
Hi all,

McAfee found some files relating to Fake.Alert something or other. I deleted those files which it didn't clean automatically and also looked through startup services etc. and unchecked those that looked suspicious (randomly named .exe's and .dll's). I don't see any suspicious tasks running in taskmanager at the moment.

Symptoms:

-random (semi-often) redirects from google search results to fake "results" sites

-random opening of tabs in Firefox to suspicious sites

-taskmanager not listing user name for most processes

-occasionally, a svchost.exe taking up 50% CPU cycles. Terminating it seems to make no difference.

-sound sometimes will quit; Windows says something like "no mixer device installed"

-random error "Generic Host Process for Win32 has encountered an error and needs to close."

Here is the latest Malwarebytes log (nothing found, the first one I ran did have some detections):

=====================

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4356

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

8/4/2010 1:10:50 AM

mbam-log-2010-08-04 (01-10-50).txt

Scan type: Full scan (C:\|)

Objects scanned: 199039

Time elapsed: 48 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

=====================

And the DDS log:

=====================

DDS (Ver_10-03-17.01) - NTFSx86

Run by John Doe at 6:15:45.23 on Thu 07/29/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1409 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\VirtualCloneDrive\VCDDaemon.exe

C:\WINDOWS\system32\nvraidservice.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\Twain_32\Samsung\SCX4623\Scan2pc.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\John Doe\My Documents\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [VirtualCloneDrive] "c:\program files\virtualclonedrive\VCDDaemon.exe" /s

mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime alternative\QTTask.exe" -atboottime

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [4623 Scan2PC] "c:\windows\twain_32\samsung\scx4623\Scan2pc.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRun: [opffcibm] c:\documents and settings\networkservice\local settings\application data\fcstfjqbp\vqububmtssd.exe

dRun: [mogxbbne] c:\documents and settings\networkservice\local settings\application data\dfdndlbpi\hwjrrcotssd.exe

StartupFolder: c:\docume~1\johndo~1\startm~1\programs\startup\taskma~1.lnk - c:\windows\system32\taskmgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\johndo~1\applic~1\mozilla\firefox\profiles\7opdvj9o.default\

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\john doe\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\john doe\application data\move networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\picasa3\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {5B885B5A-FB05-404F-97D3-A87018DB7148} - c:\documents and settings\john doe\local settings\application data\{5B885B5A-FB05-404F-97D3-A87018DB7148}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-10-6 31816]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-8-8 103744]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-10-6 144704]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-10-6 54608]

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-8-8 72904]

R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-8-8 34344]

R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-8-8 177672]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-07-28 16:22:42 0 ----a-w- c:\documents and settings\john doe\defogger_reenable

2010-07-27 08:33:04 0 d-----w- c:\docume~1\johndo~1\applic~1\Malwarebytes

2010-07-27 08:32:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-27 08:32:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-27 08:32:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-27 08:32:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-27 07:54:11 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-27 07:35:14 0 d-----w- c:\windows\pss

2010-07-26 07:01:17 120 ----a-w- c:\windows\Bfoguqejako.dat

2010-07-26 07:01:17 0 ----a-w- c:\windows\Odakafida.bin

2010-07-26 05:29:25 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-26 04:11:01 0 ----a-w- c:\windows\mtstack16.INI

2010-07-14 18:50:11 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-10 21:11:38 0 d-----w- c:\docume~1\johndo~1\applic~1\ICAClient

2010-07-10 21:06:52 0 d-----w- c:\program files\Citrix

2010-07-10 04:42:44 0 ----a-w- c:\windows\system32\cd.dat

2010-07-03 05:46:39 0 d-----w- c:\windows\Internet Logs

2010-07-03 05:46:15 127376 ----a-w- c:\windows\system32\drivers\dne2000.sys

2010-07-03 05:46:15 101904 ----a-w- c:\windows\system32\dneinobj.dll

2010-07-03 05:46:06 0 d-----w- c:\program files\common files\Deterministic Networks

2010-07-03 05:45:58 0 d-----w- c:\program files\Cisco Systems

2010-07-03 05:45:53 1593 ----a-w- c:\windows\VPNInstall.MIF

==================== Find3M ====================

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 6:16:24.09 ===============

Other logs are attached as per instructions. GMER crashed on the first scan (BSOD, did not see what the error was) but completed on 2nd try.

I've pretty much exhausted what I can do with my limited knowledge. Any expert advice/guidance to get rid of this crap is much appreciated - thanks in advance for your help!

Attach.zip

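The two dRun entries in the DDS report above (randomly named executables under the NetworkService profile's Local Settings\Application Data) are exactly the kind of autorun the poster was hunting by eye. As an added example, not part of DDS or of any post in this thread, the Python below applies that heuristic to DDS-style autorun lines and, to avoid flagging legitimate but odd-looking names such as RTHDCPL.EXE or taskmgr.exe, only reports an entry when a random-looking name is paired with an unusual location. The sample lines are constructed from the posted log; the thresholds (7 or more letters, vowel ratio below 0.2 or a run of 5 or more consonants) and the location lists are the example's own assumptions.

```python
"""Triage autorun entries from a DDS-style "Pseudo HJT Report".

Added example for this thread; it is not DDS, ComboFix or any poster's code.
It codifies the poster's manual heuristic ("randomly named .exe's and
.dll's") and tightens it: a random-looking name alone is weak evidence, so an
entry is only reported when that name is paired with an unusual location such
as a per-user data directory or a service-account profile.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, modelled on lines of the DDS log posted above.
SAMPLE_REPORT = r"""
mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [opffcibm] c:\documents and settings\networkservice\local settings\application data\fcstfjqbp\vqububmtssd.exe
dRun: [mogxbbne] c:\documents and settings\networkservice\local settings\application data\dfdndlbpi\hwjrrcotssd.exe
StartupFolder: c:\docume~1\johndo~1\startm~1\programs\startup\taskma~1.lnk - c:\windows\system32\taskmgr.exe
"""

# "<key>: [<value name>] <command>"; StartupFolder lines carry no [name].
LINE_RE = re.compile(r'^(?P<key>[umd]Run|StartupFolder): (?:\[(?P<name>[^\]]*)\] )?(?P<rest>.*)$')
# First Windows path ending in an executable extension. For rundll32 commands
# this picks out the loaded DLL, which is the part worth looking at.
PATH_RE = re.compile(
    r'(?i)(?:[a-z]:|%[a-z]+%)\\(?:[^"\\]+\\)*[^"\\,]+?\.(?:exe|dll|scr|com|bat|cmd|pif)\b')
# Assumed indicator lists (this example's own, not from DDS).
USER_DATA_DIRS = ('\\local settings\\', '\\application data\\', '\\applic~1\\', '\\temp\\')
SERVICE_PROFILES = ('\\networkservice\\', '\\localservice\\')


@dataclass
class AutorunEntry:
    key: str
    name: str
    target: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # One indicator (e.g. an odd name) is not enough; require two independent ones.
        return len(self.reasons) >= 2


def parse_autorun_line(line: str):
    """Return an AutorunEntry for a DDS autorun line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    if m.group('key') == 'StartupFolder':
        # "<shortcut>.lnk - <target>": the shortcut's target is what actually runs.
        rest = rest.split(' - ', 1)[-1]
    pm = PATH_RE.search(rest)
    # Bare names such as RTHDCPL.EXE have no path; fall back to the first token.
    target = pm.group(0) if pm else rest.strip('"').split(' ')[0]
    return AutorunEntry(m.group('key'), m.group('name') or '', target)


def max_consonant_run(word: str) -> int:
    best = cur = 0
    for ch in word.lower():
        if ch.isalpha() and ch not in 'aeiou':
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def looks_random(name: str) -> bool:
    """Crude pronounceability test: few vowels or a long consonant run."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 7:
        return False  # too short to judge; many legitimate tools have terse names
    vowels = sum(c in 'aeiou' for c in letters)
    return vowels / len(letters) < 0.2 or max_consonant_run(''.join(letters)) >= 5


def assess(entry: AutorunEntry) -> AutorunEntry:
    """Attach human-readable reasons to an entry; the verdict is derived from them."""
    path = entry.target.lower()
    parts = path.split('\\')
    stem = parts[-1].rsplit('.', 1)[0]
    parent = parts[-2] if len(parts) >= 2 else ''
    if looks_random(stem):
        entry.reasons.append(f'random-looking file name "{stem}"')
    if looks_random(parent):
        entry.reasons.append(f'random-looking directory "{parent}"')
    if any(d in path for d in USER_DATA_DIRS):
        entry.reasons.append('runs from a per-user data directory, not Program Files or system32')
    if any(s in path for s in SERVICE_PROFILES):
        entry.reasons.append('runs from a service-account profile (NetworkService/LocalService)')
    return entry


def triage(report: str) -> list[AutorunEntry]:
    return [assess(e) for e in map(parse_autorun_line, report.splitlines()) if e]


def suspicious_targets(report: str) -> list[str]:
    return [e.target for e in triage(report) if e.suspicious]


if __name__ == '__main__':
    for e in triage(SAMPLE_REPORT):
        mark = 'SUSPICIOUS' if e.suspicious else 'ok        '
        print(f'{mark} {e.key}: [{e.name}] {e.target}')
        for r in e.reasons:
            print(f'             - {r}')
```

Run against the sample, only the two NetworkService entries are reported; RTHDCPL.EXE and taskmgr.exe each collect a single "random-looking name" reason and stay below the threshold, which is the point of requiring a second indicator.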

Hello,

My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


I could not get combofix to run - it kept crashing with a BSOD and immediate reboot. It also said that my AV was still running even though I had disabled it.

I decided to try and format the drive (none of my important data is on it), but windows XP setup also would not load.

I ended up downloading ultimate boot CD for win and running the Avira AV included with that. It found 5 detections (see log below) and quarantined them, but that did not fix the redirect issues. After that, I was able to run combofix, and I'll include the log here. It seems to have taken care of the redirect problem. Regardless, I am still going to format the drive using UBCD4win to be sure the infections are gone and clear up other issues. Hopefully this will kill it for good... if it doesn't, I don't know what will.

Thanks again for your help! I appreciate it.

Here are the logs, in case it helps anyone:

=====================================================================

Avira AntiVir Personal

Report file date: Friday, August 06, 2010 12:09

Scanning for 2227595 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 2) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : MININT-JVC

Version information:

BUILD.DAT : 9.0.0.386 17962 Bytes 3/11/2009 15:55:00

AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 16:13:28

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 14:58:26

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 15:35:50

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 14:58:54

ANTIVIR0.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 11:04:54

ANTIVIR1.VDF : 7.10.7.224 11894128 Bytes 6/2/2010 13:34:50

ANTIVIR2.VDF : 7.10.8.117 570784 Bytes 6/16/2010 09:46:40

ANTIVIR3.VDF : 7.10.8.127 102912 Bytes 6/18/2010 16:16:50

Engineversion : 8.2.2.6

AEVDF.DLL : 8.1.2.0 106868 Bytes 4/23/2010 13:05:26

AESCRIPT.DLL : 8.1.3.31 1352058 Bytes 6/2/2010 07:43:12

AESCN.DLL : 8.1.6.1 127347 Bytes 5/12/2010 15:40:34

AESBX.DLL : 8.1.3.1 254324 Bytes 4/23/2010 13:05:28

AERDL.DLL : 8.1.4.6 541043 Bytes 4/15/2010 13:26:34

AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 11:35:58

AEOFFICE.DLL : 8.1.1.0 201081 Bytes 5/12/2010 15:40:34

AEHEUR.DLL : 8.1.1.33 2724214 Bytes 6/4/2010 07:19:58

AEHELP.DLL : 8.1.11.5 242038 Bytes 6/2/2010 07:43:12

AEGEN.DLL : 8.1.3.10 377205 Bytes 6/2/2010 07:43:10

AEEMU.DLL : 8.1.2.0 393588 Bytes 4/23/2010 13:05:24

AECORE.DLL : 8.1.15.3 192886 Bytes 5/12/2010 15:40:32

AEBB.DLL : 8.1.1.0 53618 Bytes 4/23/2010 13:05:24

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 12:48:00

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 14:32:16

AVREP.DLL : 8.0.0.7 159784 Bytes 6/18/2010 16:16:54

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 14:32:10

AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 11:52:26

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 14:37:10

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 19:03:50

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 12:21:34

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 14:32:12

RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 15:45:46

RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 19:55:14

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: b:\antivir\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: B:, C:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: on

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Friday, August 06, 2010 12:09

Initiating scan of system files:

Starting search for hidden objects.

'55' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'CMD.EXE' - '1' Module(s) have been scanned

Scan process 'ROCKETDOCK.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'GEOSHELL.EXE' - '1' Module(s) have been scanned

Scan process 'nu2menu.exe' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned

Scan process 'LSASS.EXE' - '1' Module(s) have been scanned

Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned

Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned

13 processes with 13 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).

The registry was scanned ( '21' files ).

Starting the file scan:

Begin scan in 'B:\' <RAMDisk>

Begin scan in 'C:\'

C:\Documents and Settings\John Doe\Local Settings\Temp\jar_cache6269940331285778867.tmp

[0] Archive type: ZIP

--> AppleT.class

[DETECTION] Contains recognition pattern of the JAVA/Agent.N Java virus

C:\Documents and Settings\John Doe\Local Settings\Temp\jar_cache9159614499387097727.tmp

[0] Archive type: ZIP

--> AppleT.class

[DETECTION] Contains recognition pattern of the JAVA/Agent.N Java virus

C:\Documents and Settings\John Doe\Local Settings\Temp\K15X5Ilb.exe.part

[0] Archive type: NSIS

--> [unknownDir]/NPSWF32_FlashUtil.exe

[WARNING] No further files can be extracted from this archive. The archive will be closed

[WARNING] No further files can be extracted from this archive. The archive will be closed

C:\System Volume Information\_restore{54AA6433-AE76-4E3C-9BF8-222890ED2A81}\RP187\A0029881.exe

[DETECTION] Is the TR/Drop.Scheduler.H Trojan

C:\UBCD4Win\plugin\!Critical\FixOEM\FixOEM.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\WINDOWS\system32\drivers\cdrom.sys

[DETECTION] Is the TR/Patched.Gen Trojan

Beginning disinfection:

C:\Documents and Settings\John Doe\Local Settings\Temp\jar_cache6269940331285778867.tmp

[NOTE] The file was moved to '4cce0572.qua'!

C:\Documents and Settings\John Doe\Local Settings\Temp\jar_cache9159614499387097727.tmp

[NOTE] The file was moved to '4d4e62f3.qua'!

C:\System Volume Information\_restore{54AA6433-AE76-4E3C-9BF8-222890ED2A81}\RP187\A0029881.exe

[DETECTION] Is the TR/Drop.Scheduler.H Trojan

[NOTE] The file was moved to '4c8c0541.qua'!

C:\UBCD4Win\plugin\!Critical\FixOEM\FixOEM.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to '4cd4057b.qua'!

C:\WINDOWS\system32\drivers\cdrom.sys

[DETECTION] Is the TR/Patched.Gen Trojan

[NOTE] The file was moved to '4cce0576.qua'!

End of the scan: Friday, August 06, 2010 12:50

Used time: 37:00 Minute(s)

The scan has been done completely.

10151 Scanned directories

381110 Files were scanned

5 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

5 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

381105 Files not concerned

3383 Archives were scanned

2 Warnings

5 Notes

55 Objects were scanned with rootkit scan

0 Hidden objects were found

=====================================================================

ComboFix 10-08-05.02 - John Doe 08/06/2010 13:16:28.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1578 [GMT -4:00]

Running from: c:\documents and settings\John Doe\My Documents\Downloads\ComboFix.exe

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\John Doe\Local Settings\Application Data\{5B885B5A-FB05-404F-97D3-A87018DB7148}

c:\documents and settings\John Doe\Local Settings\Application Data\{5B885B5A-FB05-404F-97D3-A87018DB7148}\chrome.manifest

c:\documents and settings\John Doe\Local Settings\Application Data\{5B885B5A-FB05-404F-97D3-A87018DB7148}\chrome\content\_cfg.js

c:\documents and settings\John Doe\Local Settings\Application Data\{5B885B5A-FB05-404F-97D3-A87018DB7148}\chrome\content\overlay.xul

c:\documents and settings\John Doe\Local Settings\Application Data\{5B885B5A-FB05-404F-97D3-A87018DB7148}\install.rdf

c:\windows\system32\drivers\cdrom.sys was missing

Restored copy from - c:\windows\system32\dllcache\cdrom.sys

.

((((((((((((((((((((((((( Files Created from 2010-07-06 to 2010-08-06 )))))))))))))))))))))))))))))))

.

2010-08-06 17:21 . 2009-08-23 21:00 62592 -c--a-w- c:\windows\system32\dllcache\cdrom.sys

2010-08-06 17:21 . 2009-08-23 21:00 62592 ----a-w- c:\windows\system32\drivers\cdrom.sys

2010-08-06 15:25 . 2010-08-06 15:33 -------- d-----w- C:\UBCD4Win

2010-08-06 05:59 . 2010-08-06 06:01 -------- d-----w- C:\pebuilder3110a

2010-08-04 22:40 . 2010-08-04 22:40 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-07-30 23:49 . 2010-07-30 23:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2010-07-28 13:54 . 2010-07-28 13:54 -------- d-s---w- c:\documents and settings\LocalService\UserData

2010-07-27 08:33 . 2010-07-27 08:33 -------- d-----w- c:\documents and settings\John Doe\Application Data\Malwarebytes

2010-07-27 08:32 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-27 08:32 . 2010-07-27 08:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-27 08:32 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-27 08:32 . 2010-07-27 08:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-27 07:54 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-26 17:52 . 2010-07-26 17:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-07-26 07:01 . 2010-07-27 04:37 120 ----a-w- c:\windows\Bfoguqejako.dat

2010-07-26 07:01 . 2010-07-27 04:37 0 ----a-w- c:\windows\Odakafida.bin

2010-07-26 05:29 . 2010-08-06 04:11 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-23 20:34 . 2010-07-23 20:34 -------- d-----w- c:\program files\Common Files\Skype

2010-07-14 18:50 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-10 21:11 . 2010-07-10 21:12 -------- d-----w- c:\documents and settings\John Doe\Application Data\ICAClient

2010-07-10 21:06 . 2010-07-10 21:06 -------- d-----w- c:\program files\Citrix

2010-07-10 04:42 . 2010-07-10 04:42 0 ----a-w- c:\windows\system32\cd.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-06 04:30 . 2009-08-09 03:50 -------- d-----w- c:\documents and settings\John Doe\Application Data\vlc

2010-08-06 00:19 . 2009-11-22 00:04 -------- d-----w- c:\documents and settings\John Doe\Application Data\dvdcss

2010-08-04 20:13 . 2009-08-08 17:18 -------- d-----w- c:\documents and settings\John Doe\Application Data\Skype

2010-08-04 18:03 . 2009-08-08 17:21 -------- d-----w- c:\documents and settings\John Doe\Application Data\skypePM

2010-07-27 07:54 . 2010-03-28 04:48 -------- d-----w- c:\program files\Java

2010-07-26 05:24 . 2009-10-08 17:54 -------- d-----w- c:\program files\QuickTime Alternative

2010-07-25 16:09 . 2009-08-08 06:32 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-23 20:34 . 2009-08-08 17:18 -------- d-----r- c:\program files\Skype

2010-07-23 20:34 . 2009-08-08 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-07-04 18:12 . 2009-09-05 16:01 -------- d-----w- c:\program files\MediaMonkey

2010-07-04 02:30 . 2010-07-04 02:30 503808 ----a-w- c:\documents and settings\John Doe\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2f380319-n\msvcp71.dll

2010-07-04 02:30 . 2010-07-04 02:30 499712 ----a-w- c:\documents and settings\John Doe\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2f380319-n\jmc.dll

2010-07-04 02:30 . 2010-07-04 02:30 348160 ----a-w- c:\documents and settings\John Doe\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2f380319-n\msvcr71.dll

2010-07-04 02:30 . 2010-07-04 02:30 61440 ----a-w- c:\documents and settings\John Doe\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-64ad7e82-n\decora-sse.dll

2010-07-04 02:30 . 2010-07-04 02:30 12800 ----a-w- c:\documents and settings\John Doe\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-64ad7e82-n\decora-d3d.dll

2010-07-03 05:46 . 2010-07-03 05:46 -------- d-----w- c:\program files\Common Files\Deterministic Networks

2010-07-03 05:45 . 2010-07-03 05:45 -------- d-----w- c:\program files\Cisco Systems

2010-06-28 18:40 . 2010-06-28 18:40 -------- d-----w- c:\program files\Samsung

2010-06-28 18:14 . 2010-06-28 18:14 -------- d-----w- c:\documents and settings\John Doe\Application Data\MSNInstaller

2010-06-28 18:12 . 2009-09-29 04:59 -------- d-----w- c:\program files\BMW M3 Challenge

2010-06-27 17:25 . 2009-08-30 04:17 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-14 14:31 . 2009-08-08 06:16 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-05-18 04:00 . 2009-08-08 07:47 51552 ----a-w- c:\documents and settings\John Doe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-07 111952]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]

"nwiz"="nwiz.exe" [2009-06-10 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]

"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]

"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2006-10-18 137216]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-06-19 38840]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-06-19 640440]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" [2010-03-18 421888]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"4623 Scan2PC"="c:\windows\Twain_32\Samsung\SCX4623\Scan2pc.exe" [2009-09-11 1968640]

c:\documents and settings\John Doe\Start Menu\Programs\Startup\

Task Manager.lnk - c:\windows\system32\taskmgr.exe [2004-8-4 135680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-24 10872]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\WINDOWS\\twain_32\\Samsung\\ScanMgr.exe"=

"c:\\WINDOWS\\twain_32\\Samsung\\SCX4623\\Scan2Pc.exe"=

"c:\\WINDOWS\\twain_32\\Samsung\\SCX4623\\Sscan2io.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\John Doe\Application Data\Mozilla\Firefox\Profiles\7opdvj9o.default\

FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\John Doe\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\John Doe\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

FF - plugin: c:\program files\Picasa3\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

.

------- File Associations -------

.

.scr=AutoCADScriptFile

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-mogxbbne - c:\documents and settings\NetworkService\Local Settings\Application Data\dfdndlbpi\hwjrrcotssd.exe

MSConfigStartUp-NetworkControl - c:\networkcontrol\nc.exe

MSConfigStartUp-opffcibm - c:\documents and settings\NetworkService\Local Settings\Application Data\fcstfjqbp\vqububmtssd.exe

MSConfigStartUp-Oxonegeqelu - c:\windows\iparayapeva.dll

MSConfigStartUp-Plutogaxe - c:\windows\kuscnw.dll

MSConfigStartUp-rnofrwhn - c:\documents and settings\John Doe\Local Settings\Application Data\symfjqixu\qtmsnuetssd.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-06 13:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-562591055-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:2e,81,7d,f5,44,75,7b,d3,94,fd,3b,f6,8f,8d,01,b7,b0,db,20,dc,80,

a6,41,53,31,2a,67,ed,24,a4,84,b2,cd,6e,1a,43,af,ae,09,ed,d1,e8,1f,a3,ee,c0,\

"rkeysecu"=hex:b0,b6,41,3b,2a,b6,37,b5,e7,3f,9f,b4,8c,b0,6f,22

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

Completion time: 2010-08-06 13:23:22

ComboFix-quarantined-files.txt 2010-08-06 17:23

Pre-Run: 254,939,140,096 bytes free

Post-Run: 255,792,525,312 bytes free

- - End Of File - - 9CA73842F32AE5CEC57F11F7693EF6D9

=====================================================================


The safest thing at this point would indeed be a reformat. Even if you had not mentioned it, with this infection I would have posted the following:

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

However I want to add a word of warning for everyone reading this thread:

C:\WINDOWS\system32\drivers\cdrom.sys

[DETECTION] Is the TR/Patched.Gen Trojan

This was the culprit in this case. This rootkit infects a random, legit file in the Drivers folder.

You were very lucky it was a non-essential file for Windows boot; if a more critical file had been infected, you would no longer have been able to boot into Windows at all. This file needed to be replaced, not just deleted.

Concluding: always be very careful what you delete when in a Preinstalled Environment like UBCD4win!!
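As an added illustration of the point above (my own example, not code from the original thread, from ComboFix or from Malwarebytes): a file-patching trojan rewrites a legitimate driver in place, so the live copy under system32\drivers stops matching the pristine copy Windows File Protection keeps under system32\dllcache (and, where present, ServicePackFiles\i386). The script below hashes every .sys file that has a cached twin, reports the ones that differ, and restores a patched driver from the cache rather than deleting it. Assumptions that are mine and not from the thread: the directory paths are supplied by the caller so the check can run against a live XP system or a volume mounted from a boot CD, and the sample tree built by build_sample_tree() is constructed data. Note that the constructed patched cdrom.sys is the same 62592 bytes as the clean one, which is why the size column in a ComboFix listing alone cannot catch this.

```python
"""
Added example: detect a driver patched in place by comparing it with the
Windows File Protection cache copy, and replace (not delete) it from that copy.

Assumptions (mine, not from the thread): the caller passes the live driver
directory plus one or more cache directories, e.g.
  C:\WINDOWS\system32\drivers  C:\WINDOWS\system32\dllcache  C:\WINDOWS\ServicePackFiles\i386
The tree built by build_sample_tree() is constructed sample data.
"""
import hashlib
import os
import shutil
import sys
import tempfile
from typing import Dict, List, Tuple


def sha256_of(path: str) -> str:
    """Hash a file in chunks so a large driver need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_patched_drivers(drivers_dir: str, cache_dirs: List[str]) -> Tuple[Dict[str, dict], List[str]]:
    """Return (patched, unverified).

    patched:    {driver name: {"live": sha256, "cache": {cache path: sha256}}}
                for every .sys file that differs from at least one cached copy.
    unverified: drivers with no cached twin at all. They were NOT checked, which
                matters because a third-party driver is just as patchable.
    """
    patched: Dict[str, dict] = {}
    unverified: List[str] = []
    for name in sorted(os.listdir(drivers_dir)):
        live = os.path.join(drivers_dir, name)
        if not (name.lower().endswith(".sys") and os.path.isfile(live)):
            continue
        twins = [os.path.join(c, name) for c in cache_dirs
                 if os.path.isfile(os.path.join(c, name))]
        if not twins:
            unverified.append(name)
            continue
        live_hash = sha256_of(live)
        mismatch = {t: sha256_of(t) for t in twins if sha256_of(t) != live_hash}
        if mismatch:
            patched[name] = {"live": live_hash, "cache": mismatch}
    return patched, unverified


def restore_from_cache(name: str, drivers_dir: str, cache_dirs: List[str]) -> bool:
    """Replace a patched driver with the first cached copy found.

    The patched binary is kept beside it as <name>.patched so it can still be
    analysed or submitted to a vendor; deleting a driver outright is exactly the
    mistake the post warns about.
    """
    for cache in cache_dirs:
        src = os.path.join(cache, name)
        if os.path.isfile(src):
            dst = os.path.join(drivers_dir, name)
            if os.path.isfile(dst):
                shutil.move(dst, dst + ".patched")
            shutil.copy2(src, dst)
            return True
    return False


def build_sample_tree() -> Tuple[str, List[str]]:
    """Constructed sample (not real files): one patched driver, one clean driver,
    one vendor driver without a cache copy. The patched cdrom.sys keeps the
    clean file's exact size, so only the hash reveals the change."""
    root = tempfile.mkdtemp(prefix="wfp-demo-")
    drivers = os.path.join(root, "drivers")
    cache = os.path.join(root, "dllcache")
    os.makedirs(drivers)
    os.makedirs(cache)
    clean_cdrom = b"MZ" + b"\x00" * 62590  # 62592 bytes, the size in the log above
    files = {
        (drivers, "cdrom.sys"): clean_cdrom[:-16] + b"JMP_TO_PAYLOAD!!",  # same size, patched tail
        (cache, "cdrom.sys"): clean_cdrom,
        (drivers, "null.sys"): b"MZ clean null driver",
        (cache, "null.sys"): b"MZ clean null driver",
        (drivers, "vendor.sys"): b"MZ third-party driver, no WFP copy",
    }
    for (d, n), data in files.items():
        with open(os.path.join(d, n), "wb") as fh:
            fh.write(data)
    return drivers, [cache]


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        drivers_dir, caches = sys.argv[1], sys.argv[2:]
    else:  # no arguments: run against the constructed sample tree
        drivers_dir, caches = build_sample_tree()
    patched, unverified = find_patched_drivers(drivers_dir, caches)
    for name, info in patched.items():
        print(f"PATCHED   {name}  live={info['live'][:16]}...")
        for path, h in info["cache"].items():
            print(f"          cache copy {path} = {h[:16]}...")
    for name in unverified:
        print(f"UNCHECKED {name} (no cached copy; verify its signature another way)")
```

Two caveats for anyone using a check like this: if the infection has also overwritten the dllcache copy, live and cache agree and the comparison is blind, so a known-good copy from the install media or a catalog-signed file is still the authority; and a mismatch is a lead, not proof, since a third-party installer can legitimately update a driver without touching the cache, so confirm with an Authenticode signature check before replacing anything.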
