 --shatr- c:\windows\winstart.bat

2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll

============= FINISH: 12:48:25.23 ===============

Many thanks!

Attach.zip

Link to post
Share on other sites
  • 3 weeks later...
EllssD

EllssD

Posted
  • Author
Posted

Many thanks for getting back to me,

Yeah any help would be very much appreciated, I know it must seem like a trivial request compared to some of the nasty stuff people get on their computes but I just want to be sure my system is clean before I resume all my normal activities

Link to post
Share on other sites
EllssD

EllssD

Posted
  • Author
Posted

Here we go, turned up some stuff and a few registry entries pointing to stuff I seem to have got rid off, blanked out my name with *s :

ComboFix 10-07-29.01 - ******* 29/07/2010 19:19:46.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1412 [GMT 1:00]

Running from: c:\documents and settings\*******\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Install.exe

.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))

.

2010-07-14 17:11 . 2010-06-14 14:30 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-12 22:14 . 2010-07-12 22:14 -------- d-----w- c:\program files\Common Files\Skype

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-29 19:15 . 2008-05-26 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki

2010-07-29 17:56 . 2006-03-17 12:39 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-07-29 16:57 . 2007-07-13 23:50 -------- d-----w- c:\documents and settings\******\Application Data\Skype

2010-07-29 16:20 . 2008-11-25 22:01 -------- d-----w- c:\documents and settings\******\Application Data\skypePM

2010-07-29 16:19 . 2009-03-16 21:21 -------- d-----w- c:\documents and settings\*******\Application Data\Spotify

2010-07-23 13:53 . 2006-12-26 18:54 -------- d-----w- c:\program files\Google

2010-07-13 00:06 . 2010-06-19 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-07-13 00:05 . 2007-05-07 00:20 -------- d-----w- c:\program files\DivX

2010-07-12 22:15 . 2007-07-13 23:46 -------- d-----r- c:\program files\Skype

2010-07-12 22:14 . 2007-07-13 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-07-01 20:10 . 2008-11-16 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI

2010-06-20 21:58 . 2006-01-01 00:19 -------- d-----w- c:\program files\iTunes

2010-06-20 19:27 . 2006-01-01 00:20 -------- d-----w- c:\documents and settings\******\Application Data\Apple Computer

2010-06-20 19:05 . 2010-06-20 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-06-20 19:04 . 2006-01-01 00:06 -------- d-----w- c:\program files\iPod

2010-06-20 19:04 . 2008-10-21 21:46 -------- d-----w- c:\program files\Common Files\Apple

2010-06-20 19:01 . 2008-10-21 21:48 -------- d-----w- c:\program files\QuickTime

2010-06-20 18:54 . 2010-06-20 18:54 -------- d-----w- c:\program files\Bonjour

2010-06-19 22:41 . 2008-11-14 19:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-19 21:16 . 2010-06-19 21:16 -------- d-----w- c:\documents and settings\******\Application Data\DivX

2010-06-19 21:14 . 2009-12-23 02:00 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-06-09 23:01 . 2010-06-19 21:16 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2010-06-09 23:01 . 2010-06-19 21:16 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2010-06-09 23:01 . 2010-06-19 21:16 133616 ------w- c:\windows\system32\pxafs.dll

2010-06-09 23:01 . 2006-03-17 12:08 126448 ------w- c:\windows\system32\pxinsi64.exe

2010-06-09 23:01 . 2006-03-17 12:08 123888 ------w- c:\windows\system32\pxcpyi64.exe

2010-06-04 19:19 . 2009-04-02 15:42 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 15:35 . 2010-05-18 15:35 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-02 05:56 . 2006-03-17 09:20 1850880 ----a-w- c:\windows\system32\win32k.sys

2008-11-16 23:51 . 2008-11-16 23:51 112 ----a-w- c:\program files\xmeuemr.txt

2008-11-16 23:26 . 2008-11-16 23:26 118 ----a-w- c:\program files\eldmob.txt

2007-05-14 21:50 . 2007-05-14 21:50 135168 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2006-12-28 18:27 . 2006-12-28 18:27 61 --sh--w- c:\windows\cnerolf.dat

2008-11-15 00:00 . 2008-11-15 00:00 2 --shatr- c:\windows\winstart.bat

2006-05-03 10:06 . 2007-01-16 20:43 163328 --sh--r- c:\windows\system32\flvDX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]

"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-21 68856]

"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

"Google Update"="c:\documents and settings\******\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-27 133104]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CFSServ.exe"="CFSServ.exe -NoClient" [X]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"nwiz"="nwiz.exe" [2009-01-30 1657376]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-30 13594624]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-12-29 61952]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]

"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-03-15 1769472]

"NDSTray.exe"="NDSTray.exe" [bU]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]

"SpeedTouch USB Diagnostics"="c:\program files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-11-12 860672]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]

"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]

"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-15 1831936]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-21 185896]

"FlipViewer Library"="c:\program files\E-Book Systems\FlipViewer\FlipViewerLibrary.exe" [2007-10-25 386576]

"4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

"Ashampoo FireWall"="c:\program files\Ashampoo\Ashampoo FireWall\FireWall.exe" [2007-04-05 3251800]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-2-2 1753088]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-1-14 450560]

NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2007-1-3 884838]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]

2008-05-11 12:21 3057664 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Last.fm\\LastFM.exe"=

"c:\\Program Files\\Call of Duty\\CoDMP.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 1942 Singleplayer Demo\\BF1942.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\E-Book Systems\\FlipViewer\\FlipViewerLibrary.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"54295:UDP"= 54295:UDP:brother

"135:TCP"= 135:TCP:DCOM(135)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [16/11/2008 23:25 28544]

R0 pxark;pxark;c:\windows\system32\drivers\pxark.sys [16/11/2008 21:01 26808]

R2 CSIScanner;CSIScanner;c:\program files\PrevxCSI\prevxcsi.exe [16/11/2008 21:01 927288]

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [11/01/2010 19:05 972008]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [03/07/2009 18:42 24652]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [17/03/2006 13:04 7040]

S0 hlrgpu;hlrgpu;c:\windows\system32\drivers\dctwnnsg.sys --> c:\windows\system32\drivers\dctwnnsg.sys [?]

S1 dfec;dfec;\??\c:\windows\system32\dfec.sys --> c:\windows\system32\dfec.sys [?]

S1 RapportKELL;RapportKELL;\??\c:\program files\Trusteer\Rapport\bin\RapportKELL.sys --> c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [?]

S1 RapportPG;RapportPG;\??\c:\program files\Trusteer\Rapport\bin\RapportPG.sys --> c:\program files\Trusteer\Rapport\bin\RapportPG.sys [?]

S2 gupdate1c986edd70f689e;Google Update Service (gupdate1c986edd70f689e);c:\program files\Google\Update\GoogleUpdate.exe [04/02/2009 18:27 133104]

S3 cpuz130;cpuz130;\??\c:\docume~1\ELLIOT~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\ELLIOT~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S3 DarkSpy;DarkSpy;\??\c:\windows\system32\DarkSpyKernel.sys --> c:\windows\system32\DarkSpyKernel.sys [?]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [03/01/2007 21:54 17149]

S3 rkhdrv40;Rootkit Unhooker Driver; [x]

S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [28/12/2006 18:17 3968]

S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [03/01/2007 21:54 362944]

.

Contents of the 'Scheduled Tasks' folder

2010-07-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 17:27]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 17:27]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4247219848-3744751695-398315518-1005Core.job

- c:\documents and settings\******\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-27 23:30]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4247219848-3744751695-398315518-1005UA.job

- c:\documents and settings\******\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-27 23:30]

2010-07-29 c:\windows\Tasks\XoftSpySE 2.job

- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 14:44]

2010-06-12 c:\windows\Tasks\XoftSpySE.job

- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 14:44]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

mSearch Page = hxxp://www.google.com

mStart Page = hxxp://www.google.co.uk/

mSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Search with Freeserve - c:\progra~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\******\Start Menu\Programs\>IMVU\Run IMVU.lnk

LSP: c:\program files\Ashampoo\Ashampoo FireWall\spi.dll

DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://67.123.251.212/kxhcm10.ocx

FF - ProfilePath - c:\documents and settings\******\Application Data\Mozilla\Firefox\Profiles\cujoum8s.default\

FF - prefs.js: browser.startup.homepage - www.google.co.uk

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\*******\Application Data\Mozilla\Firefox\Profiles\cujoum8s.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - plugin: c:\documents and settings\******\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1487.6512\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOpf.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

Notify-WgaLogon - (no file)

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe

MSConfigStartUp-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe

AddRemove-HijackThis - c:\program files\Hijackthis\HijackThis.exe

AddRemove-Saber Jet Installer_is1 - c:\program files\Microsoft Games\Flight Simulator 9\unins001.exe

AddRemove-UNKL Scenery_is1 - c:\program files\Microsoft Games\Flight Simulator 9\unins000.exe

AddRemove-Handley Page HP52 'Hampden' Mk1 - c:\program files\Microsoft Games\Flight Simulator 9\Aircraft\Uninstal.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-29 20:13

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ASFWHide]

"ImagePath"="\??\c:\docume~1\ELLIOT~1\LOCALS~1\Temp\ASFWHide"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(932)

c:\program files\Ashampoo\Ashampoo FireWall\spi.dll

- - - - - - - > 'explorer.exe'(2696)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\windows\system32\brss01a.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Kontiki\KService.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\progra~1\COMMON~1\X10\Common\x10nets.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

c:\program files\Synaptics\SynTP\Toshiba.exe

c:\windows\eHome\ehmsas.exe

c:\program files\TOSHIBA\ConfigFree\NDSTray.exe

c:\program files\TOSHIBA\ConfigFree\CFSServ.exe

c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe

c:\program files\Logitech\Video\FxSvr2.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-07-29 20:25:49 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-29 19:25

Pre-Run: 32,652,767,232 bytes free

Post-Run: 34,286,735,360 bytes free

- - End Of File - - 1913BB4952BCFE86B918CAF16BFA6820

And the DDS log

DDS (Ver_10-03-17.01) - NTFSx86

Run by ******* at 20:34:35.34 on 29/07/2010

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1415 [GMT 1:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\PrevxCSI\prevxcsi.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

svchost.exe

C:\Program Files\PrevxCSI\prevxcsi.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe

C:\Program Files\Synaptics\SynTP\Toshiba.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\E-Book Systems\FlipViewer\FlipViewerLibrary.exe

C:\Program Files\Kontiki\KHost.exe

C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Eraser\Eraser.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\NETGEAR\WPN111\wpn111.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\*******\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mStart Page = hxxp://www.google.co.uk/

mSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: FlpLauncher Class: {4401fdc3-7996-4774-8d2b-c1ae9cd6cc25} - c:\progra~1\e-book~1\flipvi~1\fvbho140.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll

BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Norton Internet Security 2006: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll

EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe

uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot

uRun: [Eraser] c:\program files\eraser\Eraser.exe -hide

uRun: [kdx] c:\program files\kontiki\KHost.exe -all

uRun: [Google Update] "c:\documents and settings\******\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en

mRun: [NDSTray.exe] NDSTray.exe

mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [speedTouch USB Diagnostics] "c:\program files\alcatel\speedtouch usb\Dragdiag.exe" /icon

mRun: [CFSServ.exe] CFSServ.exe -NoClient

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe

mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe

mRun: [indexSearch] c:\program files\scansoft\paperport\IndexSearch.exe

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [FlipViewer Library] "c:\program files\e-book systems\flipviewer\FlipViewerLibrary.exe" /showmode=hide

mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all

mRun: [Ashampoo FireWall] "c:\program files\ashampoo\ashampoo firewall\FireWall.exe" -TRAY

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Search with Freeserve - c:\progra~1\freese~1\fsbar\FSBar.dll/VSearch.htm

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\******\start menu\programs\>imvu\Run IMVU.lnk

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

DPF: {00000161-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaud.cab

DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://67.123.251.212/kxhcm10.ocx

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\elliot~1\applic~1\mozilla\firefox\profiles\cujoum8s.default\

FF - prefs.js: browser.startup.homepage - www.google.co.uk

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\******\application data\mozilla\firefox\profiles\cujoum8s.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll

FF - plugin: c:\documents and settings\*****\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1487.6512\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPOpf.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-16 28544]

R0 pxark;pxark;c:\windows\system32\drivers\pxark.sys [2008-11-16 26808]

R2 CSIScanner;CSIScanner;c:\program files\prevxcsi\prevxcsi.exe [2008-11-16 927288]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-1-11 972008]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-3 24652]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2006-3-17 7040]

S0 hlrgpu;hlrgpu;c:\windows\system32\drivers\dctwnnsg.sys --> c:\windows\system32\drivers\dctwnnsg.sys [?]

S1 dfec;dfec;\??\c:\windows\system32\dfec.sys --> c:\windows\system32\dfec.sys [?]

S1 RapportKELL;RapportKELL;\??\c:\program files\trusteer\rapport\bin\rapportkell.sys --> c:\program files\trusteer\rapport\bin\RapportKELL.sys [?]

S1 RapportPG;RapportPG;\??\c:\program files\trusteer\rapport\bin\rapportpg.sys --> c:\program files\trusteer\rapport\bin\RapportPG.sys [?]

S2 gupdate1c986edd70f689e;Google Update Service (gupdate1c986edd70f689e);c:\program files\google\update\GoogleUpdate.exe [2009-2-4 133104]

S3 cpuz130;cpuz130;\??\c:\docume~1\elliot~1\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\elliot~1\locals~1\temp\cpuz130\cpuz_x32.sys [?]

S3 DarkSpy;DarkSpy;\??\c:\windows\system32\darkspykernel.sys --> c:\windows\system32\DarkSpyKernel.sys [?]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-1-3 17149]

S3 rkhdrv40;Rootkit Unhooker Driver; [x]

S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2006-12-28 3968]

S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2007-1-3 362944]

UnknownUnknown vkquwexg;vkquwexg; [x]

=============== Created Last 30 ================

2010-07-29 17:03:01 77312 ----a-w- c:\windows\MBR.exe

2010-07-29 17:03:01 256512 ----a-w- c:\windows\PEV.exe

2010-07-29 17:03:00 98816 ----a-w- c:\windows\sed.exe

2010-07-29 17:03:00 161792 ----a-w- c:\windows\SWREG.exe

2010-07-14 17:11:25 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-06-09 23:01:10 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2010-06-09 23:01:10 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2010-06-09 23:01:10 133616 ------w- c:\windows\system32\pxafs.dll

2010-06-09 23:01:10 126448 ------w- c:\windows\system32\pxinsi64.exe

2010-06-09 23:01:10 123888 ------w- c:\windows\system32\pxcpyi64.exe

2010-05-18 15:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 15:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-05-18 15:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys

2008-11-16 23:51:39 112 ----a-w- c:\program files\xmeuemr.txt

2008-11-16 23:26:17 118 ----a-w- c:\program files\eldmob.txt

2006-12-28 18:27:20 61 --sh--w- c:\windows\cnerolf.dat

2008-11-15 00:00:19 2 --shatr- c:\windows\winstart.bat

2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll

============= FINISH: 20:34:42.81 ===============

The "attach" log from DDS is in the attachment

Thanks!

Attach.zip

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi,

and a few registry entries pointing to stuff I seem to have got rid off
Like what?

I see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Let me know if you decided to uninstall it.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=56517
Collect::
c:\program files\eldmob.txt
c:\program files\xmeuemr.txt
c:\windows\cnerolf.dat
c:\windows\winstart.bat
c:\windows\system32\DarkSpyKernel.sys
c:\windows\system32\dfec.sys
c:\windows\system32\drivers\dctwnnsg.sys
Driver::
dfec
hlrgpu
DarkSpy

Save this as CFScript.txt

CFScriptB-4.gif

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Link to post
Share on other sites
EllssD

EllssD

Posted
  • Author
Posted

Yes I am sorry, this computer has taken a turn for the worst and I may have to replace it soon, I'll see how long its going to be before I can get a new one before I start cleaning again,.Thanks for your help so far, just give me a little while to see if its worth finishing, main problem is that it has become difficult to start and these scans usually involve lots of restarts!

Link to post
Share on other sites
  • 3 weeks later...
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.