
A little bit of IP Blocking. Infected?


Any help would be really appreciated.

Thanks

____________________________________________

00:22:36 Andy IP-BLOCK 89.28.5.191

00:22:38 Andy IP-BLOCK 89.28.5.191

00:22:42 Andy IP-BLOCK 89.28.5.191

_________________________________________________

DDS (Ver_10-03-17.01) - NTFSx86

Run by Andy at 22:55:42.40 on Fri 08/20/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1209 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

svchost.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Intel\WiFi\bin\WLKeeper.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Andy\Desktop\Defogger.exe

C:\Documents and Settings\Andy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://shadysprings.homeip.net/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [intelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [<NO NAME>]

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280010977812

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280015217312

DPF: {7F245E01-651F-48E5-8A85-4752EC65E4ED} - hxxp://shadysprings.homeip.net:8090/Cisco210Viewer.cab

DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} - hxxp://shadysprings.homeip.net/plugin/h263ctrl.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://teluswebconferencing.webex.com/client/T27L/webex/ieatgpc.cab

DPF: {FB4420AD-16B7-418F-ADF2-10687639B720} - hxxp://shadysprings.homeip.net:8090/adm/Cisco210AlertCfg.cab

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andy\applic~1\mozilla\firefox\profiles\ztrvzfsi.default\

FF - prefs.js: browser.startup.homepage - yahoo.com

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-7-24 304464]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-7-24 20952]

S0 cerc6;cerc6; [x]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]

=============== Created Last 30 ================

2010-08-21 05:54:37 0 ----a-w- c:\documents and settings\andy\defogger_reenable

2010-08-20 08:52:45 0 d-----w- c:\windows\system32\XPSViewer

2010-08-20 08:51:25 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-08-20 08:51:25 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-08-20 08:51:25 117760 ------w- c:\windows\system32\prntvpt.dll

2010-08-20 08:51:24 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-08-20 08:51:24 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-08-20 08:51:24 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-08-20 08:51:24 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-08-20 08:51:23 0 d-----w- C:\afa8c61c3890e7396c79f7a667568a66

2010-08-20 08:43:24 0 d-----w- C:\26071672580520b088d037de64a6df

2010-08-20 07:29:01 0 d-----w- c:\docume~1\andy\applic~1\Blackberry Desktop

2010-08-20 07:26:22 0 d-----w- c:\program files\MiniSafe Desktop

2010-08-20 04:48:39 256 ----a-w- c:\windows\system32\pool.bin

2010-08-20 04:42:35 0 d-----w- c:\docume~1\andy\applic~1\Research In Motion

2010-08-20 04:39:05 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys

2010-08-20 04:38:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Research In Motion

2010-08-20 04:37:41 0 d-----w- c:\program files\common files\Research In Motion

2010-08-20 04:37:36 0 d-----w- c:\program files\Research In Motion

2010-08-17 20:23:37 0 d-----w- c:\docume~1\andy\applic~1\webex

2010-08-14 21:39:15 0 d-----w- c:\program files\Windows Media Connect 2

2010-08-14 21:35:05 0 d-----w- c:\windows\system32\LogFiles

2010-08-11 14:33:15 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-08-11 03:00:25 0 d-----r- c:\program files\Skype

2010-08-05 11:02:33 5632 ----a-w- c:\windows\system32\ptpusb.dll

2010-08-05 11:02:30 159232 ----a-w- c:\windows\system32\ptpusd.dll

2010-08-05 01:09:54 0 d-----w- c:\windows\system32\wbem\Repository

2010-08-04 23:37:24 0 d-----w- c:\windows\pss

2010-08-04 08:10:29 585472 ----a-w- c:\windows\system32\drivers\emjeskvk.sys

2010-07-28 22:45:23 0 d-----w- c:\program files\Novatel Wireless

2010-07-25 20:20:50 0 d--h--w- c:\docume~1\alluse~1\applic~1\CanonIJScan

2010-07-25 20:18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2010-07-25 20:18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-07-25 20:18:14 98304 ----a-w- c:\windows\system32\CNQ4807I.DLL

2010-07-25 20:18:14 598016 ----a-w- c:\windows\system32\CNQ4807L.DLL

2010-07-25 20:18:14 188416 ----a-w- c:\windows\system32\CNQ4807O.DLL

2010-07-25 20:18:14 1335296 ----a-w- c:\windows\system32\CNQ4807C.DLL

2010-07-25 19:41:53 0 d-----w- c:\docume~1\alluse~1\applic~1\ALM

2010-07-25 18:54:58 2463976 ----a-w- c:\windows\system32\NPSWF32.dll

2010-07-25 18:54:58 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe

2010-07-25 18:31:04 0 d-----w- c:\program files\Bonjour

2010-07-25 18:18:55 0 d-----w- c:\program files\common files\Macrovision Shared

2010-07-25 06:48:41 0 d--h--w- c:\windows\PIF

2010-07-25 06:47:28 0 d-----w- c:\docume~1\andy\applic~1\Windows Search

2010-07-25 06:45:08 0 d-----w- c:\docume~1\andy\applic~1\Windows Desktop Search

2010-07-25 06:44:16 0 d-----w- c:\windows\system32\GroupPolicy

2010-07-25 06:44:16 0 d-----w- c:\program files\Windows Desktop Search

2010-07-25 05:30:49 0 d-----w- c:\windows\Internet Logs

2010-07-25 05:29:24 0 d-----w- c:\program files\common files\Deterministic Networks

2010-07-25 05:29:20 0 d-----w- c:\program files\Cisco Systems

2010-07-25 05:29:01 1594 ----a-w- c:\windows\VPNInstall.MIF

2010-07-25 05:23:38 3249 ----a-w- c:\windows\system32\wbem\Outlook_01cb2bb9891adf98.mof

2010-07-25 04:13:58 0 d-----w- c:\windows\SHELLNEW

2010-07-25 00:20:08 0 d-----w- c:\docume~1\andy\applic~1\Malwarebytes

2010-07-25 00:20:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-25 00:19:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-25 00:19:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-25 00:19:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-25 00:07:30 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-07-25 00:05:34 0 d-----w- c:\program files\Microsoft Security Essentials

2010-07-24 23:59:03 0 d-----w- c:\docume~1\andy\applic~1\Intel

2010-07-24 23:58:38 2756608 ----a-w- c:\windows\system32\NETw5r32.dll

2010-07-24 23:58:37 663552 ----a-w- c:\windows\system32\NETw5c32.dll

2010-07-24 23:58:37 4221952 ----a-w- c:\windows\system32\drivers\NETw5x32.sys

2010-07-24 23:58:16 0 d-----w- c:\program files\common files\Intel

2010-07-24 23:47:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-07-24 23:47:23 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-07-24 23:24:20 0 d-sh--w- c:\documents and settings\andy\IECompatCache

2010-07-24 23:18:19 0 d-sh--w- c:\documents and settings\andy\PrivacIE

2010-07-24 23:15:10 0 d-sh--w- c:\documents and settings\andy\IETldCache

2010-07-24 23:06:42 0 dc-h--w- c:\windows\ie8

2010-07-24 22:58:00 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-07-24 22:52:26 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-07-24 22:52:26 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-07-24 22:52:25 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-07-24 22:52:17 2560 ------w- c:\windows\system32\xpsp4res.dll

2010-07-24 22:50:18 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-07-24 22:50:18 272128 ------w- c:\windows\system32\drivers\bthport.sys

2010-07-24 22:38:52 0 d-----w- c:\windows\system32\PreInstall

2010-07-24 22:38:50 0 d--h--w- c:\windows\$hf_mig$

2010-07-24 22:37:06 21728 ----a-w- c:\windows\system32\wucltui.dll.mui

2010-07-24 22:37:06 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui

2010-07-24 22:37:05 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2010-07-24 22:37:05 15064 ----a-w- c:\windows\system32\wuapi.dll.mui

2010-07-24 22:37:05 0 d-----w- c:\windows\system32\SoftwareDistribution

2010-07-24 22:36:14 0 d-sh--w- c:\documents and settings\andy\UserData

2010-07-24 16:21:25 0 d-----w- c:\windows\Downloaded Installations

2010-07-24 16:16:39 0 d-----w- c:\windows\system32\Dell

2010-07-24 16:01:06 37376 ----a-w- c:\windows\system32\hpz3l43a.dll

2010-07-24 15:59:31 5 ----a-w- c:\windows\system32\drivers\DELL_LAT_D430.MRK

2010-07-24 15:59:31 5 ----a-w- c:\windows\system32\drivers\1028_DELL_LAT_D430.MRK

2010-07-24 15:59:24 666 ----a-w- c:\windows\speed.reg

2010-07-24 15:59:24 0 d-----w- c:\program files\Dell

2010-07-24 15:54:04 0 d-----w- c:\windows\system32\appmgmt

2010-07-24 15:52:32 0 d-----w- c:\program files\HP

2010-07-24 15:51:54 98304 ----a-w- c:\windows\system32\hpzjsn01.dll

2010-07-24 15:51:54 77824 ----a-w- c:\windows\system32\hpzids01.dll

2010-07-24 15:51:54 282624 ----a-w- c:\windows\system32\HPZc3212.dll

2010-07-24 15:48:05 68696 ----a-w- c:\windows\system32\drivers\oz776.sys

2010-07-24 15:48:02 0 d-----w- c:\program files\O2Micro OZ776 SCR Driver

2010-07-24 15:41:29 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2010-07-24 15:41:29 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-07-24 15:41:25 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-07-24 15:41:25 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-07-24 15:31:07 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2010-07-24 15:31:07 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-07-24 15:30:53 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-07-24 15:30:53 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-07-24 15:30:50 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2010-07-24 15:30:50 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2010-07-24 15:30:41 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-07-24 15:30:41 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-07-24 09:00:23 94208 ----a-w- c:\windows\system32\stacsv.exe

2010-07-24 09:00:09 0 d-----w- c:\program files\SigmaTel

2010-07-24 08:45:38 0 d-----w- c:\program files\DellTPad

2010-07-24 08:33:35 0 d-----w- c:\program files\Broadcom

2010-07-24 08:17:04 0 d-sh--w- c:\documents and settings\all users\DRM

2010-07-24 08:16:35 0 d--h--w- c:\program files\WindowsUpdate

2010-07-24 08:15:41 0 d-----w- c:\program files\common files\MSSoap

2010-07-24 08:13:32 0 d-----w- c:\program files\Online Services

2010-07-24 08:13:23 0 d-----w- c:\program files\Messenger

2010-07-24 08:13:18 0 d-----w- c:\program files\MSN Gaming Zone

2010-07-24 08:12:32 0 d-----w- c:\program files\Windows NT

2010-07-24 01:03:17 0 d-----w- c:\program files\common files\ODBC

2010-07-24 01:03:13 0 d-----w- c:\program files\common files\SpeechEngines

2010-07-24 01:02:35 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2010-08-01 19:23:00 71276 ----a-w- c:\windows\fonts\WP IconicSymbolsA.ttf

2010-07-24 15:53:16 102859 ----a-w- c:\windows\HPFins09.dat

2010-07-24 08:46:12 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf

2010-07-24 08:46:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2010-07-24 08:14:07 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

============= FINISH: 22:56:28.42 ===============

Attach.zip

ark.zip


Hello,

And ;) My name is Elise, and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Thanks Elise,

Here is the Combofix log below

________________________________________________________

ComboFix 10-08-22.01 - Andy 08/22/2010 14:33:30.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1150 [GMT -7:00]

Running from: c:\documents and settings\Andy\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\st325602.dll

.

((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))

.

2010-08-20 08:43 . 2010-08-20 08:47 -------- d-----w- C:\26071672580520b088d037de64a6df

2010-08-20 07:29 . 2010-08-20 07:29 -------- d-----w- c:\documents and settings\Andy\Application Data\Blackberry Desktop

2010-08-20 07:26 . 2010-08-20 07:26 -------- d-----w- c:\program files\MiniSafe Desktop

2010-08-20 05:58 . 2010-08-20 05:58 26694 ----a-r- c:\documents and settings\Andy\Application Data\Microsoft\Installer\{F4F8DB3C-F4A5-4469-9067-37DBD61DF951}\BlackBerry.exe

2010-08-20 04:54 . 2010-08-20 04:54 53248 ----a-r- c:\documents and settings\Andy\Application Data\Microsoft\Installer\{EA50F6E4-8542-4B2B-B344-D080D5DA0EB1}\ARPPRODUCTICON.exe

2010-08-20 04:48 . 2010-08-20 04:53 256 ----a-w- c:\windows\system32\pool.bin

2010-08-20 04:42 . 2010-08-20 04:42 -------- d-----w- c:\documents and settings\Andy\Application Data\Research In Motion

2010-08-20 04:39 . 2009-01-10 00:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys

2010-08-20 04:38 . 2010-08-20 04:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion

2010-08-20 04:37 . 2010-08-20 05:57 -------- d-----w- c:\program files\Common Files\Research In Motion

2010-08-20 04:37 . 2010-08-20 04:37 -------- d-----w- c:\program files\Research In Motion

2010-08-17 20:23 . 2010-08-18 17:56 -------- d-----w- c:\documents and settings\Andy\Application Data\webex

2010-08-15 00:48 . 2008-04-13 23:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2010-08-14 21:39 . 2010-08-14 21:39 -------- d-----w- c:\program files\Windows Media Connect 2

2010-08-14 21:35 . 2010-08-14 21:37 -------- d-----w- c:\windows\system32\drivers\UMDF

2010-08-14 21:35 . 2010-08-14 21:35 -------- d-----w- c:\windows\system32\LogFiles

2010-08-11 14:33 . 2010-08-11 14:33 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-08-11 14:33 . 2010-08-22 16:54 -------- d-----w- c:\documents and settings\Andy\Application Data\skypePM

2010-08-11 03:00 . 2010-08-11 03:00 -------- d-----w- c:\program files\Common Files\Skype

2010-07-28 22:45 . 2010-07-28 23:38 -------- d-----w- c:\program files\Novatel Wireless

2010-07-27 04:42 . 2010-07-27 04:42 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-07-27 04:42 . 2010-07-27 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-07-26 06:20 . 2010-08-12 02:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2010-07-25 20:20 . 2010-07-25 20:20 -------- d-----w- c:\documents and settings\Andy\Application Data\Canon

2010-07-25 20:20 . 2010-07-25 20:20 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJScan

2010-07-25 20:18 . 2008-04-14 07:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2010-07-25 20:18 . 2008-04-14 07:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-07-25 20:18 . 2010-07-25 20:18 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information

2010-07-25 20:18 . 2010-07-25 20:18 -------- d--h--w- c:\program files\CanonBJ

2010-07-25 20:18 . 2009-06-09 22:25 598016 ----a-w- c:\windows\system32\CNQ4807L.DLL

2010-07-25 20:18 . 2009-04-03 01:11 1335296 ----a-w- c:\windows\system32\CNQ4807C.DLL

2010-07-25 20:18 . 2009-04-03 01:10 98304 ----a-w- c:\windows\system32\CNQ4807I.DLL

2010-07-25 20:18 . 2007-03-15 21:12 188416 ----a-w- c:\windows\system32\CNQ4807O.DLL

2010-07-25 20:02 . 2010-08-06 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2010-07-25 19:41 . 2010-07-25 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM

2010-07-25 19:09 . 2010-08-09 16:16 -------- d-----w- c:\documents and settings\Andy\Local Settings\Application Data\Adobe

2010-07-25 18:54 . 2007-02-20 23:04 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe

2010-07-25 18:54 . 2007-02-20 23:04 2463976 ----a-w- c:\windows\system32\NPSWF32.dll

2010-07-25 18:31 . 2010-07-25 18:31 -------- d-----w- c:\program files\Bonjour

2010-07-25 18:18 . 2010-07-25 18:18 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2010-07-25 18:12 . 2010-08-09 16:15 -------- d-----w- c:\program files\Common Files\Adobe

2010-07-25 06:48 . 2010-07-25 06:48 -------- d--h--w- c:\windows\PIF

2010-07-25 06:47 . 2010-07-25 06:47 -------- d-----w- c:\documents and settings\Andy\Application Data\Windows Search

2010-07-25 06:45 . 2010-07-25 06:45 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-07-25 06:45 . 2010-07-25 06:45 -------- d-----w- c:\documents and settings\Andy\Local Settings\Application Data\Identities

2010-07-25 06:45 . 2010-07-25 06:45 -------- d-----w- c:\documents and settings\Andy\Application Data\Windows Desktop Search

2010-07-25 06:44 . 2010-07-26 15:06 -------- d-----w- c:\program files\Windows Desktop Search

2010-07-25 06:44 . 2010-07-25 06:44 -------- d-----w- c:\windows\system32\GroupPolicy

2010-07-25 06:40 . 2010-07-25 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-07-25 05:30 . 2010-07-25 05:37 -------- d-----w- c:\windows\Internet Logs

2010-07-25 05:29 . 2010-07-25 05:29 -------- d-----w- c:\program files\Common Files\Deterministic Networks

2010-07-25 05:29 . 2010-07-25 05:29 -------- d-----w- c:\program files\Cisco Systems

2010-07-25 04:37 . 2010-08-06 13:49 -------- d-----w- c:\documents and settings\Andy\Local Settings\Application Data\Thunderbird

2010-07-25 04:37 . 2010-07-25 04:37 -------- d-----w- c:\documents and settings\Andy\Application Data\Thunderbird

2010-07-25 04:36 . 2010-08-08 00:57 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-07-25 04:30 . 2010-07-25 04:30 0 ----a-w- c:\windows\nsreg.dat

2010-07-25 04:30 . 2010-07-25 04:30 -------- d-----w- c:\documents and settings\Andy\Local Settings\Application Data\Mozilla

2010-07-25 04:21 . 2010-07-25 06:30 -------- d-----w- c:\program files\Microsoft Works

2010-07-25 04:13 . 2010-07-25 04:16 -------- d-----w- c:\windows\SHELLNEW

2010-07-25 04:13 . 2010-07-25 04:13 -------- d-----w- c:\documents and settings\Andy\Local Settings\Application Data\Microsoft Help

2010-07-25 04:12 . 2010-08-16 07:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-07-25 04:12 . 2010-07-25 04:12 -------- d-----r- C:\MSOCache

2010-07-25 00:20 . 2010-07-25 00:20 -------- d-----w- c:\documents and settings\Andy\Application Data\Malwarebytes

2010-07-25 00:20 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-25 00:19 . 2010-07-25 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-25 00:19 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-25 00:19 . 2010-07-25 00:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-25 00:07 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-07-25 00:06 . 2010-08-20 15:53 46744 ----a-w- c:\documents and settings\Andy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-25 00:05 . 2010-07-25 00:05 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-07-24 23:59 . 2010-07-24 23:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intel

2010-07-24 23:59 . 2010-07-24 23:59 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel

2010-07-24 23:59 . 2010-07-24 23:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel

2010-07-24 23:59 . 2010-07-24 23:59 -------- d-----w- c:\documents and settings\Andy\Application Data\Intel

2010-07-24 23:58 . 2008-06-20 16:33 2756608 ----a-w- c:\windows\system32\NETw5r32.dll

2010-07-24 23:58 . 2009-10-26 12:47 4221952 ----a-w- c:\windows\system32\drivers\NETw5x32.sys

2010-07-24 23:58 . 2008-06-20 16:32 663552 ----a-w- c:\windows\system32\NETw5c32.dll

2010-07-24 23:58 . 2010-07-24 23:58 -------- d-----w- c:\program files\Common Files\Intel

2010-07-24 23:58 . 2010-07-24 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel

2010-07-24 23:47 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-07-24 23:24 . 2010-07-24 23:24 -------- d-sh--w- c:\documents and settings\Andy\IECompatCache

2010-07-24 23:18 . 2010-07-24 23:18 -------- d-sh--w- c:\documents and settings\Andy\PrivacIE

2010-07-24 23:15 . 2010-07-24 23:15 -------- d-sh--w- c:\documents and settings\Andy\IETldCache

2010-07-24 23:08 . 2010-06-24 12:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-07-24 23:08 . 2010-06-25 00:51 11077120 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-07-24 23:08 . 2010-06-24 12:21 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-07-24 23:08 . 2010-06-24 12:21 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-07-24 23:08 . 2010-06-24 12:21 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-07-24 23:08 . 2010-06-24 12:21 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-07-24 23:08 . 2010-06-24 12:21 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-07-24 23:08 . 2010-07-24 23:08 -------- d-----w- c:\windows\ie8updates

2010-07-24 23:08 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-07-24 23:06 . 2010-07-24 23:07 -------- dc-h--w- c:\windows\ie8

2010-07-24 22:58 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-07-24 22:52 . 2010-04-28 02:25 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-07-24 22:52 . 2010-04-27 13:59 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-07-24 22:52 . 2010-04-27 13:05 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-07-24 22:52 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2010-07-24 22:50 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-07-24 22:50 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys

2010-07-24 22:38 . 2010-08-13 06:52 -------- d--h--w- c:\windows\$hf_mig$

2010-07-24 22:37 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll

2010-07-24 22:36 . 2010-07-24 22:36 -------- d-sh--w- c:\documents and settings\Andy\UserData

2010-07-24 16:21 . 2010-08-05 01:09 -------- d-----w- c:\windows\Downloaded Installations

2010-07-24 16:16 . 2010-07-24 16:16 -------- d-----w- c:\windows\system32\Dell

2010-07-24 16:01 . 2005-10-15 05:41 72192 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp43a.dll

2010-07-24 16:01 . 2005-10-15 05:42 37376 ----a-w- c:\windows\system32\hpz3l43a.dll

2010-07-24 15:59 . 2010-07-24 17:01 -------- d-----w- c:\program files\Dell

2010-07-24 15:59 . 2005-07-08 21:19 666 ----a-w- c:\windows\speed.reg

2010-07-24 15:59 . 2010-07-24 15:59 -------- d-----w- c:\documents and settings\Andy\Application Data\InstallShield

2010-07-24 15:51 . 2005-10-28 00:51 77824 ----a-w- c:\windows\system32\hpzids01.dll

2010-07-24 15:51 . 2005-10-28 00:51 282624 ----a-w- c:\windows\system32\HPZc3212.dll

2010-07-24 15:51 . 2005-09-09 23:28 98304 ----a-w- c:\windows\system32\hpzjsn01.dll

2010-07-24 15:48 . 2007-12-24 00:18 68696 ----a-w- c:\windows\system32\drivers\oz776.sys

2010-07-24 15:48 . 2010-07-24 15:48 -------- d-----w- c:\program files\O2Micro OZ776 SCR Driver

2010-07-24 15:41 . 2008-04-14 12:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2010-07-24 15:41 . 2008-04-14 12:41 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-07-24 15:41 . 2008-04-14 07:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-07-24 15:41 . 2008-04-14 07:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-07-24 15:31 . 2008-04-14 07:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2010-07-24 15:31 . 2008-04-14 07:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-07-24 15:30 . 2001-08-17 20:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-07-24 15:30 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-07-24 15:30 . 2008-04-14 07:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2010-07-24 15:30 . 2008-04-14 07:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-22 21:41 . 2010-08-02 07:05 -------- d-----w- c:\documents and settings\Andy\Application Data\Skype

2010-08-20 08:52 . 2010-08-20 08:52 -------- d-----w- c:\program files\MSBuild

2010-08-20 08:52 . 2010-08-20 08:52 -------- d-----w- c:\program files\Reference Assemblies

2010-08-11 03:01 . 2010-08-11 03:00 -------- d-----r- c:\program files\Skype

2010-08-11 03:00 . 2010-08-02 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-08-04 17:46 . 2010-08-04 17:46 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\bawuho.dat

2010-08-04 08:10 . 2010-08-04 08:10 585472 ----a-w- c:\windows\system32\drivers\emjeskvk.sys

2010-08-04 08:09 . 2010-08-04 08:09 16 ----a-w- c:\documents and settings\NetworkService\Application Data\bawuho.dat

2010-07-25 16:10 . 2010-07-24 08:17 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-07-24 23:58 . 2010-07-24 08:34 -------- d-----w- c:\program files\Intel

2010-07-24 17:01 . 2010-07-24 09:00 -------- d-----w- c:\program files\Common Files\InstallShield

2010-07-24 16:24 . 2010-07-24 08:33 -------- d-----w- c:\program files\Broadcom

2010-07-24 15:59 . 2010-07-24 15:59 5 ----a-w- c:\windows\system32\drivers\DELL_LAT_D430.MRK

2010-07-24 15:59 . 2010-07-24 15:59 5 ----a-w- c:\windows\system32\drivers\1028_DELL_LAT_D430.MRK

2010-07-24 15:53 . 2010-07-24 15:52 102859 ----a-w- c:\windows\HPFins09.dat

2010-07-24 15:52 . 2010-07-24 15:52 -------- d-----w- c:\program files\HP

2010-07-24 09:00 . 2010-07-24 09:00 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-24 09:00 . 2010-07-24 09:00 -------- d-----w- c:\program files\SigmaTel

2010-07-24 08:46 . 2010-07-24 08:46 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf

2010-07-24 08:46 . 2010-07-24 08:46 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2010-07-24 08:45 . 2010-07-24 08:45 -------- d-----w- c:\program files\DellTPad

2010-07-24 08:28 . 2010-07-24 08:28 45056 ----a-r- c:\documents and settings\Andy\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe

2010-07-24 08:18 . 2010-07-24 08:18 -------- d-----w- c:\program files\microsoft frontpage

2010-07-24 08:14 . 2010-07-24 08:14 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2010-06-30 12:31 . 2008-04-13 23:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2008-04-13 23:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2008-04-13 23:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2008-04-13 23:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2008-04-13 23:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2010-07-24 08:15 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2008-04-13 23:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]

"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-30 624248]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-06-01 648536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/24/2010 5:20 PM 304464]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/24/2010 5:19 PM 20952]

S0 cerc6;cerc6; [x]

.

Contents of the 'Scheduled Tasks' folder

2010-08-22 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 04:40]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://shadysprings.homeip.net/

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

DPF: {7F245E01-651F-48E5-8A85-4752EC65E4ED} - hxxp://shadysprings.homeip.net:8090/Cisco210Viewer.cab

DPF: {FB4420AD-16B7-418F-ADF2-10687639B720} - hxxp://shadysprings.homeip.net:8090/adm/Cisco210AlertCfg.cab

FF - ProfilePath - c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\ztrvzfsi.default\

FF - prefs.js: browser.startup.homepage - yahoo.com

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-22 14:40

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1228)

c:\windows\System32\BCMLogon.dll

c:\windows\system32\netprovcredman.dll

.

Completion time: 2010-08-22 14:43:54

ComboFix-quarantined-files.txt 2010-08-22 21:43

Pre-Run: 13,613,469,696 bytes free

Post-Run: 13,909,037,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 81E039F703F242C51358953EFCBABF38


That looks pretty clean.

Are you connected through a router, if so, please reset it (it should have a button on the backside).

If you are not connected through a router, you will need to install a third party firewall, since XP's firewall is not sufficient (a router acts as a hardware firewall).

Please let me know if you're interested in good free firewalls and I'll list a few here.


Hi Elise,

Maybe I spoke a little too soon. Here is the log from the full scan below.

Do you think I'm clean now?

Thanks

________________________________

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4438

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/23/2010 12:10:17 PM

mbam-log-2010-08-23 (12-10-17).txt

Scan type: Full scan (C:\|)

Objects scanned: 204736

Time elapsed: 1 hour(s), 14 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{46A5D250-0F5B-46BD-963C-5065691AC1A4}\RP70\A0012708.sys (Trojan.Agent.Gen) -> Quarantined and deleted successfully.


Just had another IP block.

09:06:46 Andy MESSAGE Protection started successfully

09:06:59 Andy MESSAGE IP Protection started successfully

12:12:24 Andy MESSAGE Protection started successfully

12:12:30 Andy MESSAGE IP Protection started successfully

12:45:55 Andy IP-BLOCK 95.154.240.167

12:45:57 Andy IP-BLOCK 95.154.240.167

12:46:01 Andy IP-BLOCK 95.154.240.167


Router is reset. I did a full scan and it came up clean. However, I still have an IP blocking message. Appears to happen 30 minutes after I startup.

09:06:46 Andy MESSAGE Protection started successfully

09:06:59 Andy MESSAGE IP Protection started successfully

12:12:24 Andy MESSAGE Protection started successfully

12:12:30 Andy MESSAGE IP Protection started successfully

12:45:55 Andy IP-BLOCK 95.154.240.167

12:45:57 Andy IP-BLOCK 95.154.240.167

12:46:01 Andy IP-BLOCK 95.154.240.167

17:20:45 Andy MESSAGE Protection started successfully

17:20:56 Andy MESSAGE IP Protection started successfully

17:22:43 Andy MESSAGE IP Protection stopped

17:22:53 Andy MESSAGE Database updated successfully

17:22:56 Andy MESSAGE IP Protection started successfully

17:53:08 Andy IP-BLOCK 95.154.240.167

17:53:10 Andy IP-BLOCK 95.154.240.167

17:53:14 Andy IP-BLOCK 95.154.240.167


I'm still trying to figure out how to reset a Netgear WNDR3700 wireless router without deleting all the settings that I have for wireless security and port forwarding.
Can you please explain to me how you did the reset? Because, if you somehow saved these settings, it is quite possible the cause of the IP blocks is still there.

The whole idea of a router reset is to reset it to factory default, because that way any hijacking will be undone. For more information about router hijacking, see here

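The hijacking Elise refers to commonly works by changing the DNS servers the router hands out over DHCP, so that every name lookup from the PC goes through a resolver the attacker controls. A warm reset that preserves saved settings preserves that too. The script below is an added example, not code from this thread or from Malwarebytes: it parses the text of `ipconfig /all` from the XP machine and flags any resolver that is not the default gateway, not a LAN address, and not in an allowlist of resolvers you actually expect (your ISP's, or ones you configured yourself). The `ipconfig` output embedded in it is constructed for the example, and 203.0.113.53 is a documentation address standing in for an unknown outside resolver, not a real server.

```python
"""Check whether the resolvers a Windows host got from its router look hijacked.

Added example, not code from the thread. It parses `ipconfig /all` text and
labels each DNS server as the router itself, a LAN address, an allowlisted
resolver, or UNEXPECTED. SAMPLE_IPCONFIG is constructed; 203.0.113.53 is a
documentation address standing in for an unknown outside resolver.
"""
import ipaddress
import re

SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : home
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            192.168.1.1
"""

# "Key . . . . : value" lines, and bare indented addresses that continue the previous key
# (ipconfig lists a second DNS server on its own line with no key).
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)[ .]*:\s*(\S.*)?$")
CONT_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

# Explicit RFC 1918 ranges rather than ipaddress.is_private, which also counts
# documentation ranges such as 203.0.113.0/24 as "private" and would hide the sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipconfig(text):
    """Return {'gateways': [...], 'dns': [...]} collected across all adapters."""
    gateways, dns, current = [], [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip().lower(), (m.group(2) or "").strip()
            if key.startswith("default gateway"):
                current = gateways
            elif key.startswith("dns servers"):
                current = dns
            else:
                current = None
            if current is not None and value:
                current.append(value)
            continue
        c = CONT_RE.match(line)
        if c and current is not None:
            current.append(c.group(1))
    return {"gateways": gateways, "dns": dns}


def is_lan(ip):
    return ip.is_loopback or any(ip in net for net in RFC1918)


def classify_resolvers(cfg, allowlist=()):
    """Label each DNS server as 'router', 'lan', 'allowlisted' or 'UNEXPECTED'."""
    gateways = {ipaddress.ip_address(g) for g in cfg["gateways"]}
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    labels = []
    for server in cfg["dns"]:
        ip = ipaddress.ip_address(server)
        if ip in gateways:
            label = "router"
        elif is_lan(ip):
            label = "lan"
        elif ip in allowed:
            label = "allowlisted"
        else:
            label = "UNEXPECTED"
        labels.append((server, label))
    return labels


def hijack_suspected(cfg, allowlist=()):
    """True if any resolver is outside the LAN and not one you expect."""
    return any(label == "UNEXPECTED" for _, label in classify_resolvers(cfg, allowlist))


if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    for server, label in classify_resolvers(cfg):
        print("%-16s %s" % (server, label))
    print("hijack suspected:", hijack_suspected(cfg))
```

One caveat this check cannot cover: when the router hands itself out as the resolver (the 192.168.1.1 entry in the sample), the PC only ever sees the router, and the upstream servers the router forwards to live in its own WAN/DNS settings. Those are worth reading on the admin page after the factory reset, together with changing the admin password and switching off remote administration, which a warm reset leaves exactly as they were.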

Very interesting article. Wow that's a new one. So I did a warm reset to keep my port forwarding settings. I'll do a hard reset back to factory settings soon. I do run 2 different video codecs for my IP cameras, but change my router password first thing out of the box.

Get back to you after reset. Thanks


Unfortunately, another one just popped up. Here's today's log.

00:21:36 Andy IP-BLOCK 77.74.36.87

07:28:57 Andy MESSAGE Protection started successfully

07:29:06 Andy MESSAGE IP Protection started successfully

08:01:15 Andy IP-BLOCK 95.154.240.167

08:01:17 Andy IP-BLOCK 95.154.240.167

08:01:22 Andy IP-BLOCK 95.154.240.167

09:31:16 Andy IP-BLOCK 89.28.72.170

09:31:18 Andy IP-BLOCK 89.28.72.170

09:31:22 Andy IP-BLOCK 89.28.72.170

09:38:19 Andy IP-BLOCK 192.251.226.205

09:38:22 Andy IP-BLOCK 192.251.226.205

09:38:24 Andy IP-BLOCK 192.251.226.205

09:38:27 Andy IP-BLOCK 192.251.226.205

12:33:10 Andy MESSAGE Protection started successfully

12:33:19 Andy MESSAGE IP Protection started successfully

(RESET ROUTER HERE)

13:06:56 Andy IP-BLOCK 95.154.240.167

13:06:58 Andy IP-BLOCK 95.154.240.167

13:07:02 Andy IP-BLOCK 95.154.240.167

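The protection-log lines Andy posts record only a time, the user and the blocked address; this log format says nothing about which process opened the connection or whether it was inbound or outbound. What the lines do carry is a pattern: the same address blocked three or four times a few seconds apart (a retry), roughly half an hour after IP Protection starts, and one address that comes back after the router reset. The script below is an added example, not code from this thread or from Malwarebytes, that parses exactly these lines and pulls out those two signals. The 10-second burst gap and the 3-hit threshold are my own choices, not Malwarebytes settings.

```python
"""Triage of the Malwarebytes protection-log lines posted in this thread.

Added example, not code from the thread or from Malwarebytes. It reads the
log format visible above ("HH:MM:SS <user> IP-BLOCK <ip>" and
"HH:MM:SS <user> MESSAGE <text>") and reports two things the raw lines hide:
retry bursts (the same IP blocked several times a few seconds apart) and
addresses that come back in a later protection session, i.e. after a restart
or the router reset. The 10-second burst gap and the 3-hit threshold are my
own choices. The log covers a single day, so times are seconds since midnight.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\s+(\S+)\s+(IP-BLOCK|MESSAGE)\s+(.*)$")

# Lines as posted in the thread; the "(RESET ROUTER HERE)" annotation is not
# log output and is skipped by the parser.
SAMPLE_LOG = """
00:21:36 Andy IP-BLOCK 77.74.36.87
07:28:57 Andy MESSAGE Protection started successfully
07:29:06 Andy MESSAGE IP Protection started successfully
08:01:15 Andy IP-BLOCK 95.154.240.167
08:01:17 Andy IP-BLOCK 95.154.240.167
08:01:22 Andy IP-BLOCK 95.154.240.167
09:31:16 Andy IP-BLOCK 89.28.72.170
09:31:18 Andy IP-BLOCK 89.28.72.170
09:31:22 Andy IP-BLOCK 89.28.72.170
09:38:19 Andy IP-BLOCK 192.251.226.205
09:38:22 Andy IP-BLOCK 192.251.226.205
09:38:24 Andy IP-BLOCK 192.251.226.205
09:38:27 Andy IP-BLOCK 192.251.226.205
12:33:10 Andy MESSAGE Protection started successfully
12:33:19 Andy MESSAGE IP Protection started successfully
(RESET ROUTER HERE)
13:06:56 Andy IP-BLOCK 95.154.240.167
13:06:58 Andy IP-BLOCK 95.154.240.167
13:07:02 Andy IP-BLOCK 95.154.240.167
"""


def parse_log(text):
    """Turn log text into a list of {t, user, kind, detail} dicts, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and hand-written annotations
        h, mi, s, user, kind, detail = m.groups()
        events.append({"t": int(h) * 3600 + int(mi) * 60 + int(s),
                       "user": user, "kind": kind, "detail": detail.strip()})
    return events


def summarize_blocks(events, burst_gap=10):
    """Per blocked IP: total hits, retry bursts, and the protection sessions it was seen in.

    A burst is a run of blocks of the same IP with at most burst_gap seconds
    between consecutive hits. Each burst records how many seconds after the
    last "IP Protection started successfully" message it began (None if no
    such message precedes it). Sessions are numbered from 0 and increment on
    every IP Protection start.
    """
    session, last_start = 0, None
    per_ip = defaultdict(lambda: {"total": 0, "bursts": [], "sessions": set()})
    for ev in events:
        if ev["kind"] == "MESSAGE":
            if ev["detail"] == "IP Protection started successfully":
                session += 1
                last_start = ev["t"]
            continue
        rec = per_ip[ev["detail"]]
        rec["total"] += 1
        rec["sessions"].add(session)
        bursts = rec["bursts"]
        if bursts and ev["t"] - bursts[-1]["last"] <= burst_gap:
            bursts[-1]["last"] = ev["t"]
            bursts[-1]["count"] += 1
        else:
            bursts.append({"first": ev["t"], "last": ev["t"], "count": 1,
                           "secs_after_start": None if last_start is None else ev["t"] - last_start})
    return dict(per_ip)


def triage(summary, min_burst=3):
    """Return (IPs showing a retry pattern, IPs seen in more than one session), both sorted."""
    retry = sorted(ip for ip, r in summary.items() if any(b["count"] >= min_burst for b in r["bursts"]))
    recurring = sorted(ip for ip, r in summary.items() if len(r["sessions"]) > 1)
    return retry, recurring


def hms(t):
    return "%02d:%02d:%02d" % (t // 3600, t % 3600 // 60, t % 60)


if __name__ == "__main__":
    summary = summarize_blocks(parse_log(SAMPLE_LOG))
    for ip, rec in sorted(summary.items()):
        for b in rec["bursts"]:
            after = ("no start message before it" if b["secs_after_start"] is None
                     else "%d min after IP Protection start" % (b["secs_after_start"] // 60))
            print("%-16s %s-%s x%d  %s" % (ip, hms(b["first"]), hms(b["last"]), b["count"], after))
    retry, recurring = triage(summary)
    print("retry pattern:", retry)
    print("back in a later session:", recurring)
```

On this input the script reports three addresses with a 3-or-4-hit retry pattern and one, 95.154.240.167, that appears both before and after the reset, starting about 32 and 34 minutes after IP Protection came up. The log cannot name the process, so the useful follow-up on the XP machine is to be at the console around that mark and run `netstat -ano` (or `netstat -b`) as the block happens: if a local PID owns a connection to that address, something on the PC is phoning home; if nothing does, the blocks are inbound and the router, not the PC, is the place to keep looking.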

Please run the following scan:

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth, and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"


RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0xB984A000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 5705728 bytes (Intel Corporation, Intel Graphics Miniport Driver)

0xB9407000 C:\WINDOWS\system32\DRIVERS\NETw5x32.sys 4222976 bytes (Intel Corporation, Intel


That looks indeed like Bubnix, but I wonder if MSSE indeed deleted it or only detected it.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


As I was running ComboFix, I got an error message, PEV.cfxxe. I just cleared it and kept going. It seems like everything is getting cleaned, but then something else appears, or regenerates. Is there anything in these logs that shows what's happening? Thanks.

Here's the log:

ComboFix 10-08-24.0C - Andy 08/25/2010 9:46.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1395 [GMT -7:00]

Running from: c:\documents and settings\Andy\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\userinit.exe

.

((((((((((((((((((((((((( Files Created from 2010-07-25 to 2010-08-25 )))))))))))))))))))))))))))))))

.

2010-08-20 08:43 . 2010-08-20 08:47 -------- d-----w- C:\26071672580520b088d037de64a6df

2010-08-20 07:29 . 2010-08-20 07:29 -------- d-----w- c:\documents and settings\Andy\Application Data\Blackberry Desktop

2010-08-20 07:26 . 2010-08-20 07:26 -------- d-----w- c:\program files\MiniSafe Desktop

2010-08-20 04:48 . 2010-08-20 04:53 256 ----a-w- c:\windows\system32\pool.bin

2010-08-20 04:42 . 2010-08-20 04:42 -------- d-----w- c:\documents and settings\Andy\Application Data\Research In Motion

2010-08-20 04:39 . 2009-01-10 00:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys

2010-08-20 04:38 . 2010-08-20 04:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion

2010-08-20 04:37 . 2010-08-20 05:57 -------- d-----w- c:\program files\Common Files\Research In Motion

2010-08-20 04:37 . 2010-08-20 04:37 -------- d-----w- c:\program files\Research In Motion

2010-08-17 20:23 . 2010-08-18 17:56 -------- d-----w- c:\documents and settings\Andy\Application Data\webex

2010-08-14 21:39 . 2010-08-14 21:39 -------- d-----w- c:\program files\Windows Media Connect 2

2010-08-14 21:35 . 2010-08-14 21:37 -------- d-----w- c:\windows\system32\drivers\UMDF

2010-08-14 21:35 . 2010-08-14 21:35 -------- d-----w- c:\windows\system32\LogFiles

2010-08-11 14:33 . 2010-08-11 14:33 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-08-11 14:33 . 2010-08-25 15:36 -------- d-----w- c:\documents and settings\Andy\Application Data\skypePM

2010-07-28 22:45 . 2010-07-28 23:38 -------- d-----w- c:\program files\Novatel Wireless

2010-07-27 04:42 . 2010-07-27 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-25 16:57 . 2010-08-02 07:05 -------- d-----w- c:\documents and settings\Andy\Application Data\Skype

2010-08-20 15:53 . 2010-07-25 00:06 46744 ----a-w- c:\documents and settings\Andy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-20 08:52 . 2010-08-20 08:52 -------- d-----w- c:\program files\MSBuild

2010-08-20 08:52 . 2010-08-20 08:52 -------- d-----w- c:\program files\Reference Assemblies

2010-08-20 05:58 . 2010-08-20 05:58 26694 ----a-r- c:\documents and settings\Andy\Application Data\Microsoft\Installer\{F4F8DB3C-F4A5-4469-9067-37DBD61DF951}\BlackBerry.exe

2010-08-20 04:54 . 2010-08-20 04:54 53248 ----a-r- c:\documents and settings\Andy\Application Data\Microsoft\Installer\{EA50F6E4-8542-4B2B-B344-D080D5DA0EB1}\ARPPRODUCTICON.exe

2010-08-16 07:21 . 2010-07-25 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-08-11 03:01 . 2010-08-11 03:00 -------- d-----r- c:\program files\Skype

2010-08-11 03:00 . 2010-08-11 03:00 -------- d-----w- c:\program files\Common Files\Skype

2010-08-11 03:00 . 2010-08-02 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-08-09 16:15 . 2010-07-25 18:12 -------- d-----w- c:\program files\Common Files\Adobe

2010-08-08 00:57 . 2010-07-25 04:36 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-08-06 05:18 . 2010-07-25 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2010-08-04 17:46 . 2010-08-04 17:46 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\bawuho.dat

2010-08-04 08:09 . 2010-08-04 08:09 16 ----a-w- c:\documents and settings\NetworkService\Application Data\bawuho.dat

2010-07-27 04:42 . 2010-07-27 04:42 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-07-26 15:06 . 2010-07-25 06:44 -------- d-----w- c:\program files\Windows Desktop Search

2010-07-25 20:20 . 2010-07-25 20:20 -------- d-----w- c:\documents and settings\Andy\Application Data\Canon

2010-07-25 20:20 . 2010-07-25 20:20 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJScan

2010-07-25 20:18 . 2010-07-25 20:18 -------- d--h--w- c:\program files\CanonBJ

2010-07-25 19:41 . 2010-07-25 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM

2010-07-25 18:31 . 2010-07-25 18:31 -------- d-----w- c:\program files\Bonjour

2010-07-25 18:18 . 2010-07-25 18:18 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2010-07-25 16:10 . 2010-07-24 08:17 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-07-25 06:47 . 2010-07-25 06:47 -------- d-----w- c:\documents and settings\Andy\Application Data\Windows Search

2010-07-25 06:45 . 2010-07-25 06:45 -------- d-----w- c:\documents and settings\Andy\Application Data\Windows Desktop Search

2010-07-25 06:40 . 2010-07-25 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-07-25 06:30 . 2010-07-25 04:21 -------- d-----w- c:\program files\Microsoft Works

2010-07-25 05:29 . 2010-07-25 05:29 -------- d-----w- c:\program files\Common Files\Deterministic Networks

2010-07-25 05:29 . 2010-07-25 05:29 -------- d-----w- c:\program files\Cisco Systems

2010-07-25 04:37 . 2010-07-25 04:37 -------- d-----w- c:\documents and settings\Andy\Application Data\Thunderbird

2010-07-25 04:30 . 2010-07-25 04:30 0 ----a-w- c:\windows\nsreg.dat

2010-07-25 00:20 . 2010-07-25 00:20 -------- d-----w- c:\documents and settings\Andy\Application Data\Malwarebytes

2010-07-25 00:20 . 2010-07-25 00:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-25 00:19 . 2010-07-25 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-25 00:05 . 2010-07-25 00:05 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-07-24 23:59 . 2010-07-24 23:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intel

2010-07-24 23:59 . 2010-07-24 23:59 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel

2010-07-24 23:59 . 2010-07-24 23:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel

2010-07-24 23:59 . 2010-07-24 23:59 -------- d-----w- c:\documents and settings\Andy\Application Data\Intel

2010-07-24 23:58 . 2010-07-24 23:58 -------- d-----w- c:\program files\Common Files\Intel

2010-07-24 23:58 . 2010-07-24 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel

2010-07-24 23:58 . 2010-07-24 08:34 -------- d-----w- c:\program files\Intel

2010-07-24 17:01 . 2010-07-24 15:59 -------- d-----w- c:\program files\Dell

2010-07-24 17:01 . 2010-07-24 09:00 -------- d-----w- c:\program files\Common Files\InstallShield

2010-07-24 16:24 . 2010-07-24 08:33 -------- d-----w- c:\program files\Broadcom

2010-07-24 15:59 . 2010-07-24 15:59 5 ----a-w- c:\windows\system32\drivers\DELL_LAT_D430.MRK

2010-07-24 15:59 . 2010-07-24 15:59 5 ----a-w- c:\windows\system32\drivers\1028_DELL_LAT_D430.MRK

2010-07-24 15:59 . 2010-07-24 15:59 -------- d-----w- c:\documents and settings\Andy\Application Data\InstallShield

2010-07-24 15:53 . 2010-07-24 15:52 102859 ----a-w- c:\windows\HPFins09.dat

2010-07-24 15:52 . 2010-07-24 15:52 -------- d-----w- c:\program files\HP

2010-07-24 15:48 . 2010-07-24 15:48 -------- d-----w- c:\program files\O2Micro OZ776 SCR Driver

2010-07-24 09:00 . 2010-07-24 09:00 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-24 09:00 . 2010-07-24 09:00 -------- d-----w- c:\program files\SigmaTel

2010-07-24 08:46 . 2010-07-24 08:46 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf

2010-07-24 08:46 . 2010-07-24 08:46 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2010-07-24 08:45 . 2010-07-24 08:45 -------- d-----w- c:\program files\DellTPad

2010-07-24 08:28 . 2010-07-24 08:28 45056 ----a-r- c:\documents and settings\Andy\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe

2010-07-24 08:18 . 2010-07-24 08:18 -------- d-----w- c:\program files\microsoft frontpage

2010-07-24 08:14 . 2010-07-24 08:14 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2010-06-30 12:31 . 2008-04-13 23:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2008-04-13 23:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2008-04-13 23:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2008-04-13 23:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2008-04-13 23:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2010-07-24 08:15 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2008-04-13 23:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-01 17:37 . 2010-07-25 00:07 221568 ------w- c:\windows\system32\MpSigStub.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]

"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-30 624248]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-06-01 648536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/24/2010 5:20 PM 304464]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/24/2010 5:19 PM 20952]

S0 cerc6;cerc6; [x]

.

Contents of the 'Scheduled Tasks' folder

2010-08-25 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 04:40]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://shadysprings.homeip.net/

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

DPF: {7F245E01-651F-48E5-8A85-4752EC65E4ED} - hxxp://shadysprings.homeip.net:8090/Cisco210Viewer.cab

DPF: {FB4420AD-16B7-418F-ADF2-10687639B720} - hxxp://shadysprings.homeip.net:8090/adm/Cisco210AlertCfg.cab

FF - ProfilePath - c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\ztrvzfsi.default\

FF - prefs.js: browser.startup.homepage - yahoo.com

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-25 10:02

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1228)

c:\windows\System32\BCMLogon.dll

c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(3688)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Essentials\MsMpEng.exe

c:\program files\Intel\WiFi\bin\S24EvMon.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe

c:\program files\Intel\WiFi\bin\WLKeeper.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\wscntfy.exe

c:\program files\DellTPad\ApMsgFwd.exe

c:\program files\DellTPad\Apntex.exe

c:\program files\DellTPad\HidFind.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2010-08-25 10:06:34 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-25 17:06

Pre-Run: 13,780,951,040 bytes free

Post-Run: 13,775,667,200 bytes free

- - End Of File - - 1367664450594ED2D51E8A64FA6C15DC
