
Rogue Agent Found In Startup List


Trav


Greetings!

I've made several postings here before in regards to my laptop, but currently am discussing a different home computer. While running CCleaner I found an entry for a rogue agent named "WinFixerScannerInstall", which I have documented in the picture attached. This troubles me for, as the Wikipedia article listed below indicates, it is the name of a well-known rogue agent.

http://en.wikipedia.org/wiki/WinFixer

Below is a copy of the most recent Malwarebytes Anti-Malware logs, a HijackThis log, and the machine specs. Any and all information you could provide will be helpful.

--Speccy System Summary--

Operating System: MS Windows XP Home 32-bit SP3
CPU: Intel Celeron, Northwood 0.13um Technology
RAM: 1.5GB DDR @ 133MHz (2.5-2-2-6)
Motherboard: MICRO-STAR INTERNATIONAL CO., LTD Gamila/Giovani/Neon series (Socket 478) 33

Attached: Forboding.bmp


Hello,

My name is Elise and I'll be glad to help you with your computer problems. :)

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' button and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.


Good day Elise! :D

I have run all of the processes you requested, but the logs were so large that I could not post them here; instead I have attached the .txt files, as instructed in your post for when such an issue arose. I have also attached a print screen of the CCleaner entry that alerted me to this PC's problem initially.

Thank you for your time and please enjoy your day :D

Attached: Extras.Txt, Report.txt, OTL.Txt, post-21615-1288541162_thumb.jpg


Hi, I would really not worry about WinFixer. It's ancient and, besides that, I see no signs of it.

Let's see if something else is hiding here.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

(screenshot: Query_RC.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: RC_successful.gif)

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


==ComboFix Log==

ComboFix 10-10-30.09 - Travis 10/31/2010 11:34:11.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.971 [GMT -5:00]

Running from: c:\documents and settings\Travis\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\Owner\Application Data\shb.dat

C:\Thumbs.db

c:\windows\jestertb.dll

c:\windows\system32\aycdd.bak2

c:\windows\system32\aycdd.ini

c:\windows\system32\aycdd.ini2

c:\windows\system32\mnnmp.bak1

c:\windows\system32\mnnmp.ini

c:\windows\system32\mnnmp.ini2

c:\windows\system32\spool\prtprocs\w32x86\Ppbiproc.dll

D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://buy-download.norton.com

.

((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-31 )))))))))))))))))))))))))))))))

.

2010-10-29 23:22 . 2010-10-29 23:22 -------- d-----w- c:\program files\AutoTask

2010-10-29 23:21 . 2007-04-30 10:11 4224 ----a-r- c:\windows\system32\drivers\REFILERW.SYS

2010-10-29 22:44 . 2010-10-29 22:44 388096 ----a-r- c:\documents and settings\Travis\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-10-29 22:44 . 2010-10-29 22:44 -------- d-----w- c:\program files\Trend Micro

2010-10-29 22:03 . 2010-10-29 22:06 -------- d-----w- c:\documents and settings\Travis\Local Settings\Application Data\Temp

2010-10-29 21:27 . 2010-10-29 21:27 -------- d-----w- c:\program files\Speccy

2010-10-29 03:19 . 2010-10-29 03:19 -------- d-----w- c:\program files\Geeks Ltd

2010-10-12 22:06 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-12 22:06 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-10-12 22:06 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 17:23 . 2004-02-23 11:13 974848 ------w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-02-23 11:13 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2004-02-23 11:13 954368 ------w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2004-02-23 11:13 953856 ------w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2004-02-06 23:05 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2004-02-23 11:13 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2004-02-23 11:12 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2004-02-23 11:12 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2003-10-11 10:06 1852800 ------w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2004-02-23 10:50 119808 ------w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2004-02-23 10:49 99840 ------w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2003-10-11 10:06 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-04-17 00:06 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2004-02-23 11:12 617472 ------w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2004-02-23 10:49 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45 . 2004-04-21 01:32 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2007-08-25 03:52 . 2008-01-12 07:16 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-13 81920]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

"Server Application"="c:\windows\system32\ServoApp.exe" [2007-05-21 417792]

"GDI Manager"="c:\program files\MFP Server\App\Common\MFPAgent.exe" [2007-12-06 745472]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-13 8466432]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]

"AutoTask"="c:\program files\AutoTask\AutoTask.exe" [2009-06-22 335872]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]

FriendlyName= :::::WELCOME TO CHRIS TOMLIN ONLINE:::::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]

backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RitzPix E-Z Print & Share.lnk]

backup=c:\windows\pss\RitzPix E-Z Print & Share.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Travis^Start Menu^Programs^Startup^Event Minder Reminders.lnk]

backup=c:\windows\pss\Event Minder Reminders.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Travis^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

path=c:\documents and settings\Travis\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWFX5_0001_N57M2112

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-10-29 22:03 136176 ----atw- c:\documents and settings\Travis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\LeapFrog\\FlyWorld\\bin\\FLYMonitor.exe"=

"c:\\Program Files\\LeapFrog\\FlyWorld\\bin\\FLYWorld.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=

"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM

"56779:TCP"= 56779:TCP:Pando Media Booster

"56779:UDP"= 56779:UDP:Pando Media Booster

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [2/2/2010 9:47 PM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008000.029\BHDrvx86.sys [2/2/2010 9:47 PM 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008000.029\cchpx86.sys [2/2/2010 9:47 PM 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20101028.001\IDSXpx86.sys [10/19/2010 3:36 PM 341880]

R2 ALIWEHCD;MFP Server Enhanced Controller;c:\windows\system32\drivers\mfpec.sys [11/21/2008 9:13 PM 34944]

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 9:47 PM 117640]

R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 2:57 PM 70952]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/2/2008 11:25 AM 24652]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 12:46 PM 102448]

R3 WUSBVBus;MFP Server Detector;c:\windows\system32\drivers\mfpvbus.sys [11/21/2008 9:13 PM 10240]

S2 mrtRate;mrtRate; [x]

S3 adxapie;adxapie;\??\c:\docume~1\Travis\LOCALS~1\Temp\adxapie.sys --> c:\docume~1\Travis\LOCALS~1\Temp\adxapie.sys [?]

S3 AliWGP;Composite Device;c:\windows\system32\drivers\mfpcomp.sys [11/21/2008 9:13 PM 10880]

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/25/2009 3:10 PM 18560]

S3 hsffdisk;hsffdisk;\??\c:\docume~1\Orianna\LOCALS~1\Temp\hsffdisk.sys --> c:\docume~1\Orianna\LOCALS~1\Temp\hsffdisk.sys [?]

S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [4/23/2004 11:11 PM 15104]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NORMANDY

*Deregistered* - Normandy

.

Contents of the 'Scheduled Tasks' folder

2010-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

2010-10-31 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-05 05:09]

2010-10-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2767661347-1277386359-1002576921-1009Core.job

- c:\documents and settings\Travis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 22:03]

2010-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2767661347-1277386359-1002576921-1009UA.job

- c:\documents and settings\Travis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 22:03]

2010-10-29 c:\windows\Tasks\Norton Security Scan for Dad.job

- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 09:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mSearch Bar = hxxp://srch-qus10.hpwis.com/

uInternet Settings,ProxyOverride = localhost;*.local

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html

IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html

DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB

DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} - hxxp://www.contentpurity.com/xp/ScanFilexp.CAB

FF - ProfilePath - c:\documents and settings\Travis\Application Data\Mozilla\Firefox\Profiles\nqdubyl8.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

FF - plugin: c:\documents and settings\Travis\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-BackupSoft - \BackupSoft.exe

SafeBoot-svcWRSSSDK

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-10-31 11:48

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2010-10-31 11:53:13

ComboFix-quarantined-files.txt 2010-10-31 16:52

Pre-Run: 26,483,097,600 bytes free

Post-Run: 27,556,433,920 bytes free

- - End Of File - - 6C3C83D4EB0414EBE364C3F49DD2B928

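The ComboFix log above lists the machine's Run-key values, services and drivers, and Security Center "DisableMonitoring" keys, and it is those sections a helper reads first when looking for something hiding. The following script is an added example written for this thread; it is not code from the thread, from ComboFix or from Malwarebytes. It parses the three line shapes that appear in the log and flags what a responder would check first: images loading from a user's Temp directory (as the `adxapie` and `hsffdisk` entries do), services where the trailing bracket holds `?` or `x` instead of a date and size, and Security Center monitoring switched off. The regular expressions are inferred from the log lines as posted, the sample excerpt is constructed from lines in that log, and the triage rules are this example's own heuristics, not ComboFix's.

```python
r"""Triage the autostart and service entries in a ComboFix-style log.

Added example for the thread; not code from ComboFix or Malwarebytes.
Line shapes handled (inferred from the posted log):

  "Name"="c:\path\file.exe" [2009-06-22 335872]       Run-key values
  R2 svc;Display Name;c:\path\file.sys [date size]    services / drivers
  "DisableMonitoring"=dword:00000001                  Security Center keys
"""
import re
from dataclasses import dataclass

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
SVC_RE = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$'
)
MON_RE = re.compile(r'^"DisableMonitoring"=dword:(?P<val>[0-9a-fA-F]{8})$')
# A user's Temp folder in either the 8.3 (docume~1\...\locals~1) or the long form.
TEMP_RE = re.compile(r'\\(?:locals~1|local settings)\\temp\\', re.IGNORECASE)


@dataclass
class Entry:
    kind: str      # "run", "service" or "monitoring"
    name: str
    path: str
    meta: str      # text inside the trailing [...]: date+size, "?" or "x"
    context: str   # registry key (run/monitoring) or start type (service)


def parse(lines):
    """Turn log lines into Entry objects; lines of other shapes are ignored."""
    entries, current_key = [], ""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # registry key header
            continue
        if m := RUN_RE.match(line):
            entries.append(Entry("run", m["name"], m["path"], m["meta"], current_key))
        elif m := SVC_RE.match(line):
            entries.append(Entry("service", m["name"], m["path"].strip(), m["meta"], m["state"]))
        elif m := MON_RE.match(line):
            entries.append(Entry("monitoring", "DisableMonitoring", "", m["val"], current_key))
    return entries


def triage(entries):
    """Return (name, reason) pairs for entries worth a closer look (heuristics of this example)."""
    findings = []
    for e in entries:
        if e.kind == "monitoring":
            if int(e.meta, 16) != 0:
                findings.append((e.name, f"Security Center monitoring disabled under {e.context}"))
            continue
        if e.kind == "service" and e.meta in ("?", "x"):
            findings.append((e.name, f"service image missing or unverifiable: {e.path or '(no path)'}"))
        if TEMP_RE.search(e.path):
            findings.append((e.name, f"autostart from a Temp directory: {e.path}"))
    return findings


# Constructed excerpt: a handful of lines copied in shape from the log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-13 81920]
"AutoTask"="c:\program files\AutoTask\AutoTask.exe" [2009-06-22 335872]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [2/2/2010 9:47 PM 310320]
S2 mrtRate;mrtRate; [x]
S3 adxapie;adxapie;\??\c:\docume~1\Travis\LOCALS~1\Temp\adxapie.sys --> c:\docume~1\Travis\LOCALS~1\Temp\adxapie.sys [?]
""".splitlines()


if __name__ == "__main__":
    for name, reason in triage(parse(SAMPLE_LOG)):
        print(f"{name:20} {reason}")
```

Run it on a saved ComboFix.txt by replacing `SAMPLE_LOG` with `open("ComboFix.txt", errors="replace").read().splitlines()`. On the constructed excerpt it reports the disabled Symantec monitoring key, the `mrtRate` service with no image, and `adxapie` twice (no verifiable file, and loading from Temp), while the ordinary NVIDIA, AutoTask and Symantec entries pass untouched.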

Hi there, that looks already better. Do you have any problems left at this point?

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please launch MBAM, update it and run a full scan. Post me the resulting log.


3 weeks later...

This topic is now closed to further replies.