Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Virtumonde / Vundo Virus - need help


  • This topic is locked This topic is locked
12 replies to this topic

#1 bf649

bf649

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 28 December 2008 - 12:46 AM

I am using Symantec Antivirus and WinXP Home firewall and got infected with the Virtumonde / Vundo Virus. I tried using Spybot and combofix to remove it, but I'm not sure if it is completed out of my PC. My Symantec Antivirus still reports the Vundo virus is trying to get back in. Can someone please help?


DDS (Version 1.1.0) - NTFSx86
Run by user at 21:32:21.98 on 2008-12-27
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.1023.289 [GMT -8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lvcomsx.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TextPad 4\TextPad.exe
C:\Program Files\Outlook Express\msimn.exe
E:\Bill\downloads\ComboFix\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyServer = proxy.library.ubc.ca:8000
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {99567d8b-320a-4262-bf6a-12d89eb28989} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [REGSHAVE] "c:\program files\regshave\REGSHAVE.EXE" /AUTORUN
mRun: [Ptipbmf] "rundll32.exe" ptipbmf.dll,SetWriteCacheMode
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [LogitechVideo[inspector]] "c:\program files\logitech\video\InstallHelper.exe" /inspect
mRun: [LogitechCameraAssistant] "c:\program files\logitech\video\CameraAssistant.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08c5 -f video -m logitech -d 10.5.1.2023
StartupFolder: c:\docume~1\user\startm~1\programs\startup\taskmgr.lnk - c:\windows\system32\taskmgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\3m4y1xwp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\mozilla firefox\\components\jar50.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\mozilla firefox\\greprefs\all.js - pref("general.useragent.contentlocale", "chrome://navigator-region/locale/region.properties");
c:\program files\mozilla firefox\\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\mozilla firefox\\greprefs\all.js - pref("accessibility.typeaheadfind.soundURL", "default");
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.loadInBackground", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.opentabfor.middleclick", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.opentabfor.urlbar", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.opentabfor.windowopen", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.opentabfor.bookmarks", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.loadGroup", 1);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.tabs.loadOnNewTab", 0);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.windows.loadOnNewWindow", 1);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.link.open_external", 1);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.link.open_newwindow", 2);
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\mozilla firefox\\greprefs\all.js - pref("browser.link.open_newwindow.restriction", 0); // values from GlobalWindow
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.HTMLDocument.close.get", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.HTMLDocument.open.get", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Location.reload.get", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.Components", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\mozilla firefox\\greprefs\all.js - pref("dom.disable_window_open_feature.resizable", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-connections", 24);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-connections-per-server", 8);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-persistent-connections-per-server", 2);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.max-persistent-connections-per-proxy", 4);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.http.accept.default", "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.dns.ipv4OnlyDomains", ".doubleclick.net");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.standard-url.encode-utf8", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.image.warnAboutImages", false);
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.proxy.autoconfig_url", "");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.cookie.p3p", "ffffaaaa");
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\\greprefs\all.js - pref("ui.key.generalAccessKey", 18);
c:\program files\mozilla firefox\\greprefs\all.js - pref("dom.max_script_run_time", 5);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.enable_ssl2", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc4_128", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc2_128", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.des_ede3_192", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.des_64", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc4_40", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc2_40", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_fips_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_1024_rc4_56_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_1024_des_cbc_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_rc4_40_md5", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_rc2_40_md5", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.dhe_rsa_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ssl3.dhe_dss_des_sha", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.default_personal_cert", "Select Automatically");
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.warn_entering_secure", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.warn_leaving_secure", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.warn_submit_insecure", true);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.OCSP.enabled", 0);
c:\program files\mozilla firefox\\greprefs\security-prefs.js - pref("security.ui.enable", true);
c:\program files\mozilla firefox\\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.skin", "chrome://mozapps/content/extensions/extensions.xul?type=themes");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.chrome", "chrome://mozapps/content/extensions/extensions.xul?type=extensions");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.type.skin", "Extension:Manager-themes");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.type.chrome", "Extension:Manager-extensions");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.version",
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.update.interval", 86400000); // Check for updates to Firefox every day
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.update.url", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.getMoreExtensionsURL", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.getMoreThemesURL", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "update.mozilla.org,addons.mozilla.org");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("keyword.URL", "http://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.startup.homepage", "resource:/browserconfig.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.startup.homepage_reset", "resource:/browserconfig.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.defaulturl", "chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.order.Yahoo.1", "chrome://browser/content/searchconfig.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.order.Yahoo.2", "chrome://browser/content/searchconfig.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.order.Yahoo", "chrome://browser/content/searchconfig.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.search.basic.min_ver", "0.0");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.tabs.opentabfor.urlbar", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.tabs.showSingleWindowModePrefs", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.enabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.autoload", 1); // 0 = Always, 1 = After first use, 2 = Never
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.provider", "http://www-rl.netscape.com/wtgn?");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.related.disabledForDomains", "");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.goBrowsing.enabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("dom.disable_window_open_feature.location", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.trim_user_and_password", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("network.cookie.enableForCurrentSessionOnly", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.throbber.url","chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("alerts.height", 50);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("update_notifications.provider.0.datasource", "chrome://browser-region/locale/region.properties");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("signon.SignonFileName", "signons.txt");
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("security.warn_entering_secure.show_once", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("security.warn_leaving_secure.show_once", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("security.warn_submit_insecure.show_once", true);
c:\program files\mozilla firefox\\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2005-10-4 185968]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2005-10-4 177776]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2005-11-15 1756912]
R2 WinDefend;Windows Defender;"c:\program files\windows defender\MsMpEng.exe" [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-2 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081227.002\naveng.sys [2008-12-27 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081227.002\navex15.sys [2008-12-27 876112]
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccPwdSvc.exe" [2005-10-4 83568]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2005-11-15 169200]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys [2003-8-28 189792]
S3 yukonx86;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter;c:\windows\system32\drivers\yukonx86.sys [2005-4-1 176256]
S4 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]

=============== Created Last 30 ================

2008-12-27 13:31 <DIR> --d----- c:\program files\Trend Micro
2008-12-27 12:52 <DIR> a-dshr-- C:\cmdcons
2008-12-27 12:50 161,792 a------- c:\windows\SWREG.exe
2008-12-27 12:50 98,816 a------- c:\windows\sed.exe
2008-12-27 00:50 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-27 00:50 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-25 12:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\2DBoy
2008-12-25 12:04 <DIR> --d----- c:\program files\WorldOfGoo
2008-12-24 06:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2008-12-23 22:35 327 a------- c:\windows\wininit.ini
2008-12-21 18:27 <DIR> --d----- c:\docume~1\user\applic~1\World-LooM
2008-12-21 17:15 <DIR> --d----- c:\windows\Fix-it-up - Kates Adventure
2008-12-21 17:15 <DIR> --d----- c:\program files\Fix-it-up - Kates Adventure
2008-12-09 21:37 <DIR> --d----- c:\windows\Top Chef
2008-12-09 21:37 <DIR> --d----- c:\program files\Top Chef
2008-12-02 00:20 0 a------- c:\windows\iplayer.INI

==================== Find3M ====================

2008-12-27 20:56 0 a------- c:\windows\system32\drivers\lvuvc.hs
2008-11-24 20:58 18,816 a------- c:\windows\system32\drivers\dvd43llh.sys
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 02:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-03-16 12:28 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-11-17 18:36 47,360 a------- c:\docume~1\user\applic~1\pcouffin.sys
2007-07-15 08:47 72 a------- c:\program files\UNWISE.INI
2005-09-26 00:51 32 a----r-- c:\documents and settings\all users\hash.dat
1999-06-25 09:55 149,504 a------- c:\program files\UNWISE.EXE
2008-09-27 11:25 49,152 a--sh--- c:\windows\system32\losamine.dll
2008-09-25 11:53 33,792 a--sh--- c:\windows\system32\zadimeve.dll
2008-07-19 19:05 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071920080720\index.dat

============= FINISH: 21:33:04.12 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:03:48 AM

Posted 07 January 2009 - 11:16 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

This may seem repetitive, but we need to see the current status of your system, please.
Please Hold on it may take us a day or so to get back with you.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 bf649

bf649
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 08 January 2009 - 01:44 AM

I think I've successfully removed the virus by running various scans and ComboFix, but would you mind reviewing my latest DDS scan to confirm. Thanks for you help.


DDS (Ver_09-01-07.01) - NTFSx86
Run by user at 22:33:08.18 on 2009-01-07
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.1023.406 [GMT -8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\lvcomsx.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\user\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyServer = proxy.library.ubc.ca:8000
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {99567d8b-320a-4262-bf6a-12d89eb28989} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [REGSHAVE] "c:\program files\regshave\REGSHAVE.EXE" /AUTORUN
mRun: [Ptipbmf] "rundll32.exe" ptipbmf.dll,SetWriteCacheMode
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [nwiz] nwiz.exe /install
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [LogitechCameraAssistant] "c:\program files\logitech\video\CameraAssistant.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\user\startm~1\programs\startup\taskmgr.lnk - c:\windows\system32\taskmgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\3m4y1xwp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "update.mozilla.org,addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-1 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090107.002\naveng.sys [2009-1-7 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090107.002\navex15.sys [2009-1-7 876112]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-10-4 185968]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-10-4 177776]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-11-15 1756912]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-10-4 83568]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-12-30 33752]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]
S3 yukonx86;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter;c:\windows\system32\drivers\yukonx86.sys [2005-4-1 176256]

=============== Created Last 30 ================

2009-01-03 16:55 <DIR> --d----- c:\docume~1\user\applic~1\My Battle for Middle-earth Files
2009-01-03 11:46 <DIR> --d----- C:\Disc Images
2009-01-01 12:18 108,168 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-01 12:18 87,768 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-01 11:56 <DIR> --d----- c:\program files\2K Games
2009-01-01 10:38 756,736 -----r-- c:\windows\system32\IR41_32.DLL
2008-12-29 23:12 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-29 17:16 389,120 a------- c:\windows\system32\CF19092.exe
2008-12-27 13:31 <DIR> --d----- c:\program files\Trend Micro
2008-12-27 12:52 <DIR> a-dshr-- C:\cmdcons
2008-12-27 00:50 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-25 12:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\2DBoy
2008-12-25 12:04 <DIR> --d----- c:\program files\WorldOfGoo
2008-12-24 06:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2008-12-23 22:35 327 a------- c:\windows\wininit.ini
2008-12-21 18:27 <DIR> --d----- c:\docume~1\user\applic~1\World-LooM
2008-12-21 17:15 <DIR> --d----- c:\windows\Fix-it-up - Kates Adventure
2008-12-21 17:15 <DIR> --d----- c:\program files\Fix-it-up - Kates Adventure
2008-12-09 21:37 <DIR> --d----- c:\windows\Top Chef
2008-12-09 21:37 <DIR> --d----- c:\program files\Top Chef

==================== Find3M ====================

2009-01-07 18:52 0 a------- c:\windows\system32\drivers\lvuvc.hs
2008-11-24 20:58 18,816 a------- c:\windows\system32\drivers\dvd43llh.sys
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-03-16 12:28 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-11-17 18:36 47,360 a------- c:\docume~1\user\applic~1\pcouffin.sys
2007-07-15 08:47 72 a------- c:\program files\UNWISE.INI
2005-09-26 00:51 32 a----r-- c:\documents and settings\all users\hash.dat
1999-06-25 09:55 149,504 a------- c:\program files\UNWISE.EXE
2008-07-19 19:05 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071920080720\index.dat

============= FINISH: 22:33:54.56 ===============

Attached Files



#4 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 08 January 2009 - 01:41 PM

Hi bf649,

Welcome to Bleeping Computers

My name is Tomk_. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.
I apologize for the delay in response. We get overwhelmed at times but we are trying our best to keep up.

You're looking pretty good. Let's get an online scan.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Posted Image

#5 bf649

bf649
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 09 January 2009 - 01:19 PM

Hi Tomk,

I tried running Kaspersky 4 times and each time it stopped after 2-3 hours without completing the scan. What files it did scan was clean. I stopped my Symantec, Spybot and Windows Defender before the scan, but it did not help.

I did a Kaspersky scan about a week ago and it completed successfully and everything was clean at that time.

Thanks.

#6 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 09 January 2009 - 01:41 PM

bf649,

I need you to run the following scan: Eset Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

Posted Image

#7 bf649

bf649
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 09 January 2009 - 01:52 PM

Tomk,

Do I need to disable Symantec, Spybot and Windows Defender before starting Eset Online Scanner?

Thanks.

#8 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 09 January 2009 - 03:58 PM

bf649,

Shouldn't have to. This is only a scanner. Because it doesn't make any changes to your system, those programs shouldn't cause any problems.
Posted Image

#9 bf649

bf649
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 10 January 2009 - 02:21 AM

Tomk,

Here is my Eset Online Scanner log. Thanks.


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3755 (20090109)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=4ba8059f2192984aa88e13145c5097aa
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2009-01-10 07:14:19
# local_time=2009-01-09 11:14:19 (-0800, Pacific Standard Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 3
# scanned=895826
# found=0
# scan_time=8009

#10 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 10 January 2009 - 10:43 AM

bf649,

Log looks good :)


You need to create a new Clean restore point.
Click Start Menu > Run > copy and paste

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Remove all previous Restore Points
Click Start Menu > Run > copy and paste

cleanmgr

At top, click on More Options tab. Click Clean up... button in the System Restore box. Click on Yes button. When finished, click on Cancel button to exit.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.

You can delete DDS.

The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
(Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
Without a firewall your computer is succeptible to being hacked and taken over.
I am very serious about this and see it happen almost every day with my clients.
Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Keep Microsoft Windows Updated - This will ensure your computer has always the latest security updates available installed on your computer. The easiest way to do this is to turn on Automatic Updates. Do this by:
  • From your desktop, right-click on My Computer,
  • click on Properties
  • Select the Automatic Updates tab
  • Click on Automatic
  • Click on Apply button
  • Click on OK to exit.
If there are new updates to install, install them immediately, until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Download and install the free version of WinPatrol - This program protects your computer in a variety of ways and will work well with your existing security software.
Winpatrol


Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.


Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved. :thumbsup:

Edited by Tomk_, 10 January 2009 - 10:45 AM.

Posted Image

#11 bf649

bf649
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 10 January 2009 - 12:07 PM

Tomk,

Thanks again for your help.

#12 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 10 January 2009 - 01:15 PM

bf649,

You are very welcome!

Glad we could help.

Have a Happy New Year.

Good Luck and Be Well. :thumbsup:
Posted Image

#13 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 12 January 2009 - 01:22 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users