Hey all,

I'm actually having the same issue as this user: http://forums.malwarebytes.org/index.php?s...rt=#entry235670

Every time I open up Firefox, ESET NOD32 keeps displaying a notification that it has blocked an address, usually from an ip address of 91.212.226.179, with a url of zl00zxcv1.com.

NOD32 keeps blocking the address, but after a time Firefox will crash on me. Can anyone give me any advice? Thank you!

Hi and welcome to Malwarebytes.

First, update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post the one that is not minimized.

Hi,

Thank you for the response! I actually found the pinned section and followed their instructions, so I've attached everything for you (DDS is pasted):

DDS (Ver_10-03-17.01) - NTFSx86

Run by sctele at 21:40:11.26 on Sun 07/11/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.518 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\RocketDock\RocketDock.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Rainmeter\Rainmeter.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\sctele\Desktop\malware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearch Bar =

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070123

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot

StartupFolder: c:\docume~1\sctele\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238554124343

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sctele\applic~1\mozilla\firefox\profiles\iyyotdwa.default\

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]

R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]

R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2009-4-19 28672]

R3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [2004-1-26 899980]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-27 136176]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]

=============== Created Last 30 ================

2010-07-12 01:35:10 20 ----a-w- c:\documents and settings\sctele\defogger_reenable

2010-07-11 13:44:32 0 d-----w- c:\program files\Trend Micro

2010-07-11 11:26:04 0 d-----w- c:\docume~1\sctele\applic~1\Malwarebytes

2010-07-11 11:25:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-11 11:25:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-11 11:25:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-11 11:25:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-11 11:20:04 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-07-11 11:20:04 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-07-11 11:20:04 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-07-11 11:20:04 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-07-11 11:20:03 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-07-11 11:19:30 0 d-----w- c:\program files\Trojan Remover

2010-07-11 11:19:30 0 d-----w- c:\docume~1\sctele\applic~1\Simply Super Software

2010-07-11 11:19:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software

2010-07-11 05:29:32 0 d-----w- c:\windows\system32\wbem\Repository

2010-07-11 02:07:05 120 ----a-w- c:\windows\Utefijokilomini.dat

2010-07-11 02:07:05 0 ----a-w- c:\windows\Lsaji.bin

2010-07-08 07:31:34 2213 ----a-w- c:\documents and settings\sctele\.recently-used.xbel

2010-06-14 14:44:20 61440 ----a-w- c:\windows\system32\VM302STI.dll

2010-06-14 14:44:20 180300 ----a-w- c:\windows\system32\VM302Prp.Ax

2010-06-14 14:44:19 24576 ----a-w- c:\windows\system32\RunSetup.dll

2010-06-14 14:44:19 0 d-----w- c:\windows\CatRoot

2010-06-14 14:44:18 0 d-----w- c:\program files\VM302

==================== Find3M ====================

2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll

2001-05-24 16:59:30 162304 -c--a-w- c:\program files\UNWISE.EXE

2008-10-01 06:00:49 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100120081002\index.dat

============= FINISH: 21:43:21.00 ===============

And here is the MBAM log that I ran the day before:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4301

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/11/2010 9:14:47 AM

mbam-log-2010-07-11 (09-14-47).txt

Scan type: Full scan (C:\|)

Objects scanned: 254804

Time elapsed: 1 hour(s), 32 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\sctele\Local Settings\Temp\SR9vlzb+.exe.part (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\sctele\Local Settings\Temp\KTqrVwZXqu.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\sctele\Local Settings\Temp\52F2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1027\A0364844.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1028\A0364876.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\sctele\Local Settings\Temp\0.7518097550001838.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
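The log above is what a helper reads by eye. As an added example (not part of this thread and not Malwarebytes' own tooling), here is a small Python parser for MBAM's log format that pulls out each detection, cross-checks the summary counts against the items actually listed, groups the files by where they landed on disk, and flags the Security Center AntiVirusDisableNotify / FirewallDisableNotify changes that show the infection was suppressing security warnings. The sample log is constructed from lines posted above.

```python
import re
from collections import Counter

# Constructed sample: a subset of the MBAM log lines posted in this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Database version: 4301

Registry Data Items Infected: 2
Files Infected: 6

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\sctele\Local Settings\Temp\SR9vlzb+.exe.part (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\sctele\Local Settings\Temp\KTqrVwZXqu.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\sctele\Local Settings\Temp\52F2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1027\A0364844.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1028\A0364876.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\sctele\Local Settings\Temp\0.7518097550001838.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

# "<path> (<detection>) -> <action>."  for file hits
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# "<key>\<value> (<detection>) -> Bad: (x) Good: (y) -> <action>."  for registry data hits
REG_DATA_RE = re.compile(
    r"^(?P<key>HK[A-Z_]+\\.+)\\(?P<value>[^\\ ]+) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+?)\.?$")
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")  # summary block
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")                  # section header


def parse_mbam_log(text):
    """Return (declared_counts, findings): the summary block and every parsed item."""
    declared, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            declared[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = REG_DATA_RE.match(line)
        if m:
            findings.append({"kind": "registry_data", "section": section,
                             "path": m["key"] + "\\" + m["value"], "detection": m["detection"],
                             "bad": m["bad"], "good": m["good"], "action": m["action"]})
            continue
        m = FILE_RE.match(line)
        if m:
            findings.append({"kind": "file", "section": section, "path": m["path"],
                             "detection": m["detection"], "action": m["action"]})
    return declared, findings


def counts_consistent(declared, findings):
    """Cross-check the summary counts against the items actually listed under each section."""
    seen = Counter(f["section"] for f in findings)
    return all(seen.get(sec, 0) == n for sec, n in declared.items())


def security_center_tampering(findings):
    """Security Center values the malware flipped to silence AV/firewall warnings."""
    return sorted(f["path"].rsplit("\\", 1)[1] for f in findings
                  if f["kind"] == "registry_data" and f["detection"] == "Disabled.SecurityCenter")


def triage(findings):
    """Group file detections by location: user Temp droppers vs. copies caught in restore points."""
    buckets = {"user_temp": [], "restore_points": [], "other": []}
    for f in findings:
        if f["kind"] != "file":
            continue
        p = f["path"].lower()
        if "\\local settings\\temp\\" in p:
            buckets["user_temp"].append(f["path"])
        elif "\\system volume information\\_restore" in p:
            buckets["restore_points"].append(f["path"])
        else:
            buckets["other"].append(f["path"])
    return buckets


def detection_counts(findings):
    """How many hits each detection name accounts for."""
    return Counter(f["detection"] for f in findings)


if __name__ == "__main__":
    declared, findings = parse_mbam_log(SAMPLE_LOG)
    print("summary matches listed items:", counts_consistent(declared, findings))
    print("Security Center values tampered:", security_center_tampering(findings))
    for bucket, paths in triage(findings).items():
        print(f"{bucket}: {len(paths)} file(s)")
    print(dict(detection_counts(findings)))
```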

Ok, now my computer keeps locking up after I use it for an extended period of time. I just got a popup error that says that "Generic Host Process for Win32 Services has encountered a problem and needs to close", and then I can't use the internet after that. Any help will be appreciated!

ComboFix:

ComboFix 10-07-11.07 - sctele 07/12/2010 16:08:22.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.662 [GMT -4:00]

Running from: c:\documents and settings\sctele\Desktop\malware\ComboFix.exe

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\_000008_.tmp.dll

c:\windows\system32\_000009_.tmp.dll

c:\windows\system32\_000010_.tmp.dll

c:\windows\system32\scvideo.dll

c:\windows\xpsp1hfm.log

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))

.

2010-07-11 17:37 . 2010-07-05 18:30 3687344 ----a-w- c:\documents and settings\sctele\Application Data\Simply Super Software\Trojan Remover\usx88A5.exe

2010-07-11 13:44 . 2010-07-11 13:44 388096 ----a-r- c:\documents and settings\sctele\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-07-11 13:44 . 2010-07-11 13:44 -------- d-----w- c:\program files\Trend Micro

2010-07-11 11:26 . 2010-07-11 11:26 -------- d-----w- c:\documents and settings\sctele\Application Data\Malwarebytes

2010-07-11 11:25 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-11 11:25 . 2010-07-11 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-11 11:25 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-11 11:25 . 2010-07-11 14:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-11 11:20 . 2010-07-12 01:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-07-11 11:20 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-07-11 11:20 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-07-11 11:20 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-07-11 11:20 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-07-11 11:20 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-07-11 11:19 . 2010-07-11 11:20 -------- d-----w- c:\program files\Trojan Remover

2010-07-11 11:19 . 2010-07-11 11:19 -------- d-----w- c:\documents and settings\sctele\Application Data\Simply Super Software

2010-07-11 11:19 . 2010-07-11 11:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software

2010-07-11 05:29 . 2010-07-11 05:29 -------- d-----w- c:\windows\system32\wbem\Repository

2010-07-11 02:29 . 2010-07-11 02:29 -------- d-----w- c:\documents and settings\Administrator\IETldCache

2010-07-11 02:07 . 2010-07-11 02:07 120 ----a-w- c:\windows\Utefijokilomini.dat

2010-07-11 02:07 . 2010-07-11 02:07 0 ----a-w- c:\windows\Lsaji.bin

2010-07-11 02:07 . 2010-07-11 05:29 -------- d-----w- c:\documents and settings\sctele\Local Settings\Application Data\{D51F2D41-E485-4293-9E05-1CE187DD1B9A}

2010-06-25 05:32 . 2010-06-25 05:32 -------- d-----w- c:\documents and settings\sctele\Local Settings\Application Data\Opera

2010-06-25 05:31 . 2010-06-26 00:37 -------- d-----w- c:\program files\Opera

2010-06-22 15:52 . 2010-07-11 00:29 -------- d-----w- c:\documents and settings\sctele\Application Data\vlc

2010-06-15 02:32 . 2010-06-15 02:32 85504 ----a-w- c:\documents and settings\sctele\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll

2010-06-14 14:44 . 2003-05-15 21:16 61440 ----a-w- c:\windows\system32\VM302STI.dll

2010-06-14 14:44 . 2010-06-14 14:44 -------- d-----w- c:\windows\CatRoot

2010-06-14 14:44 . 2004-04-12 23:01 24576 ----a-w- c:\windows\system32\RunSetup.dll

2010-06-14 14:44 . 2010-06-14 14:44 -------- d-----w- c:\program files\VM302

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-12 05:18 . 2007-01-30 01:02 -------- d-----w- c:\documents and settings\sctele\Application Data\Skype

2010-07-12 05:06 . 2008-07-20 07:54 -------- d-----w- c:\documents and settings\sctele\Application Data\skypePM

2010-07-05 15:56 . 2007-10-24 04:07 -------- d-----w- c:\documents and settings\sctele\Application Data\.purple

2010-07-03 18:03 . 2010-05-02 15:31 188152 ----a-w- c:\documents and settings\sctele\Application Data\Mozilla\Firefox\Profiles\iyyotdwa.default\FlashGot.exe

2010-07-03 16:40 . 2007-03-17 17:45 -------- d-----w- c:\documents and settings\sctele\Application Data\Azureus

2010-06-28 18:04 . 2007-09-10 12:39 -------- d-----w- c:\documents and settings\sctele\Application Data\FrostWire

2010-06-26 00:38 . 2007-10-07 19:11 -------- d-----w- c:\program files\Common Files\Motive

2010-06-26 00:36 . 2007-01-23 18:57 -------- d-----w- c:\program files\Google

2010-06-15 17:01 . 2007-02-11 14:45 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-06-15 02:32 . 2007-05-08 14:28 -------- d-----w- c:\documents and settings\sctele\Application Data\SystemRequirementsLab

2010-06-14 14:44 . 2007-01-23 18:46 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-01 13:22 . 2010-06-01 13:22 40960 ----a-r- c:\documents and settings\sctele\Application Data\Microsoft\Installer\{50E7EF15-18A6-47DD-A79E-E9F9740DAAB8}\NewShortcut11_50E7EF1518A647DDA79EE9F9740DAAB8.exe

2010-06-01 13:22 . 2010-06-01 13:22 40960 ----a-r- c:\documents and settings\sctele\Application Data\Microsoft\Installer\{50E7EF15-18A6-47DD-A79E-E9F9740DAAB8}\NewShortcut1_50E7EF1518A647DDA79EE9F9740DAAB8.exe

2010-06-01 13:22 . 2010-06-01 13:22 40960 ----a-r- c:\documents and settings\sctele\Application Data\Microsoft\Installer\{50E7EF15-18A6-47DD-A79E-E9F9740DAAB8}\ARPPRODUCTICON.exe

2010-06-01 13:22 . 2010-06-01 13:22 -------- d-----w- c:\program files\REA

2010-05-28 11:40 . 2010-05-28 11:40 503808 ----a-w- c:\documents and settings\sctele\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-463ff73a-n\msvcp71.dll

2010-05-28 11:40 . 2010-05-28 11:40 348160 ----a-w- c:\documents and settings\sctele\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-463ff73a-n\msvcr71.dll

2010-05-28 11:40 . 2010-05-28 11:39 499712 ----a-w- c:\documents and settings\sctele\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-463ff73a-n\jmc.dll

2010-05-23 15:46 . 2010-05-23 15:46 -------- d-----w- c:\documents and settings\sctele\Application Data\MusicBrainz

2010-05-23 15:46 . 2010-05-23 15:46 -------- d-----w- c:\program files\MusicBrainz Picard

2010-05-20 12:01 . 2010-05-20 12:01 180224 ----a-w- c:\documents and settings\sctele\Application Data\Sun\Java\Deployment\cache\6.0\28\6ddb9f1c-1e5176a6-n\HHHooks2.dll

2010-05-20 12:01 . 2010-05-20 12:01 45056 ----a-w- c:\documents and settings\sctele\Application Data\Sun\Java\Deployment\cache\6.0\7\d42a0c7-45f3a7ff-n\ntps.dll

2010-05-20 01:33 . 2010-05-02 09:02 -------- d-----w- c:\program files\Mozilla Sunbird

2010-05-16 17:39 . 2007-10-24 04:10 -------- d-----w- c:\documents and settings\sctele\Application Data\gtk-2.0

2010-05-16 16:34 . 2010-05-16 16:34 -------- d-----w- c:\program files\Common Files\Skype

2010-05-16 16:34 . 2007-01-30 01:01 -------- d-----r- c:\program files\Skype

2010-05-16 16:34 . 2007-01-30 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-05-06 10:41 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2004-08-10 18:51 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30 . 2004-08-10 18:50 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-14 13:23 . 2009-11-08 20:07 79488 ----a-w- c:\documents and settings\sctele\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2001-05-24 16:59 . 2007-03-09 22:40 162304 -c--a-w- c:\program files\UNWISE.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

"Google Update"="c:\documents and settings\sctele\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-01 148888]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-07-05 1167296]

c:\documents and settings\sctele\Start Menu\Programs\Startup\

Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2006-1-21 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cable and Wireless Support Centre.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cable and Wireless Support Centre.lnk

backup=c:\windows\pss\Cable and Wireless Support Centre.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk

backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk

backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^sctele^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]

path=c:\documents and settings\sctele\Start Menu\Programs\Startup\Logitech . Product Registration.lnk

backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2006-11-12 10:48 157592 ----a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

2006-08-04 00:51 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-06-15 17:57 136176 ----atw- c:\documents and settings\sctele\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2006-03-20 21:34 213936 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2006-03-20 21:34 213936 -c--a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2006-03-20 21:34 86960 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

2006-08-22 21:32 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 20:45 313472 -c--a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]

2008-02-08 03:38 364544 -c--a-w- c:\windows\system32\WDBtnMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Pidgin\\pidgin.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\VUE\\jre\\bin\\javaw.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=

"c:\\Program Files\\MusicBrainz Picard\\picard.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]

R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [4/19/2009 11:54 AM 28672]

R3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [1/26/2004 8:42 PM 899980]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2010 1:52 PM 136176]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 1:31 PM 42000]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/29/2007 9:50 PM 646392]

.

Contents of the 'Scheduled Tasks' folder

2010-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 11:20]

2010-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 11:20]

2010-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-392061110-3381115794-502298408-1007Core.job

- c:\documents and settings\sctele\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-12 17:57]

2010-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-392061110-3381115794-502298408-1007UA.job

- c:\documents and settings\sctele\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-12 17:57]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\sctele\Application Data\Mozilla\Firefox\Profiles\iyyotdwa.default\

FF - plugin: c:\documents and settings\sctele\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Corel Photo Downloader - c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

MSConfigStartUp-Motive SmartBridge - c:\progra~1\CW\SMARTB~1\MotiveSB.exe

MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe

MSConfigStartUp-Vidalia - c:\program files\Vidalia Bundle\Vidalia\vidalia.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-12 16:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]

@Denied: (2) (LocalSystem)

"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET NOD32 Antivirus\\"

"DataDir"="ESET\\ESET NOD32 Antivirus\\"

"EditionName"=" "

"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"

"LanguageId"=dword:00000409

"PackageTag"=dword:6090e758

"ProductBase"=dword:00000000

"ProductCode"="{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}"

"ProductName"="ESET NOD32 Antivirus"

"ProductType"="eav"

"ProductVersion"="4.0.437.0"

"UniqueId"="00058E4D4A591752"

"ScannerBuild"=dword:00001329

"ScannerVersionId"=dword:00000feb

"ScannerVersion"="Open window for status."

"FixId"=dword:00000006

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

.

Completion time: 2010-07-12 16:21:24

ComboFix-quarantined-files.txt 2010-07-12 20:21

Pre-Run: 15,243,464,704 bytes free

Post-Run: 17,873,215,488 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - C06F5DF410E48944A349A1770D3B463D

New DDS:

DDS (Ver_10-03-17.01) - NTFSx86

Run by sctele at 16:27:20.03 on Mon 07/12/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.446 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\sctele\Desktop\malware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"

uRun: [Google Update] "c:\documents and settings\sctele\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot

StartupFolder: c:\docume~1\sctele\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238554124343

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sctele\applic~1\mozilla\firefox\profiles\iyyotdwa.default\

FF - plugin: c:\documents and settings\sctele\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]

R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]

R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2009-4-19 28672]

R3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [2004-1-26 899980]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-27 136176]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]

=============== Created Last 30 ================

2010-07-12 20:01:26 0 d-sha-r- C:\cmdcons

2010-07-12 19:57:46 98816 ----a-w- c:\windows\sed.exe

2010-07-12 19:57:46 77312 ----a-w- c:\windows\MBR.exe

2010-07-12 19:57:46 256512 ----a-w- c:\windows\PEV.exe

2010-07-12 19:57:46 161792 ----a-w- c:\windows\SWREG.exe

2010-07-12 01:35:10 20 ----a-w- c:\documents and settings\sctele\defogger_reenable

2010-07-11 13:44:32 0 d-----w- c:\program files\Trend Micro

2010-07-11 11:26:04 0 d-----w- c:\docume~1\sctele\applic~1\Malwarebytes

2010-07-11 11:25:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-11 11:25:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-11 11:25:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-11 11:25:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-11 11:20:04 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-07-11 11:20:04 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-07-11 11:20:04 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-07-11 11:20:04 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-07-11 11:20:03 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-07-11 11:19:30 0 d-----w- c:\program files\Trojan Remover

2010-07-11 11:19:30 0 d-----w- c:\docume~1\sctele\applic~1\Simply Super Software

2010-07-11 11:19:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software

2010-07-11 05:29:32 0 d-----w- c:\windows\system32\wbem\Repository

2010-07-11 02:07:05 120 ----a-w- c:\windows\Utefijokilomini.dat

2010-07-11 02:07:05 0 ----a-w- c:\windows\Lsaji.bin

2010-07-08 07:31:34 2213 ----a-w- c:\documents and settings\sctele\.recently-used.xbel

2010-06-14 14:44:20 61440 ----a-w- c:\windows\system32\VM302STI.dll

2010-06-14 14:44:20 180300 ----a-w- c:\windows\system32\VM302Prp.Ax

2010-06-14 14:44:19 24576 ----a-w- c:\windows\system32\RunSetup.dll

2010-06-14 14:44:19 0 d-----w- c:\windows\CatRoot

2010-06-14 14:44:18 0 d-----w- c:\program files\VM302

==================== Find3M ====================

2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll

2001-05-24 16:59:30 162304 -c--a-w- c:\program files\UNWISE.EXE

2008-10-01 06:00:49 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100120081002\index.dat

============= FINISH: 16:27:27.93 ===============


  • Staff

Hi,

Things are definitely looking better. :)

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=43234
Collect::
c:\windows\Utefijokilomini.dat
c:\windows\Lsaji.bin
Dirlook::
c:\documents and settings\sctele\Local Settings\Application Data\{D51F2D41-E485-4293-9E05-1CE187DD1B9A}

Save this as CFScript.txt

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.


Ok, here is the ComboFix log from the new scan:

ComboFix 10-07-12.06 - sctele 07/13/2010 18:14:26.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.317 [GMT -4:00]

Running from: c:\documents and settings\sctele\Desktop\malware\ComboFix.exe

Command switches used :: c:\documents and settings\sctele\Desktop\malware\CFScript.txt

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

file zipped: c:\windows\Lsaji.bin

file zipped: c:\windows\Utefijokilomini.dat

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Lsaji.bin

c:\windows\Utefijokilomini.dat

.

((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))

.

2010-07-13 02:22 . 2010-07-13 02:22 -------- d-----w- c:\windows\Performance

2010-07-13 02:22 . 2010-07-13 02:22 -------- d-----w- c:\documents and settings\sctele\Local Settings\Application Data\Microsoft Corporation

2010-07-13 02:21 . 2010-07-13 02:21 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor

2010-07-11 13:44 . 2010-07-11 13:44 388096 ----a-r- c:\documents and settings\sctele\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-07-11 13:44 . 2010-07-11 13:44 -------- d-----w- c:\program files\Trend Micro

2010-07-11 11:26 . 2010-07-11 11:26 -------- d-----w- c:\documents and settings\sctele\Application Data\Malwarebytes

2010-07-11 11:25 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-11 11:25 . 2010-07-11 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-11 11:25 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-11 11:25 . 2010-07-11 14:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-11 11:20 . 2010-07-12 01:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-07-11 05:29 . 2010-07-11 05:29 -------- d-----w- c:\windows\system32\wbem\Repository

2010-07-11 02:29 . 2010-07-11 02:29 -------- d-----w- c:\documents and settings\Administrator\IETldCache

2010-07-11 02:07 . 2010-07-11 05:29 -------- d-----w- c:\documents and settings\sctele\Local Settings\Application Data\{D51F2D41-E485-4293-9E05-1CE187DD1B9A}

2010-06-25 05:32 . 2010-06-25 05:32 -------- d-----w- c:\documents and settings\sctele\Local Settings\Application Data\Opera

2010-06-25 05:31 . 2010-06-26 00:37 -------- d-----w- c:\program files\Opera

2010-06-22 15:52 . 2010-07-11 00:29 -------- d-----w- c:\documents and settings\sctele\Application Data\vlc

2010-06-15 02:32 . 2010-06-15 02:32 85504 ----a-w- c:\documents and settings\sctele\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll

2010-06-14 14:44 . 2003-05-15 21:16 61440 ----a-w- c:\windows\system32\VM302STI.dll

2010-06-14 14:44 . 2010-06-14 14:44 -------- d-----w- c:\windows\CatRoot

2010-06-14 14:44 . 2004-04-12 23:01 24576 ----a-w- c:\windows\system32\RunSetup.dll

2010-06-14 14:44 . 2010-06-14 14:44 -------- d-----w- c:\program files\VM302

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-13 22:16 . 2007-01-30 01:02 -------- d-----w- c:\documents and settings\sctele\Application Data\Skype

2010-07-13 20:00 . 2008-07-20 07:54 -------- d-----w- c:\documents and settings\sctele\Application Data\skypePM

2010-07-13 19:14 . 2010-05-02 15:31 188152 ----a-w- c:\documents and settings\sctele\Application Data\Mozilla\Firefox\Profiles\iyyotdwa.default\FlashGot.exe

2010-07-05 15:56 . 2007-10-24 04:07 -------- d-----w- c:\documents and settings\sctele\Application Data\.purple

2010-07-03 16:40 . 2007-03-17 17:45 -------- d-----w- c:\documents and settings\sctele\Application Data\Azureus

2010-06-28 18:04 . 2007-09-10 12:39 -------- d-----w- c:\documents and settings\sctele\Application Data\FrostWire

2010-06-26 00:38 . 2007-10-07 19:11 -------- d-----w- c:\program files\Common Files\Motive

2010-06-26 00:36 . 2007-01-23 18:57 -------- d-----w- c:\program files\Google

2010-06-15 17:01 . 2007-02-11 14:45 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-06-15 02:32 . 2007-05-08 14:28 -------- d-----w- c:\documents and settings\sctele\Application Data\SystemRequirementsLab

2010-06-14 14:44 . 2007-01-23 18:46 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-01 13:22 . 2010-06-01 13:22 40960 ----a-r- c:\documents and settings\sctele\Application Data\Microsoft\Installer\{50E7EF15-18A6-47DD-A79E-E9F9740DAAB8}\NewShortcut11_50E7EF1518A647DDA79EE9F9740DAAB8.exe

2010-06-01 13:22 . 2010-06-01 13:22 40960 ----a-r- c:\documents and settings\sctele\Application Data\Microsoft\Installer\{50E7EF15-18A6-47DD-A79E-E9F9740DAAB8}\NewShortcut1_50E7EF1518A647DDA79EE9F9740DAAB8.exe

2010-06-01 13:22 . 2010-06-01 13:22 40960 ----a-r- c:\documents and settings\sctele\Application Data\Microsoft\Installer\{50E7EF15-18A6-47DD-A79E-E9F9740DAAB8}\ARPPRODUCTICON.exe

2010-06-01 13:22 . 2010-06-01 13:22 -------- d-----w- c:\program files\REA

2010-05-28 11:40 . 2010-05-28 11:40 503808 ----a-w- c:\documents and settings\sctele\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-463ff73a-n\msvcp71.dll

2010-05-28 11:40 . 2010-05-28 11:40 348160 ----a-w- c:\documents and settings\sctele\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-463ff73a-n\msvcr71.dll

2010-05-28 11:40 . 2010-05-28 11:39 499712 ----a-w- c:\documents and settings\sctele\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-463ff73a-n\jmc.dll

2010-05-23 15:46 . 2010-05-23 15:46 -------- d-----w- c:\documents and settings\sctele\Application Data\MusicBrainz

2010-05-23 15:46 . 2010-05-23 15:46 -------- d-----w- c:\program files\MusicBrainz Picard

2010-05-20 12:01 . 2010-05-20 12:01 180224 ----a-w- c:\documents and settings\sctele\Application Data\Sun\Java\Deployment\cache\6.0\28\6ddb9f1c-1e5176a6-n\HHHooks2.dll

2010-05-20 12:01 . 2010-05-20 12:01 45056 ----a-w- c:\documents and settings\sctele\Application Data\Sun\Java\Deployment\cache\6.0\7\d42a0c7-45f3a7ff-n\ntps.dll

2010-05-20 01:33 . 2010-05-02 09:02 -------- d-----w- c:\program files\Mozilla Sunbird

2010-05-16 17:39 . 2007-10-24 04:10 -------- d-----w- c:\documents and settings\sctele\Application Data\gtk-2.0

2010-05-16 16:34 . 2010-05-16 16:34 -------- d-----w- c:\program files\Common Files\Skype

2010-05-16 16:34 . 2007-01-30 01:01 -------- d-----r- c:\program files\Skype

2010-05-16 16:34 . 2007-01-30 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-05-06 10:41 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2004-08-10 18:51 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30 . 2004-08-10 18:50 285696 ----a-w- c:\windows\system32\atmfd.dll

2001-05-24 16:59 . 2007-03-09 22:40 162304 -c--a-w- c:\program files\UNWISE.EXE

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\sctele\Local Settings\Application Data\{D51F2D41-E485-4293-9E05-1CE187DD1B9A} ----

2010-07-11 02:07 . 2010-07-11 02:07 6778 ----a-w- c:\documents and settings\sctele\Local Settings\Application Data\{D51F2D41-E485-4293-9E05-1CE187DD1B9A}\chrome\content\overlay.xul

2010-07-11 02:07 . 2010-07-11 02:07 2058 ----a-w- c:\documents and settings\sctele\Local Settings\Application Data\{D51F2D41-E485-4293-9E05-1CE187DD1B9A}\chrome\content\_cfg.js

2010-07-11 02:07 . 2010-07-11 02:07 764 ----a-w- c:\documents and settings\sctele\Local Settings\Application Data\{D51F2D41-E485-4293-9E05-1CE187DD1B9A}\install.rdf

((((((((((((((((((((((((((((( SnapShot@2010-07-12_20.17.59 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-07-13 16:37 . 2010-07-13 16:37 16384 c:\windows\Temp\Perflib_Perfdata_2d0.dat

+ 2010-07-13 16:37 . 2010-07-13 16:37 16384 c:\windows\Temp\Perflib_Perfdata_22c.dat

+ 2010-07-13 02:21 . 2010-07-13 02:21 602624 c:\windows\Installer\377fd6.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

"Google Update"="c:\documents and settings\sctele\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-01 148888]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

c:\documents and settings\sctele\Start Menu\Programs\Startup\

Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2006-1-21 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cable and Wireless Support Centre.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cable and Wireless Support Centre.lnk

backup=c:\windows\pss\Cable and Wireless Support Centre.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk

backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk

backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^sctele^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]

path=c:\documents and settings\sctele\Start Menu\Programs\Startup\Logitech . Product Registration.lnk

backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2006-11-12 10:48 157592 ----a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

2006-08-04 00:51 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-06-15 17:57 136176 ----atw- c:\documents and settings\sctele\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2006-03-20 21:34 213936 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2006-03-20 21:34 213936 -c--a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2006-03-20 21:34 86960 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

2006-08-22 21:32 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 20:45 313472 -c--a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]

2008-02-08 03:38 364544 -c--a-w- c:\windows\system32\WDBtnMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Pidgin\\pidgin.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\VUE\\jre\\bin\\javaw.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=

"c:\\Program Files\\MusicBrainz Picard\\picard.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]

R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [4/19/2009 11:54 AM 28672]

R3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [1/26/2004 8:42 PM 899980]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2010 1:52 PM 136176]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 1:31 PM 42000]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/29/2007 9:50 PM 646392]

.

Contents of the 'Scheduled Tasks' folder

2010-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 11:20]

2010-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 11:20]

2010-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-392061110-3381115794-502298408-1007Core.job

- c:\documents and settings\sctele\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-12 17:57]

2010-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-392061110-3381115794-502298408-1007UA.job

- c:\documents and settings\sctele\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-12 17:57]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\sctele\Application Data\Mozilla\Firefox\Profiles\iyyotdwa.default\

FF - plugin: c:\documents and settings\sctele\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-13 18:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\sctele\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]

@Denied: (2) (LocalSystem)

"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET NOD32 Antivirus\\"

"DataDir"="ESET\\ESET NOD32 Antivirus\\"

"EditionName"=" "

"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"

"LanguageId"=dword:00000409

"PackageTag"=dword:6090e758

"ProductBase"=dword:00000000

"ProductCode"="{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}"

"ProductName"="ESET NOD32 Antivirus"

"ProductType"="eav"

"ProductVersion"="4.0.437.0"

"UniqueId"="00058E4D4A591752"

"ScannerBuild"=dword:00001329

"ScannerVersionId"=dword:00000feb

"ScannerVersion"="Open window for status."

"FixId"=dword:00000006

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

.

Completion time: 2010-07-13 18:25:01

ComboFix-quarantined-files.txt 2010-07-13 22:24

ComboFix2.txt 2010-07-12 20:21

Pre-Run: 17,971,597,312 bytes free

Post-Run: 17,971,359,744 bytes free

- - End Of File - - AF654807862401BE21F2A1A68917678D

Upload was successful

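The "Look" section of the ComboFix log above lists an install.rdf, a chrome\content\overlay.xul and a _cfg.js sitting in a GUID folder directly under Local Settings\Application Data, which is the layout of a Firefox extension that was never installed through Firefox itself. The script below is an added example for checking such a manifest; it is not part of the thread, not ComboFix code and not Mozilla's code. The install.rdf text and the paths are constructed for the example (the GUID from the log is reused only as an illustrative em:id), and the two checks it performs are the ones a responder would make by hand: is the manifest under an 'extensions' directory at all, and does it set em:hidden, which Firefox 3.x honoured to keep an add-on out of the Add-ons manager (Firefox 4 dropped that flag).

```python
# Added example (not from the thread): parse a Firefox install.rdf and flag
# the traits ComboFix's "Look" section hints at above. The manifest text and
# paths are constructed for this example.
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"
FIREFOX_APP_ID = "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"  # Firefox's own em:id

SAMPLE_INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{D51F2D41-E485-4293-9E05-1CE187DD1B9A}</em:id>
    <em:name>Example Helper</em:name>
    <em:version>1.0</em:version>
    <em:hidden>true</em:hidden>
    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>1.5</em:minVersion>
        <em:maxVersion>3.6.*</em:maxVersion>
      </Description>
    </em:targetApplication>
  </Description>
</RDF>
"""

# Constructed path mirroring the location ComboFix reported.
SAMPLE_PATH = (r"c:\documents and settings\sctele\Local Settings\Application Data"
               r"\{D51F2D41-E485-4293-9E05-1CE187DD1B9A}\install.rdf")


def _text(parent, name):
    """Text of a direct em:<name> child, or None when absent."""
    el = parent.find(EM + name)
    return el.text.strip() if el is not None and el.text else None


def parse_install_rdf(xml_text):
    """Return id, name, version, hidden flag and targetApplication ranges."""
    root = ET.fromstring(xml_text)
    manifest = None
    for desc in root.iter(RDF + "Description"):
        # The attribute is written either as bare 'about' or as RDF:about.
        about = desc.get("about") or desc.get(RDF + "about")
        if about == "urn:mozilla:install-manifest":
            manifest = desc
            break
    if manifest is None:
        raise ValueError("no urn:mozilla:install-manifest Description")
    targets = {}
    for ta in manifest.findall(EM + "targetApplication"):
        for d in ta.iter(RDF + "Description"):
            app = _text(d, "id")
            if app:
                targets[app] = (_text(d, "minVersion"), _text(d, "maxVersion"))
    return {
        "id": _text(manifest, "id"),
        "name": _text(manifest, "name"),
        "version": _text(manifest, "version"),
        "hidden": (_text(manifest, "hidden") or "").lower() == "true",
        "targets": targets,
    }


def assess_extension(install_rdf_path, xml_text):
    """List the reasons a manifest deserves a second look; empty means none."""
    info = parse_install_rdf(xml_text)
    path = PureWindowsPath(install_rdf_path)
    parts = [p.lower() for p in path.parts]
    reasons = []
    # Add-ons installed through Firefox sit in <profile>\extensions\<id> or
    # <install dir>\extensions\<id>. A GUID folder directly under Local
    # Settings\Application Data only loads if something registered it
    # elsewhere (e.g. the Software\Mozilla\Firefox\Extensions registry keys).
    if "extensions" not in parts:
        reasons.append("manifest outside any 'extensions' directory: %s" % path.parent)
    if info["hidden"]:
        reasons.append("em:hidden is set; Firefox 3.x hides it from the Add-ons manager")
    if FIREFOX_APP_ID not in info["targets"]:
        reasons.append("does not declare Firefox as a targetApplication")
    if path.parent.name.lower() != (info["id"] or "").lower():
        reasons.append("folder name %r differs from em:id %r" % (path.parent.name, info["id"]))
    return reasons


if __name__ == "__main__":
    for reason in assess_extension(SAMPLE_PATH, SAMPLE_INSTALL_RDF):
        print("-", reason)
```

Run it against a real profile by pointing assess_extension at each install.rdf found under the profile, the Firefox install directory and any path named in the Software\Mozilla\Firefox\Extensions registry keys; a manifest that is only reachable through the registry and carries em:hidden is exactly the case above.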

  • Staff

Hi,

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Hi screen317,

Here's the F-Secure Scanner log:

14 malware found

TrackingCookie.Questionmarket (spyware)

* System (Disinfected)

TrackingCookie.Adinterax (spyware)

* System (Disinfected)

TrackingCookie.Advertising (spyware)

* System (Disinfected)

TrackingCookie.Atdmt (spyware)

* System (Disinfected)

TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

TrackingCookie.Revsci (spyware)

* System (Disinfected)

TrackingCookie.Specificclick (spyware)

* System (Disinfected)

TrackingCookie.Adrevolver (spyware)

* System (Disinfected)

TrackingCookie.Adbrite (spyware)

* System (Disinfected)

TrackingCookie.Webtrends (spyware)

* System (Disinfected)

TrackingCookie.Mediaplex (spyware)

* System (Disinfected)

TrackingCookie.Statcounter (spyware)

* System (Disinfected)

TrackingCookie.Atwola (spyware)

* System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

* System (Disinfected)

Statistics

Scanned:

* Files: 80110

* System: 4747

* Not scanned: 12

Actions:

* Disinfected: 14

* Renamed: 0

* Deleted: 0

* Not cleaned: 0

* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

* C:\WINDOWS\SYSTEM32\CONFIG\SAM

* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB

* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB

* C:\DOCUMENTS AND SETTINGS\SCTELE\LOCAL SETTINGS\TEMP\ETILQS_ISEGPIGADLSPACLATAVZ

* C:\DOCUMENTS AND SETTINGS\SCTELE\LOCAL SETTINGS\TEMP\ETILQS_OXI1P0JZDM5KMDYMRZT7

* C:\DOCUMENTS AND SETTINGS\SCTELE\LOCAL SETTINGS\TEMP\HSPERFDATA_SCTELE\1128

* C:\DOCUMENTS AND SETTINGS\SCTELE\LOCAL SETTINGS\TEMP\HSPERFDATA_SCTELE\3772

Options

Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

* Use advanced heuristics

And here is your SecurityCheck log:

Results of screen317's Security Check version 0.99.4

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET NOD32 Antivirus

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 13

Java SE Runtime Environment 6 Update 1

Java 6 Update 2

Java 6 Update 5

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player 10.1.53.64

Adobe Reader 7.1.0

Out of date Adobe Reader installed!

Mozilla Thunderbird (1.5.0) Thunderbird Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

sctele Desktop malware SecurityCheck.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

It seems as if everything is in working order... I haven't had any sort of problems since you told me to run ComboFix. I'm assuming that this means that my computer is (finally) clean?


  • Staff

Hi,

Things are looking good from here. :angry:

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


  • Staff

Hi,

Yes, please enable Defogger. Also keep the Recovery Console; it is a very useful tool in case you run into trouble in the future.

If you are not experiencing any other issues, then now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Sunbelt Personal Firewall

Comodo

Outpost

2) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

3) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

6) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

7) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

-screen317

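Step 3 above (IE-Spyad) works by writing Internet Explorer's ZoneMap registry keys so that listed hosts land in the Restricted sites zone, where scripting and ActiveX are off. The script below is an added example of that mechanism, not IE-Spyad's own file and not part of the thread; it builds a .reg file from a host list and an address list. The lists are constructed for the example (the hostname and IP are the ones reported in the first post), the Range key start index of 1000 is an arbitrary choice to avoid colliding with Range keys already on a machine, and the two-label domain rule does not cover public suffixes such as co.uk. One caveat worth knowing before relying on it: the zone map governs Internet Explorer and anything embedding the WebBrowser control; Firefox, which is the browser that was being hijacked here, ignores it entirely.

```python
# Added example (not from the thread and not IE-SPYAD's own file): generate a
# .reg file that places hostnames and IP addresses in Internet Explorer's
# Restricted sites zone, the mechanism IE-SPYAD relies on. The host and
# address lists below are constructed for this example.
import ipaddress
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
ZONEMAP = ("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion"
           "\\Internet Settings\\ZoneMap")
# Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted
RESTRICTED_SITES = 4
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

SAMPLE_HOSTS = ["zl00zxcv1.com", "ads.tracker-example.net", "ZL00ZXCV1.COM"]
SAMPLE_ADDRESSES = ["91.212.226.179"]


def zonemap_key(host):
    """Registry key for a hostname. ZoneMap keys on the registrable domain and
    puts the remaining labels in a sub-key: www.example.com becomes
    Domains\\example.com\\www. Two-label domains only; public suffixes such
    as co.uk are not handled (assumption of this example)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError("not a bare hostname: %r" % host)
    key = ZONEMAP + "\\Domains\\" + ".".join(labels[-2:])
    if len(labels) > 2:
        key += "\\" + ".".join(labels[:-2])
    return key


def range_key(index):
    """IP addresses go under Ranges\\RangeN with a ':Range' value. N must not
    collide with Range keys already present on the machine, so callers pick
    a high starting index."""
    return ZONEMAP + "\\Ranges\\Range%d" % index


def build_reg(hosts, addresses=(), first_range=1000, zone=RESTRICTED_SITES):
    """Return the text of a .reg file; '*' covers every URL scheme."""
    lines = [REG_HEADER, ""]
    for host in sorted({h.lower() for h in hosts}):          # dedupe, case-fold
        lines += ["[%s]" % zonemap_key(host), '"*"=dword:%08x' % zone, ""]
    addrs = sorted({str(ipaddress.ip_address(a)) for a in addresses})  # validates
    for index, addr in enumerate(addrs, first_range):
        lines += ["[%s]" % range_key(index), '":Range"="%s"' % addr,
                  '"*"=dword:%08x' % zone, ""]
    return "\r\n".join(lines)  # regedit expects CRLF line endings


if __name__ == "__main__":
    print(build_reg(SAMPLE_HOSTS, SAMPLE_ADDRESSES))
```

Save the output as a .reg file and import it with regedit; because the keys are under HKEY_CURRENT_USER the change applies only to the user who imports it, which is also how IE-Spyad behaves. Removing a site again means deleting its Domains key, not setting the value to 3.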

  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
