Help please


  • This topic is locked
2 replies to this topic

#1 hepkat

hepkat

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:12 AM

Posted 05 March 2009 - 10:03 PM

I had the worst infection ever, even into my user32.dll and other Windows files; I had to install a floppy drive and put in 15 hours of work.

I have control of my computer again, yet my browser is still hijacked (searches in Google, etc.: if I click on the results, they send me to different pages), and Malwarebytes, Spybot, McAfee, Symantec, none of them are detecting anything.

Here is a ComboFix log, hoping someone can help me eradicate the rest of the problem. I didn't see anything suspicious in HijackThis. Thank you so much if you can help.

ComboFix 09-03-04.01 - Jason 2009-03-05 21:49:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1422 [GMT -5:00]
Running from: c:\documents and settings\Jason\My Documents\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
.

((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
.

2009-03-05 21:47 . 2009-03-05 21:49 <DIR> d-------- C:\32788R22FWJFW
2009-03-05 21:32 . 2007-04-16 15:28 577,536 --a------ c:\windows\soun7b97.rra
2009-03-05 21:27 . 2009-03-05 21:31 <DIR> d-------- c:\windows\LastGood
2009-03-05 21:26 . 2009-03-05 21:27 <DIR> d-------- c:\program files\Realtek AC97
2009-03-05 21:26 . 2007-04-16 15:28 577,536 --a------ c:\windows\SET398.tmp
2009-03-05 19:41 . 2009-03-05 20:22 <DIR> d-------- c:\program files\Norton Security Scan
2009-03-05 19:41 . 2009-03-05 20:22 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-03-05 03:05 . 2009-03-05 17:04 4,230 --a------ c:\windows\system32\Config.MPF
2009-03-05 03:02 . 2009-03-05 03:02 <DIR> d-------- c:\program files\MSXML 6.0
2009-03-05 02:59 . 2009-03-05 03:16 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-03-05 02:46 . 2008-06-13 08:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-05 02:45 . 2008-08-14 05:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-05 02:45 . 2008-08-14 04:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-05 02:45 . 2008-08-14 04:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-05 02:45 . 2008-08-14 04:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-05 02:44 . 2008-10-24 06:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-05 02:37 . 2009-03-05 17:02 104 --a------ c:\windows\system32\NvApps.xml
2009-03-04 22:58 . 2004-08-04 07:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
2009-03-04 22:57 . 2004-08-04 07:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-03-04 22:56 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2009-03-04 22:55 . 2004-08-04 07:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2009-03-04 22:55 . 2009-03-04 22:55 749 -rah----- c:\windows\WindowsShell.Manifest
2009-03-04 22:55 . 2009-03-04 22:55 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-03-04 22:55 . 2009-03-04 22:55 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-03-04 22:55 . 2009-03-04 22:55 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2009-03-04 22:55 . 2009-03-04 22:55 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-03-04 22:55 . 2009-03-04 22:55 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-03-03 04:02 . 2009-03-04 11:15 <DIR> d-------- c:\windows\system32\inf
2009-02-17 16:47 . 2009-02-17 16:47 <DIR> d-------- c:\program files\Aventail Connect

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-05 22:08 --------- d-----w c:\program files\Canon
2009-03-05 04:04 --------- d-----w c:\program files\MSN Messenger
2009-03-04 18:48 63,488 ----a-w c:\windows\system32\unam4ie.exe
2009-03-04 18:48 28,672 ----a-w c:\windows\system32\verclsid.exe
2009-03-04 18:47 7,680 ----a-w c:\windows\system32\spdwnwxp.exe
2009-03-04 18:47 442,368 ----a-w c:\windows\system32\NVUNINST.EXE
2009-03-04 18:47 442,368 ----a-w c:\windows\system32\nvudisp.exe
2009-03-04 18:47 32,768 ----a-w c:\windows\system32\slrundll.exe
2009-03-04 18:47 32,768 ----a-w c:\windows\system32\setupn.exe
2009-03-04 18:47 208,896 ----a-w c:\windows\system32\nvusmb.exe
2009-03-04 18:47 208,896 ----a-w c:\windows\system32\nvunrm.exe
2009-03-04 18:47 20,992 ----a-w c:\windows\system32\spupdwxp.exe
2009-03-04 18:47 193,551 ----a-w c:\windows\system32\napstat.exe
2009-03-04 18:47 14,336 ----a-w c:\windows\system32\svchost(2).exe
2009-03-04 18:46 524,288 ----a-w c:\windows\system32\DivXsm.exe
2009-03-04 18:46 50,706 ----a-w c:\windows\system32\mmcperf.exe
2009-03-04 18:46 305,090 ----a-w c:\windows\system32\ealtest.exe
2009-03-04 18:46 26,629 ----a-w c:\windows\system32\comsdupd.exe
2009-03-04 18:46 20,992 ----a-w c:\windows\system32\faxpatch.exe
2009-03-04 18:46 132,096 ----a-w c:\windows\system32\eaexec.exe
2009-03-04 18:46 13,312 ----a-w c:\windows\system32\lsass(2).exe
2009-03-04 18:46 118,784 ----a-w c:\windows\system32\DivXCodecUpdateChecker.exe
2009-03-04 18:45 454,656 ----a-w c:\windows\system32\CapabilityTable.exe
2009-03-04 18:45 44,544 ----a-w c:\windows\system32\alg(2).exe
2009-03-04 18:37 8,868 ----a-w c:\windows\ngutil.exe
2009-03-04 18:37 60,416 ----a-w c:\windows\ALCFDRTM.EXE
2009-03-04 18:37 107,008 ----a-w c:\windows\UninstallFirefox.exe
2009-03-04 16:33 700,416 ----a-w C:\StubInstaller.exe
2009-03-04 16:30 323,607 ----a-w c:\windows\IsUninst.exe
2009-03-04 16:29 --------- d-----w c:\program files\Mount&Blade
2009-03-04 16:28 77,824 ------w c:\windows\SOUNDMAN.EXE
2009-03-04 16:28 --------- d-----w c:\program files\McAfee
2009-03-04 01:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-17 21:47 --------- d-----w c:\documents and settings\All Users\Application Data\Aventail
2009-02-14 21:54 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-02-08 02:50 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-08 02:50 --------- d-----w c:\program files\Atari
2009-02-08 02:49 --------- d-----w c:\documents and settings\Jason\Application Data\Atari
2009-01-31 20:49 --------- d-----w c:\program files\Ipswitch
2009-01-31 20:49 --------- d-----w c:\documents and settings\Jason\Application Data\Ipswitch
2009-01-31 20:49 --------- d-----w c:\documents and settings\All Users\Application Data\Ipswitch
2009-01-16 11:45 --------- d-----w c:\program files\Common Files\Adobe
2009-01-16 11:42 --------- d-----w c:\documents and settings\All Users\Application Data\ALM
2009-01-16 09:33 --------- d-----w c:\program files\Neverwinter Nights 2
2009-01-15 12:48 --------- d-----w c:\documents and settings\Jason\Application Data\Canon
2009-01-15 12:40 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-01-15 11:19 --------- d-----w c:\program files\Firaxis Games
2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-14 16:00 --------- d-----w c:\program files\VirtualFem
2008-06-19 09:16 118,784 ----a-w c:\program files\mozilla firefox\plugins\MyCamera.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-05_ 4.11.04.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-04 18:37:08 200,704 ----a-w c:\windows\alcrmv.exe
+ 2006-07-31 16:27:30 217,088 ----a-w c:\windows\Alcrmv.exe
- 2009-03-04 18:37:09 294,912 ----a-w c:\windows\alcupd.exe
+ 2006-07-31 16:19:00 315,392 ----a-w c:\windows\alcupd.exe
+ 2009-03-06 00:41:03 29,184 ----a-r c:\windows\Installer\{7E819CE5-2C41-4C8D-BAF0-B49CC65C5562}\Icon3FADAA19.exe
+ 2006-07-31 16:27:30 217,088 ----a-w c:\windows\LastGood\Alcrmv.exe
+ 2009-03-04 16:28:58 77,824 ----a-w c:\windows\LastGood\SOUNDMAN.EXE
+ 2005-04-19 02:40:52 2,317,504 ----a-w c:\windows\LastGood\system32\drivers\ALCXWDM.SYS
+ 2004-08-04 12:00:00 60,288 ----a-w c:\windows\LastGood\system32\drivers\drmk.sys
+ 2004-08-04 04:15:22 140,928 ----a-w c:\windows\LastGood\system32\drivers\ks.sys
+ 2004-08-04 12:00:00 145,792 ----a-w c:\windows\LastGood\system32\drivers\portcls.sys
+ 2004-08-04 04:08:04 48,640 ----a-w c:\windows\LastGood\system32\drivers\stream.sys
+ 2004-08-04 05:56:44 4,096 ----a-w c:\windows\LastGood\system32\ksuser.dll
+ 2004-09-07 06:23:16 156,672 ----a-w c:\windows\LastGood\system32\RTLCPAPI.dll
+ 2009-03-04 18:47:38 9,326,592 ----a-w c:\windows\LastGood\system32\RTLCPL.EXE
+ 2004-08-04 12:00:00 23,552 ----a-w c:\windows\LastGood\system32\wdmaud.drv
- 2009-03-04 18:46:00 44,160 ----a-w c:\windows\system32\ChCfg.exe
+ 2006-08-01 20:02:00 49,152 ----a-w c:\windows\system32\ChCfg.exe
- 2009-03-05 04:02:00 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-06 01:25:52 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-05 04:02:00 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-06 01:25:52 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-05 04:02:00 163,840 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-06 01:25:52 163,840 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-04-19 02:40:52 2,317,504 ----a-w c:\windows\system32\drivers\ALCXWDM.SYS
+ 2008-09-24 15:40:22 4,122,368 ----a-r c:\windows\system32\drivers\alcxwdm.sys
- 2004-08-04 12:00:00 60,288 ----a-w c:\windows\system32\drivers\drmk.sys
+ 2004-08-04 04:08:00 60,288 ----a-w c:\windows\system32\drivers\drmk.sys
- 2004-08-04 12:00:00 145,792 ----a-w c:\windows\system32\drivers\portcls.sys
+ 2004-08-04 04:15:50 145,792 ----a-w c:\windows\system32\drivers\portcls.sys
- 2004-09-07 06:23:16 156,672 ----a-w c:\windows\system32\RTLCPAPI.dll
+ 2006-10-18 07:53:26 147,456 ----a-w c:\windows\system32\RtlCPAPI.dll
- 2009-03-04 18:47:38 9,326,592 ----a-w c:\windows\system32\RTLCPL.EXE
+ 2006-12-08 20:20:14 10,528,768 ----a-w c:\windows\system32\RTLCPL.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-11-30 4662776]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-04 286720]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2009-03-04 72736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2009-03-04 57344]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"Adobe_ID0ENQBO"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2008-08-15 378224]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2009-03-04 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-03-04 5562368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2008-10-04 235936]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-02 21:46 13529088 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-02 21:46 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-02 21:46 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NBService"=3 (0x3)
"iPodService"=3 (0x3)
"WZCSVC"=2 (0x2)
"usnjsvc"=3 (0x3)
"TrkWks"=2 (0x2)
"TapiSrv"=3 (0x3)
"SwPrv"=3 (0x3)
"SSDPSRV"=3 (0x3)
"Spooler"=2 (0x2)
"RichVideo"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NMIndexingService"=3 (0x3)
"MSDTC"=3 (0x3)
"hkmsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Sierra\\Empire Earth - The Art of Conquest\\EE-AOC.exe"=
"c:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R2 CamthWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CamthWDM.sys [2007-10-06 935808]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-08-28 206096]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-02-02 24576]
S0 evsduuk;evsduuk;c:\windows\system32\drivers\rtkwx.sys --> c:\windows\system32\drivers\rtkwx.sys [?]
S2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe --> c:\windows\system32\ngvpnmgr.exe [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\DRIVERS\ngfilter.sys --> c:\windows\system32\DRIVERS\ngfilter.sys [?]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\DRIVERS\nglog.sys --> c:\windows\system32\DRIVERS\nglog.sys [?]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\DRIVERS\ngvpn.sys --> c:\windows\system32\DRIVERS\ngvpn.sys [?]
S4 pnicml;pnicml;\??\c:\docume~1\Jason\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\Jason\LOCALS~1\Temp\pnicml.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EECTRL
*NewlyCreated* - ERASERUTILDRV10910
*Deregistered* - eeCtrl
*Deregistered* - EraserUtilDrv10910
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2009-03-06 c:\windows\Tasks\Norton Security Scan for Jason.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]

2009-03-05 c:\windows\Tasks\xuedbxni.job
- c:\windows\system32\hgGaAPFw.dll []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Jason\Application Data\Mozilla\Firefox\Profiles\827ak9ru.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\kSolo\npAVX.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 21:52:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-602162358-1935655697-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:d8,b7,16,86,48,51,02,52,69,a8,21,54,e2,02,f0,61,48,73,cc,57,0f,
59,7d,be,d9,c4,c7,f7,a4,0a,fd,93,9c,87,e5,27,b1,c4,e5,9a,33,cc,82,bf,f1,73,\
"rkeysecu"=hex:d8,7a,06,7c,76,63,3a,4c,04,ff,d5,70,fc,30,3f,7e
.
Completion time: 2009-03-05 21:53:52
ComboFix-quarantined-files.txt 2009-03-06 02:53:25
ComboFix2.txt 2009-03-05 09:12:10

Pre-Run: 1,365,573,632 bytes free
Post-Run: 1,411,551,232 bytes free

Current=4 Default=4 Failed=0 LastKnownGood=2 Sets=1,2,3,4
313 --- E O F --- 2009-03-05 08:04:00

ALSO:
I noticed this in my Internet Explorer registry; not sure if it should be there or not.
A folder called "international", with rundll32.exe, msnim.exe and a few others with a value of 6.0.2600.0-6.0.9999.9999.

In the "abouturls" folder, names like noadd-on, data res://shdock.dll/navcanl.htm, etc.

In the "mozilla" folder, sub-folder "desktop", entries like software/classes/gopher/defaulticon with date of /%systemroot%system32/url.dll,0

Edited by hepkat, 05 March 2009 - 10:17 PM.




#2 hepkat

hepkat
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:12 AM

Posted 05 March 2009 - 11:30 PM

Even ComboFix and SDFix haven't found anything.

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,949 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:12 AM

Posted 05 March 2009 - 11:51 PM

Hello hepkat,

Please note the message text in blue at the top of the Am I infected? What do I do? forum.

ComboFix logs should not be posted outside the HijackThis forums, and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed. If you have any questions, please PM me or another Moderator.

The BC Staff
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript