Google Hijacks and Update/System Restore Disabled


This topic is locked
17 replies to this topic

#1 Vollmond
  • Members
  • 9 posts

Posted 03 July 2009 - 01:12 PM

Hey guys. I have Firefox 3.5 and have had my Google searches hijacked. Every two times I click on a search result it gets redirected. I am also unable to do a system restore or set a new restore point. This all started when my Comodo recognized a program "244.exe" attempting to install, which I blocked because I did not know what it was at the time. Unfortunately it must have somehow still gotten installed as problems started immediately after that.

After reading several posts on this website I installed MalwareBytes, HJT, Avira, DDS, and Kaspersky. I know I probably should have consulted you guys first, so I apologize if this will make things tougher. I have run all four and have had the following happen:

1.) MalwareBytes found 3 trojans and was able to remove 2 (Backdoor.bot & Trojan.FakeAlert) of the 3. The third (Trojan.Agent) was supposed to be quarantined and deleted upon reboot, but each time it is not removed after the reboot. MalwareBytes is also unable to connect and update.

2.) Kaspersky found one file (Trojan-Spy.Win32.Small.ccy) in my Settings\Temp folder and was able to remove it from what the program shows.

3.) SpyBot S&D 1.6.2 is unable to connect and install. EDIT: I found out that my LAN settings had been changed to use a proxy. Once I unchecked this option SpyBot, MalwareBytes, and iTunes were all able to connect again. Please let me know if this is part of the issue or if you need any additional info.

4.) Avira found 5 files, three of which were "TR/Dropper.Gen". The other two were "TR/Patched.GE" and a "HEUR/Malware suspicious code". I deleted all files from quarantine after reviewing them.

5.) I ran HJT and DDS. I have pasted my logs below.


After running a few of these programs, my Comodo Anti-Virus/Firewall is now able to connect and update again. However, MalwareBytes and SpyBot are still unable to connect and update.

I've never posted to your forums before, so if there is anything that you need or anything that I can do to make the process easier for you, please let me know. Thank you in advance for your help and advice!

Vollmond
-----------------------------------------------------------------------------


DDS (Ver_09-06-26.01) - NTFSx86
Run by Jay at 10:37:51.90 on Fri 07/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3198.2335 [GMT -7:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
E:\Program Files\Avira\AntiVir Desktop\avguard.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\COMODO\COMODO Internet Security\cfp.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\HP Multimedia Keyboard\KMaestro.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Program Files\Microsoft Office\Office12\WINWORD.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
E:\My Programs\Setup Files\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = http=127.0.0.1:5757
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - e:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: This BHO has been enabled by BHODemon. - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: This BHO has been enabled by BHODemon. - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - e:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [COMODO Internet Security] "e:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [BtcMaestro] "e:\program files\hp multimedia keyboard\KMaestro.exe"
mRun: [Acrobat Assistant 8.0] "e:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] e:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [IntelliPoint] "e:\program files\microsoft intellipoint\ipoint.exe"
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "e:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "e:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: e:\docume~1\jay\startm~1\programs\startup\is-e47o5.lnk - e:\my programs\setup files\virus removal tool\is-e47o5\startup.exe
IE: Append to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - e:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\jay\applic~1\mozilla\firefox\profiles\v36y1g1r.default\
FF - prefs.js: browser.startup.homepage - hxxp://igoogle.com

---- FIREFOX POLICIES ----
e:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
e:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
e:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
e:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
e:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
e:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;e:\program files\avira\antivir desktop\avgio.sys [2009-7-2 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;e:\windows\system32\drivers\cmdguard.sys [2009-2-5 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;e:\windows\system32\drivers\cmdhlp.sys [2009-2-5 31504]
R1 is-E47O5drv;is-E47O5drv;e:\windows\system32\drivers\68187028.sys [2009-7-1 148496]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\avira\antivir desktop\sched.exe [2009-7-2 108289]
R2 AntiVirService;Avira AntiVir Guard;e:\program files\avira\antivir desktop\avguard.exe [2009-7-2 185089]
R2 avgntflt;avgntflt;e:\windows\system32\drivers\avgntflt.sys [2009-7-2 55640]
R2 cmdAgent;COMODO Internet Security Helper Service;e:\program files\comodo\comodo internet security\cmdagent.exe [2009-2-5 618232]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;e:\windows\system32\drivers\nvhda32.sys [2009-2-5 39456]
R3 SynasUSB;SynasUSB;e:\windows\system32\drivers\synasUSB.sys [2009-2-7 23288]
S0 mrrcci;mrrcci;e:\windows\system32\drivers\kvobh.sys --> e:\windows\system32\drivers\kvobh.sys [?]
S3 pae_1394;pae_1394;e:\windows\system32\drivers\pae_1394.sys [2009-2-6 123440]
S3 pae_avs;pae_avs;e:\windows\system32\drivers\pae_avs.sys [2009-2-6 51248]

=============== Created Last 30 ================

2009-07-02 16:42 55,640 a------- e:\windows\system32\drivers\avgntflt.sys
2009-07-02 16:42 <DIR> --d----- e:\program files\Avira
2009-07-02 16:42 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Avira
2009-07-01 18:52 61,440 a------- e:\windows\system32\drivers\hgzk.sys
2009-07-01 18:40 148,496 a------- e:\windows\system32\drivers\68187028.sys
2009-07-01 18:07 335 a------- E:\spyhunter.fix
2009-07-01 18:07 <DIR> --d----- e:\program files\Enigma Software Group
2009-07-01 16:26 <DIR> --d----- e:\docume~1\jay\applic~1\Malwarebytes
2009-06-30 20:52 38,160 a------- e:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 20:52 19,096 a------- e:\windows\system32\drivers\mbam.sys
2009-06-30 20:52 <DIR> --d----- e:\program files\Malwarebytes' Anti-Malware
2009-06-30 20:52 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-30 20:50 <DIR> --d----- e:\program files\Trend Micro
2009-06-30 20:46 <DIR> --d----- e:\docume~1\alluse~1\applic~1\PrevxCSI
2009-06-30 20:46 62 a------- e:\windows\wininit.ini
2009-06-28 20:44 <DIR> --d----- e:\program files\IDM Computer Solutions
2009-06-28 20:25 <DIR> --d----- e:\program files\UltraEdit
2009-06-27 16:41 106,496 a------- e:\windows\system32\DrvTrNTl.dll
2009-06-27 16:41 54,272 a------- e:\windows\system32\DrvTrNTm.dll
2009-06-27 16:41 <DIR> --d----- e:\program files\TotalRecorder
2009-06-26 21:58 <DIR> --d----- e:\program files\WinSCP
2009-06-26 18:56 <DIR> --d----- e:\program files\iPhoneBrowser
2009-06-25 16:28 5,632 a------- e:\windows\system32\ptpusb.dll
2009-06-25 16:28 15,104 ac------ e:\windows\system32\dllcache\usbscan.sys
2009-06-25 16:28 15,104 a------- e:\windows\system32\drivers\usbscan.sys
2009-06-25 16:28 159,232 a------- e:\windows\system32\ptpusd.dll
2009-06-24 16:53 <DIR> --d----- e:\program files\iPod
2009-06-24 16:53 <DIR> --d----- e:\program files\iTunes
2009-06-24 16:53 <DIR> --d----- e:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-24 16:49 2,060,288 a------- e:\windows\system32\usbaaplrc.dll
2009-06-14 17:11 90,112 a------- e:\windows\unvise32.exe
2009-06-14 17:11 <DIR> --d----- e:\program files\SWiSHmax
2009-06-05 19:31 <DIR> --d----- e:\program files\YouTube Downloader

==================== Find3M ====================

2009-06-05 11:42 39,424 a------- e:\windows\system32\drivers\usbaapl.sys
2009-05-07 08:32 345,600 a------- e:\windows\system32\localspl.dll
2009-04-28 21:56 827,392 a------- e:\windows\system32\wininet.dll
2009-04-28 21:55 78,336 a------- e:\windows\system32\ieencode.dll
2009-04-17 05:26 1,847,168 a------- e:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- e:\windows\system32\rpcrt4.dll
2009-03-17 20:03 87,608 a------- e:\docume~1\jay\applic~1\inst.exe
2009-03-17 20:03 47,360 a------- e:\docume~1\jay\applic~1\pcouffin.sys
2009-03-17 16:42 87,608 a------- e:\docume~1\jay\applic~1\ezpinst.exe

============= FINISH: 10:38:13.57 ===============





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:37 AM, on 7/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
E:\Program Files\Avira\AntiVir Desktop\avguard.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\COMODO\COMODO Internet Security\cfp.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\HP Multimedia Keyboard\KMaestro.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Microsoft Office\Office12\WINWORD.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HiThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5757
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - E:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - E:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [COMODO Internet Security] "E:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BtcMaestro] "E:\Program Files\HP Multimedia Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] E:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Startup: is-E47O5.lnk = E:\My Programs\Setup Files\Virus Removal Tool\is-E47O5\startup.exe
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - E:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - E:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8123 bytes

Edited by Vollmond, 03 July 2009 - 06:39 PM.
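The log above shows the mechanism behind the "use a proxy" setting Vollmond found: the HijackThis R1 line `ProxyServer = http=127.0.0.1:5757` routes all of Internet Explorer's HTTP traffic through a port on the local machine, so whatever process listens there can rewrite search results and block update checks. As an added example (not code from the thread, from HijackThis or from any tool named here), the Python below parses HJT R1 lines and flags ProxyServer values that point at a loopback address; it also handles the per-protocol `http=...;https=...` form, which this log does not show. The sample lines are copied from the posted log, with the HKLM Default_Page_URL line serving as the entry that should not be flagged.

```python
"""Flag loopback proxy settings in a HijackThis (HJT) log.

Added example, not part of the forum post or of HijackThis itself. A search
hijacker that points the IE proxy at a port on 127.0.0.1 puts its own process
in the path of every HTTP request, which also explains why AV update checks
fail until the setting is cleared.
"""
import re
from typing import Dict, List

# Sample input: lines copied from the HJT log posted above. The first R1 line
# is a normal IE default and must not be flagged; ProxyOverride is not a proxy
# endpoint and must be skipped.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5757
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
"""

# "R1 - <hive>\<key>,ProxyServer = <value>"; the value is either "host:port"
# or a per-protocol list such as "http=host:port;https=host:port".
_PROXY_LINE = re.compile(
    r"^R1 - (?P<hive>HK\w+)\\.*Internet Settings,ProxyServer = (?P<value>.+?)\s*$"
)
_ENDPOINT = re.compile(r"^(?:(?P<scheme>\w+)=)?(?P<host>[^:;]+):(?P<port>\d+)$")

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_proxy_value(value: str) -> List[Dict[str, object]]:
    """Split a ProxyServer value into one dict per configured endpoint."""
    endpoints = []
    for part in value.split(";"):
        m = _ENDPOINT.match(part.strip())
        if m:
            endpoints.append({
                "scheme": m.group("scheme") or "all",  # bare host:port applies to all protocols
                "host": m.group("host"),
                "port": int(m.group("port")),
            })
    return endpoints


def find_loopback_proxies(log_text: str) -> List[Dict[str, object]]:
    """Return every ProxyServer endpoint that sits on a loopback address.

    A loopback proxy is a lead, not a verdict: some security products install
    one legitimately, so identify the process listening on the reported port
    before clearing the setting.
    """
    findings = []
    for line in log_text.splitlines():
        m = _PROXY_LINE.match(line.strip())
        if not m:
            continue
        for ep in parse_proxy_value(str(m.group("value"))):
            if str(ep["host"]).lower() in LOOPBACK_HOSTS:
                findings.append({"hive": m.group("hive"), **ep, "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in find_loopback_proxies(SAMPLE_HJT_LOG):
        print(f"{f['hive']}: {f['scheme']} traffic proxied to {f['host']}:{f['port']}")
```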




#2 myrti
  • Malware Study Hall Admin
  • 33,768 posts

Posted 09 July 2009 - 05:46 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 Vollmond
  • Topic Starter
  • Members
  • 9 posts

Posted 09 July 2009 - 07:04 PM

Thanks for the response. I've pasted my DDS log and HijackThis log below for your review.

To summarize, I originally received a virus(es) that started with a file labeled "244.exe". After this infection I started to receive other miscellaneous trojans and malware, including the elusive "Trojan.Agent" that MalwareBytes seems to find but cannot remove even after a reboot.

I have used MalwareBytes, Avira Antivir, Kaspersky, and my default anti-virus and firewall are Comodo 3.5.57. My browser is Firefox 3.5.

Originally after the virus infection I was unable to update my anti-virus or Windows Update. This was due to my network settings (LAN) getting changed to "use a proxy". After I changed this back to no proxy, I was able to connect and update most of my programs and files.

My system restore was unable to proceed and would freeze when trying to get past the "Next" screen, whether I tried to either restore to an earlier point or to create a new restore point.

Even still, when I attempt to create a restore point, I get a prompt box that states "System restore is not able to create a restore point. Please restart the computer, and then run System Restore again."

The main issue that I am still having is that my Google searches get hijacked every two or three times that I click on a result. I've somewhat gotten around it by double or triple-clicking the result, but obviously do not want to continue doing this. Also, Avira seems to find a file or two every few days, so I know the infection is still there prompting other trojans and such.

Thank you in advance for your help, I really appreciate you taking the time to help out. I'm not a noobie by any means, but I know you guys are the best. Thanks again. Please find my logs below...


-- Vollmond



DDS (Ver_09-06-26.01) - NTFSx86
Run by Jay at 16:47:26.23 on Thu 07/09/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3198.2413 [GMT -7:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
E:\WINDOWS\system32\svchost -k rpcss
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k NetworkService
E:\WINDOWS\system32\svchost.exe -k LocalService
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
E:\WINDOWS\system32\svchost.exe -k LocalService
E:\Program Files\Avira\AntiVir Desktop\avguard.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\WINDOWS\System32\alg.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\HP Multimedia Keyboard\KMaestro.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Documents and Settings\Jay\Desktop\dds.scr
E:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page =
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = http=127.0.0.1:5757
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - e:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: This BHO has been enabled by BHODemon. - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: This BHO has been enabled by BHODemon. - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - e:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [COMODO Internet Security] "e:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [BtcMaestro] "e:\program files\hp multimedia keyboard\KMaestro.exe"
mRun: [Acrobat Assistant 8.0] "e:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] e:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [IntelliPoint] "e:\program files\microsoft intellipoint\ipoint.exe"
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "e:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "e:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: e:\docume~1\jay\startm~1\programs\startup\is-e47o5.lnk - e:\my programs\setup files\virus removal tool\is-e47o5\startup.exe
IE: Append to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - e:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\jay\applic~1\mozilla\firefox\profiles\v36y1g1r.default\
FF - prefs.js: browser.startup.homepage - hxxp://igoogle.com

---- FIREFOX POLICIES ----
e:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
e:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
e:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
e:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
e:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
e:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;e:\program files\avira\antivir desktop\avgio.sys [2009-7-2 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;e:\windows\system32\drivers\cmdguard.sys [2009-2-5 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;e:\windows\system32\drivers\cmdhlp.sys [2009-2-5 31504]
R1 is-E47O5drv;is-E47O5drv;e:\windows\system32\drivers\68187028.sys [2009-7-1 148496]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\avira\antivir desktop\sched.exe [2009-7-2 108289]
R2 AntiVirService;Avira AntiVir Guard;e:\program files\avira\antivir desktop\avguard.exe [2009-7-2 185089]
R2 avgntflt;avgntflt;e:\windows\system32\drivers\avgntflt.sys [2009-7-2 55640]
R2 cmdAgent;COMODO Internet Security Helper Service;e:\program files\comodo\comodo internet security\cmdagent.exe [2009-2-5 618232]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;e:\windows\system32\drivers\nvhda32.sys [2009-2-5 39456]
R3 SynasUSB;SynasUSB;e:\windows\system32\drivers\synasUSB.sys [2009-2-7 23288]
R4 MBAMSwissArmy;MBAMSwissArmy;e:\windows\system32\drivers\mbamswissarmy.sys [2009-6-30 38160]
S0 mrrcci;mrrcci;e:\windows\system32\drivers\kvobh.sys --> e:\windows\system32\drivers\kvobh.sys [?]
S3 pae_1394;pae_1394;e:\windows\system32\drivers\pae_1394.sys [2009-2-6 123440]
S3 pae_avs;pae_avs;e:\windows\system32\drivers\pae_avs.sys [2009-2-6 51248]

=============== Created Last 30 ================

2009-07-03 17:08 <DIR> --d----- e:\program files\Spy__Bot
2009-07-02 16:42 55,640 a------- e:\windows\system32\drivers\avgntflt.sys
2009-07-02 16:42 <DIR> --d----- e:\program files\Avira
2009-07-02 16:42 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Avira
2009-07-01 18:52 61,440 a------- e:\windows\system32\drivers\hgzk.sys
2009-07-01 18:40 148,496 a------- e:\windows\system32\drivers\68187028.sys
2009-07-01 18:07 335 a------- E:\spyhunter.fix
2009-07-01 18:07 <DIR> --d----- e:\program files\Enigma Software Group
2009-07-01 16:26 <DIR> --d----- e:\docume~1\jay\applic~1\Malwarebytes
2009-06-30 20:52 38,160 a------- e:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 20:52 19,096 a------- e:\windows\system32\drivers\mbam.sys
2009-06-30 20:52 <DIR> --d----- e:\program files\Malwarebytes' Anti-Malware
2009-06-30 20:52 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-30 20:50 <DIR> --d----- e:\program files\Trend Micro
2009-06-30 20:46 <DIR> --d----- e:\docume~1\alluse~1\applic~1\PrevxCSI
2009-06-30 20:46 62 a------- e:\windows\wininit.ini
2009-06-28 20:44 <DIR> --d----- e:\program files\IDM Computer Solutions
2009-06-28 20:25 <DIR> --d----- e:\program files\UltraEdit
2009-06-27 16:41 106,496 a------- e:\windows\system32\DrvTrNTl.dll
2009-06-27 16:41 54,272 a------- e:\windows\system32\DrvTrNTm.dll
2009-06-27 16:41 <DIR> --d----- e:\program files\TotalRecorder
2009-06-26 21:58 <DIR> --d----- e:\program files\WinSCP
2009-06-26 18:56 <DIR> --d----- e:\program files\iPhoneBrowser
2009-06-25 16:28 5,632 a------- e:\windows\system32\ptpusb.dll
2009-06-25 16:28 15,104 ac------ e:\windows\system32\dllcache\usbscan.sys
2009-06-25 16:28 15,104 a------- e:\windows\system32\drivers\usbscan.sys
2009-06-25 16:28 159,232 a------- e:\windows\system32\ptpusd.dll
2009-06-24 16:53 <DIR> --d----- e:\program files\iPod
2009-06-24 16:53 <DIR> --d----- e:\program files\iTunes
2009-06-24 16:53 <DIR> --d----- e:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-24 16:49 2,060,288 a------- e:\windows\system32\usbaaplrc.dll
2009-06-14 17:11 90,112 a------- e:\windows\unvise32.exe
2009-06-14 17:11 <DIR> --d----- e:\program files\SWiSHmax

==================== Find3M ====================

2009-06-05 11:42 39,424 a------- e:\windows\system32\drivers\usbaapl.sys
2009-05-07 08:32 345,600 a------- e:\windows\system32\localspl.dll
2009-04-28 21:56 827,392 a------- e:\windows\system32\wininet.dll
2009-04-28 21:55 78,336 a------- e:\windows\system32\ieencode.dll
2009-04-17 05:26 1,847,168 a------- e:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- e:\windows\system32\rpcrt4.dll
2009-03-17 20:03 87,608 a------- e:\docume~1\jay\applic~1\inst.exe
2009-03-17 20:03 47,360 a------- e:\docume~1\jay\applic~1\pcouffin.sys
2009-03-17 16:42 87,608 a------- e:\docume~1\jay\applic~1\ezpinst.exe

============= FINISH: 16:47:46.95 ===============



------------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:15 PM, on 7/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Avira\AntiVir Desktop\avguard.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\alg.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\HP Multimedia Keyboard\KMaestro.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\wbem\wmiprvse.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Trend Micro\HijackThis\HiThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5757
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - E:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - E:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [COMODO Internet Security] "E:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BtcMaestro] "E:\Program Files\HP Multimedia Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] E:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Startup: is-E47O5.lnk = E:\My Programs\Setup Files\Virus Removal Tool\is-E47O5\startup.exe
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - E:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - E:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8394 bytes
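The DDS and HijackThis logs above already contain the mechanism behind the redirects: `ProxyServer = http=127.0.0.1:5757` routes Internet Explorer's HTTP traffic (and Firefox's, when it is set to use the system proxy settings) through a proxy on the local machine, which is exactly what a search-hijacker needs to rewrite every few result clicks. The same logs show a boot-start service (`S0 mrrcci`) whose driver image DDS could not find on disk (`--> ... [?]`), and a freshly created driver, `hgzk.sys`, with no service entry at all. The following Python script is an added example, not a tool from this thread or from BleepingComputer; it applies those three checks to a constructed subset of the posted DDS lines. The severity labels and the "unregistered driver" heuristic are this example's own assumptions, and that heuristic deliberately also catches legitimate on-demand drivers such as `mbam.sys`, so it is a triage aid rather than a verdict.

```python
"""Triage of a DDS/HijackThis-style log for the indicators seen in this thread:
a browser proxy pointed at the loopback interface, a boot-start driver whose
image file is missing, and freshly created .sys files with no registered
service.  Added illustration; heuristics and severity labels are assumptions.
"""
import re

# Constructed sample input: a subset of the DDS log lines posted above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = http=127.0.0.1:5757
R1 avgio;avgio;e:\program files\avira\antivir desktop\avgio.sys [2009-7-2 11608]
R1 is-E47O5drv;is-E47O5drv;e:\windows\system32\drivers\68187028.sys [2009-7-1 148496]
R2 avgntflt;avgntflt;e:\windows\system32\drivers\avgntflt.sys [2009-7-2 55640]
R4 MBAMSwissArmy;MBAMSwissArmy;e:\windows\system32\drivers\mbamswissarmy.sys [2009-6-30 38160]
S0 mrrcci;mrrcci;e:\windows\system32\drivers\kvobh.sys --> e:\windows\system32\drivers\kvobh.sys [?]
2009-07-02 16:42 55,640 a------- e:\windows\system32\drivers\avgntflt.sys
2009-07-01 18:52 61,440 a------- e:\windows\system32\drivers\hgzk.sys
2009-07-01 18:40 148,496 a------- e:\windows\system32\drivers\68187028.sys
2009-06-30 20:52 38,160 a------- e:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 20:52 19,096 a------- e:\windows\system32\drivers\mbam.sys
"""

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)")
# DDS service line: "<start> <name>;<display>;<path> [<date size>]"; a missing
# image is rendered by DDS as "<path> --> <path> [?]".
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);[^;]*;(?P<path>.*?)"
    r"(?:\s+-->\s+\S.*?)?\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# "Created Last 30" line: "<date> <time> <size> <attrs> <path>".
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+\S+\s+(?P<path>\S.*\.sys)\s*$", re.I
)
LOOPBACK = ("127.", "localhost", "[::1]")


def _loopback_targets(proxy_value):
    """Return each 'host:port' in an IE ProxyServer value that points at loopback."""
    hits = []
    for entry in proxy_value.split(";"):
        hostport = entry.split("=", 1)[-1]        # drop an optional "http=" prefix
        if hostport.lower().startswith(LOOPBACK):
            hits.append(hostport)
    return hits


def triage(log_text):
    """Scan the log text and return findings as dicts with
    'severity', 'kind', 'subject' and 'detail' keys."""
    findings = []
    registered = set()     # image paths that belong to a listed service/driver
    created_sys = []       # .sys files from the created-last-30 section
    for line in log_text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            for hostport in _loopback_targets(m.group("value")):
                findings.append(dict(
                    severity="high", kind="loopback-proxy", subject=hostport,
                    detail="browser traffic is routed through a proxy on this "
                           "machine; nothing legitimate in the log listens there"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            registered.add(m.group("path").lower())
            if m.group("meta").strip() == "?":
                findings.append(dict(
                    severity="high", kind="missing-driver-image",
                    subject=m.group("name"),
                    detail="%s driver image %s not found on disk (hidden by a "
                           "rootkit, or already deleted)" % (m.group("start"), m.group("path"))))
            continue
        m = CREATED_RE.match(line)
        if m:
            created_sys.append(m.group("path"))
    # Heuristic (assumption): a new driver file with no service entry deserves a
    # look.  Legitimate on-demand drivers (e.g. mbam.sys) trip this too, so verify.
    for path in created_sys:
        if path.lower() not in registered:
            findings.append(dict(
                severity="review", kind="unregistered-driver",
                subject=path.rsplit("\\", 1)[-1],
                detail="recently created driver with no service entry in the log"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-6s %-22s %-16s %s" % (f["severity"], f["kind"], f["subject"], f["detail"]))
```

Run against the sample, the script reports the loopback proxy on port 5757 and the image-less `mrrcci` service as high, and `hgzk.sys` and `mbam.sys` for review; the ComboFix log later in this thread confirms `hgzk.sys` was malicious while `mbam.sys` is Malwarebytes' own driver, which is why the third check is labelled review rather than high.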

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:46 PM

Posted 11 July 2009 - 08:15 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 Vollmond

Vollmond
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:46 PM

Posted 12 July 2009 - 04:53 PM

Panda, thanks for the help. I ran both ComboFix and GMER and have included their logs below. ComboFix was unable to install the Recovery Console even though it had Internet connectivity, so I'm not sure what happened there. Despite this, however, it did find several rootkit activities. It restarted the system and then went through the phases upon startup, which eventually completed and created the log.

GMER took a while to complete its process after that but also finished successfully.

After restarting my system and reactivating my firewall/antivirus, I tested my Google searches through Firefox and have had no hijacks so far. All of my results links end up at the correct page. Also, my system restore function seems to be working again. I was able to create a new restore point. I have not attempted to restore it to an earlier point obviously since it is not necessary to do so, but all seems to be in working order.

You asked that I inform you of any modifications that I've made. I don't know if it will make any difference, but I changed the option in Firefox to not accept cookies at all, and have simply been adding sites that I will allow as I come across them for repeated use. Everything else I've tried to secure more effectively than I did before.

Please let me know if you need me to run any other programs or list any other logs. Thank you again for your help. If after reading the logs you believe that my system may be clean, please let me know.

Thanks.

-- Vollmond

---------------------------------------------------------------------------------------------------------------------------------------

ComboFix 09-07-11.02 - Jay 07/12/2009 10:26.1.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3198.2753 [GMT -7:00]
Running from: e:\documents and settings\Jay\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\documents and settings\Jay\Application Data\inst.exe
e:\recycler\S-1-5-21-2795006916-0603022225-343483271-0064
e:\windows\system32\Drivers\hgzk.sys
e:\windows\system32\drivers\MSIVXaecccjqswfxgrsxpyixkndquhkcvvbtw.sys
e:\windows\system32\MSIVXcount
e:\windows\system32\MSIVXwkikvlobatvbdvfvjbvdiafmphrjxusl.dll
e:\windows\system32\MSIVXytmmwiqhvqkohjmroirjptuuiotglill.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))
.

2009-07-12 17:26 . 2009-07-12 17:32 1191968 --sha-w- e:\windows\system32\drivers\fidbox.dat
2009-07-11 19:15 . 2009-07-11 19:15 -------- d-----w- e:\documents and settings\Jay\Application Data\Antares
2009-07-11 19:15 . 2009-07-11 19:15 -------- d-----w- e:\program files\Antares Audio Technologies
2009-07-11 19:14 . 2003-06-20 19:28 1777664 ----a-w- e:\windows\system32\gdiplus.dll
2009-07-04 00:08 . 2009-07-04 01:02 -------- d-----w- e:\program files\Spy__Bot
2009-07-02 23:42 . 2009-03-30 17:33 96104 ----a-w- e:\windows\system32\drivers\avipbb.sys
2009-07-02 23:42 . 2009-03-24 23:08 55640 ----a-w- e:\windows\system32\drivers\avgntflt.sys
2009-07-02 23:42 . 2009-02-13 19:29 22360 ----a-w- e:\windows\system32\drivers\avgntmgr.sys
2009-07-02 23:42 . 2009-02-13 19:17 45416 ----a-w- e:\windows\system32\drivers\avgntdd.sys
2009-07-02 23:42 . 2009-07-02 23:42 -------- d-----w- e:\program files\Avira
2009-07-02 23:42 . 2009-07-02 23:42 -------- d-----w- e:\documents and settings\All Users\Application Data\Avira
2009-07-02 01:52 . 2009-07-02 01:52 -------- d-----w- e:\documents and settings\Administrator\Application Data\IDMComp
2009-07-02 01:48 . 2009-07-02 01:48 -------- d-----w- e:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-02 01:40 . 2008-07-08 21:54 148496 ----a-w- e:\windows\system32\drivers\68187028.sys
2009-07-02 01:07 . 2009-07-02 01:07 -------- d-----w- e:\program files\Enigma Software Group
2009-07-01 23:26 . 2009-07-01 23:26 -------- d-----w- e:\documents and settings\Jay\Application Data\Malwarebytes
2009-07-01 04:10 . 2009-07-01 04:10 -------- d-----w- e:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-01 03:52 . 2009-06-17 18:27 38160 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2009-07-01 03:52 . 2009-07-01 23:26 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-07-01 03:52 . 2009-07-01 03:52 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-01 03:52 . 2009-06-17 18:27 19096 ----a-w- e:\windows\system32\drivers\mbam.sys
2009-07-01 03:50 . 2009-07-01 03:50 -------- d-----w- e:\program files\Trend Micro
2009-07-01 03:46 . 2009-07-01 03:46 -------- d-----w- e:\documents and settings\All Users\Application Data\PrevxCSI
2009-06-29 03:44 . 2009-06-29 03:44 -------- d-----w- e:\program files\IDM Computer Solutions
2009-06-29 03:44 . 2009-06-29 03:44 -------- d-----w- e:\documents and settings\Jay\Application Data\IDMComp
2009-06-29 03:25 . 2009-06-29 03:38 -------- d-----w- e:\program files\UltraEdit
2009-06-27 23:41 . 2009-06-27 23:41 -------- d-----w- e:\program files\TotalRecorder
2009-06-27 23:41 . 2006-05-18 04:53 54272 ----a-w- e:\windows\system32\DrvTrNTm.dll
2009-06-27 23:41 . 2006-05-11 17:48 106496 ----a-w- e:\windows\system32\DrvTrNTl.dll
2009-06-27 04:58 . 2009-06-27 04:58 -------- d-----w- e:\program files\WinSCP
2009-06-27 02:09 . 2009-06-27 02:09 -------- d-----w- e:\documents and settings\Jay\Local Settings\Application Data\Cranium
2009-06-27 01:56 . 2009-06-27 01:56 -------- d-----w- e:\documents and settings\Jay\Local Settings\Application Data\Cranium_Consulting_and_Cu
2009-06-27 01:56 . 2009-06-27 01:56 25214 ----a-r- e:\documents and settings\Jay\Application Data\Microsoft\Installer\{495B6040-801F-474C-ADB8-309F132CF5F9}\_29D232B856F0A1CBA486B8.exe
2009-06-27 01:56 . 2009-06-27 01:56 10398 ----a-r- e:\documents and settings\Jay\Application Data\Microsoft\Installer\{495B6040-801F-474C-ADB8-309F132CF5F9}\_3324690356DD71877A1B6A.exe
2009-06-27 01:56 . 2009-06-27 01:56 -------- d-----w- e:\program files\iPhoneBrowser
2009-06-25 23:28 . 2001-08-18 05:36 5632 ----a-w- e:\windows\system32\ptpusb.dll
2009-06-25 23:28 . 2008-04-13 17:45 15104 -c--a-w- e:\windows\system32\dllcache\usbscan.sys
2009-06-25 23:28 . 2008-04-13 17:45 15104 ----a-w- e:\windows\system32\drivers\usbscan.sys
2009-06-25 23:28 . 2008-04-13 23:12 159232 ----a-w- e:\windows\system32\ptpusd.dll
2009-06-24 23:53 . 2009-06-24 23:53 -------- d-----w- e:\program files\iPod
2009-06-24 23:53 . 2009-06-24 23:53 -------- d-----w- e:\program files\iTunes
2009-06-24 23:53 . 2009-06-24 23:53 -------- d-----w- e:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-24 23:49 . 2009-06-05 18:42 2060288 ----a-w- e:\windows\system32\usbaaplrc.dll
2009-06-15 00:11 . 2004-03-29 22:23 90112 ----a-w- e:\windows\unvise32.exe
2009-06-15 00:11 . 2009-06-15 00:11 -------- d-----w- e:\program files\SWiSHmax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-12 17:31 . 2009-02-06 00:43 -------- d-----w- e:\documents and settings\All Users\Application Data\_comodo_
2009-07-12 17:26 . 2009-07-12 17:26 32 --sha-w- e:\windows\system32\drivers\fidbox.idx
2009-07-04 00:58 . 2009-03-28 20:00 -------- d-----w- e:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-04 00:05 . 2009-03-28 20:00 -------- d-----w- e:\program files\Spybot - Search & Destroy
2009-07-03 15:34 . 2009-02-06 01:25 -------- d-----w- e:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-02 23:57 . 2009-03-01 16:40 -------- d-----w- e:\program files\dBpowerAMP
2009-06-29 23:52 . 2009-02-06 00:37 71448 ----a-w- e:\documents and settings\Jay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 16:07 . 2009-02-07 03:06 -------- d-----w- e:\program files\QuickTime
2009-06-28 16:00 . 2009-02-07 03:06 -------- d-----w- e:\documents and settings\All Users\Application Data\Apple Computer
2009-06-27 05:49 . 2009-02-28 02:03 8 ----a-w- e:\windows\system32\nvModes.dat
2009-06-24 23:53 . 2009-02-07 03:06 -------- d-----w- e:\program files\Common Files\Apple
2009-06-24 23:52 . 2009-02-07 03:07 -------- d-----w- e:\program files\Bonjour
2009-06-24 23:50 . 2009-02-07 03:06 -------- d-----w- e:\documents and settings\All Users\Application Data\Apple
2009-06-24 23:42 . 2009-02-07 03:07 -------- d-----w- e:\documents and settings\Jay\Application Data\Apple Computer
2009-06-18 00:54 . 2009-02-08 15:08 -------- d-----w- e:\program files\BitTornado
2009-06-06 02:31 . 2009-06-06 02:31 -------- d-----w- e:\program files\YouTube Downloader
2009-06-05 20:57 . 2009-06-05 20:57 75048 ----a-w- e:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-05 18:42 . 2009-02-07 03:06 39424 ----a-w- e:\windows\system32\drivers\usbaapl.sys
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- e:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-02-28 12:00 827392 ----a-w- e:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-02-28 12:00 78336 ----a-w- e:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- e:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-02-28 12:00 585216 ----a-w- e:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="e:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-02-06 1797880]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2008-08-01 86016]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"BtcMaestro"="e:\program files\HP Multimedia Keyboard\KMaestro.exe" [2005-02-21 245760]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"IntelliPoint"="e:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2008-08-01 13529088]
"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"RTHDCPL"="RTHDCPL.EXE" - e:\windows\RTHDCPL.exe [2008-07-31 16806912]

e:\documents and settings\Jay\Start Menu\Programs\Startup\
is-E47O5.lnk - e:\my programs\Setup Files\Antivirus_Spyware\Virus Removal Tool\is-E47O5\startup.exe [2009-7-1 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^FirePod Control Panel.lnk]
path=e:\documents and settings\All Users\Start Menu\Programs\Startup\FirePod Control Panel.lnk
backup=e:\windows\pss\FirePod Control Panel.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:*:Disabled:Adobe Version Cue CS3 Server

R1 cmdGuard;COMODO Internet Security Sandbox Driver;e:\windows\system32\drivers\cmdguard.sys [2/5/2009 5:42 PM 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;e:\windows\system32\drivers\cmdhlp.sys [2/5/2009 5:42 PM 31504]
R1 is-E47O5drv;is-E47O5drv;e:\windows\system32\drivers\68187028.sys [7/1/2009 6:40 PM 148496]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [7/2/2009 4:42 PM 108289]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;e:\windows\system32\drivers\nvhda32.sys [2/5/2009 5:34 PM 39456]
R3 SynasUSB;SynasUSB;e:\windows\system32\drivers\synasUSB.sys [2/7/2009 4:29 PM 23288]
S0 mrrcci;mrrcci;e:\windows\system32\drivers\kvobh.sys --> e:\windows\system32\drivers\kvobh.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page =
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = http=127.0.0.1:5757
IE: Append to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - e:\documents and settings\Jay\Application Data\Mozilla\Firefox\Profiles\v36y1g1r.default\
FF - prefs.js: browser.startup.homepage - hxxp://igoogle.com

---- FIREFOX POLICIES ----
e:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
e:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 10:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-789336058-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-07-12 10:33
ComboFix-quarantined-files.txt 2009-07-12 17:33

Pre-Run: 262,443,646,976 bytes free
Post-Run: 262,620,520,448 bytes free

233 --- E O F --- 2009-06-29 10:00

---------------------------------------------------------------------------------------------------------------------------------------------------------------


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-12 14:18:26
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xB656F906]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xB656EE66]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xB656F4C2]
SSDT BAF3CD5E ZwCreateKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xB656EBC0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xB6570DC0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xB656FAEC]
SSDT BAF3CD54 ZwCreateThread
SSDT BAF3CD63 ZwDeleteKey
SSDT BAF3CD6D ZwDeleteValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xB656E4F8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xB6570A42]
SSDT BAF3CD72 ZwLoadKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xB656F0AC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xB656F6FA]
SSDT BAF3CD40 ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xB656F33C]
SSDT BAF3CD45 ZwOpenThread
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xB6570496]
SSDT BAF3CD7C ZwReplaceKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xB656ECDE]
SSDT BAF3CD77 ZwRestoreKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xB65707FA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xB6570BF0]
SSDT BAF3CD68 ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xB656F046]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xB656F230]
SSDT BAF3CD4F ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xB656E958]

Code \??\E:\DOCUME~1\Jay\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? E:\DOCUME~1\Jay\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? E:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BA64A710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BA64A770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [BA64A990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BA64A950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [BA64A950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [BA64A770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [BA64A710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [BA64A990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [BA64A990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [BA64A950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [BA64A770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [BA64A710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BA64A950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BA64A990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BA64A710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BA64A770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BA64A710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BA64A770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BA64A950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BA64A990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BA64A950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BA64A770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BA64A710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [BA64A710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [BA64A770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [BA64A990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [BA64A950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [BA64A950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [BA64A990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [BA64A710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [BA64A770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Maestro1.sys (KeyMaestro Sys for Windows NT, 2000, .../BTC)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Maestro1.sys (KeyMaestro Sys for Windows NT, 2000, .../BTC)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

---- EOF - GMER 1.0.15 ----

#6 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 July 2009 - 08:47 PM

Hello.

ComboFix had removed a nasty infection.

Do you know what this folder is?
e:\my programs\Setup Files\Antivirus_Spyware\Virus Removal Tool\

You had installed spybot here?
e:\program files\Spy__Bot\

Backdoor Threat
I'm sorry to say that your computer was infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise changing the passwords for any accounts that you have accessed with the infected computer, using a clean computer, ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Peer-to-Peer Programs Warning
Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case BitTornado). These programs allow sharing files between users, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

Install Recovery Console and Run ComboFix with CFScript
We need to remove some leftovers.

Before continuing, we need to install the recovery console.
  • Go to Microsoft's Website and select the download that's appropriate for your Operating System.
  • Download and save the file as it is named on your desktop where ComboFix should be located.
  • Referring to the animation below, drag the Recovery Console setup file over ComboFix.exe.
  • At the prompt below, select No. ComboFix will close.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/238583/google-hijacks-and-updatesystem-restore-disabled/
    
    Suspect::[59]
    e:\my programs\Setup Files\Antivirus_Spyware\Virus Removal Tool\is-E47O5\startup.exe
    
    File::
    e:\windows\system32\drivers\68187028.sys
    
    Registry::
    
    Driver::
    mrrcci
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

With Regards,
The Panda
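The CFScript above targets two entries from the ComboFix log: the `mrrcci` service whose driver file ComboFix could not locate (the `--> ... [?]` form) and the digit-named driver `68187028.sys`. The script below is an added example, not part of the thread or of ComboFix, that parses ComboFix-style service and proxy lines and flags those patterns; the three heuristics it applies (missing service file, digits-only driver name, ProxyServer pointing at the loopback address) are this example's assumptions, and the sample lines are constructed copies of lines from the log above.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code).

Heuristics are assumptions of this example, useful for a first pass over a log,
not rules stated in the thread. A hit means "look at this entry", not "malware".
"""
import re
from dataclasses import dataclass

# Constructed sample: copies of service and "Supplementary Scan" lines from the
# ComboFix log posted above, plus one benign service line for contrast.
SAMPLE_LOG = r"""
R1 cmdGuard;COMODO Internet Security Sandbox Driver;e:\windows\system32\drivers\cmdguard.sys [2/5/2009 5:42 PM 101776]
R1 is-E47O5drv;is-E47O5drv;e:\windows\system32\drivers\68187028.sys [7/1/2009 6:40 PM 148496]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [7/2/2009 4:42 PM 108289]
S0 mrrcci;mrrcci;e:\windows\system32\drivers\kvobh.sys --> e:\windows\system32\drivers\kvobh.sys [?]
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = http=127.0.0.1:5757
"""

# "R1 name;display name;path [date size]"  or  "S0 name;display;path --> path [?]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
NUMERIC_SYS_RE = re.compile(r"^\d+\.sys$", re.IGNORECASE)
LOOPBACK_RE = re.compile(r"\b(?:127\.0\.0\.1|localhost):\d+", re.IGNORECASE)


@dataclass
class Finding:
    rule: str   # which heuristic fired
    item: str   # the service name, file name or proxy address concerned
    line: str   # the original log line, for the analyst to read


def parse_service(line):
    """Return a dict for a ComboFix service/driver line, or None if not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    body, sep, detail = rest.rpartition(" [")
    if not sep:                      # no trailing "[...]" block at all
        body, detail = rest, ""
    detail = detail.rstrip("]")
    # ComboFix writes "path --> path" and "[?]" when it cannot find the file.
    if " --> " in body:
        path, missing = body.split(" --> ", 1)[0], True
    else:
        path, missing = body, detail == "?"
    return {
        "start": m.group("start"),
        "name": m.group("name"),
        "display": m.group("display"),
        "path": path,
        "missing": missing,
        "detail": detail,
    }


def triage(log_text):
    """Run the three heuristics over every line and collect findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        svc = parse_service(line)
        if svc:
            fname = svc["path"].rsplit("\\", 1)[-1]
            if svc["missing"]:
                findings.append(Finding("service-file-missing", svc["name"], line))
            if NUMERIC_SYS_RE.match(fname):
                findings.append(Finding("numeric-driver-name", fname, line))
            continue
        pm = PROXY_RE.match(line)
        if pm:
            lm = LOOPBACK_RE.search(pm.group("value"))
            if lm:
                # A browser proxy on 127.0.0.1 means some local process sees
                # every HTTP request; worth identifying which one listens there.
                findings.append(Finding("loopback-proxy", lm.group(0), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.item}\n    {f.line}")
```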

#7 Vollmond

  • Topic Starter
  • Members
  • 9 posts

Posted 12 July 2009 - 10:16 PM

Panda, thanks again for your help. The "Virus Removal Tool" directory was simply where I put the Kaspersky setup files after I used the program in case I needed it again in the future.

I had issues installing/running SpyBot while the virus was still active so I changed the directory name before installing to see if that helped. I never ended up getting it to work so I removed it completely from my system.

That stinks about the backdoor trojan. I appreciate the research links and info on everything. I will most likely do a reformat and reinstall after we get this cleaned. It'll be good to clean up my hard drive and start from "scratch" again. However, I do have a question.

Is there much threat in backing up files (setup files, Word .doc's, .pdf's, pictures, audio files, etc.) on DVD or flash drive before doing a reformat/reinstall? I read the link that you provided but I wanted to be sure. Can the virus infect individual files that will carry the virus back onto the drive if I back them up and reinstall them from the DVD or flash drive later?

I was able to get the recovery console installed using the steps that you provided. Also, the CFScript.txt file worked and the program created another log for me. I've pasted it below for your review. Thanks again!

-- Vollmond

-------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 09-07-12.03 - Jay 07/12/2009 19:55.2.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3198.2486 [GMT -7:00]
Running from: e:\documents and settings\Jay\Desktop\ComboFix.exe
Command switches used :: e:\documents and settings\Jay\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
"e:\windows\system32\drivers\68187028.sys"

file zipped: e:\my programs\Setup Files\Antivirus_Spyware\Virus Removal Tool\is-E47O5\startup.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\windows\system32\drivers\68187028.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_mrrcci
-------\Legacy_is-E47O5drv
-------\Service_is-E47O5drv


((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
.

2009-07-12 17:26 . 2009-07-13 02:59 4616224 --sha-w- e:\windows\system32\drivers\fidbox.dat
2009-07-12 17:18 . 2009-07-12 17:33 -------- d-s---w- E:\Combo-Fix
2009-07-11 19:15 . 2009-07-11 19:15 -------- d-----w- e:\documents and settings\Jay\Application Data\Antares
2009-07-11 19:15 . 2009-07-11 19:15 -------- d-----w- e:\program files\Antares Audio Technologies
2009-07-11 19:14 . 2003-06-20 19:28 1777664 ----a-w- e:\windows\system32\gdiplus.dll
2009-07-02 23:42 . 2009-03-30 17:33 96104 ----a-w- e:\windows\system32\drivers\avipbb.sys
2009-07-02 23:42 . 2009-03-24 23:08 55640 ----a-w- e:\windows\system32\drivers\avgntflt.sys
2009-07-02 23:42 . 2009-02-13 19:29 22360 ----a-w- e:\windows\system32\drivers\avgntmgr.sys
2009-07-02 23:42 . 2009-02-13 19:17 45416 ----a-w- e:\windows\system32\drivers\avgntdd.sys
2009-07-02 23:42 . 2009-07-02 23:42 -------- d-----w- e:\program files\Avira
2009-07-02 23:42 . 2009-07-02 23:42 -------- d-----w- e:\documents and settings\All Users\Application Data\Avira
2009-07-02 01:52 . 2009-07-02 01:52 -------- d-----w- e:\documents and settings\Administrator\Application Data\IDMComp
2009-07-02 01:48 . 2009-07-02 01:48 -------- d-----w- e:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-02 01:07 . 2009-07-02 01:07 -------- d-----w- e:\program files\Enigma Software Group
2009-07-01 23:26 . 2009-07-01 23:26 -------- d-----w- e:\documents and settings\Jay\Application Data\Malwarebytes
2009-07-01 04:10 . 2009-07-01 04:10 -------- d-----w- e:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-01 03:52 . 2009-06-17 18:27 38160 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2009-07-01 03:52 . 2009-07-01 23:26 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-07-01 03:52 . 2009-07-01 03:52 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-01 03:52 . 2009-06-17 18:27 19096 ----a-w- e:\windows\system32\drivers\mbam.sys
2009-07-01 03:50 . 2009-07-01 03:50 -------- d-----w- e:\program files\Trend Micro
2009-07-01 03:46 . 2009-07-01 03:46 -------- d-----w- e:\documents and settings\All Users\Application Data\PrevxCSI
2009-06-29 03:44 . 2009-06-29 03:44 -------- d-----w- e:\program files\IDM Computer Solutions
2009-06-29 03:44 . 2009-06-29 03:44 -------- d-----w- e:\documents and settings\Jay\Application Data\IDMComp
2009-06-29 03:25 . 2009-06-29 03:38 -------- d-----w- e:\program files\UltraEdit
2009-06-27 23:41 . 2009-06-27 23:41 -------- d-----w- e:\program files\TotalRecorder
2009-06-27 23:41 . 2006-05-18 04:53 54272 ----a-w- e:\windows\system32\DrvTrNTm.dll
2009-06-27 23:41 . 2006-05-11 17:48 106496 ----a-w- e:\windows\system32\DrvTrNTl.dll
2009-06-27 04:58 . 2009-06-27 04:58 -------- d-----w- e:\program files\WinSCP
2009-06-27 02:09 . 2009-06-27 02:09 -------- d-----w- e:\documents and settings\Jay\Local Settings\Application Data\Cranium
2009-06-27 01:56 . 2009-06-27 01:56 -------- d-----w- e:\documents and settings\Jay\Local Settings\Application Data\Cranium_Consulting_and_Cu
2009-06-27 01:56 . 2009-06-27 01:56 25214 ----a-r- e:\documents and settings\Jay\Application Data\Microsoft\Installer\{495B6040-801F-474C-ADB8-309F132CF5F9}\_29D232B856F0A1CBA486B8.exe
2009-06-27 01:56 . 2009-06-27 01:56 10398 ----a-r- e:\documents and settings\Jay\Application Data\Microsoft\Installer\{495B6040-801F-474C-ADB8-309F132CF5F9}\_3324690356DD71877A1B6A.exe
2009-06-27 01:56 . 2009-06-27 01:56 -------- d-----w- e:\program files\iPhoneBrowser
2009-06-25 23:28 . 2001-08-18 05:36 5632 ----a-w- e:\windows\system32\ptpusb.dll
2009-06-25 23:28 . 2008-04-13 17:45 15104 -c--a-w- e:\windows\system32\dllcache\usbscan.sys
2009-06-25 23:28 . 2008-04-13 17:45 15104 ----a-w- e:\windows\system32\drivers\usbscan.sys
2009-06-25 23:28 . 2008-04-13 23:12 159232 ----a-w- e:\windows\system32\ptpusd.dll
2009-06-24 23:53 . 2009-06-24 23:53 -------- d-----w- e:\program files\iPod
2009-06-24 23:53 . 2009-06-24 23:53 -------- d-----w- e:\program files\iTunes
2009-06-24 23:53 . 2009-06-24 23:53 -------- d-----w- e:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-24 23:49 . 2009-06-05 18:42 2060288 ----a-w- e:\windows\system32\usbaaplrc.dll
2009-06-15 00:11 . 2004-03-29 22:23 90112 ----a-w- e:\windows\unvise32.exe
2009-06-15 00:11 . 2009-06-15 00:11 -------- d-----w- e:\program files\SWiSHmax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 02:59 . 2009-07-12 17:26 59348 --sha-w- e:\windows\system32\drivers\fidbox.idx
2009-07-12 21:46 . 2009-02-06 00:43 -------- d-----w- e:\documents and settings\All Users\Application Data\_comodo_
2009-07-04 00:58 . 2009-03-28 20:00 -------- d-----w- e:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-04 00:05 . 2009-03-28 20:00 -------- d-----w- e:\program files\Spybot - Search & Destroy
2009-07-03 15:34 . 2009-02-06 01:25 -------- d-----w- e:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-02 23:57 . 2009-03-01 16:40 -------- d-----w- e:\program files\dBpowerAMP
2009-06-29 23:52 . 2009-02-06 00:37 71448 ----a-w- e:\documents and settings\Jay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 16:07 . 2009-02-07 03:06 -------- d-----w- e:\program files\QuickTime
2009-06-28 16:00 . 2009-02-07 03:06 -------- d-----w- e:\documents and settings\All Users\Application Data\Apple Computer
2009-06-27 05:49 . 2009-02-28 02:03 8 ----a-w- e:\windows\system32\nvModes.dat
2009-06-24 23:53 . 2009-02-07 03:06 -------- d-----w- e:\program files\Common Files\Apple
2009-06-24 23:52 . 2009-02-07 03:07 -------- d-----w- e:\program files\Bonjour
2009-06-24 23:50 . 2009-02-07 03:06 -------- d-----w- e:\documents and settings\All Users\Application Data\Apple
2009-06-24 23:42 . 2009-02-07 03:07 -------- d-----w- e:\documents and settings\Jay\Application Data\Apple Computer
2009-06-18 00:54 . 2009-02-08 15:08 -------- d-----w- e:\program files\BitTornado
2009-06-06 02:31 . 2009-06-06 02:31 -------- d-----w- e:\program files\YouTube Downloader
2009-06-05 20:57 . 2009-06-05 20:57 75048 ----a-w- e:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-05 18:42 . 2009-02-07 03:06 39424 ----a-w- e:\windows\system32\drivers\usbaapl.sys
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- e:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-02-28 12:00 827392 ----a-w- e:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-02-28 12:00 78336 ----a-w- e:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- e:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-02-28 12:00 585216 ----a-w- e:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-12_17.32.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-02-28 12:00 . 2009-07-12 17:30 68404 e:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2009-07-12 21:45 68404 e:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2009-07-12 21:45 435760 e:\windows\system32\perfh009.dat
- 2006-02-28 12:00 . 2009-07-12 17:30 435760 e:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="e:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-02-06 1797880]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2008-08-01 86016]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"BtcMaestro"="e:\program files\HP Multimedia Keyboard\KMaestro.exe" [2005-02-21 245760]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"IntelliPoint"="e:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2008-08-01 13529088]
"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"RTHDCPL"="RTHDCPL.EXE" - e:\windows\RTHDCPL.exe [2008-07-31 16806912]

e:\documents and settings\Jay\Start Menu\Programs\Startup\
is-E47O5.lnk - e:\my programs\Setup Files\Antivirus_Spyware\Virus Removal Tool\is-E47O5\startup.exe [2009-7-1 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^FirePod Control Panel.lnk]
path=e:\documents and settings\All Users\Start Menu\Programs\Startup\FirePod Control Panel.lnk
backup=e:\windows\pss\FirePod Control Panel.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:*:Disabled:Adobe Version Cue CS3 Server

R1 cmdGuard;COMODO Internet Security Sandbox Driver;e:\windows\system32\drivers\cmdguard.sys [2/5/2009 5:42 PM 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;e:\windows\system32\drivers\cmdhlp.sys [2/5/2009 5:42 PM 31504]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [7/2/2009 4:42 PM 108289]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;e:\windows\system32\drivers\nvhda32.sys [2/5/2009 5:34 PM 39456]
R3 SynasUSB;SynasUSB;e:\windows\system32\drivers\synasUSB.sys [2/7/2009 4:29 PM 23288]
.
.
------- Supplementary Scan -------
.
uStart Page =
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = http=127.0.0.1:5757
IE: Append to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - e:\documents and settings\Jay\Application Data\Mozilla\Firefox\Profiles\v36y1g1r.default\
FF - prefs.js: browser.startup.homepage - hxxp://igoogle.com

---- FIREFOX POLICIES ----
e:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
e:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 20:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-789336058-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2556)
e:\progra~1\WINDOW~2\wmpband.dll
e:\windows\system32\WPDShServiceObj.dll
e:\program files\WinSCP\DragExt.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Avira\AntiVir Desktop\avguard.exe
e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
e:\program files\Bonjour\mDNSResponder.exe
e:\program files\COMODO\COMODO Internet Security\cmdagent.exe
e:\windows\system32\nvsvc32.exe
e:\windows\system32\rundll32.exe
e:\program files\Microsoft IntelliPoint\dpupdchk.exe
e:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
e:\program files\iPod\bin\iPodService.exe
e:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-13 20:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-13 03:04
ComboFix2.txt 2009-07-12 17:33

Pre-Run: 265,902,030,848 bytes free
Post-Run: 265,764,319,232 bytes free

260 --- E O F --- 2009-06-29 10:00
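
Three lines in the ComboFix log above are the ones a responder would pull out first: the IE proxy set to a loopback address (`uInternet Settings,ProxyServer = http=127.0.0.1:5757`), which puts a local process in the browser's HTTP path and is one mechanism by which search results get redirected; the startup-folder shortcut whose target lives outside Program Files; and, in the DDS log further down, a BHO registration with "No File". The script below is an added example written for this thread, not code from DDS, ComboFix or any poster. It scans DDS/ComboFix-style lines for exactly those patterns and goes a little beyond this thread's lines (multi-entry proxy strings, bare file names in Run keys). The regexes for the line shapes, the `TRUSTED_PREFIXES` list and the helper names are assumptions made here, and `SAMPLE_LOG` is constructed from lines copied out of the posted logs plus one benign Adobe BHO line. It does not decide what is malicious; it only says what to verify next.

```python
"""Triage checks for DDS / ComboFix style log lines (added example, not a DDS or
ComboFix feature). Line shapes and the trusted-directory list are assumptions."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: lines copied from the logs posted in this thread, plus one
# Adobe BHO line that should not be flagged. DDS defangs URLs as "hxxp".
SAMPLE_LOG = r"""
uStart Page =
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = http=127.0.0.1:5757
BHO: This BHO has been enabled by BHODemon. - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mRun: [avgnt] "e:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RTHDCPL] RTHDCPL.EXE
StartupFolder: e:\docume~1\jay\startm~1\programs\startup\is-e47o5.lnk - e:\my programs\setup files\antivirus_spyware\virus removal tool\is-e47o5\startup.exe
FF - prefs.js: browser.startup.homepage - hxxp://igoogle.com
"""


@dataclass
class Finding:
    line: str
    reason: str


PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S.*)$")
# One "scheme=host:port" or "host:port" entry; IE stores several separated by ';'.
PROXY_ENTRY_RE = re.compile(r"(?:(?P<scheme>[a-z]+)=)?(?P<host>[^:;\s]+):(?P<port>\d{1,5})")
BHO_RE = re.compile(r"^BHO:\s*(?P<name>.+?)\s+-\s+(?P<target>.+)$")
AUTOSTART_RE = re.compile(r"^(?P<kind>[um]Run|StartupFolder):\s*(?:\[[^\]]*\]\s*)?(?P<rest>.+)$")
PATH_RE = re.compile(r'"(?P<quoted>[^"]+)"|(?P<bare>\S+)')

# Assumption: on a stock XP box autostart targets are expected under these
# directories; anything else is not necessarily bad, but needs a look.
TRUSTED_PREFIXES = ("\\program files\\", "\\progra~1\\", "\\windows\\")


def is_loopback(host: str) -> bool:
    """True for 'localhost' or any loopback address (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def proxy_findings(line: str) -> list:
    """Flag proxy entries that route browser traffic through a local listener."""
    m = PROXY_RE.search(line)
    if not m:
        return []
    out = []
    for e in PROXY_ENTRY_RE.finditer(m["value"]):
        if is_loopback(e["host"]):
            scheme = e["scheme"] or "all"
            out.append(Finding(line, f"{scheme} traffic proxied through a local listener on port "
                                     f"{e['port']}: find the PID bound to that port (netstat -ano)"))
    return out


def bho_findings(line: str) -> list:
    """Flag BHO registrations whose DLL is gone ('No File' in DDS output)."""
    m = BHO_RE.match(line)
    if m and m["target"].strip().lower() == "no file":
        return [Finding(line, f"orphaned BHO registration ({m['name']}): CLSID registered, no DLL on disk")]
    return []


def autostart_findings(line: str) -> list:
    """Flag Run-key and Startup-folder targets outside the expected directories."""
    m = AUTOSTART_RE.match(line)
    if not m:
        return []
    rest = m["rest"]
    if m["kind"] == "StartupFolder":
        # DDS prints "<shortcut>.lnk - <target>"; the target is what actually runs.
        rest = rest.rsplit(" - ", 1)[-1]
    pm = PATH_RE.match(rest)
    target = (pm["quoted"] or pm["bare"]).lower()
    if "\\" not in target:
        return [Finding(line, f"bare file name {target!r}: resolved by the loader's search order, "
                              "not a fixed path; confirm which file actually runs")]
    if not any(p in target for p in TRUSTED_PREFIXES):
        return [Finding(line, f"autostart target outside Program Files/Windows: {target}")]
    return []


def triage(log_text: str) -> list:
    """Run every check over each non-empty line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            for check in (proxy_findings, bho_findings, autostart_findings):
                findings.extend(check(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run as-is it reports four items from the sample: the loopback proxy on port 5757, the orphaned BHODemon entry, the bare `RTHDCPL.EXE` Run value, and the `is-e47o5\startup.exe` shortcut target. A corporate proxy such as `proxy.corp.example:8080` produces nothing, which is the point: the check is about where the proxy lives, not whether one is set.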

#8 PropagandaPanda
  • Malware Response Team

Posted 13 July 2009 - 08:10 AM

Hello.

Data files can be backed up safely. The worst that can happen is that they don't open. Do not back up any program files though, as they can potentially be infected with malicious code.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Please take a new DDS log after. Include the Attach.txt.

Any problems at the moment?

With Regards,
The Panda

#9 Vollmond
  • Topic Starter

Posted 13 July 2009 - 08:59 PM

Panda, I attempted several times to run the Kaspersky tool, but it would not install. It kept prompting me to download Java, despite the fact that I updated both the JRE and Java plugins... I even attempted it through IE7 instead of Firefox, but to no avail. I restarted the computer, restarted Firefox, and nothing seemed to work to allow Kaspersky to download.

I checked my Firefox settings and it allows Java, so I'm not sure where the issue is. Any suggestions or alternatives? Thanks.

-- Vollmond

#10 PropagandaPanda
  • Malware Response Team

Posted 14 July 2009 - 08:07 AM

Hello.

Let's try installing the newest Java.

Update Java to Version 6 Update 14
Your current version of Java is outdated. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.

With Regards,
The Panda

#11 Vollmond
  • Topic Starter

Posted 14 July 2009 - 08:00 PM

Panda, thanks for the suggestion. I was able to get it to install Java correctly after uninstalling it. I've attached the Kaspersky Online log and the new DDS log. I've also attached the DDS log as instructed. Please let me know if there's anything else that you need or what our next step is. Thank you!

-- Vollmond

-------------------------------------------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, July 14, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, July 14, 2009 22:51:05
Records in database: 2468838
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Program Files
E:\Documents and Settings\All Users\Start Menu\Programs\Startup
E:\Documents and Settings\Jay\Start Menu\Programs\Startup
E:\Program Files
E:\WINDOWS

Scan statistics:
Files scanned: 129346
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:14:11

No malware has been detected. The scan area is clean.

The selected area was scanned.



----------------------------------------------------------------------------------------------------------------------------


DDS (Ver_09-06-26.01) - NTFSx86
Run by Jay at 17:55:26.81 on Tue 07/14/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3198.2326 [GMT -7:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
E:\Program Files\Avira\AntiVir Desktop\avguard.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\COMODO\COMODO Internet Security\cfp.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\HP Multimedia Keyboard\KMaestro.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Java\jre6\bin\java.exe
E:\Program Files\iTunes\iTunes.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Documents and Settings\Jay\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = http=127.0.0.1:5757
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - e:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: This BHO has been enabled by BHODemon. - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: This BHO has been enabled by BHODemon. - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - e:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [COMODO Internet Security] "e:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [BtcMaestro] "e:\program files\hp multimedia keyboard\KMaestro.exe"
mRun: [Acrobat Assistant 8.0] "e:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] e:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [IntelliPoint] "e:\program files\microsoft intellipoint\ipoint.exe"
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "e:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "e:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "e:\program files\java\jre6\bin\jusched.exe"
StartupFolder: e:\docume~1\jay\startm~1\programs\startup\is-e47o5.lnk - e:\my programs\setup files\antivirus_spyware\virus removal tool\is-e47o5\startup.exe
IE: Append to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - e:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\jay\applic~1\mozilla\firefox\profiles\v36y1g1r.default\
FF - prefs.js: browser.startup.homepage - hxxp://igoogle.com
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
e:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
e:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
e:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
e:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
e:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
e:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;e:\program files\avira\antivir desktop\avgio.sys [2009-7-2 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;e:\windows\system32\drivers\cmdguard.sys [2009-2-5 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;e:\windows\system32\drivers\cmdhlp.sys [2009-2-5 31504]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\avira\antivir desktop\sched.exe [2009-7-2 108289]
R2 AntiVirService;Avira AntiVir Guard;e:\program files\avira\antivir desktop\avguard.exe [2009-7-2 185089]
R2 avgntflt;avgntflt;e:\windows\system32\drivers\avgntflt.sys [2009-7-2 55640]
R2 cmdAgent;COMODO Internet Security Helper Service;e:\program files\comodo\comodo internet security\cmdagent.exe [2009-2-5 618232]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;e:\windows\system32\drivers\nvhda32.sys [2009-2-5 39456]
R3 SynasUSB;SynasUSB;e:\windows\system32\drivers\synasUSB.sys [2009-2-7 23288]
S3 pae_1394;pae_1394;e:\windows\system32\drivers\pae_1394.sys [2009-2-6 123440]
S3 pae_avs;pae_avs;e:\windows\system32\drivers\pae_avs.sys [2009-2-6 51248]

=============== Created Last 30 ================

2009-07-14 15:51 73,728 a------- e:\windows\system32\javacpl.cpl
2009-07-13 19:08 664 a------- e:\windows\system32\d3d9caps.dat
2009-07-13 16:08 410,984 a------- e:\windows\system32\deploytk.dll
2009-07-12 10:32 <DIR> -cd----- e:\windows\system32\dllcache\cache
2009-07-12 10:26 4,616,224 a--sh--- e:\windows\system32\drivers\fidbox.dat
2009-07-12 10:26 59,348 a--sh--- e:\windows\system32\drivers\fidbox.idx
2009-07-12 10:18 161,792 a------- e:\windows\SWREG.exe
2009-07-12 10:18 155,136 a------- e:\windows\PEV.exe
2009-07-12 10:18 98,816 a------- e:\windows\sed.exe
2009-07-12 10:18 <DIR> --ds---- E:\Combo-Fix
2009-07-11 12:15 <DIR> --d----- e:\docume~1\jay\applic~1\Antares
2009-07-11 12:15 <DIR> --d----- e:\program files\Antares Audio Technologies
2009-07-11 12:14 1,777,664 a------- e:\windows\system32\gdiplus.dll
2009-07-02 16:42 55,640 a------- e:\windows\system32\drivers\avgntflt.sys
2009-07-02 16:42 <DIR> --d----- e:\program files\Avira
2009-07-02 16:42 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Avira
2009-07-01 18:07 335 a------- E:\spyhunter.fix
2009-07-01 18:07 <DIR> --d----- e:\program files\Enigma Software Group
2009-07-01 16:26 <DIR> --d----- e:\docume~1\jay\applic~1\Malwarebytes
2009-06-30 20:52 38,160 a------- e:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 20:52 19,096 a------- e:\windows\system32\drivers\mbam.sys
2009-06-30 20:52 <DIR> --d----- e:\program files\Malwarebytes' Anti-Malware
2009-06-30 20:52 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-30 20:50 <DIR> --d----- e:\program files\Trend Micro
2009-06-30 20:46 <DIR> --d----- e:\docume~1\alluse~1\applic~1\PrevxCSI
2009-06-30 20:46 62 a------- e:\windows\wininit.ini
2009-06-28 20:44 <DIR> --d----- e:\program files\IDM Computer Solutions
2009-06-28 20:25 <DIR> --d----- e:\program files\UltraEdit
2009-06-27 16:41 106,496 a------- e:\windows\system32\DrvTrNTl.dll
2009-06-27 16:41 54,272 a------- e:\windows\system32\DrvTrNTm.dll
2009-06-27 16:41 <DIR> --d----- e:\program files\TotalRecorder
2009-06-26 21:58 <DIR> --d----- e:\program files\WinSCP
2009-06-26 18:56 <DIR> --d----- e:\program files\iPhoneBrowser
2009-06-25 16:28 5,632 a------- e:\windows\system32\ptpusb.dll
2009-06-25 16:28 15,104 ac------ e:\windows\system32\dllcache\usbscan.sys
2009-06-25 16:28 15,104 a------- e:\windows\system32\drivers\usbscan.sys
2009-06-25 16:28 159,232 a------- e:\windows\system32\ptpusd.dll
2009-06-24 16:53 <DIR> --d----- e:\program files\iPod
2009-06-24 16:53 <DIR> --d----- e:\program files\iTunes
2009-06-24 16:53 <DIR> --d----- e:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-24 16:49 2,060,288 a------- e:\windows\system32\usbaaplrc.dll

==================== Find3M ====================

2009-06-05 11:42 39,424 a------- e:\windows\system32\drivers\usbaapl.sys
2009-05-07 08:32 345,600 a------- e:\windows\system32\localspl.dll
2009-04-28 21:56 827,392 a------- e:\windows\system32\wininet.dll
2009-04-28 21:55 78,336 a------- e:\windows\system32\ieencode.dll
2009-04-17 05:26 1,847,168 a------- e:\windows\system32\win32k.sys
2009-03-17 20:03 47,360 a------- e:\docume~1\jay\applic~1\pcouffin.sys
2009-03-17 16:42 87,608 a------- e:\docume~1\jay\applic~1\ezpinst.exe

============= FINISH: 17:55:52.06 ===============




#12 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:46 PM

Posted 14 July 2009 - 08:10 PM

Hello Vollmond

That looks good. Unless there are any issues at the moment, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    ComboFix /u

Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear the System Restore cache and create a new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#13 Vollmond
  • Topic Starter
  • Members
  • 9 posts
  • Local time:12:46 PM

Posted 15 July 2009 - 07:02 PM

Panda, things have been working well since we've been going through these steps. I attempted to uninstall ComboFix, however I got the following errors:

<32788R22FWJFW\hidec.exe>
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I get several instances of this error and then an alert box:

"!! ALERT !! It is NOT SAFE to continue!
The contents of the ComboFix package has been compromised.
Please download a fresh copy from:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: You may be infected with a file patching virus 'Virut'"


Any thoughts on this? Is it possible that I still have an infection that's causing an issue? Or could it be that it can't find the files because I had already deleted the ComboFix.exe file as instructed a few days ago? I had to download a new copy from your website to get the "ComboFix /u" command to run. I've run it several times with new copies and it continues to give the same error messages.

Thanks.

-- Vollmond

#14 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:46 PM

Posted 16 July 2009 - 09:03 AM

Hello.

I'm almost certain that you are not infected with Virut. Kaspersky would have found that.

Let's use OTCleanIt instead.

Download and Run OTCleanIt
This program will remove the tools we have used.
  • Download OTCleanIt by OldTimer to your desktop.
  • Double click OTC.exe to start the program.
  • Click the big CleanUp! button.
  • When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Delete the file after use, if it did not delete itself.

Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Let's have one last DDS log just to make sure.

With Regards,
The Panda

#15 Vollmond
  • Topic Starter
  • Members
  • 9 posts
  • Local time:12:46 PM

Posted 16 July 2009 - 06:19 PM

Panda, thanks again for your help with this. It appears that everything ran smoothly with Old Timer's program. I did have to find the program from the Geeks To Go website, however. The hyperlink that you provided did not work, and gave me the 404 error.

Anyways, everything appears to be working well. Below is my DDS log as instructed. Please let me know if you need anything else. Thanks!

-- Vollmond

-----------------------------------------------------------------------------------------------------------------------


DDS (Ver_09-06-26.01) - NTFSx86
Run by Jay at 16:15:03.42 on Thu 07/16/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3198.2592 [GMT -7:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\HP Multimedia Keyboard\KMaestro.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\Program Files\Avira\AntiVir Desktop\avguard.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Documents and Settings\Jay\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = http=127.0.0.1:5757
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - e:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: This BHO has been enabled by BHODemon. - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: This BHO has been enabled by BHODemon. - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - e:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [COMODO Internet Security] "e:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [BtcMaestro] "e:\program files\hp multimedia keyboard\KMaestro.exe"
mRun: [Acrobat Assistant 8.0] "e:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] e:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [IntelliPoint] "e:\program files\microsoft intellipoint\ipoint.exe"
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "e:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "e:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "e:\program files\java\jre6\bin\jusched.exe"
StartupFolder: e:\docume~1\jay\startm~1\programs\startup\is-e47o5.lnk - e:\my programs\setup files\antivirus_spyware\virus removal tool\is-e47o5\startup.exe
IE: Append to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - e:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\jay\applic~1\mozilla\firefox\profiles\v36y1g1r.default\
FF - prefs.js: browser.startup.homepage - hxxp://igoogle.com
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
e:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
e:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
e:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
e:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
e:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
e:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;e:\program files\avira\antivir desktop\avgio.sys [2009-7-2 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;e:\windows\system32\drivers\cmdguard.sys [2009-2-5 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;e:\windows\system32\drivers\cmdhlp.sys [2009-2-5 31504]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\avira\antivir desktop\sched.exe [2009-7-2 108289]
R2 AntiVirService;Avira AntiVir Guard;e:\program files\avira\antivir desktop\avguard.exe [2009-7-2 185089]
R2 avgntflt;avgntflt;e:\windows\system32\drivers\avgntflt.sys [2009-7-2 55640]
R2 cmdAgent;COMODO Internet Security Helper Service;e:\program files\comodo\comodo internet security\cmdagent.exe [2009-2-5 618232]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;e:\windows\system32\drivers\nvhda32.sys [2009-2-5 39456]
R3 SynasUSB;SynasUSB;e:\windows\system32\drivers\synasUSB.sys [2009-2-7 23288]
S3 pae_1394;pae_1394;e:\windows\system32\drivers\pae_1394.sys [2009-2-6 123440]
S3 pae_avs;pae_avs;e:\windows\system32\drivers\pae_avs.sys [2009-2-6 51248]

=============== Created Last 30 ================

2009-07-15 16:43 <DIR> --d----- E:\32788R22FWJFW.1.tmp
2009-07-15 16:41 <DIR> --d----- E:\32788R22FWJFW.0.tmp
2009-07-14 15:51 73,728 a------- e:\windows\system32\javacpl.cpl
2009-07-13 19:08 664 a------- e:\windows\system32\d3d9caps.dat
2009-07-13 16:08 410,984 a------- e:\windows\system32\deploytk.dll
2009-07-12 10:32 <DIR> -cd----- e:\windows\system32\dllcache\cache
2009-07-12 10:26 4,616,224 a--sh--- e:\windows\system32\drivers\fidbox.dat
2009-07-12 10:26 59,348 a--sh--- e:\windows\system32\drivers\fidbox.idx
2009-07-12 10:18 155,136 a------- e:\windows\PEV.exe
2009-07-12 10:18 <DIR> --ds---- E:\Combo-Fix
2009-07-11 12:15 <DIR> --d----- e:\docume~1\jay\applic~1\Antares
2009-07-11 12:15 <DIR> --d----- e:\program files\Antares Audio Technologies
2009-07-11 12:14 1,777,664 a------- e:\windows\system32\gdiplus.dll
2009-07-02 16:42 55,640 a------- e:\windows\system32\drivers\avgntflt.sys
2009-07-02 16:42 <DIR> --d----- e:\program files\Avira
2009-07-02 16:42 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Avira
2009-07-01 18:07 335 a------- E:\spyhunter.fix
2009-07-01 18:07 <DIR> --d----- e:\program files\Enigma Software Group
2009-07-01 16:26 <DIR> --d----- e:\docume~1\jay\applic~1\Malwarebytes
2009-06-30 20:52 38,160 a------- e:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 20:52 19,096 a------- e:\windows\system32\drivers\mbam.sys
2009-06-30 20:52 <DIR> --d----- e:\program files\Malwarebytes' Anti-Malware
2009-06-30 20:52 <DIR> --d----- e:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-30 20:50 <DIR> --d----- e:\program files\Trend Micro
2009-06-30 20:46 <DIR> --d----- e:\docume~1\alluse~1\applic~1\PrevxCSI
2009-06-30 20:46 62 a------- e:\windows\wininit.ini
2009-06-28 20:44 <DIR> --d----- e:\program files\IDM Computer Solutions
2009-06-28 20:25 <DIR> --d----- e:\program files\UltraEdit
2009-06-27 16:41 106,496 a------- e:\windows\system32\DrvTrNTl.dll
2009-06-27 16:41 54,272 a------- e:\windows\system32\DrvTrNTm.dll
2009-06-27 16:41 <DIR> --d----- e:\program files\TotalRecorder
2009-06-26 21:58 <DIR> --d----- e:\program files\WinSCP
2009-06-26 18:56 <DIR> --d----- e:\program files\iPhoneBrowser
2009-06-25 16:28 5,632 a------- e:\windows\system32\ptpusb.dll
2009-06-25 16:28 15,104 ac------ e:\windows\system32\dllcache\usbscan.sys
2009-06-25 16:28 15,104 a------- e:\windows\system32\drivers\usbscan.sys
2009-06-25 16:28 159,232 a------- e:\windows\system32\ptpusd.dll
2009-06-24 16:53 <DIR> --d----- e:\program files\iPod
2009-06-24 16:53 <DIR> --d----- e:\program files\iTunes
2009-06-24 16:53 <DIR> --d----- e:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-24 16:49 2,060,288 a------- e:\windows\system32\usbaaplrc.dll

==================== Find3M ====================

2009-06-05 11:42 39,424 a------- e:\windows\system32\drivers\usbaapl.sys
2009-05-07 08:32 345,600 a------- e:\windows\system32\localspl.dll
2009-04-28 21:56 827,392 a------- e:\windows\system32\wininet.dll
2009-04-28 21:55 78,336 a------- e:\windows\system32\ieencode.dll
2009-03-17 20:03 47,360 a------- e:\docume~1\jay\applic~1\pcouffin.sys
2009-03-17 16:42 87,608 a------- e:\docume~1\jay\applic~1\ezpinst.exe

============= FINISH: 16:15:24.57 ===============
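The "Pseudo HJT Report" section of the DDS logs in this thread is the part a responder reads line by line: proxy settings, Browser Helper Objects, Run keys and Startup-folder shortcuts. The script below is an added example and is not part of this thread, of the DDS tool, or of any post above. It extracts that section, splits each line into a typed entry and lists the items that deserve a manual look: a proxy pointing at the local machine, a BHO registered with no file behind it, and autostart entries that are bare names or live outside the usual program directories. The sample input is constructed from lines in the format of the logs above; the flag names and the trusted-directory list are my own choices, not DDS conventions, and a flag is a prompt to check, not a verdict (the same lines appear for legitimate software, such as the Kaspersky removal tool the poster installed).

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; it is not part of the DDS tool or of any
post above. It pulls the Pseudo HJT Report section out of a DDS log,
splits each line into a typed entry, and flags the items a malware
responder would verify by hand. A flag means "check this", not "this is
malicious": the same lines also appear for legitimate software.
"""
import re
from dataclasses import dataclass

# Constructed sample in the DDS format shown in the thread; the paths and
# values are copied from the log lines above, not taken from a live machine.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page =
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = http=127.0.0.1:5757
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: This BHO has been enabled by BHODemon. - No File
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avgnt] "e:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: e:\docume~1\jay\startm~1\programs\startup\is-e47o5.lnk - e:\my programs\setup files\antivirus_spyware\virus removal tool\is-e47o5\startup.exe

================= FIREFOX ===================

FF - prefs.js: browser.startup.homepage - hxxp://igoogle.com
"""

SECTION_HEADER = re.compile(r"^=+\s*(.*?)\s*=+$")
KEY_VALUE = re.compile(r"^([^:\[]+?)\s*=\s*(.*)$")   # "uInternet Settings,ProxyServer = ..."
LOOPBACK = re.compile(r"(?:^|=)(?:127\.\d+\.\d+\.\d+|localhost)(?::\d+)?", re.I)
# Directories an autostart entry is expected to live in on a default XP install (my choice).
TRUSTED_DIRS = ("\\program files\\", "\\progra~1\\", "\\windows\\", "%windir%")


@dataclass
class Entry:
    kind: str    # DDS prefix: "BHO", "mRun", "StartupFolder", "uInternet Settings", ...
    name: str    # label of the entry (BHO name, Run value name, shortcut path)
    target: str  # file, command line or setting value; "" when empty


def extract_section(log, title):
    """Return the non-empty lines of the '=== title ===' section of a DDS log."""
    lines, collecting = [], False
    for raw in log.splitlines():
        line = raw.strip()
        header = SECTION_HEADER.match(line)
        if header:
            collecting = title.lower() in header.group(1).lower()
            continue
        if collecting and line:
            lines.append(line)
    return lines


def parse_entry(line):
    """Split one report line into an Entry(kind, name, target)."""
    kv = KEY_VALUE.match(line)
    if kv:                                   # "uStart Page =" or "uInternet Settings,Key = value"
        kind, _, name = kv.group(1).partition(",")
        return Entry(kind.strip(), name.strip(), kv.group(2).strip())
    kind, _, rest = line.partition(": ")
    if rest.startswith("["):                 # "mRun: [Name] command line"
        name, _, command = rest[1:].partition("] ")
        return Entry(kind, name, command.strip())
    if " - " in rest:                        # "BHO: Name: {clsid} - path" or "... - No File"
        name, _, target = rest.rpartition(" - ")
        return Entry(kind, name.strip(), target.strip())
    return Entry(kind, rest.strip(), "")


def parse_hjt_report(log):
    return [parse_entry(line) for line in extract_section(log, "Pseudo HJT Report")]


def triage(entries):
    """Return (reason, what) pairs for entries worth a manual look."""
    findings = []
    for e in entries:
        if e.kind.endswith("Internet Settings") and e.name == "ProxyServer" and LOOPBACK.search(e.target):
            # A proxy on the local machine means some local process sits between the browser
            # and the network; confirm which program listens on that port.
            findings.append(("loopback-proxy", e.target))
        elif e.kind == "BHO" and e.target == "No File":
            # Registration with no file behind it: a leftover of an uninstall or of a cleanup.
            findings.append(("bho-no-file", e.name))
        elif e.kind in ("uRun", "mRun", "StartupFolder"):
            path = e.target.lower()
            if "\\" not in path:
                findings.append(("autostart-bare-name", e.name))   # resolved via PATH, location unknown
            elif not any(d in path for d in TRUSTED_DIRS):
                findings.append(("autostart-untrusted-path", e.name))
    return findings


if __name__ == "__main__":
    for reason, what in triage(parse_hjt_report(SAMPLE_LOG)):
        print(f"{reason:26} {what}")
```

Run it against a full DDS log by reading the file into `parse_hjt_report`; the section regex only recognises the `=== title ===` headers, so the `---- FIREFOX POLICIES ----` block and the file listings are ignored.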



