Jump to content

Help completely remove a trojan


Recommended Posts

Hey, I've recently started encountering svchost crashes (which disable internet and audio services) after a few minutes of PC use.

I ran TrojanHunter with these results:

Found trojan file: C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe (Vilsel.488)

Found trojan file: C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe (Genome.908)

Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_clean_ADF.exe (Katusha.321)

Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_insert_card.exe (Katusha.321)

Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_jams.exe (Katusha.321)

Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_load_ADF.exe (Katusha.321)

Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_load_envelopes.exe (Katusha.321)

Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_load_glass.exe (Katusha.321)

Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_load_small.exe (Katusha.321)

Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_load_standard.exe (Katusha.321)

Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_replace_printcartridge.exe (Katusha.321)

Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_scan_card.exe (Katusha.321)

Found trojan file: C:\Program Files\HP\Digital Imaging\help\player\fscommand\J6400_transfer_scanner.exe (Katusha.321)

Found trojan file: C:\Program Files\VLC\vlc.exe (Bacteraloh.102)

Found trojan file: C:\Program Files\WinRAR\Default.SFX (Agent.6714)

Found trojan file: C:\Program Files\WinRAR\Zip.SFX (QHost.142)

Found trojan file: C:\Stuff\Misc\Picture Resize Genius.exe (TrojanDropper.Binder.130)

Found trojan file: C:\WINDOWS\RunHiddenConsole.exe (RiskTool.Hidec.100)

I spotted the problematic file - the pic resizer, which nod32 (updated 4.0.314) didn't spot as a threat.

I've tried cleaning it with the TrojanHunter, which seem to have done the trick until the next reboot, but it didn't solve the svchost crashing problem after that, so i guess the infection is still here.

Weird but MBAM didn't find anything even before the TrojanHunter run, and nothing after.

Here are the DDS and ark logs (i guess the 77.exe and 37.exe new files in windows folder are part of the infection, but i haven't touched anything yet)

Thanks a lot!

DDS log:

DDS (Ver_10-11-27.01) - NTFSx86

Run by Admin at 11:57:19.34 on Sat 12/04/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3327.2779 [GMT 2:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\EDIMAX\Common\RalinkRegistryWriter.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\CRC Check XP\US30Service.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\Documents and Settings\Admin\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [egui] "c:\program files\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm

IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm

IE: &???? ??????? ????-?? - c:\program files\flashget\jc_link.htm

IE: &???? ??? ??????? ????-?? - c:\program files\flashget\jc_all.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217592368135

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {9EB720C7-2B88-44EA-94ED-B72CFEA29942} = 109.226.0.82 109.226.4.18

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\

FF - prefs.js: browser.search.selectedEngine - YouTube Video Search

FF - prefs.js: browser.startup.homepage - hxxp://www.walla.co.il/

FF - plugin: c:\documents and settings\admin\application data\mozilla\firefox\profiles\txdw5lu2.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll

FF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\haihaisoft universal player\codec\plugins\nppl3260.dll

FF - plugin: c:\program files\haihaisoft universal player\codec\plugins\npqtplugin.dll

FF - plugin: c:\program files\haihaisoft universal player\codec\plugins\nprpjplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Extension: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}

FF - Extension: Extension Manager Extended: Extended@spanglerco.com - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\Extended@spanglerco.com

FF - Extension: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}

FF - Extension: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}

FF - Extension: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}

FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Extension: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{dc572301-7619-498c-a57d-39143191b318}

FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

FF - Extension: Mouse Gestures Redox: {FFA36170-80B1-4535-B0E3-A4569E497DD0} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}

FF - Extension: Menu Editor: {EDA7B1D7-F793-4e03-B074-E6F303317FB0} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}

FF - Extension: QuickRestart: {F645A8C9-E969-42D9-B3F3-F325537222FD} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}

FF - Extension: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

FF - Extension: dragdropupload: {CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9}

FF - Extension: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}

FF - Extension: Right-Click-Link: {AA6F0803-145A-4200-8E5E-68898D02B5B3} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{AA6F0803-145A-4200-8E5E-68898D02B5B3}

FF - Extension: SkipScreen: SkipScreen@SkipScreen - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\SkipScreen@SkipScreen

FF - Extension: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}

FF - Extension: YouTube to MP3: youtube2mp3@mondayx.de - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\youtube2mp3@mondayx.de

FF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

FF - Extension: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}

FF - Extension: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}

FF - Extension: Google Reader Watcher: grwatcher@ajnasz.hu - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\grwatcher@ajnasz.hu

FF - Extension: PsicoTSI: {7E77F5DF-8022-40e3-9122-F03DEBEFC43B} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{7E77F5DF-8022-40e3-9122-F03DEBEFC43B}

FF - Extension: FoxTrick: {9d1f059c-cada-4111-9696-41a62d64e3ba} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{9d1f059c-cada-4111-9696-41a62d64e3ba}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-7-31 150568]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]

R2 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]

R2 ekrn;ESET Service;c:\program files\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]

R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\edimax\common\RalinkRegistryWriter.exe [2010-2-18 69632]

R3 US30Kbd;US30Kbd;c:\windows\system32\drivers\US30Kbd2K.sys [2008-9-4 9216]

S2 .EsetTrialReset;Eset Trial Reset;c:\windows\reset.exe [2009-3-13 357182]

S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2008-4-14 3584]

S3 rt2870;Wireless nLite USB Adapter;c:\windows\system32\drivers\rt2870.sys [2010-2-18 580096]

S3 vpn-x;VPN-X Virtual Network Interface Card(NIC);c:\windows\system32\drivers\vpn-x.sys [2010-10-2 24960]

S3 Wirelecf;Friendly WI-FI Wirelesscfg Util Win2000 XP;c:\windows\system32\drivers\Wirelecf.SYS [2005-9-7 17230]

=============== Created Last 30 ================

2010-12-03 19:52:08 -------- d-----w- c:\docume~1\admin\applic~1\TrojanHunter

2010-12-03 16:11:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\TrojanHunter

2010-12-03 16:11:34 -------- d-----w- c:\program files\TrojanHunter 5.3

2010-12-03 15:32:36 121040 ----a-w- c:\windows\system32\37.exe

2010-12-03 15:28:54 121040 ----a-w- c:\windows\system32\77.exe

2010-12-03 12:21:31 -------- d-----w- c:\docume~1\admin\applic~1\wsInspector

2010-12-03 12:20:46 -------- d-----w- c:\program files\Startup Inspector for Windows

2010-12-03 08:47:16 -------- d-----w- c:\docume~1\admin\applic~1\Malwarebytes

2010-12-03 08:47:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-03 08:47:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-12-03 08:47:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-03 08:47:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-02 23:21:42 -------- d-----w- c:\windows\pss

==================== Find3M ====================

2010-10-16 14:11:37 2829 ----a-w- c:\windows\War3Unin.pif

2010-10-16 14:11:36 139264 ----a-w- c:\windows\War3Unin.exe

============= FINISH: 11:57:47.31 ===============

Attach.zip

Link to post
Share on other sites

Hello TrojanHunter! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.
  • Keep me informed about any changes.

TrojanHunter is a real problem. What were detected and removed from your computer are false positives.

http://service1.symantec.com/sarc/sarc.nsf...e.positive.html

I suggest you to uninstall this program.

You use the fix for NOD32, which contains malicious code and damage your antivirus product. If you can not pay the license for NOD32, I recommend you a free antivirus software - Avira AntiVir, Avast Antivirus or Microsoft Security Essentials.

Step 1

Going over your logs I noticed that you have

Link to post
Share on other sites

Hey Borislav!

Thanks for the quick reply.

I had no idea that TrojanHunter is so unreliable, I uninstalled it.

Regarding emule and utorrent, i haven't used them in about a year, i'll probably uninstall them when i get to it.

About those vsjitdebugger processes you can see running, i don't close them because if i do i lose internet access...

Here is an updated mbam log(last run was with 5236 i think) and DDS (i see more files in windows32 folder :/ )

Thanks again!

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5243

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

12/4/2010 21:10:24

mbam-log-2010-12-04 (21-10-24).txt

Scan type: Quick scan

Objects scanned: 157086

Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

----------

DDS:

DDS (Ver_10-11-27.01) - NTFSx86

Run by Admin at 21:13:42.18 on Sat 12/04/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3327.2618 [GMT 2:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\EDIMAX\Common\RalinkRegistryWriter.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\CRC Check XP\US30Service.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\vsjitdebugger.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Admin\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [egui] "c:\program files\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm

IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm

IE: &???? ??????? ????-?? - c:\program files\flashget\jc_link.htm

IE: &???? ??? ??????? ????-?? - c:\program files\flashget\jc_all.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217592368135

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {9EB720C7-2B88-44EA-94ED-B72CFEA29942} = 109.226.0.82 109.226.4.18

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\

FF - prefs.js: browser.search.selectedEngine - YouTube Video Search

FF - prefs.js: browser.startup.homepage - hxxp://www.walla.co.il/

FF - plugin: c:\documents and settings\admin\application data\mozilla\firefox\profiles\txdw5lu2.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll

FF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\haihaisoft universal player\codec\plugins\nppl3260.dll

FF - plugin: c:\program files\haihaisoft universal player\codec\plugins\npqtplugin.dll

FF - plugin: c:\program files\haihaisoft universal player\codec\plugins\nprpjplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Extension: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}

FF - Extension: Extension Manager Extended: Extended@spanglerco.com - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\Extended@spanglerco.com

FF - Extension: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}

FF - Extension: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}

FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Extension: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{dc572301-7619-498c-a57d-39143191b318}

FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

FF - Extension: Mouse Gestures Redox: {FFA36170-80B1-4535-B0E3-A4569E497DD0} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}

FF - Extension: Menu Editor: {EDA7B1D7-F793-4e03-B074-E6F303317FB0} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}

FF - Extension: QuickRestart: {F645A8C9-E969-42D9-B3F3-F325537222FD} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}

FF - Extension: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

FF - Extension: dragdropupload: {CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9}

FF - Extension: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}

FF - Extension: Right-Click-Link: {AA6F0803-145A-4200-8E5E-68898D02B5B3} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{AA6F0803-145A-4200-8E5E-68898D02B5B3}

FF - Extension: SkipScreen: SkipScreen@SkipScreen - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\SkipScreen@SkipScreen

FF - Extension: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}

FF - Extension: YouTube to MP3: youtube2mp3@mondayx.de - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\youtube2mp3@mondayx.de

FF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

FF - Extension: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}

FF - Extension: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}

FF - Extension: Google Reader Watcher: grwatcher@ajnasz.hu - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\grwatcher@ajnasz.hu

FF - Extension: PsicoTSI: {7E77F5DF-8022-40e3-9122-F03DEBEFC43B} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{7E77F5DF-8022-40e3-9122-F03DEBEFC43B}

FF - Extension: FoxTrick: {9d1f059c-cada-4111-9696-41a62d64e3ba} - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\txdw5lu2.default\extensions\{9d1f059c-cada-4111-9696-41a62d64e3ba}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-7-31 150568]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]

R2 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]

R2 ekrn;ESET Service;c:\program files\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]

R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\edimax\common\RalinkRegistryWriter.exe [2010-2-18 69632]

R3 US30Kbd;US30Kbd;c:\windows\system32\drivers\US30Kbd2K.sys [2008-9-4 9216]

S2 .EsetTrialReset;Eset Trial Reset;c:\windows\reset.exe [2009-3-13 357182]

S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2008-4-14 3584]

S3 rt2870;Wireless nLite USB Adapter;c:\windows\system32\drivers\rt2870.sys [2010-2-18 580096]

S3 vpn-x;VPN-X Virtual Network Interface Card(NIC);c:\windows\system32\drivers\vpn-x.sys [2010-10-2 24960]

S3 Wirelecf;Friendly WI-FI Wirelesscfg Util Win2000 XP;c:\windows\system32\drivers\Wirelecf.SYS [2005-9-7 17230]

=============== Created Last 30 ================

2010-12-04 18:59:06 122880 ----a-w- c:\windows\system32\36.exe

2010-12-04 18:40:12 122192 ----a-w- c:\windows\system32\57.exe

2010-12-04 11:48:41 272384 ----a-w- c:\windows\system32\xkmq47.exe@

2010-12-03 19:52:08 -------- d-----w- c:\docume~1\admin\applic~1\TrojanHunter

2010-12-03 16:11:34 -------- d-----w- c:\program files\TrojanHunter 5.3

2010-12-03 15:32:36 121040 ----a-w- c:\windows\system32\37.exe

2010-12-03 15:28:54 121040 ----a-w- c:\windows\system32\77.exe

2010-12-03 12:21:31 -------- d-----w- c:\docume~1\admin\applic~1\wsInspector

2010-12-03 12:20:46 -------- d-----w- c:\program files\Startup Inspector for Windows

2010-12-03 08:47:16 -------- d-----w- c:\docume~1\admin\applic~1\Malwarebytes

2010-12-03 08:47:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-03 08:47:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-12-03 08:47:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-03 08:47:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-02 23:21:42 -------- d-----w- c:\windows\pss

==================== Find3M ====================

2010-10-16 14:11:37 2829 ----a-w- c:\windows\War3Unin.pif

2010-10-16 14:11:36 139264 ----a-w- c:\windows\War3Unin.exe

============= FINISH: 21:14:04.73 ===============

Link to post
Share on other sites

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Link to post
Share on other sites

Hey Broislav,

In your first post you didn't forbid me from scanning via other tools :( , so I ran my NOD32 and found the results below.

I also researched around and already ran ComboFix.

ComboFix seems to have cleaned almost everything, but after a reboot and a few hours of internet usage (much longer than the previous times), i did get the svchost crash again, so i believe there are some small leftovers :)

Thanks for your help! and here are the logs:

Scan Log

Version of virus signature database: 5673 (20101204)

Date: 12/4/2010 Time: 10:32:58 PM

Scanned disks, folders and files: C:\WINDOWS\

C:\WINDOWS\system32\36.exe - a variant of Win32/Injector.DLJ trojan - cleaned by deleting - quarantined [1]

C:\WINDOWS\system32\37.exe - a variant of Win32/Injector.DLJ trojan - cleaned by deleting - quarantined [1]

C:\WINDOWS\system32\38.exe - a variant of Win32/Injector.DLJ trojan - cleaned by deleting (after the next restart) [1,2]

C:\WINDOWS\system32\57.exe - a variant of Win32/Injector.DLJ trojan - cleaned by deleting - quarantined [1]

C:\WINDOWS\system32\77.exe - a variant of Win32/Injector.DLJ trojan - cleaned by deleting - quarantined [1]

C:\WINDOWS\system32\88.exe - a variant of Win32/Injector.DLJ trojan - cleaned by deleting (after the next restart) [1,2]

C:\WINDOWS\system32\xkmq47.exe@ - a variant of Win32/Injector.DOV trojan - cleaned by deleting - quarantined [1]

Number of scanned objects: 87724

Number of threats found: 7

Number of cleaned objects: 7

Time of completion: 10:38:49 PM Total scanning time: 351 sec (00:05:51)

-----------------------------------------------------------

ComboFix 10-12-03.03 - Admin 12/05/2010 0:03.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3327.2740 [GMT 2:00]

Running from: c:\documents and settings\Admin\Desktop\orbit.com.exe

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Admin\Application Data\BITS

c:\documents and settings\Admin\Application Data\BITS\BITS.ini

c:\windows\system32\images

c:\windows\system32\images\toolbar\calendar.gif

c:\windows\system32\images\toolbar\crlogo.gif

c:\windows\system32\images\toolbar\export.gif

c:\windows\system32\images\toolbar\export_over.gif

c:\windows\system32\images\toolbar\exportd.gif

c:\windows\system32\images\toolbar\First.gif

c:\windows\system32\images\toolbar\first_over.gif

c:\windows\system32\images\toolbar\Firstd.gif

c:\windows\system32\images\toolbar\gotopage.gif

c:\windows\system32\images\toolbar\gotopage_over.gif

c:\windows\system32\images\toolbar\gotopaged.gif

c:\windows\system32\images\toolbar\grouptree.gif

c:\windows\system32\images\toolbar\grouptree_over.gif

c:\windows\system32\images\toolbar\grouptreed.gif

c:\windows\system32\images\toolbar\grouptreepressed.gif

c:\windows\system32\images\toolbar\Last.gif

c:\windows\system32\images\toolbar\last_over.gif

c:\windows\system32\images\toolbar\Lastd.gif

c:\windows\system32\images\toolbar\Next.gif

c:\windows\system32\images\toolbar\next_over.gif

c:\windows\system32\images\toolbar\Nextd.gif

c:\windows\system32\images\toolbar\Prev.gif

c:\windows\system32\images\toolbar\prev_over.gif

c:\windows\system32\images\toolbar\Prevd.gif

c:\windows\system32\images\toolbar\print.gif

c:\windows\system32\images\toolbar\print_over.gif

c:\windows\system32\images\toolbar\printd.gif

c:\windows\system32\images\toolbar\Refresh.gif

c:\windows\system32\images\toolbar\refresh_over.gif

c:\windows\system32\images\toolbar\refreshd.gif

c:\windows\system32\images\toolbar\Search.gif

c:\windows\system32\images\toolbar\search_over.gif

c:\windows\system32\images\toolbar\searchd.gif

c:\windows\system32\images\toolbar\up.gif

c:\windows\system32\images\toolbar\up_over.gif

c:\windows\system32\images\toolbar\upd.gif

c:\windows\system32\images\tree\begindots.gif

c:\windows\system32\images\tree\beginminus.gif

c:\windows\system32\images\tree\beginplus.gif

c:\windows\system32\images\tree\blank.gif

c:\windows\system32\images\tree\blankdots.gif

c:\windows\system32\images\tree\dots.gif

c:\windows\system32\images\tree\lastdots.gif

c:\windows\system32\images\tree\lastminus.gif

c:\windows\system32\images\tree\lastplus.gif

c:\windows\system32\images\tree\Magnify.gif

c:\windows\system32\images\tree\minus.gif

c:\windows\system32\images\tree\minusbox.gif

c:\windows\system32\images\tree\plus.gif

c:\windows\system32\images\tree\plusbox.gif

c:\windows\system32\images\tree\singleminus.gif

c:\windows\system32\images\tree\singleplus.gif

c:\windows\system32\Temp

c:\windows\winhelp.ini

.

((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 )))))))))))))))))))))))))))))))

.

2010-12-04 21:19 . 2010-12-04 21:19 -------- d-----w- C:\HJT

2010-12-03 20:39 . 2010-12-03 20:39 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc

2010-12-03 19:52 . 2010-12-03 19:52 -------- d-----w- c:\documents and settings\Admin\Application Data\TrojanHunter

2010-12-03 16:11 . 2010-12-04 19:06 -------- d-----w- c:\program files\TrojanHunter 5.3

2010-12-03 12:21 . 2010-12-03 12:21 -------- d-----w- c:\documents and settings\Admin\Application Data\wsInspector

2010-12-03 12:20 . 2010-12-03 12:21 -------- d-----w- c:\program files\Startup Inspector for Windows

2010-12-03 08:47 . 2010-12-03 08:47 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes

2010-12-03 08:47 . 2010-11-29 15:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-03 08:47 . 2010-12-03 08:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-12-03 08:47 . 2010-12-03 08:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-03 08:47 . 2010-11-29 15:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-18 12:43 . 2010-10-18 12:43 231248 ----a-w- c:\windows\system32\drivers\truecrypt.sys

2010-10-16 14:11 . 2010-10-16 14:09 2829 ----a-w- c:\windows\War3Unin.pif

2010-10-16 14:11 . 2010-10-16 14:09 139264 ----a-w- c:\windows\War3Unin.exe

2010-09-11 02:37 . 2010-10-02 09:22 24960 ----a-w- c:\windows\system32\drivers\vpn-x.sys

2010-06-16 15:58 . 2010-06-16 15:58 101760 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

.

------- Sigcheck -------

[7] 2008-07-12 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2008-07-12 . A5BC817BB84DCB9E71719FF868144124 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"egui"="c:\program files\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Documents and Settings\\Admin\\Desktop\\utorrent.exe"=

"c:\\Program Files\\FlashGet\\flashget.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"e:\\Games\\Demigod\\bin\\Demigod.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [7/31/2008 20:05 150568]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 14:24 93336]

R2 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 14:23 106208]

R2 ekrn;ESET Service;c:\program files\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 14:23 727720]

R3 US30Kbd;US30Kbd;c:\windows\system32\drivers\US30Kbd2K.sys [9/4/2008 18:18 9216]

S2 .EsetTrialReset;Eset Trial Reset;c:\windows\reset.exe [3/13/2009 16:06 357182]

S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [4/14/2008 10:00 3584]

S3 vpn-x;VPN-X Virtual Network Interface Card(NIC);c:\windows\system32\drivers\vpn-x.sys [10/2/2010 11:22 24960]

S3 Wirelecf;Friendly WI-FI Wirelesscfg Util Win2000 XP;c:\windows\system32\drivers\Wirelecf.SYS [9/7/2005 11:09 17230]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/15/2008 16:13 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm

IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm

IE: &???? ??????? ????-?? - c:\program files\FlashGet\jc_link.htm

IE: &???? ??? ??????? ????-?? - c:\program files\FlashGet\jc_all.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\

FF - prefs.js: browser.search.selectedEngine - YouTube Video Search

FF - prefs.js: browser.startup.homepage - hxxp://www.walla.co.il/

FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll

FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Haihaisoft Universal Player\Codec\Plugins\nppl3260.dll

FF - plugin: c:\program files\Haihaisoft Universal Player\Codec\Plugins\npqtplugin.dll

FF - plugin: c:\program files\Haihaisoft Universal Player\Codec\Plugins\nprpjplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - Extension: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}

FF - Extension: Extension Manager Extended: Extended@spanglerco.com - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\Extended@spanglerco.com

FF - Extension: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}

FF - Extension: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}

FF - Extension: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}

FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Extension: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{dc572301-7619-498c-a57d-39143191b318}

FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

FF - Extension: Mouse Gestures Redox: {FFA36170-80B1-4535-B0E3-A4569E497DD0} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}

FF - Extension: Menu Editor: {EDA7B1D7-F793-4e03-B074-E6F303317FB0} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}

FF - Extension: QuickRestart: {F645A8C9-E969-42D9-B3F3-F325537222FD} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}

FF - Extension: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

FF - Extension: dragdropupload: {CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9}

FF - Extension: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}

FF - Extension: Right-Click-Link: {AA6F0803-145A-4200-8E5E-68898D02B5B3} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{AA6F0803-145A-4200-8E5E-68898D02B5B3}

FF - Extension: SkipScreen: SkipScreen@SkipScreen - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\SkipScreen@SkipScreen

FF - Extension: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}

FF - Extension: YouTube to MP3: youtube2mp3@mondayx.de - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\youtube2mp3@mondayx.de

FF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

FF - Extension: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}

FF - Extension: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}

FF - Extension: Google Reader Watcher: grwatcher@ajnasz.hu - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\grwatcher@ajnasz.hu

FF - Extension: PsicoTSI: {7E77F5DF-8022-40e3-9122-F03DEBEFC43B} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{7E77F5DF-8022-40e3-9122-F03DEBEFC43B}

FF - Extension: FoxTrick: {9d1f059c-cada-4111-9696-41a62d64e3ba} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{9d1f059c-cada-4111-9696-41a62d64e3ba}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-US30Sys.sys

AddRemove-FlashGet - c:\program files\FlashGet\uninst.exe

AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe

AddRemove-TF2 lan edition patch - e:\games\Team Fortress 2\uninstall.exe

AddRemove-{9FEF4EA5-025F-4D8B-9376-680CA8E77C9C} - c:\documents and settings\Admin\Local Settings\Application Data\{93F12E73-5AED-46C1-AE84-4E311A4255D1}\DeleteFXPFiles2009DemoInstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-05 00:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-261903793-1801674531-1003\Software\SecuROM\License information*]

"datasecu"=hex:ce,e1,6f,af,93,55,0b,4e,6f,0e,7b,83,99,6c,ce,93,cf,c4,7d,ec,ba,

9b,45,9d,db,88,d0,6a,7a,6f,02,e2,8f,a9,2e,c7,3b,c8,1d,32,96,37,5d,5d,ae,bb,\

"rkeysecu"=hex:46,ff,bb,81,33,3d,2c,e7,0f,bd,b1,88,db,8a,f9,e5

.

Completion time: 2010-12-05 00:09:07

ComboFix-quarantined-files.txt 2010-12-04 22:09

Pre-Run: 150,151,061,504 bytes free

Post-Run: 151,459,663,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 58082152EC5AD8B4C5B2F035BB006A0F

Link to post
Share on other sites

Awesome. ;)

Open Notepad and copy and paste the text in the code box below into it:

FCopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Link to post
Share on other sites

Hey Borislav,

Here's the CF log, thanks again for your help!

I hope that solved it ;)

ComboFix 10-12-04.02 - Admin 12/06/2010 0:25.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3327.2786 [GMT 2:00]

Running from: c:\documents and settings\Admin\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((( Files Created from 2010-11-05 to 2010-12-05 )))))))))))))))))))))))))))))))

.

2010-12-04 21:19 . 2010-12-04 21:19 -------- d-----w- C:\HJT

2010-12-03 20:39 . 2010-12-05 00:10 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc

2010-12-03 19:52 . 2010-12-03 19:52 -------- d-----w- c:\documents and settings\Admin\Application Data\TrojanHunter

2010-12-03 16:11 . 2010-12-04 19:06 -------- d-----w- c:\program files\TrojanHunter 5.3

2010-12-03 12:21 . 2010-12-03 12:21 -------- d-----w- c:\documents and settings\Admin\Application Data\wsInspector

2010-12-03 12:20 . 2010-12-03 12:21 -------- d-----w- c:\program files\Startup Inspector for Windows

2010-12-03 08:47 . 2010-12-03 08:47 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes

2010-12-03 08:47 . 2010-11-29 15:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-03 08:47 . 2010-12-03 08:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-12-03 08:47 . 2010-12-03 08:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-03 08:47 . 2010-11-29 15:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-18 12:43 . 2010-10-18 12:43 231248 ----a-w- c:\windows\system32\drivers\truecrypt.sys

2010-10-16 14:11 . 2010-10-16 14:09 2829 ----a-w- c:\windows\War3Unin.pif

2010-10-16 14:11 . 2010-10-16 14:09 139264 ----a-w- c:\windows\War3Unin.exe

2010-09-11 02:37 . 2010-10-02 09:22 24960 ----a-w- c:\windows\system32\drivers\vpn-x.sys

2010-06-16 15:58 . 2010-06-16 15:58 101760 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

.

------- Sigcheck -------

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"egui"="c:\program files\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Documents and Settings\\Admin\\Desktop\\utorrent.exe"=

"c:\\Program Files\\FlashGet\\flashget.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"e:\\Games\\Demigod\\bin\\Demigod.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [7/31/2008 20:05 150568]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 14:24 93336]

R2 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 14:23 106208]

R2 ekrn;ESET Service;c:\program files\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 14:23 727720]

R3 US30Kbd;US30Kbd;c:\windows\system32\drivers\US30Kbd2K.sys [9/4/2008 18:18 9216]

S2 .EsetTrialReset;Eset Trial Reset;c:\windows\reset.exe [3/13/2009 16:06 357182]

S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [4/14/2008 10:00 3584]

S3 vpn-x;VPN-X Virtual Network Interface Card(NIC);c:\windows\system32\drivers\vpn-x.sys [10/2/2010 11:22 24960]

S3 Wirelecf;Friendly WI-FI Wirelesscfg Util Win2000 XP;c:\windows\system32\drivers\Wirelecf.SYS [9/7/2005 11:09 17230]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/15/2008 16:13 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm

IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm

IE: &???? ??????? ????-?? - c:\program files\FlashGet\jc_link.htm

IE: &???? ??? ??????? ????-?? - c:\program files\FlashGet\jc_all.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\

FF - prefs.js: browser.search.selectedEngine - YouTube Video Search

FF - prefs.js: browser.startup.homepage - hxxp://www.walla.co.il/

FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll

FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Haihaisoft Universal Player\Codec\Plugins\nppl3260.dll

FF - plugin: c:\program files\Haihaisoft Universal Player\Codec\Plugins\npqtplugin.dll

FF - plugin: c:\program files\Haihaisoft Universal Player\Codec\Plugins\nprpjplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - Extension: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}

FF - Extension: Extension Manager Extended: Extended@spanglerco.com - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\Extended@spanglerco.com

FF - Extension: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}

FF - Extension: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}

FF - Extension: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}

FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}

FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Extension: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{dc572301-7619-498c-a57d-39143191b318}

FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

FF - Extension: Mouse Gestures Redox: {FFA36170-80B1-4535-B0E3-A4569E497DD0} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}

FF - Extension: Menu Editor: {EDA7B1D7-F793-4e03-B074-E6F303317FB0} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}

FF - Extension: QuickRestart: {F645A8C9-E969-42D9-B3F3-F325537222FD} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}

FF - Extension: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

FF - Extension: dragdropupload: {CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9}

FF - Extension: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}

FF - Extension: Right-Click-Link: {AA6F0803-145A-4200-8E5E-68898D02B5B3} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{AA6F0803-145A-4200-8E5E-68898D02B5B3}

FF - Extension: SkipScreen: SkipScreen@SkipScreen - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\SkipScreen@SkipScreen

FF - Extension: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}

FF - Extension: YouTube to MP3: youtube2mp3@mondayx.de - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\youtube2mp3@mondayx.de

FF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

FF - Extension: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}

FF - Extension: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}

FF - Extension: Google Reader Watcher: grwatcher@ajnasz.hu - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\grwatcher@ajnasz.hu

FF - Extension: PsicoTSI: {7E77F5DF-8022-40e3-9122-F03DEBEFC43B} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{7E77F5DF-8022-40e3-9122-F03DEBEFC43B}

FF - Extension: FoxTrick: {9d1f059c-cada-4111-9696-41a62d64e3ba} - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\txdw5lu2.default\extensions\{9d1f059c-cada-4111-9696-41a62d64e3ba}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-06 00:32

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-261903793-1801674531-1003\Software\SecuROM\License information*]

"datasecu"=hex:ce,e1,6f,af,93,55,0b,4e,6f,0e,7b,83,99,6c,ce,93,cf,c4,7d,ec,ba,

9b,45,9d,db,88,d0,6a,7a,6f,02,e2,8f,a9,2e,c7,3b,c8,1d,32,96,37,5d,5d,ae,bb,\

"rkeysecu"=hex:46,ff,bb,81,33,3d,2c,e7,0f,bd,b1,88,db,8a,f9,e5

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(15804)

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-12-06 00:33:47

ComboFix-quarantined-files.txt 2010-12-05 22:33

Pre-Run: 149,854,629,888 bytes free

Post-Run: 149,843,521,536 bytes free

- - End Of File - - DBD422F4F1BD4086536DACCC351AB27B

Link to post
Share on other sites

Please uninstall ESET NOD32 Antivirus and NOD32 v3.0.642 FiX1.2 by TemDono (31 days remaining forever up . Download and install the latest and clean version of NOD32 or just another free antivirus like:

http://www.avast.com/free-antivirus-download

http://free.avg.com/ww-en/homepage

http://www.free-av.com/

http://www.microsoft.com/security_essentials/

Manually update it and perform a full scan. Let me know about the resaults.

Link to post
Share on other sites

Hey Borislav,

I understand your concerns about the patched NOD32, I can only assure you from my software engineering background that the problem doesn't come from there.

It's fully updated and I've been using it for about a year with zero hiccups until now, with it being the only malware protection I have...

Please try to assume that this isn't the problem, if you don't want to continue supporting this issue, I understand and thank you for your great help.

If you are willing to make that assumption - I ran another full scan and ComboFix, these are the logs:

NOD32:

Scan Log

Version of virus signature database: 5679 (20101206)

Date: 12/6/2010 Time: 9:15:49 PM

Scanned disks, folders and files: Operating memory;C:\Boot sector;C:\cmdcons\;C:\Config.Msi\;C:\Documents and Settings\;C:\Downloads\;C:\GameInstalls\;C:\Games\;C:\HJT\;C:\MSOCache\;C:\NVIDIA\;C:\Program Files\;C:\Qoobox\;C:\SchoolPrograms\;C:\Stuff\;C:\System Volume Information\;C:\WINDOWS\;C:\aaw7boot.log;C:\AUTOEXEC.BAT;C:\bar.emf;C:\Boot.bak;C:\boot.ini;C:\cmldr;C:\ComboFix.txt;C:\CONFIG.SYS;C:\DOSH.sis;C:\IO.SYS;C:\logwmemory.bin;C:\MSDOS.SYS;C:\NTDETECT.COM;C:\ntldr;C:\pagefile.sys;C:\sqmdata00.sqm;C:\sqmnoopt00.sqm

C:\Documents and Settings\Admin\.nbi\tmp\logic,1.jar.7

Link to post
Share on other sites

Sorry but I'm technical support at ESET NOD32 Bulgarian Forums. Also, I'm against it. Thus you do not appreciate my help, do not appreciate the work of my colleagues do not appreciate your information. Quite deliberately, you treat negligent and I'm disappointed. This patch for your antivirus program contains malicious code, he manipulates NOD32 and determine its actions. This is not normal, this is not legally, as you and those people who created it are in violation of several laws. I'll ask you one last time, Rethink this whole situation, otherwise someone would ask my colleagues to take up your case if desired.

Link to post
Share on other sites

Glad we could help. ;)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.