
Security Tool is undetected by Malwarebytes


nagrap2

Hi,

I have tried to scan using Malwarebytes in safe boot mode and it doesn't detect any trojans. I then start in normal mode and try to scan and Malwarebytes doesn't complete as I get the blue screen of death.

I then tried to follow the guide given here (http://forums.malwarebytes.org/index.php?showtopic=9573) but the Security Tool blocks me from running the DDS.scr file in normal mode, so I restarted in Safe Boot mode.

I was unable to run the GMER Rootkit Scanner as I get a windows error saying program has encountered a problem and needs to close...

I then tried to follow the instructions given at the bottom of this (http://forums.malwarebytes.org/index.php?showtopic=67755&hl=Security+Tool) post to run OTL.exe and RookitUnhooker.

Unfortunately RootkitUnhooker did not run as I got an error saying "Error loading/opening driver".

I am running Windows XP.

Please let me know if you require me to run any other tools.

DDS.txt:

DDS (Ver_10-11-10.01) - NTFSx86 NETWORK

Run by Administrator at 0:18:46.51 on 17/11/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.368 [GMT 0:00]

AV: PCguard Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}

FW: PCguard Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

mSearchAssistant =

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\virgin broadband\pcguard\pkR.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [Msdmxm] c:\windows\system32\msdmxm.exe /nocomm

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [EPSON Stylus Photo RX420 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O5 "LPT1:" /M "Stylus Photo RX420"

mRun: [EvtHtm] c:\windows\system32\evthtm.exe /nocomm

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [EPSON Stylus Photo RX420 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P40 "EPSON Stylus Photo RX420 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo RX420"

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [<NO NAME>]

mRun: [sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions

mRun: [PCSuiteTrayApplication] c:\progra~1\nokia\nokiap~1\LAUNCH~1.EXE -startup

mRun: [RecoverFromReboot] c:\windows\temp\RecoverFromReboot.exe

mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all

mRun: [WinampAgent] c:\program files\winamp\winampa.exe

mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles

mRun: [Nokia FastStart] "c:\program files\nokia\nokia music\NokiaMusic.exe" /command:faststart

mRun: [EPSON Stylus Photo RX420 Series (Copy 2)] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P40 "EPSON Stylus Photo RX420 Series (Copy 2)" /O5 "LPT1:" /M "Stylus Photo RX420"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueyo~1.lnk - c:\program files\blueyonder ist\bin\matcli.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB

DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB

DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab

DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab

DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133824864851

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37913.5428703704

DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab31267.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab41227.cab

DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab

DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/CheckersZPA.cab40641.cab

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2010-1-11 179984]

S2 gupdate1cabfbcb3e7fcc4;Google Update Service (gupdate1cabfbcb3e7fcc4);c:\program files\google\update\GoogleUpdate.exe [2010-3-9 133104]

S2 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-9-22 693512]

S2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\virgin broadband\pcguard\safeconnect\bin\SanaAgent.exe [2008-11-14 4937752]

S2 ScanDrv;ScanDrv;c:\windows\system32\drivers\scandrv.sys [2004-2-28 195396]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-16 38224]

S3 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-9-22 910600]

S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\virgin broadband\pcguard\RpsSecurityAwareR.exe [2009-5-27 170736]

S3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectDriver.sys [2008-11-14 161304]

S3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectFilter.sys [2008-11-14 29720]

S3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectShim.sys [2008-11-14 27376]

=============== Created Last 30 ================

2010-11-16 23:56:58 69120 ----a-w- c:\windows\system32\iexplore.exe

2010-11-16 21:09:09 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE

2010-11-16 21:04:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-16 21:04:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-16 21:04:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-16 20:45:36 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2010-11-16 20:45:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-11-16 20:43:03 -------- d-sh--w- c:\documents and settings\administrator\IETldCache

2010-11-15 17:33:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2010-10-31 16:54:59 -------- d-----w- c:\program files\vShare

2010-10-31 16:48:20 -------- d-----w- c:\program files\Veetle

==================== Find3M ====================

2010-09-18 12:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

============= FINISH: 0:20:33.51 ===============

Attach.zip


:)

Please don't attach the scan results; use Copy/Paste.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Hi,

I ran ATF Cleaner as requested and it cleared approx 500MB.

I ran Goored Fix

I ran TDSSKiller and it said no infections found. When I try to click on the Report button to download the log, Security Tool kicks in and prevents Notepad from starting.

Basically whenever I try to run any executable it is prevented by Security Tool. The way I got around running the above was to rename each executable to "iexplore.exe" as explorer seems to start up fine.

What can we try next?


Download Combofix from any of the links below but rename it to iexplore.exe before saving it to your desktop.

If need be, Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

Note:

If combofix (iexplore.exe) won't run from the desktop, try running it from the USB device.

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save iexplore.exe to your Desktop

Double click on iexplore.exe (the renamed ComboFix.exe) & follow the prompts.

Be sure to download any updates.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Hi,

I have run Combofix and have pasted the log below. The trojan doesn't seem to be popping up now; however, are you able to check from the below to see if it is completely removed?

ComboFix 10-11-17.04 - Owner 18/11/2010 20:11:29.1.2 - x86

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: PCguard Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}

FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\2E.tmp

C:\desktop.ini

c:\documents and settings\Owner\Local Settings\Application Data\147491517.exe

c:\documents and settings\Owner\Local Settings\Application Data\24443339.exe

c:\documents and settings\Owner\Local Settings\Application Data\710192911.exe

c:\documents and settings\Owner\Start Menu\Programs\Security Tool.lnk

C:\kmd.exe

c:\program files\Altnet

c:\program files\Altnet\Download Manager\adm25.dll

c:\program files\Altnet\Download Manager\adm4.dll

c:\program files\Altnet\Download Manager\adm4005.exe

c:\program files\Altnet\Download Manager\admdata.dll

c:\program files\Altnet\Download Manager\admdloader.dll

c:\program files\Altnet\Download Manager\admfdi.dll

c:\program files\Altnet\Download Manager\admprog.dll

c:\program files\Altnet\Download Manager\asmend.exe

c:\program files\Altnet\Download Manager\dminfo3.cab

c:\program files\Altnet\Download Manager\dmsetup.bmp

c:\program files\Altnet\Download Manager\dmsetupbig.bmp

c:\program files\Altnet\Download Manager\jsinstall.cab

c:\program files\Altnet\Download Manager\jslegals.txt

c:\program files\Altnet\Download Manager\selectdir.txt

c:\program files\Altnet\Download Manager\selectdir1st.txt

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cab.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.cvd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.ivd.cab (incomplete)

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.ivd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.rvd.cab (incomplete)

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.rvd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.cvd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\dbx.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\dbx.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\docfile.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cvd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab (incomplete-1)

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab (incomplete-2)

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab (incomplete-3)

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab (incomplete)

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\hqx.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\html.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\html.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\java.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\java.cvd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx.xmd.cab (incomplete)

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab (incomplete-1)

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab (incomplete-2)

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab (incomplete)

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_w95.cvd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_x95.cvd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mime.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mime.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mso.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mso.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\na.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\na.cvd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\na.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\nelf.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\nelf.cvd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\pdf.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\pdf.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab (incomplete)

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cvd.cab (incomplete)

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cvd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.cvd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.ivd.cab (incomplete)

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.ivd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.xmd.cab (incomplete)

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sfx.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\tar.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\tar.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cvd.cab (incomplete)

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cvd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.ivd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\update.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\update.txt.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.xmd.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\zip.cab

c:\program files\Altnet\My Altnet Shares\Bullguard Protection\zip.xmd.cab

c:\program files\Mozilla Firefox\plugins\NPNd2fn.dll

c:\program files\Need2Find

c:\program files\Need2Find\bar\1.bin\N2FFXTBR.JAR

c:\program files\Need2Find\bar\1.bin\N2NTSTBR.JAR

c:\program files\Need2Find\bar\1.bin\N2PLUGIN.DLL

c:\program files\Need2Find\bar\1.bin\NPND2FN.DLL

c:\program files\Need2Find\bar\1.bin\PARTNER.DAT

c:\program files\Need2Find\bar\Cache\0091FED1

c:\program files\Need2Find\bar\Cache\files.ini

c:\program files\Need2Find\bar\History\search

c:\program files\Need2Find\bar\Settings\prevcfg.htm

c:\windows\Readme.txt

c:\windows\system\Color

c:\windows\system32\hadl.dll

c:\windows\system32\iexplore.exe

c:\windows\system32\system

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FCI

-------\Legacy_SYSLIBRARY

((((((((((((((((((((((((( Files Created from 2010-10-18 to 2010-11-18 )))))))))))))))))))))))))))))))

.

2010-11-16 22:08 . 2010-11-16 22:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-11-16 21:09 . 2010-11-16 21:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-11-16 21:04 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-16 21:04 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-16 21:04 . 2010-11-16 23:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-16 20:45 . 2010-11-16 20:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-11-16 20:45 . 2010-11-16 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-16 20:43 . 2010-11-16 20:43 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-11-15 17:33 . 2010-11-15 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-10-31 16:55 . 2010-10-31 16:56 -------- d-----w- c:\documents and settings\Owner\Application Data\vShare

2010-10-31 16:54 . 2010-10-31 16:55 -------- d-----w- c:\program files\vShare

2010-10-31 16:48 . 2010-10-31 16:48 -------- d-----w- c:\program files\Veetle

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 12:23 . 2003-01-02 19:10 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2003-01-02 19:10 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2003-01-02 19:10 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2003-01-02 19:10 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2004-02-06 17:05 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2003-01-02 19:10 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2003-01-02 19:10 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2003-01-01 15:37 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2003-01-02 19:11 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2003-01-02 19:11 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2003-01-02 19:10 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2003-01-01 15:12 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-04-14 20:22 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2003-01-02 19:10 617472 ----a-w- c:\windows\system32\comctl32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVIEW"="nview.dll" [2003-03-04 831557]

"kdx"="c:\program files\Kontiki\KHost.exe" [2006-11-08 1040832]

"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]

"Podmailing"="c:\program files\Podmailing\Podmailing.exe" [2008-06-06 173056]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-02-22 26101032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-02-17 50176]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"EPSON Stylus Photo RX420 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-22 180269]

"EPSON Stylus Photo RX420 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"nwiz"="nwiz.exe" [2003-03-04 323584]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-04 4595712]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-12 114688]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-20 278528]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]

"4oD"="c:\program files\Kontiki\KHost.exe" [2006-11-08 1040832]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-09-26 35328]

"Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2008-12-03 2372840]

"EPSON Stylus Photo RX420 Series (Copy 2)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

blueyonder Instant Support Tool.lnk - c:\program files\blueyonder IST\bin\matcli.exe [2003-10-19 204800]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [22/09/2008 16:58 693512]

R2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe [14/11/2008 18:28 4937752]

R2 ScanDrv;ScanDrv;c:\windows\system32\drivers\scandrv.sys [28/02/2004 16:05 195396]

R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [14/11/2008 18:28 161304]

R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [14/11/2008 18:28 29720]

R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [14/11/2008 18:28 27376]

S2 gupdate1cabfbcb3e7fcc4;Google Update Service (gupdate1cabfbcb3e7fcc4);c:\program files\Google\Update\GoogleUpdate.exe [09/03/2010 19:14 133104]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [16/11/2010 21:04 38224]

S3 Normandy;Normandy SR2; [x]

S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [22/09/2008 16:58 910600]

S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe [27/05/2009 13:10 170736]

.

Contents of the 'Scheduled Tasks' folder

2010-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 19:13]

2010-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 19:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://vshare.toolbarhome.com/?hp=df&t=1

uDefault_Search_URL = hxxp://srch-qgb8.hpwis.com/

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uInternet Connection Wizard,ShellNext = iexplore

IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html

IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html

IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\q7l2yjno.default\

FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\Veetle\Player\npvlc.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{F48BDBDD-846B-456D-A78D-F9F6100C7D57} - (no file)

HKLM-Run-Msdmxm - c:\windows\system32\msdmxm.exe

HKLM-Run-EvtHtm - c:\windows\system32\evthtm.exe

HKLM-Run-PS2 - c:\windows\system32\ps2.exe

HKLM-Run-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

AddRemove-AltnetDM - c:\program files\Altnet\Download Manager\AltnetUninstall.exe

AddRemove-EvtHtm - c:\windows\system32\evthtm.exe

AddRemove-Msdmxm - c:\windows\system32\Msdmxm.exe

AddRemove-Yazzle1461Oin - c:\program files\Common Files\Yazzle1461OinUninstaller.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-18 20:29

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2540)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll

c:\windows\system32\ConnAPI.DLL

c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr

c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Virgin Broadband\PCguard\Fws.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Kontiki\KService.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\ALCXMNTR.EXE

c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

c:\program files\Common Files\Teleca Shared\CapabilityManager.exe

c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe

c:\progra~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe

c:\program files\blueyonder IST\bin\mpbtn.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe

c:\program files\Common Files\Teleca Shared\Generic.exe

c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-11-18 20:51:28 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-18 20:51

Pre-Run: 61,329,727,488 bytes free

Post-Run: 66,791,022,592 bytes free

- - End Of File - - 4FA321475AC89BCCF12AFE1852AE3395


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
