TrojanHunter Posted December 4, 2010 ID:356255 Share Posted December 4, 2010 Hey, I've recently started encountering svchost crashes (which disable internet and audio services) after a few minutes of PC use. I ran TrojanHunter with these results:Found trojan file: C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe (Vilsel.488)Found trojan file: C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe (Genome.908)Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_clean_ADF.exe (Katusha.321)Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_insert_card.exe (Katusha.321)Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_jams.exe (Katusha.321)Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_load_ADF.exe (Katusha.321)Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_load_envelopes.exe (Katusha.321)Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_load_glass.exe (Katusha.321)Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_load_small.exe (Katusha.321)Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_load_standard.exe (Katusha.321)Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_replace_printcartridge.exe (Katusha.321)Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_scan_card.exe (Katusha.321)Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_transfer_scanner.exe (Katusha.321)Found trojan file: C:\Program Files\VLC\vlc.exe (Bacteraloh.102)Found trojan file: C:\Program Files\WinRAR\Default.SFX (Agent.6714)Found trojan file: C:\Program Files\WinRAR\Zip.SFX (QHost.142)Found trojan file: C:\Stuff\Misc\Picture Resize Genius.exe (TrojanDropper.Binder.130)Found trojan file: C:\WINDOWS\RunHiddenConsole.exe (RiskTool.Hidec.100)I spotted the problematic file - the pic resizer, which nod32 (updated 4.0.314) didn't spot as a threat.I've tried cleaning it with the TrojanHunter, which seem to have done the trick until the next reboot, but it didn't solve the svchost crashing problem after that, so i guess the infection is still here.Weird but MBAM didn't find anything even before the TrojanHunter run, and nothing after.Here are the DDS and ark logs (i guess the 77.exe and 37.exe new files in windows folder are part of the infection, but i haven't touched anything yet)Thanks a lot!DDS log:DDS (Ver_10-11-27.01) - NTFSx86 Run by Admin at 11:57:19.34 on Sat 12/04/2010Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3327.2779 [GMT 2:00]AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}============== Running Processes ===============C:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcsC:\WINDOWS\system32\svchost.exe -k WudfServiceGroupsvchost.exesvchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\ESET NOD32 Antivirus\ekrn.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exeC:\WINDOWS\System32\svchost.exe -k HPZ12C:\WINDOWS\system32\IoctlSvc.exeC:\WINDOWS\System32\svchost.exe -k HPZ12C:\Program Files\EDIMAX\Common\RalinkRegistryWriter.exec:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\Program Files\CRC Check XP\US30Service.exeC:\WINDOWS\Explorer.EXEC:\Program Files\ESET NOD32 Antivirus\egui.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\Documents and Settings\Admin\Desktop\dds.com============== Pseudo HJT Report ===============uStart Page = hxxp://www.google.com/uInternet Settings,ProxyOverride = *.localmWinlogon: Userinit=userinit.exe,BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dllBHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLLBHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllBHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dlluRun: [ctfmon.exe] c:\windows\system32\ctfmon.exemRun: [egui] "c:\program files\eset nod32 antivirus\egui.exe" /hide /waitservicemRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exemRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartupIE: &Download All with FlashGet - c:\program files\flashget\jc_all.htmIE: &Download with FlashGet - c:\program files\flashget\jc_link.htmIE: &???? ??????? ????-?? - c:\program files\flashget\jc_link.htmIE: &???? ??? ??????? ????-?? - c:\program files\flashget\jc_all.htmIE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dllIE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLLDPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217592368135DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabTCP: {9EB720C7-2B88-44EA-94ED-B72CFEA29942} = 109.226.0.82 109.226.4.18Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLLHandler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllHandler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLLSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllSEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL================= FIREFOX ===================FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\FF - prefs.js: browser.search.selectedEngine - YouTube Video SearchFF - prefs.js: browser.startup.homepage - hxxp://www.walla.co.il/FF - plugin: c:\documents and settings\admin\application data\mozilla\firefox\profiles\txdw5lu2.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dllFF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgoogletalk.dllFF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgoogletalk.dllFF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgtpo3dautoplugin.dllFF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dllFF - plugin: c:\program files\haihaisoft universal player\codec\plugins\nppl3260.dllFF - plugin: c:\program files\haihaisoft universal player\codec\plugins\npqtplugin.dllFF - plugin: c:\program files\haihaisoft universal player\codec\plugins\nprpjplug.dllFF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dllFF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dllFF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}FF - Extension: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}FF - Extension: Extension Manager Extended: Extended@spanglerco.com - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\Extended@spanglerco.comFF - Extension: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}FF - Extension: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}FF - Extension: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}FF - Extension: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{dc572301-7619-498c-a57d-39143191b318}FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}FF - Extension: Mouse Gestures Redox: {FFA36170-80B1-4535-B0E3-A4569E497DD0} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}FF - Extension: Menu Editor: {EDA7B1D7-F793-4e03-B074-E6F303317FB0} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}FF - Extension: QuickRestart: {F645A8C9-E969-42D9-B3F3-F325537222FD} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}FF - Extension: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}FF - Extension: dragdropupload: {CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9}FF - Extension: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}FF - Extension: Right-Click-Link: {AA6F0803-145A-4200-8E5E-68898D02B5B3} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{AA6F0803-145A-4200-8E5E-68898D02B5B3}FF - Extension: SkipScreen: SkipScreen@SkipScreen - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\SkipScreen@SkipScreenFF - Extension: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}FF - Extension: YouTube to MP3: youtube2mp3@mondayx.de - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\youtube2mp3@mondayx.deFF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}FF - Extension: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}FF - Extension: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}FF - Extension: Google Reader Watcher: grwatcher@ajnasz.hu - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\grwatcher@ajnasz.huFF - Extension: PsicoTSI: {7E77F5DF-8022-40e3-9122-F03DEBEFC43B} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{7E77F5DF-8022-40e3-9122-F03DEBEFC43B}FF - Extension: FoxTrick: {9d1f059c-cada-4111-9696-41a62d64e3ba} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{9d1f059c-cada-4111-9696-41a62d64e3ba}FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff============= SERVICES / DRIVERS ===============R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-7-31 150568]R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]R2 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]R2 ekrn;ESET Service;c:\program files\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\edimax\common\RalinkRegistryWriter.exe [2010-2-18 69632]R3 US30Kbd;US30Kbd;c:\windows\system32\drivers\US30Kbd2K.sys [2008-9-4 9216]S2 .EsetTrialReset;Eset Trial Reset;c:\windows\reset.exe [2009-3-13 357182]S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2008-4-14 3584]S3 rt2870;Wireless nLite USB Adapter;c:\windows\system32\drivers\rt2870.sys [2010-2-18 580096]S3 vpn-x;VPN-X Virtual Network Interface Card(NIC);c:\windows\system32\drivers\vpn-x.sys [2010-10-2 24960]S3 Wirelecf;Friendly WI-FI Wirelesscfg Util Win2000 XP;c:\windows\system32\drivers\Wirelecf.SYS [2005-9-7 17230]=============== Created Last 30 ================2010-12-03 19:52:08 -------- d-----w- c:\docume~1\admin\applic~1\TrojanHunter2010-12-03 16:11:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\TrojanHunter2010-12-03 16:11:34 -------- d-----w- c:\program files\TrojanHunter 5.32010-12-03 15:32:36 121040 ----a-w- c:\windows\system32\37.exe2010-12-03 15:28:54 121040 ----a-w- c:\windows\system32\77.exe2010-12-03 12:21:31 -------- d-----w- c:\docume~1\admin\applic~1\wsInspector2010-12-03 12:20:46 -------- d-----w- c:\program files\Startup Inspector for Windows2010-12-03 08:47:16 -------- d-----w- c:\docume~1\admin\applic~1\Malwarebytes2010-12-03 08:47:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-12-03 08:47:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes2010-12-03 08:47:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-12-03 08:47:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-12-02 23:21:42 -------- d-----w- c:\windows\pss==================== Find3M ====================2010-10-16 14:11:37 2829 ----a-w- c:\windows\War3Unin.pif2010-10-16 14:11:36 139264 ----a-w- c:\windows\War3Unin.exe============= FINISH: 11:57:47.31 ===============Attach.zip Link to post Share on other sites More sharing options...
Maniac Posted December 4, 2010 ID:356263 Share Posted December 4, 2010 Hello TrojanHunter! Welcome to Malwarebytes' Anti-Malware Forums!My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following: The process of cleaning your system may take some time, so please be patient.Follow my instructions step by step if there is a problem somewhere, stop and tell me.Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.Instructions that I give are for your system only!If you don't know or can't understand something please ask. Do not install or uninstall any software or hardware, while work on.Keep me informed about any changes.TrojanHunter is a real problem. What were detected and removed from your computer are false positives. http://service1.symantec.com/sarc/sarc.nsf...e.positive.htmlI suggest you to uninstall this program.You use the fix for NOD32, which contains malicious code and damage your antivirus product. If you can not pay the license for NOD32, I recommend you a free antivirus software - Avira AntiVir, Avast Antivirus or Microsoft Security Essentials.Step 1Going over your logs I noticed that you have Link to post Share on other sites More sharing options...
TrojanHunter Posted December 4, 2010 Author ID:356266 Share Posted December 4, 2010 Hey Borislav!Thanks for the quick reply.I had no idea that TrojanHunter is so unreliable, I uninstalled it.Regarding emule and utorrent, i haven't used them in about a year, i'll probably uninstall them when i get to it.About those vsjitdebugger processes you can see running, i don't close them because if i do i lose internet access...Here is an updated mbam log(last run was with 5236 i think) and DDS (i see more files in windows32 folder :/ )Thanks again!Malwarebytes' Anti-Malware 1.50www.malwarebytes.orgDatabase version: 5243Windows 5.1.2600 Service Pack 3Internet Explorer 7.0.5730.1312/4/2010 21:10:24mbam-log-2010-12-04 (21-10-24).txtScan type: Quick scanObjects scanned: 157086Time elapsed: 5 minute(s), 3 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)----------DDS:DDS (Ver_10-11-27.01) - NTFSx86 Run by Admin at 21:13:42.18 on Sat 12/04/2010Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3327.2618 [GMT 2:00]AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}============== Running Processes ===============C:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcsC:\WINDOWS\system32\svchost.exe -k WudfServiceGroupsvchost.exesvchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\ESET NOD32 Antivirus\ekrn.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exeC:\WINDOWS\System32\svchost.exe -k HPZ12C:\WINDOWS\system32\IoctlSvc.exeC:\WINDOWS\System32\svchost.exe -k HPZ12C:\Program Files\EDIMAX\Common\RalinkRegistryWriter.exec:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\Program Files\CRC Check XP\US30Service.exeC:\WINDOWS\Explorer.EXEC:\Program Files\ESET NOD32 Antivirus\egui.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\vsjitdebugger.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Documents and Settings\Admin\Desktop\dds.com============== Pseudo HJT Report ===============uStart Page = hxxp://www.google.com/uInternet Settings,ProxyOverride = *.localmWinlogon: Userinit=userinit.exe,BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dllBHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLLBHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllBHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dlluRun: [ctfmon.exe] c:\windows\system32\ctfmon.exemRun: [egui] "c:\program files\eset nod32 antivirus\egui.exe" /hide /waitservicemRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exemRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartupIE: &Download All with FlashGet - c:\program files\flashget\jc_all.htmIE: &Download with FlashGet - c:\program files\flashget\jc_link.htmIE: &???? ??????? ????-?? - c:\program files\flashget\jc_link.htmIE: &???? ??? ??????? ????-?? - c:\program files\flashget\jc_all.htmIE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dllIE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLLDPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217592368135DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabTCP: {9EB720C7-2B88-44EA-94ED-B72CFEA29942} = 109.226.0.82 109.226.4.18Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLLHandler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllHandler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLLSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllSEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL================= FIREFOX ===================FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\FF - prefs.js: browser.search.selectedEngine - YouTube Video SearchFF - prefs.js: browser.startup.homepage - hxxp://www.walla.co.il/FF - plugin: c:\documents and settings\admin\application data\mozilla\firefox\profiles\txdw5lu2.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dllFF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgoogletalk.dllFF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgoogletalk.dllFF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgtpo3dautoplugin.dllFF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dllFF - plugin: c:\program files\haihaisoft universal player\codec\plugins\nppl3260.dllFF - plugin: c:\program files\haihaisoft universal player\codec\plugins\npqtplugin.dllFF - plugin: c:\program files\haihaisoft universal player\codec\plugins\nprpjplug.dllFF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dllFF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dllFF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}FF - Extension: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}FF - Extension: Extension Manager Extended: Extended@spanglerco.com - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\Extended@spanglerco.comFF - Extension: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}FF - Extension: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}FF - Extension: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{dc572301-7619-498c-a57d-39143191b318}FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}FF - Extension: Mouse Gestures Redox: {FFA36170-80B1-4535-B0E3-A4569E497DD0} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}FF - Extension: Menu Editor: {EDA7B1D7-F793-4e03-B074-E6F303317FB0} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}FF - Extension: QuickRestart: {F645A8C9-E969-42D9-B3F3-F325537222FD} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}FF - Extension: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}FF - Extension: dragdropupload: {CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9}FF - Extension: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}FF - Extension: Right-Click-Link: {AA6F0803-145A-4200-8E5E-68898D02B5B3} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{AA6F0803-145A-4200-8E5E-68898D02B5B3}FF - Extension: SkipScreen: SkipScreen@SkipScreen - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\SkipScreen@SkipScreenFF - Extension: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}FF - Extension: YouTube to MP3: youtube2mp3@mondayx.de - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\youtube2mp3@mondayx.deFF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}FF - Extension: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}FF - Extension: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}FF - Extension: Google Reader Watcher: grwatcher@ajnasz.hu - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\grwatcher@ajnasz.huFF - Extension: PsicoTSI: {7E77F5DF-8022-40e3-9122-F03DEBEFC43B} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{7E77F5DF-8022-40e3-9122-F03DEBEFC43B}FF - Extension: FoxTrick: {9d1f059c-cada-4111-9696-41a62d64e3ba} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{9d1f059c-cada-4111-9696-41a62d64e3ba}FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff============= SERVICES / DRIVERS ===============R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-7-31 150568]R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]R2 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]R2 ekrn;ESET Service;c:\program files\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\edimax\common\RalinkRegistryWriter.exe [2010-2-18 69632]R3 US30Kbd;US30Kbd;c:\windows\system32\drivers\US30Kbd2K.sys [2008-9-4 9216]S2 .EsetTrialReset;Eset Trial Reset;c:\windows\reset.exe [2009-3-13 357182]S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2008-4-14 3584]S3 rt2870;Wireless nLite USB Adapter;c:\windows\system32\drivers\rt2870.sys [2010-2-18 580096]S3 vpn-x;VPN-X Virtual Network Interface Card(NIC);c:\windows\system32\drivers\vpn-x.sys [2010-10-2 24960]S3 Wirelecf;Friendly WI-FI Wirelesscfg Util Win2000 XP;c:\windows\system32\drivers\Wirelecf.SYS [2005-9-7 17230]=============== Created Last 30 ================2010-12-04 18:59:06 122880 ----a-w- c:\windows\system32\36.exe2010-12-04 18:40:12 122192 ----a-w- c:\windows\system32\57.exe2010-12-04 11:48:41 272384 ----a-w- c:\windows\system32\xkmq47.exe@2010-12-03 19:52:08 -------- d-----w- c:\docume~1\admin\applic~1\TrojanHunter2010-12-03 16:11:34 -------- d-----w- c:\program files\TrojanHunter 5.32010-12-03 15:32:36 121040 ----a-w- c:\windows\system32\37.exe2010-12-03 15:28:54 121040 ----a-w- c:\windows\system32\77.exe2010-12-03 12:21:31 -------- d-----w- c:\docume~1\admin\applic~1\wsInspector2010-12-03 12:20:46 -------- d-----w- c:\program files\Startup Inspector for Windows2010-12-03 08:47:16 -------- d-----w- c:\docume~1\admin\applic~1\Malwarebytes2010-12-03 08:47:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-12-03 08:47:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes2010-12-03 08:47:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-12-03 08:47:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-12-02 23:21:42 -------- d-----w- c:\windows\pss==================== Find3M ====================2010-10-16 14:11:37 2829 ----a-w- c:\windows\War3Unin.pif2010-10-16 14:11:36 139264 ----a-w- c:\windows\War3Unin.exe============= FINISH: 21:14:04.73 =============== Link to post Share on other sites More sharing options...
Maniac Posted December 5, 2010 ID:356343 Share Posted December 5, 2010 **Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper. Please download ComboFix from Here or Here to your Desktop. **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop** If you are using Firefox, make sure that your download settings are as follows: Open Tools -> Options -> Main tab Set to Always ask me where to Save the files. [*]During the download, rename Combofix to Combo-Fix as follows: [*]It is important you rename Combofix during the download, but not after. [*]Please do not rename Combofix to other names, but only to the one indicated. [*]Close any open browsers. [*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results. Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- [*]Double click on combo-Fix.exe & follow the prompts. [*]When finished, it will produce a report for you. [*]Please post the C:\Combo-Fix.txt for further review. **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall** Link to post Share on other sites More sharing options...
TrojanHunter Posted December 5, 2010 Author ID:356684 Share Posted December 5, 2010 Hey Broislav,In your first post you didn't forbid me from scanning via other tools , so I ran my NOD32 and found the results below.I also researched around and already ran ComboFix.ComboFix seems to have cleaned almost everything, but after a reboot and a few hours of internet usage (much longer than the previous times), i did get the svchost crash again, so i believe there are some small leftovers Thanks for your help! and here are the logs:Scan LogVersion of virus signature database: 5673 (20101204)Date: 12/4/2010 Time: 10:32:58 PMScanned disks, folders and files: C:\WINDOWS\C:\WINDOWS\system32\36.exe - a variant of Win32/Injector.DLJ trojan - cleaned by deleting - quarantined [1]C:\WINDOWS\system32\37.exe - a variant of Win32/Injector.DLJ trojan - cleaned by deleting - quarantined [1]C:\WINDOWS\system32\38.exe - a variant of Win32/Injector.DLJ trojan - cleaned by deleting (after the next restart) [1,2]C:\WINDOWS\system32\57.exe - a variant of Win32/Injector.DLJ trojan - cleaned by deleting - quarantined [1]C:\WINDOWS\system32\77.exe - a variant of Win32/Injector.DLJ trojan - cleaned by deleting - quarantined [1]C:\WINDOWS\system32\88.exe - a variant of Win32/Injector.DLJ trojan - cleaned by deleting (after the next restart) [1,2]C:\WINDOWS\system32\xkmq47.exe@ - a variant of Win32/Injector.DOV trojan - cleaned by deleting - quarantined [1]Number of scanned objects: 87724Number of threats found: 7Number of cleaned objects: 7Time of completion: 10:38:49 PM Total scanning time: 351 sec (00:05:51)-----------------------------------------------------------ComboFix 10-12-03.03 - Admin 12/05/2010 0:03.1.2 - x86Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3327.2740 [GMT 2:00]Running from: c:\documents and settings\Admin\Desktop\orbit.com.exeAV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\Admin\Application Data\BITSc:\documents and settings\Admin\Application Data\BITS\BITS.inic:\windows\system32\imagesc:\windows\system32\images\toolbar\calendar.gifc:\windows\system32\images\toolbar\crlogo.gifc:\windows\system32\images\toolbar\export.gifc:\windows\system32\images\toolbar\export_over.gifc:\windows\system32\images\toolbar\exportd.gifc:\windows\system32\images\toolbar\First.gifc:\windows\system32\images\toolbar\first_over.gifc:\windows\system32\images\toolbar\Firstd.gifc:\windows\system32\images\toolbar\gotopage.gifc:\windows\system32\images\toolbar\gotopage_over.gifc:\windows\system32\images\toolbar\gotopaged.gifc:\windows\system32\images\toolbar\grouptree.gifc:\windows\system32\images\toolbar\grouptree_over.gifc:\windows\system32\images\toolbar\grouptreed.gifc:\windows\system32\images\toolbar\grouptreepressed.gifc:\windows\system32\images\toolbar\Last.gifc:\windows\system32\images\toolbar\last_over.gifc:\windows\system32\images\toolbar\Lastd.gifc:\windows\system32\images\toolbar\Next.gifc:\windows\system32\images\toolbar\next_over.gifc:\windows\system32\images\toolbar\Nextd.gifc:\windows\system32\images\toolbar\Prev.gifc:\windows\system32\images\toolbar\prev_over.gifc:\windows\system32\images\toolbar\Prevd.gifc:\windows\system32\images\toolbar\print.gifc:\windows\system32\images\toolbar\print_over.gifc:\windows\system32\images\toolbar\printd.gifc:\windows\system32\images\toolbar\Refresh.gifc:\windows\system32\images\toolbar\refresh_over.gifc:\windows\system32\images\toolbar\refreshd.gifc:\windows\system32\images\toolbar\Search.gifc:\windows\system32\images\toolbar\search_over.gifc:\windows\system32\images\toolbar\searchd.gifc:\windows\system32\images\toolbar\up.gifc:\windows\system32\images\toolbar\up_over.gifc:\windows\system32\images\toolbar\upd.gifc:\windows\system32\images\tree\begindots.gifc:\windows\system32\images\tree\beginminus.gifc:\windows\system32\images\tree\beginplus.gifc:\windows\system32\images\tree\blank.gifc:\windows\system32\images\tree\blankdots.gifc:\windows\system32\images\tree\dots.gifc:\windows\system32\images\tree\lastdots.gifc:\windows\system32\images\tree\lastminus.gifc:\windows\system32\images\tree\lastplus.gifc:\windows\system32\images\tree\Magnify.gifc:\windows\system32\images\tree\minus.gifc:\windows\system32\images\tree\minusbox.gifc:\windows\system32\images\tree\plus.gifc:\windows\system32\images\tree\plusbox.gifc:\windows\system32\images\tree\singleminus.gifc:\windows\system32\images\tree\singleplus.gifc:\windows\system32\Tempc:\windows\winhelp.ini.((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 ))))))))))))))))))))))))))))))).2010-12-04 21:19 . 2010-12-04 21:19 -------- d-----w- C:\HJT2010-12-03 20:39 . 2010-12-03 20:39 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc2010-12-03 19:52 . 2010-12-03 19:52 -------- d-----w- c:\documents and settings\Admin\Application Data\TrojanHunter2010-12-03 16:11 . 2010-12-04 19:06 -------- d-----w- c:\program files\TrojanHunter 5.32010-12-03 12:21 . 2010-12-03 12:21 -------- d-----w- c:\documents and settings\Admin\Application Data\wsInspector2010-12-03 12:20 . 2010-12-03 12:21 -------- d-----w- c:\program files\Startup Inspector for Windows2010-12-03 08:47 . 2010-12-03 08:47 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes2010-12-03 08:47 . 2010-11-29 15:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-12-03 08:47 . 2010-12-03 08:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2010-12-03 08:47 . 2010-12-03 08:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-12-03 08:47 . 2010-11-29 15:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-10-18 12:43 . 2010-10-18 12:43 231248 ----a-w- c:\windows\system32\drivers\truecrypt.sys2010-10-16 14:11 . 2010-10-16 14:09 2829 ----a-w- c:\windows\War3Unin.pif2010-10-16 14:11 . 2010-10-16 14:09 139264 ----a-w- c:\windows\War3Unin.exe2010-09-11 02:37 . 2010-10-02 09:22 24960 ----a-w- c:\windows\system32\drivers\vpn-x.sys2010-06-16 15:58 . 2010-06-16 15:58 101760 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll.------- Sigcheck -------[7] 2008-07-12 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys[-] 2008-07-12 . A5BC817BB84DCB9E71719FF868144124 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"egui"="c:\program files\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408][HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="c:\\Documents and Settings\\Admin\\Desktop\\utorrent.exe"="c:\\Program Files\\FlashGet\\flashget.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"="c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"="c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"="e:\\Games\\Demigod\\bin\\Demigod.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"=R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [7/31/2008 20:05 150568]R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 14:24 93336]R2 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 14:23 106208]R2 ekrn;ESET Service;c:\program files\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 14:23 727720]R3 US30Kbd;US30Kbd;c:\windows\system32\drivers\US30Kbd2K.sys [9/4/2008 18:18 9216]S2 .EsetTrialReset;Eset Trial Reset;c:\windows\reset.exe [3/13/2009 16:06 357182]S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [4/14/2008 10:00 3584]S3 vpn-x;VPN-X Virtual Network Interface Card(NIC);c:\windows\system32\drivers\vpn-x.sys [10/2/2010 11:22 24960]S3 Wirelecf;Friendly WI-FI Wirelesscfg Util Win2000 XP;c:\windows\system32\drivers\Wirelecf.SYS [9/7/2005 11:09 17230]S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/15/2008 16:13 717296][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12hpdevmgmt REG_MULTI_SZ hpqcxs08..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htmIE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htmIE: &???? ??????? ????-?? - c:\program files\FlashGet\jc_link.htmIE: &???? ??? ??????? ????-?? - c:\program files\FlashGet\jc_all.htmIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\FF - prefs.js: browser.search.selectedEngine - YouTube Video SearchFF - prefs.js: browser.startup.homepage - hxxp://www.walla.co.il/FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dllFF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\plugins\npgoogletalk.dllFF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\plugins\npgoogletalk.dllFF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dllFF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dllFF - plugin: c:\program files\Haihaisoft Universal Player\Codec\Plugins\nppl3260.dllFF - plugin: c:\program files\Haihaisoft Universal Player\Codec\Plugins\npqtplugin.dllFF - plugin: c:\program files\Haihaisoft Universal Player\Codec\Plugins\nprpjplug.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dllFF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dllFF - Extension: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}FF - Extension: Extension Manager Extended: Extended@spanglerco.com - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\Extended@spanglerco.comFF - Extension: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}FF - Extension: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}FF - Extension: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}FF - Extension: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{dc572301-7619-498c-a57d-39143191b318}FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}FF - Extension: Mouse Gestures Redox: {FFA36170-80B1-4535-B0E3-A4569E497DD0} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}FF - Extension: Menu Editor: {EDA7B1D7-F793-4e03-B074-E6F303317FB0} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}FF - Extension: QuickRestart: {F645A8C9-E969-42D9-B3F3-F325537222FD} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}FF - Extension: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}FF - Extension: dragdropupload: {CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9}FF - Extension: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}FF - Extension: Right-Click-Link: {AA6F0803-145A-4200-8E5E-68898D02B5B3} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{AA6F0803-145A-4200-8E5E-68898D02B5B3}FF - Extension: SkipScreen: SkipScreen@SkipScreen - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\SkipScreen@SkipScreenFF - Extension: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}FF - Extension: YouTube to MP3: youtube2mp3@mondayx.de - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\youtube2mp3@mondayx.deFF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}FF - Extension: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}FF - Extension: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}FF - Extension: Google Reader Watcher: grwatcher@ajnasz.hu - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\grwatcher@ajnasz.huFF - Extension: PsicoTSI: {7E77F5DF-8022-40e3-9122-F03DEBEFC43B} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{7E77F5DF-8022-40e3-9122-F03DEBEFC43B}FF - Extension: FoxTrick: {9d1f059c-cada-4111-9696-41a62d64e3ba} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{9d1f059c-cada-4111-9696-41a62d64e3ba}FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff.- - - - ORPHANS REMOVED - - - -SafeBoot-US30Sys.sysAddRemove-FlashGet - c:\program files\FlashGet\uninst.exeAddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exeAddRemove-TF2 lan edition patch - e:\games\Team Fortress 2\uninstall.exeAddRemove-{9FEF4EA5-025F-4D8B-9376-680CA8E77C9C} - c:\documents and settings\Admin\Local Settings\Application Data\{93F12E73-5AED-46C1-AE84-4E311A4255D1}\DeleteFXPFiles2009DemoInstall.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-12-05 00:07Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\S-1-5-21-839522115-261903793-1801674531-1003\Software\SecuROM\License information*]"datasecu"=hex:ce,e1,6f,af,93,55,0b,4e,6f,0e,7b,83,99,6c,ce,93,cf,c4,7d,ec,ba, 9b,45,9d,db,88,d0,6a,7a,6f,02,e2,8f,a9,2e,c7,3b,c8,1d,32,96,37,5d,5d,ae,bb,\"rkeysecu"=hex:46,ff,bb,81,33,3d,2c,e7,0f,bd,b1,88,db,8a,f9,e5.Completion time: 2010-12-05 00:09:07ComboFix-quarantined-files.txt 2010-12-04 22:09Pre-Run: 150,151,061,504 bytes freePost-Run: 151,459,663,872 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsUnsupportedDebug="do not select this" /debugmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect- - End Of File - - 58082152EC5AD8B4C5B2F035BB006A0F Link to post Share on other sites More sharing options...
Maniac Posted December 5, 2010 ID:356778 Share Posted December 5, 2010 Please go to www.virustotal.com and upload the following file:c:\windows\system32\sfcfiles.dllPost the resaults in your next reply.P.S.: Please don't run any online scanners or so on. Link to post Share on other sites More sharing options...
TrojanHunter Posted December 5, 2010 Author ID:356804 Share Posted December 5, 2010 Hey Borislav,The site says 100% safe, results:File name:sfcfiles.dllSubmission date:2010-12-05 21:34:51 (UTC)Current status:queued queued analysing finishedResult:0/ 43 (0.0%) Link to post Share on other sites More sharing options...
Maniac Posted December 5, 2010 ID:356823 Share Posted December 5, 2010 Awesome. Open Notepad and copy and paste the text in the code box below into it:FCopy::c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sysSave the file to your desktop and name it CFScript.txt Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system. Link to post Share on other sites More sharing options...
TrojanHunter Posted December 5, 2010 Author ID:356845 Share Posted December 5, 2010 Hey Borislav,Here's the CF log, thanks again for your help!I hope that solved it ComboFix 10-12-04.02 - Admin 12/06/2010 0:25.2.2 - x86Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3327.2786 [GMT 2:00]Running from: c:\documents and settings\Admin\Desktop\Combo-Fix.exeCommand switches used :: c:\documents and settings\Admin\Desktop\CFScript.txtAV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..--------------- FCopy ---------------c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys.((((((((((((((((((((((((( Files Created from 2010-11-05 to 2010-12-05 ))))))))))))))))))))))))))))))).2010-12-04 21:19 . 2010-12-04 21:19 -------- d-----w- C:\HJT2010-12-03 20:39 . 2010-12-05 00:10 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc2010-12-03 19:52 . 2010-12-03 19:52 -------- d-----w- c:\documents and settings\Admin\Application Data\TrojanHunter2010-12-03 16:11 . 2010-12-04 19:06 -------- d-----w- c:\program files\TrojanHunter 5.32010-12-03 12:21 . 2010-12-03 12:21 -------- d-----w- c:\documents and settings\Admin\Application Data\wsInspector2010-12-03 12:20 . 2010-12-03 12:21 -------- d-----w- c:\program files\Startup Inspector for Windows2010-12-03 08:47 . 2010-12-03 08:47 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes2010-12-03 08:47 . 2010-11-29 15:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-12-03 08:47 . 2010-12-03 08:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2010-12-03 08:47 . 2010-12-03 08:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-12-03 08:47 . 2010-11-29 15:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-10-18 12:43 . 2010-10-18 12:43 231248 ----a-w- c:\windows\system32\drivers\truecrypt.sys2010-10-16 14:11 . 2010-10-16 14:09 2829 ----a-w- c:\windows\War3Unin.pif2010-10-16 14:11 . 2010-10-16 14:09 139264 ----a-w- c:\windows\War3Unin.exe2010-09-11 02:37 . 2010-10-02 09:22 24960 ----a-w- c:\windows\system32\drivers\vpn-x.sys2010-06-16 15:58 . 2010-06-16 15:58 101760 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll.------- Sigcheck -------[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"egui"="c:\program files\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408][HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="c:\\Documents and Settings\\Admin\\Desktop\\utorrent.exe"="c:\\Program Files\\FlashGet\\flashget.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"="c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"="c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"="e:\\Games\\Demigod\\bin\\Demigod.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"=R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [7/31/2008 20:05 150568]R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 14:24 93336]R2 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 14:23 106208]R2 ekrn;ESET Service;c:\program files\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 14:23 727720]R3 US30Kbd;US30Kbd;c:\windows\system32\drivers\US30Kbd2K.sys [9/4/2008 18:18 9216]S2 .EsetTrialReset;Eset Trial Reset;c:\windows\reset.exe [3/13/2009 16:06 357182]S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [4/14/2008 10:00 3584]S3 vpn-x;VPN-X Virtual Network Interface Card(NIC);c:\windows\system32\drivers\vpn-x.sys [10/2/2010 11:22 24960]S3 Wirelecf;Friendly WI-FI Wirelesscfg Util Win2000 XP;c:\windows\system32\drivers\Wirelecf.SYS [9/7/2005 11:09 17230]S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/15/2008 16:13 717296][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12hpdevmgmt REG_MULTI_SZ hpqcxs08..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htmIE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htmIE: &???? ??????? ????-?? - c:\program files\FlashGet\jc_link.htmIE: &???? ??? ??????? ????-?? - c:\program files\FlashGet\jc_all.htmIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\FF - prefs.js: browser.search.selectedEngine - YouTube Video SearchFF - prefs.js: browser.startup.homepage - hxxp://www.walla.co.il/FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dllFF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\plugins\npgoogletalk.dllFF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dllFF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dllFF - plugin: c:\program files\Haihaisoft Universal Player\Codec\Plugins\nppl3260.dllFF - plugin: c:\program files\Haihaisoft Universal Player\Codec\Plugins\npqtplugin.dllFF - plugin: c:\program files\Haihaisoft Universal Player\Codec\Plugins\nprpjplug.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dllFF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dllFF - Extension: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}FF - Extension: Extension Manager Extended: Extended@spanglerco.com - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\Extended@spanglerco.comFF - Extension: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}FF - Extension: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}FF - Extension: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}FF - Extension: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{dc572301-7619-498c-a57d-39143191b318}FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}FF - Extension: Mouse Gestures Redox: {FFA36170-80B1-4535-B0E3-A4569E497DD0} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}FF - Extension: Menu Editor: {EDA7B1D7-F793-4e03-B074-E6F303317FB0} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}FF - Extension: QuickRestart: {F645A8C9-E969-42D9-B3F3-F325537222FD} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}FF - Extension: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}FF - Extension: dragdropupload: {CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9}FF - Extension: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}FF - Extension: Right-Click-Link: {AA6F0803-145A-4200-8E5E-68898D02B5B3} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{AA6F0803-145A-4200-8E5E-68898D02B5B3}FF - Extension: SkipScreen: SkipScreen@SkipScreen - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\SkipScreen@SkipScreenFF - Extension: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}FF - Extension: YouTube to MP3: youtube2mp3@mondayx.de - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\youtube2mp3@mondayx.deFF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}FF - Extension: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}FF - Extension: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}FF - Extension: Google Reader Watcher: grwatcher@ajnasz.hu - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\grwatcher@ajnasz.huFF - Extension: PsicoTSI: {7E77F5DF-8022-40e3-9122-F03DEBEFC43B} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{7E77F5DF-8022-40e3-9122-F03DEBEFC43B}FF - Extension: FoxTrick: {9d1f059c-cada-4111-9696-41a62d64e3ba} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{9d1f059c-cada-4111-9696-41a62d64e3ba}FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-12-06 00:32Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\S-1-5-21-839522115-261903793-1801674531-1003\Software\SecuROM\License information*]"datasecu"=hex:ce,e1,6f,af,93,55,0b,4e,6f,0e,7b,83,99,6c,ce,93,cf,c4,7d,ec,ba, 9b,45,9d,db,88,d0,6a,7a,6f,02,e2,8f,a9,2e,c7,3b,c8,1d,32,96,37,5d,5d,ae,bb,\"rkeysecu"=hex:46,ff,bb,81,33,3d,2c,e7,0f,bd,b1,88,db,8a,f9,e5.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'explorer.exe'(15804)c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.Completion time: 2010-12-06 00:33:47ComboFix-quarantined-files.txt 2010-12-05 22:33Pre-Run: 149,854,629,888 bytes freePost-Run: 149,843,521,536 bytes free- - End Of File - - DBD422F4F1BD4086536DACCC351AB27B Link to post Share on other sites More sharing options...
Maniac Posted December 6, 2010 ID:357018 Share Posted December 6, 2010 How are things running now? Link to post Share on other sites More sharing options...
TrojanHunter Posted December 6, 2010 Author ID:357323 Share Posted December 6, 2010 Hey Borislav,The situation stayed the same as after the first ComboFix - Everything looks good, but after a random number of hours there's an svchost crash which is hard to recreate (tho it just happened now).Any ideas? Thanks Link to post Share on other sites More sharing options...
Maniac Posted December 6, 2010 ID:357338 Share Posted December 6, 2010 Please uninstall ESET NOD32 Antivirus and NOD32 v3.0.642 FiX1.2 by TemDono (31 days remaining forever up . Download and install the latest and clean version of NOD32 or just another free antivirus like:http://www.avast.com/free-antivirus-downloadhttp://free.avg.com/ww-en/homepagehttp://www.free-av.com/http://www.microsoft.com/security_essentials/Manually update it and perform a full scan. Let me know about the resaults. Link to post Share on other sites More sharing options...
TrojanHunter Posted December 6, 2010 Author ID:357405 Share Posted December 6, 2010 Hey Borislav,I understand your concerns about the patched NOD32, I can only assure you from my software engineering background that the problem doesn't come from there.It's fully updated and I've been using it for about a year with zero hiccups until now, with it being the only malware protection I have...Please try to assume that this isn't the problem, if you don't want to continue supporting this issue, I understand and thank you for your great help.If you are willing to make that assumption - I ran another full scan and ComboFix, these are the logs:NOD32:Scan LogVersion of virus signature database: 5679 (20101206)Date: 12/6/2010 Time: 9:15:49 PMScanned disks, folders and files: Operating memory;C:\Boot sector;C:\cmdcons\;C:\Config.Msi\;C:\Documents and Settings\;C:\Downloads\;C:\GameInstalls\;C:\Games\;C:\HJT\;C:\MSOCache\;C:\NVIDIA\;C:\Program Files\;C:\Qoobox\;C:\SchoolPrograms\;C:\Stuff\;C:\System Volume Information\;C:\WINDOWS\;C:\aaw7boot.log;C:\AUTOEXEC.BAT;C:\bar.emf;C:\Boot.bak;C:\boot.ini;C:\cmldr;C:\ComboFix.txt;C:\CONFIG.SYS;C:\DOSH.sis;C:\IO.SYS;C:\logwmemory.bin;C:\MSDOS.SYS;C:\NTDETECT.COM;C:\ntldr;C:\pagefile.sys;C:\sqmdata00.sqm;C:\sqmnoopt00.sqmC:\Documents and Settings\Admin\.nbi\tmp\logic,1.jar.7 Link to post Share on other sites More sharing options...
Maniac Posted December 6, 2010 ID:357414 Share Posted December 6, 2010 Sorry but I'm technical support at ESET NOD32 Bulgarian Forums. Also, I'm against it. Thus you do not appreciate my help, do not appreciate the work of my colleagues do not appreciate your information. Quite deliberately, you treat negligent and I'm disappointed. This patch for your antivirus program contains malicious code, he manipulates NOD32 and determine its actions. This is not normal, this is not legally, as you and those people who created it are in violation of several laws. I'll ask you one last time, Rethink this whole situation, otherwise someone would ask my colleagues to take up your case if desired. Link to post Share on other sites More sharing options...
TrojanHunter Posted December 6, 2010 Author ID:357417 Share Posted December 6, 2010 Like I said I understand your view, you may close this thread, I'll figure a solution somehow.Thank you for all your kind help! Link to post Share on other sites More sharing options...
Maniac Posted December 6, 2010 ID:357424 Share Posted December 6, 2010 Are you sure? A colleague could help you. Link to post Share on other sites More sharing options...
TrojanHunter Posted December 6, 2010 Author ID:357429 Share Posted December 6, 2010 Yes, it's fine, I like a bit of challenge anyway Link to post Share on other sites More sharing options...
Maniac Posted December 6, 2010 ID:357433 Share Posted December 6, 2010 I wish you a good luck! Link to post Share on other sites More sharing options...
LDTate Posted December 6, 2010 ID:357452 Share Posted December 6, 2010 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts