Jump to content

Infected with Alureon.H. =(


Recommended Posts

Hey guys,

My computer has been having issues. The symptoms are: constant browser redirecting, occasional sluggishness and my paid Norton Antivirus software is constantly flashing notices that it blocked incoming threats. The threats seem to have different and unrelated names each time.

Malwarebytes didn't detect an infection. Neither did my Norton Internet Security Scan. The Microsoft Safety Scan identified the virus Alureon.H which it couldn't remove. I started the system in safe mode and tried to remove it, which it said I successfully did. The next time I restarted my computer the Safety Scan revealed the Alureon.H virus again. And the symptoms continue...

I followed the directions as best I could (I hope I got everything correct). Below is my DDS file. Attached to this post is my "ATTACH" file and my "ARK" file.

I really appreciate the help, in advance.

-Alex

DDS (Ver_10-03-17.01) - NTFSx86

Run by Alex at 19:44:58.93 on Sun 08/08/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2476 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Alex\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

Notify: AtiExtEvent - Ati2evxx.dll

SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alex\applic~1\mozilla\firefox\profiles\fxutl98d.default\

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll

FF - plugin: c:\documents and settings\alex\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-25 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-25 173104]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100719.001\BHDrvx86.sys [2010-7-19 692272]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-25 501888]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-25 116784]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-25 126392]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-9 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100805.004\IDSXpx86.sys [2010-8-5 331640]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20100808.003\NAVENG.SYS [2010-8-8 85424]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20100808.003\NAVEX15.SYS [2010-8-8 1362608]

S1 bodoaksd;bodoaksd;\??\c:\windows\system32\drivers\bodoaksd.sys --> c:\windows\system32\drivers\bodoaksd.sys [?]

S1 jdjcbbky;jdjcbbky;\??\c:\windows\system32\drivers\jdjcbbky.sys --> c:\windows\system32\drivers\jdjcbbky.sys [?]

S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]

S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-08-09 02:41:48 0 ----a-w- c:\documents and settings\alex\defogger_reenable

2010-08-08 15:45:16 36352 ----a-w- c:\windows\system32\drivers\INTELPPM.SYS

2010-08-08 06:54:16 0 d-----w- c:\windows\system32\MpEngineStore

2010-08-07 23:07:26 0 d-----w- c:\docume~1\alex\applic~1\SafeReturner

2010-08-07 22:24:46 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-08-07 22:24:46 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-08-07 22:24:46 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-08-07 22:24:46 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-08-07 22:24:46 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-08-07 22:05:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-07-28 01:58:50 0 d-----w- c:\program files\StarCraft II

2010-07-28 01:58:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment

2010-07-18 04:57:22 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2010-07-18 04:57:22 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2010-07-15 04:49:46 0 d-----w- c:\docume~1\alex\applic~1\Malwarebytes

2010-07-15 04:49:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-15 04:49:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-15 04:49:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-15 04:49:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

============= FINISH: 19:45:34.31 ===============

ARK.zip

Attach.zip

Link to post
Share on other sites

  • Staff

Hello and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Hello and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Hey there. I successfully ran ComboFix. Below is the new DDS log and then the ComboFix log.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Alex at 22:16:34.51 on Mon 08/09/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2431 [GMT -7:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe

svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Alex\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alex\applic~1\mozilla\firefox\profiles\fxutl98d.default\

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-25 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-25 173104]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100719.001\BHDrvx86.sys [2010-7-19 692272]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-25 501888]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-25 116784]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-25 126392]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-9 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100805.004\IDSXpx86.sys [2010-8-5 331640]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20100809.021\NAVENG.SYS [2010-8-9 85424]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20100809.021\NAVEX15.SYS [2010-8-9 1362608]

S1 bodoaksd;bodoaksd;\??\c:\windows\system32\drivers\bodoaksd.sys --> c:\windows\system32\drivers\bodoaksd.sys [?]

S1 jdjcbbky;jdjcbbky;\??\c:\windows\system32\drivers\jdjcbbky.sys --> c:\windows\system32\drivers\jdjcbbky.sys [?]

S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]

S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-08-10 05:06:47 0 d-sha-r- C:\cmdcons

2010-08-10 05:04:37 98816 ----a-w- c:\windows\sed.exe

2010-08-10 05:04:37 77312 ----a-w- c:\windows\MBR.exe

2010-08-10 05:04:37 256512 ----a-w- c:\windows\PEV.exe

2010-08-10 05:04:37 161792 ----a-w- c:\windows\SWREG.exe

2010-08-09 02:41:48 0 ----a-w- c:\documents and settings\alex\defogger_reenable

2010-08-08 15:45:16 36352 ----a-w- c:\windows\system32\drivers\INTELPPM.SYS

2010-08-08 06:54:16 0 d-----w- c:\windows\system32\MpEngineStore

2010-08-07 23:07:26 0 d-----w- c:\docume~1\alex\applic~1\SafeReturner

2010-08-07 22:24:46 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-08-07 22:24:46 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-08-07 22:24:46 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-08-07 22:24:46 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-08-07 22:24:46 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-08-07 22:05:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-07-28 01:58:50 0 d-----w- c:\program files\StarCraft II

2010-07-28 01:58:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment

2010-07-18 04:57:22 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2010-07-18 04:57:22 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2010-07-15 04:49:46 0 d-----w- c:\docume~1\alex\applic~1\Malwarebytes

2010-07-15 04:49:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-15 04:49:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-15 04:49:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-15 04:49:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

============= FINISH: 22:16:41.62 ===============

Below is the ComboFix Log

ComboFix 10-08-09.02 - Alex 08/09/2010 22:08:36.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2612 [GMT -7:00]

Running from: c:\documents and settings\Alex\Desktop\ComboFix.exe

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))))))))))))))))))))))))

.

2010-08-08 15:45 . 2010-08-08 15:45 36352 ----a-w- c:\windows\system32\drivers\INTELPPM.SYS

2010-08-08 06:54 . 2010-08-08 16:06 -------- d-----w- c:\windows\system32\MpEngineStore

2010-08-08 05:48 . 2010-08-08 05:48 47364 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll

2010-08-07 23:07 . 2010-08-07 23:07 -------- d-----w- c:\documents and settings\Alex\Application Data\SafeReturner

2010-08-07 22:33 . 2010-08-07 23:48 -------- d-----w- c:\program files\Windows Live Safety Center

2010-08-07 22:24 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-08-07 22:24 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-08-07 22:24 . 2005-08-26 08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-08-07 22:24 . 2003-02-03 03:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-08-07 22:24 . 2002-03-06 08:00 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-08-07 22:05 . 2010-08-07 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-07-31 21:55 . 2010-07-31 21:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2010-07-29 00:19 . 2010-07-29 00:20 -------- d-----w- c:\documents and settings\Alex\Local Settings\Application Data\Temp

2010-07-29 00:19 . 2010-07-29 00:20 -------- d-----w- c:\documents and settings\Alex\Local Settings\Application Data\Google

2010-07-28 01:58 . 2010-08-08 05:48 -------- d-----w- c:\program files\StarCraft II

2010-07-28 01:58 . 2010-07-28 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

2010-07-18 04:57 . 2008-04-13 17:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2010-07-18 04:57 . 2008-04-13 17:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2010-07-15 04:49 . 2010-07-15 04:49 -------- d-----w- c:\documents and settings\Alex\Application Data\Malwarebytes

2010-07-15 04:49 . 2010-07-15 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-15 04:49 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-15 04:49 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-15 04:49 . 2010-07-15 04:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-08 05:42 . 2010-03-07 03:12 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2010-08-08 04:20 . 2010-03-07 02:28 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-01 02:08 . 2010-03-07 20:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-01 01:54 . 2010-03-07 20:14 -------- d-----w- c:\program files\Norton Utilities 14

2010-07-11 15:45 . 2010-07-06 04:41 -------- d-----w- c:\documents and settings\Alex\Application Data\DivX

2010-07-06 04:40 . 2010-07-06 04:40 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe

2010-07-06 04:40 . 2010-07-06 04:40 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe

2010-07-06 04:40 . 2010-07-06 04:40 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe

2010-07-06 04:40 . 2010-07-06 04:40 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-07-06 04:40 . 2010-07-06 04:40 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe

2010-07-06 04:40 . 2010-07-06 04:40 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe

2010-07-06 04:33 . 2010-07-06 04:41 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll

2010-07-06 04:33 . 2010-07-06 04:41 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe

2010-07-06 03:49 . 2010-07-06 03:49 -------- d-----w- c:\program files\Trend Micro

2010-06-30 06:26 . 2010-06-30 06:26 -------- d-----w- c:\documents and settings\Alex\Application Data\Turbine

2010-06-30 06:25 . 2010-03-07 03:48 30776 ----a-w- c:\documents and settings\Alex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-30 06:05 . 2010-06-30 06:05 -------- d-----w- c:\program files\Turbine

2010-06-30 05:42 . 2010-06-30 05:42 -------- d-----w- c:\program files\AVG

2010-06-30 03:50 . 2010-03-07 02:27 1100 ----a-w- c:\windows\system32\d3d8caps.dat

2010-06-30 00:24 . 2010-06-30 00:24 -------- d-----w- c:\program files\Pando Networks

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKLM\~\startupfolder\C:^Documents and Settings^Alex^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Alex^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]

2009-05-26 19:16 1468296 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]

2009-05-21 18:25 1501064 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NortonUtilities]

2010-03-07 20:14 4105576 ----a-w- c:\program files\Norton Utilities 14\nu.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [5/25/2010 7:59 AM 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [5/25/2010 7:59 AM 173104]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100719.001\BHDrvx86.sys [7/19/2010 4:28 PM 692272]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [5/25/2010 7:59 AM 501888]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [5/25/2010 7:59 AM 116784]

R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [5/25/2010 7:58 AM 126392]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/9/2010 7:13 AM 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100805.004\IDSXpx86.sys [8/5/2010 8:42 PM 331640]

S1 bodoaksd;bodoaksd;\??\c:\windows\system32\drivers\bodoaksd.sys --> c:\windows\system32\drivers\bodoaksd.sys [?]

S1 jdjcbbky;jdjcbbky;\??\c:\windows\system32\drivers\jdjcbbky.sys --> c:\windows\system32\drivers\jdjcbbky.sys [?]

S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]

S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]

.

Contents of the 'Scheduled Tasks' folder

2010-08-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-2111687655-725345543-1003Core.job

- c:\documents and settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-29 00:19]

2010-08-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-2111687655-725345543-1003UA.job

- c:\documents and settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-29 00:19]

2010-03-15 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job

- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-05-26 19:16]

2010-03-15 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job

- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-05-21 18:25]

.

.

------- Supplementary Scan -------

.

FF - ProfilePath - c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\fxutl98d.default\

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll

FF - plugin: c:\documents and settings\Alex\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-09 22:13

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2284)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2010-08-09 22:15:34

ComboFix-quarantined-files.txt 2010-08-10 05:15

Pre-Run: 202,035,359,744 bytes free

Post-Run: 202,562,465,792 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - A3AADD138AE979E8B8BC3D4EB4D4AB19

Link to post
Share on other sites

I have cleaned this virus twice in the past three days from 2 different machines, and you wont believe how...... Download the Microsoft malicious software removal tool and run a full scan, it will take a couple hours but in the end it will find it and remove it, you will be prompted to reboot afterwards and boom your done!

http://www.microsoft.com/downloads/details...b3-75b8eb148356

Link to post
Share on other sites

I have cleaned this virus twice in the past three days from 2 different machines, and you wont believe how...... Download the Microsoft malicious software removal tool and run a full scan, it will take a couple hours but in the end it will find it and remove it, you will be prompted to reboot afterwards and boom your done!

http://www.microsoft.com/downloads/details...b3-75b8eb148356

I'm downloading the software removal tool now and giving it a try. I'm keeping my fingers crossed! I'll let you know how it turns out!

Link to post
Share on other sites

  • Staff

Hi,

My apologies for the delay.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Driver::

bodoaksd

jdjcbbky

KILALL::

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.