
Clamwin results: Trojan.Agent-119428 FOUND


  • This topic is locked
20 replies to this topic

#1 GidgNMoon

GidgNMoon

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:30 AM

Posted 18 July 2009 - 08:02 PM

Hello,

I am new to this forum and web site. I was doing something stupid yesterday downloading freeware I should not have (MP3/WMA decoder) and all of a sudden my Windows firewall notification popped up and said it needed to be turned on. After that AVG went nuts with a window scrolling files that it said were infected.

Something in the data said "brave sentry" so I did a google search for it and found a fix on your site. I followed the instructions and afterward, did a Spybot, Malwarebytes, windows defender, and AVG scan and they all said I was clean. Then, this morning, AVG pops up with more files it says are infected and they all appear to be legitimate .exe files. So my husband and I got suspicious and decided to uninstall AVG. We then installed clamwin and did a full scan. Clamwin found 1 virus and here is where/what it says it is:
c:\windows\softwaredistribution\download\e9500597a78495f397efb821e37bf356\userinit.exe

So far, there doesn't "seem" to be any symptoms, good, bad or otherwise other than that AVG pop-up. And I know that Clamwin sometimes finds false positives, but I wanted to be sure that we don't have some insidious virus lurking in the background somewhere.

Thank you,
Carol & Jim



Here is my dds.txt report (I have attached the attach.txt report):

DDS (Ver_09-06-26.01) - FAT32x86
Run by Rice Jim and Carol at 17:18:38.23 on Sat 07/18/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.213 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\F5InstallerService.exe
C:\WINDOWS\system32\F5FltSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI.EXE
C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI .exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2009 Deluxe\Planner\PLNRnote.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteui .exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\ClamWin\bin\ClamWin.exe
C:\Program Files\ClamWin\bin\clamscan.exe
C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Rice Jim and Carol\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = file:///C:/Documents%20and%20Settings/Rice%20Jim%20and%20Carol/My%20Documents/blank.html
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ws_ftp pro\wsbho2K0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Status Monitor CLJ1500] c:\program files\hewlett-packard\clj1500\\toolbox\HPPOUMUI.exe
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
StartupFolder: c:\docume~1\riceji~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hposol08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~1.lnk - c:\windows\installer\{c4609419-c11e-4ce6-b369-f3f8a7ddd94c}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {00627E89-A19D-4A2B-938B-059CB7B1B493} - file://C:/Program Files/F5 VPN/F5_TMP/f5certchk.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - file://C:/Program Files/F5 VPN/F5_TMP/cachecleaner.cab
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - c:\windows\temp\f5tmp\urxvpn.cab
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - file://C:/Program Files/F5 VPN/F5_TMP/f5tunsrv.cab
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - file://C:/Program Files/F5 VPN/F5_TMP/InstallerControl.cab
DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134415597281
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://skunk.f5.com/vdesk/terminal/urTermProxy.cab#version=6020,2008,0821,2202
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232431095500
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} - file://C:/Program Files/F5 VPN/F5_TMP/msrdp.cab
DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} - file://C:/Program Files/F5 VPN/F5_TMP/vdeskctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8F6AFB67-F834-4227-94A7-A51377E0678E} - file://C:/Program Files/F5 VPN/F5_TMP/f5GroupPolicyAgent.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {B8693DEF-98AC-43FC-AA00-E7D728334C80} - file://C:/Program Files/F5 VPN/F5_TMP/ur5250x.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - file://C:/Program Files/F5 VPN/F5_TMP/urxshost.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - file://C:/Program Files/F5 VPN/F5_TMP/urxhost.cab
DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} - file://C:/Program Files/F5 VPN/F5_TMP/f5syschk.cab
DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} - file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\riceji~1\applic~1\mozilla\firefox\profiles\rt8jg8fy.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2009-1-19 4064]
R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [2006-8-7 42240]
R2 F5 Networks Component Installer;F5 Networks Component Installer;c:\windows\system32\F5InstallerService.exe [2009-2-19 242296]
R2 F5FltSrv;F5 Networks DNS Relay Proxy Service;c:\windows\system32\F5FltSrv.exe [2009-2-19 155264]
R2 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2006-8-7 2304]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-2-7 38160]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\urvpndrv.sys [2008-8-21 28280]
S3 exdisk;Express Disk Service;c:\windows\system32\drivers\exdisk.sys --> c:\windows\system32\drivers\exdisk.sys [?]
S3 F5FltDrv;F5 Networks DNS Relay Driver;c:\windows\system32\drivers\F5FltDrv.sys [2009-2-19 21248]
S3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [2006-3-21 47488]

=============== Created Last 30 ================

2009-07-18 14:42 <DIR> --d----- c:\windows\pss
2009-07-18 11:48 <DIR> --d----- c:\docume~1\riceji~1\applic~1\.clamwin
2009-07-18 11:48 <DIR> --d----- c:\program files\ClamWin
2009-07-18 11:48 <DIR> --d----- c:\documents and settings\all users\.clamwin
2009-07-18 11:43 114,488 a------- c:\windows\hplj1500.hi2
2009-07-18 11:43 10,263 a------- c:\windows\hplj1500.bu2
2009-07-18 11:35 658 a------- c:\windows\hpbvnstp.hi2
2009-07-18 11:35 280 a------- c:\windows\hpbvnstp.bu2
2009-07-17 14:13 658 a------- c:\windows\hpbvnstp.hi1
2009-07-17 14:13 280 a------- c:\windows\hpbvnstp.bu1
2009-07-17 14:10 157 a------- c:\windows\hpbvspst.hi2
2009-07-17 14:10 120 a------- c:\windows\hpbvspst.bu2
2009-07-17 14:10 157 a------- c:\windows\hpbvspst.hi1
2009-07-17 14:10 120 a------- c:\windows\hpbvspst.bu1
2009-07-17 14:10 157 a------- c:\windows\hpbvspst.his
2009-07-17 14:10 120 a------- c:\windows\hpbvspst.ini
2009-07-17 14:05 <DIR> --d----- C:\clj1500
2009-07-17 13:47 36,586 a------- c:\windows\hplj1500.hi1
2009-07-17 13:47 5,228 a------- c:\windows\hplj1500.bu1
2009-07-17 13:18 87 a------- c:\windows\wininit.ini
2009-07-17 11:19 23,392 a------- c:\windows\system32\nscompat.tlb
2009-07-17 11:19 16,832 a------- c:\windows\system32\amcompat.tlb
2009-07-16 16:33 <DIR> --d----- c:\docume~1\riceji~1\applic~1\LimeWire
2009-07-16 16:33 <DIR> --d----- c:\program files\LimeWire
2009-07-07 16:51 <DIR> --dsh--- C:\FOUND.000
2009-06-29 15:43 <DIR> --d----- c:\program files\Avery Dennison
2009-06-29 14:12 98,304 a------- c:\windows\system32\gapi32.dll
2009-06-29 14:12 90,112 a------- c:\windows\system32\keyex32.exe
2009-06-29 14:12 210 a------- c:\windows\system32\sr2spec.ini
2009-06-29 10:43 423,888 a------- c:\windows\system32\outlcomm.dll
2009-06-29 10:43 20,992 a------- c:\windows\system32\inetAB32.dll
2009-06-29 10:33 <DIR> --d----- C:\e03b1544533a47f1e0
2009-06-25 16:46 23,494 a------- c:\windows\Microsoft Outlook.FAV

==================== Find3M ====================

2009-07-17 13:28 2,874 a------- c:\windows\system32\tmp.reg
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-16 07:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:55 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:55 82,432 a------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 12:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-06-03 12:27 1,290,752 a------- c:\windows\system32\dllcache\quartz.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-21 11:19 268,288 a------- c:\windows\system32\dllcache\httpext.dll
2009-05-07 08:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 08:44 344,064 a------- c:\windows\system32\dllcache\localspl.dll
2009-04-28 21:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-28 21:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-28 21:56 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-28 21:56 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-28 21:56 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-28 21:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-28 21:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-28 21:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-28 21:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 02:05 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 02:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-24 22:30 102,400 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-24 22:27 636,088 a------- c:\windows\system32\dllcache\iexplore.exe
2009-04-24 22:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll

============= FINISH: 17:20:03.54 ===============


#2 GidgNMoon

GidgNMoon
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:30 AM

Posted 20 July 2009 - 11:09 AM

Well, I never got an answer to my original issue so I did some independent research. I read another post by Beach Plum and there seems to be a parallel between our two issues. So I followed the instructions by the person who answered the post and ran a Jotti on my "infected" file.

I didn't see where you could save the results in a file so I'll just tell you that all of the scanners came back no virus found except Clamwin. So I am really convinced now that this is a false positive.

AVG seemed to be the catalyst for the problem, so we uninstalled it as I reported in my original post. But I did a search for anything AVG and there are a ton of files that AVG created that I would like to purge if I could to clean up my computer. Is this ok to do now that AVG has been uninstalled?

Thanks.

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 24 July 2009 - 07:42 PM.


#3 Tokek

Tokek

    Bleepin' Gecko


  • Members
  • 1,213 posts
  • OFFLINE
  • Gender:Male
  • Location:Jakarta, Indonesia
  • Local time:08:30 AM

Posted 28 July 2009 - 09:35 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
If I have not replied back to your post in 3 days, please send me a PM.
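The DDS logs in this thread all share one layout: `=====` section headers, then one entry per line in a fixed notation per section. As an added example (my own code, not part of sUBs' DDS tool, of BleepingComputer's process, or of anything posted in this thread), the following Python parses that layout and pulls out the entries a helper would look at first, so a reader can see what the notation means before a volunteer gets to the log. The sample lines are copied from the log posted above; the flagging rules are my own triage heuristics, and the reading of a trailing `[?]` as "file not found on disk" is an assumption about DDS's notation.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the DDS log posted in this
# thread, trimmed so the parser can be exercised offline.
SAMPLE_LOG = r"""
DDS (Ver_09-06-26.01) - FAT32x86

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - c:\windows\temp\f5tmp\urxvpn.cab

============= SERVICES / DRIVERS ===============

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 exdisk;Express Disk Service;c:\windows\system32\drivers\exdisk.sys --> c:\windows\system32\drivers\exdisk.sys [?]

=============== Created Last 30 ================

2009-07-18 11:48 <DIR> --d----- c:\program files\ClamWin
2009-07-07 16:51 <DIR> --dsh--- C:\FOUND.000

============= FINISH: 17:20:03.54 ===============
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^[um]Run: \[[^\]]+\] (.*)$")
SERVICE_RE = re.compile(r"^[RS]\d [^;]+;[^;]*;(.*)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\S+\s+(\S{8})\s+(.*)$")
DRIVE_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def split_sections(text):
    """Group the log's non-empty lines under the ====== section headers."""
    sections, current = {}, "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return the entries a helper would check first. Heuristics are mine, not DDS's."""
    findings = []
    sections = split_sections(text)

    for line in sections.get("Running Processes", []):
        # A bare image name gives no path to verify, so note it rather than assume.
        if not DRIVE_PATH_RE.match(line):
            findings.append(Finding("Running Processes", "process listed without an image path", line))

    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith("BHO:") and line.endswith("- No File"):
            findings.append(Finding("Pseudo HJT Report", "BHO CLSID registered but its DLL is gone", line))
        m = RUN_RE.match(line)
        if m and not DRIVE_PATH_RE.match(m.group(1)):
            # A bare file name is resolved through the search path at logon, so the
            # binary that actually runs has to be located by hand before trusting it.
            findings.append(Finding("Pseudo HJT Report", "autostart command has no explicit path", line))
        if line.startswith("DPF:") and re.search(r"\\temp\\", line, re.IGNORECASE):
            findings.append(Finding("Pseudo HJT Report", "ActiveX package registered from a temp directory", line))

    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        # Assumption: a trailing [?] is DDS's marker for a file it could not find on disk.
        if m and m.group(1).endswith("[?]"):
            findings.append(Finding("SERVICES / DRIVERS", "service or driver registered but its file is missing", line))

    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        # Attribute field: 's' = system, 'h' = hidden. FOUND.nnn directories are
        # normal chkdsk output, so this is a prompt to look, not a verdict.
        if m and "s" in m.group(1) and "h" in m.group(1):
            findings.append(Finding("Created Last 30", "newly created hidden+system object", line))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Run against the sample, it flags the path-less `svchost.exe` entry, the orphaned BHO, the `SOUNDMAN.EXE` autostart with no path, the ActiveX package under `c:\windows\temp`, the `exdisk` driver whose file is absent, and the hidden+system `C:\FOUND.000` directory, while leaving the fully-pathed Windows Defender entries alone. None of those is a malware verdict on its own; they are the lines a helper would ask follow-up questions about, which is the point of posting the log rather than the single ClamWin hit.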


#4 GidgNMoon

GidgNMoon
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:30 AM

Posted 29 July 2009 - 01:50 PM

Hello,

I am new to this forum and web site. I was doing something stupid yesterday downloading freeware I should not have (MP3/WMA decoder) and all of a sudden my Windows firewall notification popped up and said it needed to be turned on. After that AVG went nuts with a window scrolling files that it said were infected.

Something in the data said "brave sentry" so I did a google search for it and found a fix on your site. I followed the instructions and afterward, did a Spybot, Malwarebytes, windows defender, and AVG scan and they all said I was clean. Then, this morning, AVG pops up with more files it says are infected and they all appear to be legitimate .exe files. So my husband and I got suspicious and decided to uninstall AVG. We then installed clamwin and did a full scan. Clamwin found 1 virus and here is where/what it says it is:
c:\windows\softwaredistribution\download\e9500597a78495f397efb821e37bf356\userinit.exe

So far, there doesn't "seem" to be any symptoms, good, bad or otherwise other than that AVG pop-up. And I know that Clamwin sometimes finds false positives, but I wanted to be sure that we don't have some insidious virus lurking in the background somewhere.

Thank you,
Carol & Jim


The above quote was my problem on July 18, but since then we have been infected by a seemingly unknown "virus" named F816iqu4.exe. We can't find anything on it doing searches but it loads itself and starts running then it bogs down our computer. My husband is concerned some idiot out there is recording every keystroke we make. We kill it, delete it, delete anything about it in the registry, but it comes back all on its own. We think it might be affiliated with Yahoo because it seems to load when we have one or both of our Yahoo mail accounts opened.

Here is the dds and the attach.txt

DDS (Ver_09-06-26.01) - FAT32x86
Run by Rice Jim and Carol at 10:30:37.39 on Wed 07/29/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.371 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
SVCHOST.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\system32\F5InstallerService.exe
C:\WINDOWS\system32\F5FltSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2009 Deluxe\Planner\PLNRnote.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI .exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI .exe
C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI .exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\WS_FTP Pro\wsftppro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rice Jim and Carol\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = file:///C:/Documents%20and%20Settings/Rice%20Jim%20and%20Carol/My%20Documents/blank.html
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ws_ftp pro\wsbho2K0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Status Monitor CLJ1500] c:\program files\hewlett-packard\clj1500\\toolbox\HPPOUMUI.exe
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
StartupFolder: c:\docume~1\riceji~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hposol08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~1.lnk - c:\windows\installer\{c4609419-c11e-4ce6-b369-f3f8a7ddd94c}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {00627E89-A19D-4A2B-938B-059CB7B1B493} - file://C:/Program Files/F5 VPN/F5_TMP/f5certchk.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - file://C:/Program Files/F5 VPN/F5_TMP/cachecleaner.cab
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - c:\windows\temp\f5tmp\urxvpn.cab
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - file://C:/Program Files/F5 VPN/F5_TMP/f5tunsrv.cab
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - file://C:/Program Files/F5 VPN/F5_TMP/InstallerControl.cab
DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134415597281
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://skunk.f5.com/vdesk/terminal/urTermProxy.cab#version=6020,2008,0821,2202
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232431095500
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} - file://C:/Program Files/F5 VPN/F5_TMP/msrdp.cab
DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} - file://C:/Program Files/F5 VPN/F5_TMP/vdeskctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8F6AFB67-F834-4227-94A7-A51377E0678E} - file://C:/Program Files/F5 VPN/F5_TMP/f5GroupPolicyAgent.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {B8693DEF-98AC-43FC-AA00-E7D728334C80} - file://C:/Program Files/F5 VPN/F5_TMP/ur5250x.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - file://C:/Program Files/F5 VPN/F5_TMP/urxshost.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - file://C:/Program Files/F5 VPN/F5_TMP/urxhost.cab
DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} - file://C:/Program Files/F5 VPN/F5_TMP/f5syschk.cab
DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} - file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\riceji~1\applic~1\mozilla\firefox\profiles\rt8jg8fy.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2009-1-19 4064]
R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [2006-8-7 42240]
R2 F5 Networks Component Installer;F5 Networks Component Installer;c:\windows\system32\F5InstallerService.exe [2009-2-19 242296]
R2 F5FltSrv;F5 Networks DNS Relay Proxy Service;c:\windows\system32\F5FltSrv.exe [2009-2-19 155264]
R2 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2006-8-7 2304]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\urvpndrv.sys [2008-8-21 28280]
S3 exdisk;Express Disk Service;c:\windows\system32\drivers\exdisk.sys --> c:\windows\system32\drivers\exdisk.sys [?]
S3 F5FltDrv;F5 Networks DNS Relay Driver;c:\windows\system32\drivers\F5FltDrv.sys [2009-2-19 21248]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]
S3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [2006-3-21 47488]

=============== Created Last 30 ================

2009-07-26 09:55 <DIR> --d----- c:\docume~1\riceji~1\applic~1\Wireshark
2009-07-26 07:46 <DIR> --d----- c:\program files\WinPcap
2009-07-26 07:45 <DIR> --d----- c:\program files\Wireshark
2009-07-25 16:42 <DIR> --d----- c:\program files\IrfanView
2009-07-24 18:49 <DIR> --d----- c:\program files\Avery Dennison
2009-07-20 22:00 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-07-19 06:33 3,597,824 a------- c:\windows\system32\SET94.tmp
2009-07-19 06:32 6,067,200 a------- c:\windows\system32\SET9D.tmp
2009-07-18 14:42 <DIR> --d----- c:\windows\pss
2009-07-18 11:48 <DIR> --d----- c:\docume~1\riceji~1\applic~1\.clamwin
2009-07-18 11:48 <DIR> --d----- c:\program files\ClamWin
2009-07-18 11:48 <DIR> --d----- c:\documents and settings\all users\.clamwin
2009-07-18 11:43 114,488 a------- c:\windows\hplj1500.hi2
2009-07-18 11:43 10,263 a------- c:\windows\hplj1500.bu2
2009-07-18 11:35 658 a------- c:\windows\hpbvnstp.hi2
2009-07-18 11:35 280 a------- c:\windows\hpbvnstp.bu2
2009-07-17 14:13 658 a------- c:\windows\hpbvnstp.hi1
2009-07-17 14:13 280 a------- c:\windows\hpbvnstp.bu1
2009-07-17 14:10 157 a------- c:\windows\hpbvspst.hi2
2009-07-17 14:10 120 a------- c:\windows\hpbvspst.bu2
2009-07-17 14:10 157 a------- c:\windows\hpbvspst.hi1
2009-07-17 14:10 120 a------- c:\windows\hpbvspst.bu1
2009-07-17 14:10 157 a------- c:\windows\hpbvspst.his
2009-07-17 14:10 120 a------- c:\windows\hpbvspst.ini
2009-07-17 14:05 <DIR> --d----- C:\clj1500
2009-07-17 13:47 36,586 a------- c:\windows\hplj1500.hi1
2009-07-17 13:47 5,228 a------- c:\windows\hplj1500.bu1
2009-07-17 13:18 87 a------- c:\windows\wininit.ini
2009-07-17 11:19 23,392 a------- c:\windows\system32\nscompat.tlb
2009-07-17 11:19 16,832 a------- c:\windows\system32\amcompat.tlb
2009-07-16 16:33 <DIR> --d----- c:\docume~1\riceji~1\applic~1\LimeWire
2009-07-16 16:33 <DIR> --d----- c:\program files\LimeWire
2009-07-07 16:51 <DIR> --dsh--- C:\FOUND.000
2009-06-29 14:12 98,304 a------- c:\windows\system32\gapi32.dll
2009-06-29 14:12 90,112 a------- c:\windows\system32\keyex32.exe
2009-06-29 14:12 210 a------- c:\windows\system32\sr2spec.ini
2009-06-29 10:43 423,888 a------- c:\windows\system32\outlcomm.dll
2009-06-29 10:43 20,992 a------- c:\windows\system32\inetAB32.dll
2009-06-29 10:33 <DIR> --d----- C:\e03b1544533a47f1e0

==================== Find3M ====================

2009-07-19 06:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 06:33 6,067,200 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 13:28 2,874 a------- c:\windows\system32\tmp.reg
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-29 09:12 1,159,680 a------- c:\windows\system32\SET8D.tmp
2009-06-29 04:07 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 01:35 634,632 a------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 01:33 2,452,872 a------- c:\windows\system32\SETA0.tmp
2009-06-29 01:33 2,452,872 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 01:33 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-06-16 07:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:55 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:55 82,432 a------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 12:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-06-03 12:27 1,290,752 a------- c:\windows\system32\dllcache\quartz.dll
2009-05-26 06:47 991,232 a------- c:\windows\system32\SET9C.tmp
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-21 11:19 268,288 a------- c:\windows\system32\dllcache\httpext.dll
2009-05-07 08:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 08:44 344,064 a------- c:\windows\system32\dllcache\localspl.dll

============= FINISH: 10:31:10.75 ===============

To Orange Blossom:
I wasn't trying to "bump" my issue to the top. I have a bit more class and integrity than that. I was simply trying to report that I thought I had found an answer to my question. I thought it was a good thing. I am fully aware and eternally appreciative and impressed by anyone who volunteers his or her time to diagnose the seemingly endless issues that affect us mere mortals. Your message would have been more effective and less humiliating if you had just sent a personal e-mail. Thank you.

#5 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 31 July 2009 - 09:52 AM

Hello.

At a quick look, there does not appear to be any active infection.

Clamwin found 1 virus and here is where/what it says it is:
c:\windows\softwaredistribution\download\e9500597a78495f397efb821e37bf356\userinit.exe

That may be a sign of a file infector.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Please take a new DDS.txt log after.

Do you still get those detections?

With Regards,
The Panda
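
As an added illustration of the file-infector pattern the Panda is pointing at (this is not code from the thread, nor from any of the scanners named in it): a small Python script that parses rows in the layout of the Kaspersky Online Scanner report posted further down in this thread and flags any threat name that hits installed programs in several unrelated directories. The first five sample rows are modelled on that report; the last row is constructed (a hypothetical "Trojan-Downloader.Win32.Example.a" in a temp directory) to show a detection that does not fit the pattern. The `min_dirs` threshold is an arbitrary choice, and the numeric suffix some rows carry after the extension (e.g. "teatimer.exe58") is simply stripped so that such rows map to the same host file, without relying on what the scanner means by it.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample rows in the layout of a Kaspersky Online Scanner 7.0 report:
# "<path> Infected: <threat name> <count>". The first five are modelled on
# the report posted in this thread; the last row is constructed to show a
# detection that does NOT fit the file-infector pattern.
SAMPLE_REPORT = r"""
C:\Program Files\Windows Media Player\wmpnscfg.exe Infected: Trojan.Win32.Agent.cqpr 1
C:\Program Files\Spybot - Search & Destroy\teatimer.exe58 Infected: Trojan.Win32.Agent.cqpr 1
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe Infected: Trojan.Win32.Agent.cqpr 1
C:\Program Files\Carbonite\Carbonite Backup\carboniteui.exe Infected: Trojan.Win32.Agent.cqpr 1
C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe160 Infected: Trojan.Win32.Agent.cqpr 1
C:\Documents and Settings\User\Local Settings\Temp\dropper.exe Infected: Trojan-Downloader.Win32.Example.a 1
"""

# One report row: path (may contain spaces), threat name, threat count.
ROW = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# Some rows carry digits after the extension ("teatimer.exe58"); strip them so
# those rows map to the same host file. No meaning is attached to the suffix.
SUFFIX = re.compile(r"^(?P<name>.+?\.[A-Za-z]{2,4})\d*$")


def parse_report(text):
    """Return a list of (path, threat, count) tuples, ignoring non-matching lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m["path"], m["threat"], int(m["count"])))
    return rows


def host_file(path):
    """Normalise a detection path to (lowercase parent directory, lowercase file name)."""
    p = PureWindowsPath(path)
    m = SUFFIX.match(p.name)
    name = m["name"] if m else p.name
    return str(p.parent).lower(), name.lower()


def summarise(rows):
    """Per threat name: how many distinct host files and distinct directories were hit."""
    files = defaultdict(set)
    dirs = defaultdict(set)
    for path, threat, _ in rows:
        d, n = host_file(path)
        files[threat].add((d, n))
        dirs[threat].add(d)
    return {t: {"files": len(files[t]), "dirs": len(dirs[t])} for t in files}


def file_infector_candidates(rows, min_dirs=3):
    """Threat names that hit installed programs in at least `min_dirs` unrelated
    directories under Program Files. One signature spread across many unrelated
    legitimate binaries is the trace a file infector leaves; a dropped malicious
    file usually shows up in a single temp or profile location instead.
    `min_dirs` is an arbitrary triage threshold, not a scanner setting."""
    dirs = defaultdict(set)
    for path, threat, _ in rows:
        d, _ = host_file(path)
        if d.startswith(r"c:\program files"):
            dirs[threat].add(d)
    return sorted(t for t, ds in dirs.items() if len(ds) >= min_dirs)


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for threat, s in summarise(rows).items():
        print(f"{threat}: {s['files']} host file(s) in {s['dirs']} director(ies)")
    print("file-infector candidates:", file_infector_candidates(rows))
```

On the sample rows the single name Trojan.Win32.Agent.cqpr is grouped across wmpnscfg.exe, TeaTimer.exe, carboniteui.exe and hppoumui.exe, four unrelated legitimate products, and is flagged; the constructed temp-directory detection counts as one directory and is not. The heuristic only triages a report: confirming a file infector still means comparing the flagged binaries against known-good copies or reinstalling them from the vendor's installer, as a scanner that only scans (like the one the Panda asked for) will not repair them.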

#6 GidgNMoon

  • Topic Starter
  • Members
  • 11 posts

Posted 31 July 2009 - 12:23 PM

Thank you Panda.

Looks like Kaspersky had some hits. I did the dds; in case you need the attach.txt, it is attached.

Here is Kaspersky:
************************************
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 31, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 31, 2009 13:02:08
Records in database: 2566297



Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Rice Jim and Carol\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics
Files scanned 47237
Threat name 1
Infected objects 9
Suspicious objects 0
Duration of the scan 01:06:38

File name Threat name Threats count
C:\Program Files\Windows Media Player\wmpnscfg.exe Infected: Trojan.Win32.Agent.cqpr 1

C:\Program Files\Spybot - Search & Destroy\teatimer.exe58 Infected: Trojan.Win32.Agent.cqpr 1

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe Infected: Trojan.Win32.Agent.cqpr 1

C:\Program Files\Carbonite\Carbonite Backup\carboniteui.exe Infected: Trojan.Win32.Agent.cqpr 1

C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe160 Infected: Trojan.Win32.Agent.cqpr 1

C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe29 Infected: Trojan.Win32.Agent.cqpr 1

C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe38 Infected: Trojan.Win32.Agent.cqpr 1

C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe39 Infected: Trojan.Win32.Agent.cqpr 1

C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe40 Infected: Trojan.Win32.Agent.cqpr 1

The selected area was scanned.
***************************************

Here is dds:


DDS (Ver_09-07-30.01) - FAT32x86
Run by Rice Jim and Carol at 10:15:34.42 on Fri 07/31/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.486 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
SVCHOST.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\system32\F5InstallerService.exe
C:\WINDOWS\system32\F5FltSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI.EXE
C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI .exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2009 Deluxe\Planner\PLNRnote.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI .exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui .exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Rice Jim and Carol\Local Settings\Temp\jkos-Rice Jim and Carol\binaries\ScanningProcess.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Documents and Settings\Rice Jim and Carol\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = file:///C:/Documents%20and%20Settings/Rice%20Jim%20and%20Carol/My%20Documents/blank.html
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ws_ftp pro\wsbho2K0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Status Monitor CLJ1500] c:\program files\hewlett-packard\clj1500\\toolbox\HPPOUMUI.exe
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
StartupFolder: c:\docume~1\riceji~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hposol08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~1.lnk - c:\windows\installer\{c4609419-c11e-4ce6-b369-f3f8a7ddd94c}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {00627E89-A19D-4A2B-938B-059CB7B1B493} - file://C:/Program Files/F5 VPN/F5_TMP/f5certchk.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - file://C:/Program Files/F5 VPN/F5_TMP/cachecleaner.cab
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - c:\windows\temp\f5tmp\urxvpn.cab
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - file://C:/Program Files/F5 VPN/F5_TMP/f5tunsrv.cab
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - file://C:/Program Files/F5 VPN/F5_TMP/InstallerControl.cab
DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134415597281
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://skunk.f5.com/vdesk/terminal/urTermProxy.cab#version=6020,2008,0821,2202
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232431095500
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} - file://C:/Program Files/F5 VPN/F5_TMP/msrdp.cab
DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} - file://C:/Program Files/F5 VPN/F5_TMP/vdeskctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8F6AFB67-F834-4227-94A7-A51377E0678E} - file://C:/Program Files/F5 VPN/F5_TMP/f5GroupPolicyAgent.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {B8693DEF-98AC-43FC-AA00-E7D728334C80} - file://C:/Program Files/F5 VPN/F5_TMP/ur5250x.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - file://C:/Program Files/F5 VPN/F5_TMP/urxshost.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - file://C:/Program Files/F5 VPN/F5_TMP/urxhost.cab
DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} - file://C:/Program Files/F5 VPN/F5_TMP/f5syschk.cab
DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} - file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\riceji~1\applic~1\mozilla\firefox\profiles\rt8jg8fy.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2009-1-19 4064]
R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [2006-8-7 42240]
R2 F5 Networks Component Installer;F5 Networks Component Installer;c:\windows\system32\F5InstallerService.exe [2009-2-19 242296]
R2 F5FltSrv;F5 Networks DNS Relay Proxy Service;c:\windows\system32\F5FltSrv.exe [2009-2-19 155264]
R2 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2006-8-7 2304]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\urvpndrv.sys [2008-8-21 28280]
S3 exdisk;Express Disk Service;c:\windows\system32\drivers\exdisk.sys --> c:\windows\system32\drivers\exdisk.sys [?]
S3 F5FltDrv;F5 Networks DNS Relay Driver;c:\windows\system32\drivers\F5FltDrv.sys [2009-2-19 21248]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]
S3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [2006-3-21 47488]

=============== Created Last 30 ================

2009-07-26 09:55 <DIR> --d----- c:\docume~1\riceji~1\applic~1\Wireshark
2009-07-26 07:46 <DIR> --d----- c:\program files\WinPcap
2009-07-26 07:45 <DIR> --d----- c:\program files\Wireshark
2009-07-25 16:42 <DIR> --d----- c:\program files\IrfanView
2009-07-24 18:49 <DIR> --d----- c:\program files\Avery Dennison
2009-07-20 22:00 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-07-18 14:42 <DIR> --d----- c:\windows\pss
2009-07-18 11:48 <DIR> --d----- c:\docume~1\riceji~1\applic~1\.clamwin
2009-07-18 11:48 <DIR> --d----- c:\program files\ClamWin
2009-07-18 11:48 <DIR> --d----- c:\documents and settings\all users\.clamwin
2009-07-18 11:43 114,488 a------- c:\windows\hplj1500.hi2
2009-07-18 11:43 10,263 a------- c:\windows\hplj1500.bu2
2009-07-18 11:35 658 a------- c:\windows\hpbvnstp.hi2
2009-07-18 11:35 280 a------- c:\windows\hpbvnstp.bu2
2009-07-17 14:13 658 a------- c:\windows\hpbvnstp.hi1
2009-07-17 14:13 280 a------- c:\windows\hpbvnstp.bu1
2009-07-17 14:10 157 a------- c:\windows\hpbvspst.hi2
2009-07-17 14:10 120 a------- c:\windows\hpbvspst.bu2
2009-07-17 14:10 157 a------- c:\windows\hpbvspst.hi1
2009-07-17 14:10 120 a------- c:\windows\hpbvspst.bu1
2009-07-17 14:10 157 a------- c:\windows\hpbvspst.his
2009-07-17 14:10 120 a------- c:\windows\hpbvspst.ini
2009-07-17 14:05 <DIR> --d----- C:\clj1500
2009-07-17 13:47 36,586 a------- c:\windows\hplj1500.hi1
2009-07-17 13:47 5,228 a------- c:\windows\hplj1500.bu1
2009-07-17 13:18 87 a------- c:\windows\wininit.ini
2009-07-17 11:19 23,392 a------- c:\windows\system32\nscompat.tlb
2009-07-17 11:19 16,832 a------- c:\windows\system32\amcompat.tlb
2009-07-16 16:33 <DIR> --d----- c:\docume~1\riceji~1\applic~1\LimeWire
2009-07-16 16:33 <DIR> --d----- c:\program files\LimeWire
2009-07-07 16:51 <DIR> --dsh--- C:\FOUND.000

==================== Find3M ====================

2009-07-19 06:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 06:33 6,067,200 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 13:28 2,874 a------- c:\windows\system32\tmp.reg
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-29 09:12 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-06-29 04:07 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 01:35 634,632 a------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 01:33 2,452,872 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 01:33 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-06-16 07:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:55 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:55 82,432 a------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 12:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-06-03 12:27 1,290,752 a------- c:\windows\system32\dllcache\quartz.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-21 11:19 268,288 a------- c:\windows\system32\dllcache\httpext.dll
2009-05-07 08:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 08:44 344,064 a------- c:\windows\system32\dllcache\localspl.dll

============= FINISH: 10:16:04.26 ===============


#7 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:30 PM

Posted 31 July 2009 - 01:34 PM

Hello.

We need to collect some samples.

Download and Run ComboFix with CFScript
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/242670/clamwin-results-trojanagent-119428-found/
    Suspect::[59]
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Spybot - Search & Destroy\teatimer.exe58
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Carbonite\Carbonite Backup\carboniteui.exe
    C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe29

    FileLook::
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Spybot - Search & Destroy\teatimer.exe58
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Carbonite\Carbonite Backup\carboniteui.exe
    C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe29
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe. You will not receive the prompts below if you are not using Windows XP.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.
With Regards,
The Panda

Edited by PropagandaPanda, 31 July 2009 - 01:34 PM.
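The FileLook:: step above asks ComboFix to report size and hashes for each suspect path; the script below is an added triage example (not ComboFix's code and not part of the post) that does the same for a list of files and groups them by hash, so that binaries belonging to unrelated products but byte-identical to each other stand out. It assumes Python 3 and builds its own constructed sample files in a temporary directory, with a hypothetical directory layout mirroring the paths in the CFScript.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed stand-in contents: three "products" carrying one identical binary,
# plus one genuinely distinct binary. None of this is real program code.
FAKE_DROPPER = b"MZ" + b"\x90" * 200 + b"constructed-identical-binary"
FAKE_LEGIT = b"MZ" + b"\x00" * 300 + b"constructed-distinct-binary"

# Relative paths mirroring the FileLook:: list in the post (hypothetical layout).
SAMPLE_FILES = {
    os.path.join("Windows Media Player", "wmpnscfg.exe"): FAKE_DROPPER,
    os.path.join("Spybot - Search & Destroy", "TeaTimer.exe"): FAKE_DROPPER,
    os.path.join("Carbonite", "Carbonite Backup", "carboniteui.exe"): FAKE_DROPPER,
    os.path.join("Hewlett-Packard", "CLJ1500", "Toolbox", "hppoumui.exe"): FAKE_LEGIT,
}


def file_look(path):
    """Return (size, MD5, SHA1) for one file, hashed in chunks like a FileLook:: entry."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return size, md5.hexdigest().upper(), sha1.hexdigest().upper()


def find_identical_binaries(paths):
    """Group existing files by (size, SHA1) and return only the groups whose members
    live under different parent directories: unrelated programs that share one
    byte-identical executable are a strong sign the originals were overwritten."""
    groups = defaultdict(list)
    for p in paths:
        if not os.path.isfile(p):
            continue  # already quarantined or mistyped; report() lists it separately
        size, _md5, sha1 = file_look(p)
        groups[(size, sha1)].append(p)
    suspicious = {}
    for key, members in groups.items():
        if len({os.path.dirname(m).lower() for m in members}) > 1:
            suspicious[key] = sorted(members)
    return suspicious


def build_sample_tree():
    """Write the constructed files into a fresh temp dir; return their absolute paths."""
    root = tempfile.mkdtemp(prefix="filelook_")
    paths = []
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        paths.append(full)
    return paths


def report(paths):
    """Render a Look-style block per file, then any duplicate groups."""
    lines = []
    for p in paths:
        if not os.path.isfile(p):
            lines.append(f"--- {p} --- (missing)")
            continue
        size, md5, sha1 = file_look(p)
        lines += [f"--- {p} ---", f"File size: {size}", f"MD5: {md5}", f"SHA1: {sha1}", ""]
    for (size, sha1), members in find_identical_binaries(paths).items():
        lines.append(f"IDENTICAL ({size} bytes, SHA1 {sha1}) across {len(members)} products:")
        lines += [f"    {m}" for m in members]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample_tree()))
```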


#8 GidgNMoon
  • Topic Starter
  • Members
  • 11 posts
  • Local time:09:30 AM

Posted 31 July 2009 - 02:12 PM

Thank you again Panda.

I ran combofix and it did not restart my computer. I have the log.txt from the scan. Do you need it?

Carol

#9 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:30 PM

Posted 31 July 2009 - 02:40 PM

Hello.

Yes, please post C:\ComboFix.txt.

With Regards,
The Panda

#10 GidgNMoon
  • Topic Starter
  • Members
  • 11 posts
  • Local time:09:30 AM

Posted 31 July 2009 - 02:42 PM

ComboFix 09-07-31.01 - Rice Jim and Carol 07/31/2009 12:01.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.525 [GMT -7:00]
Running from: c:\documents and settings\Rice Jim and Carol\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rice Jim and Carol\Desktop\cfscript.txt

file zipped: c:\program files\Carbonite\Carbonite Backup\carboniteui.exe
file zipped: c:\program files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe29
file zipped: c:\program files\Spybot - Search & Destroy\TeaTimer.exe
file zipped: c:\program files\Spybot - Search & Destroy\teatimer.exe58
file zipped: c:\program files\Windows Media Player\wmpnscfg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bszip.dll
c:\windows\system32\Cache
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
.

2009-07-26 16:55 . 2009-07-26 16:55 -------- d-----w- c:\documents and settings\Rice Jim and Carol\Application Data\Wireshark
2009-07-26 14:46 . 2009-07-26 14:46 -------- d-----w- c:\program files\WinPcap
2009-07-26 14:45 . 2009-07-26 14:45 -------- d-----w- c:\program files\Wireshark
2009-07-25 23:42 . 2009-07-25 23:42 -------- d-----w- c:\program files\IrfanView
2009-07-25 01:49 . 2009-07-25 01:49 -------- d-----w- c:\program files\Avery Dennison
2009-07-21 05:00 . 2009-07-21 05:00 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-18 18:51 . 2009-07-18 18:51 40960 ----a-r- c:\documents and settings\Rice Jim and Carol\Application Data\Microsoft\Installer\{5DB7F50E-0649-4347-B003-8CEFBFB9D9D1}\StatusMonitor98_1.exe
2009-07-18 18:51 . 2009-07-18 18:51 40960 ----a-r- c:\documents and settings\Rice Jim and Carol\Application Data\Microsoft\Installer\{5DB7F50E-0649-4347-B003-8CEFBFB9D9D1}\StatusMonitor2K_1.exe
2009-07-18 18:48 . 2009-07-18 18:49 -------- d-----w- c:\documents and settings\Rice Jim and Carol\Application Data\.clamwin
2009-07-18 18:48 . 2009-07-18 18:48 -------- d-----w- c:\program files\ClamWin
2009-07-18 18:48 . 2009-07-18 18:48 -------- d-----w- c:\documents and settings\All Users\.clamwin
2009-07-17 21:05 . 2009-07-17 21:05 -------- d-----w- C:\clj1500
2009-07-17 19:51 . 2009-07-17 19:51 0 ----a-w- c:\windows\nsreg.dat
2009-07-17 19:51 . 2009-07-17 19:51 -------- d-----w- c:\documents and settings\Rice Jim and Carol\Local Settings\Application Data\Mozilla
2009-07-17 18:20 . 2009-07-17 18:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Ipswitch
2009-07-17 15:33 . 2009-06-25 16:58 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-07-17 15:33 . 2009-06-25 16:58 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-07-16 23:33 . 2009-07-16 23:33 -------- d-----w- c:\documents and settings\Rice Jim and Carol\Application Data\LimeWire
2009-07-16 23:33 . 2009-07-16 23:33 -------- d-----w- c:\program files\LimeWire
2009-07-11 15:06 . 2009-06-25 16:58 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-11 15:06 . 2009-07-11 15:05 3403032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-11 15:06 . 2009-06-25 16:58 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-11 15:06 . 2009-06-25 16:58 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-11 15:06 . 2009-06-25 16:58 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-11 15:06 . 2009-06-25 16:58 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-11 15:06 . 2009-06-25 16:58 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-11 15:06 . 2009-06-25 16:58 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-11 15:05 . 2009-06-25 16:54 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-11 15:05 . 2009-06-25 16:54 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-07 23:51 . 2009-07-07 23:51 -------- d-sh--w- C:\FOUND.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 20:58 . 2009-03-16 22:26 10134 ----a-r- c:\documents and settings\Rice Jim and Carol\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-07-17 18:25 . 2009-05-11 00:07 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-17 18:13 . 2009-01-20 04:52 1012312 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-13 20:36 . 2009-02-08 01:40 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-02-08 01:40 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-01 05:17 . 2009-01-19 03:16 230528 ----a-w- c:\documents and settings\Rice Jim and Carol\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-29 16:12 . 2004-08-27 22:40 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-05-12 23:44 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-27 22:39 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 2004-08-27 22:40 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-27 22:40 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-09 20:52 . 2009-06-09 20:52 152576 ----a-w- c:\documents and settings\Rice Jim and Carol\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 19:27 . 2004-08-27 22:40 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-21 18:33 . 2009-02-15 23:17 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-07 15:44 . 2004-08-27 22:40 344064 ----a-w- c:\windows\system32\localspl.dll
2009-07-15 20:30 . 2009-07-17 19:51 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\program files\Carbonite\Carbonite Backup\carboniteui.exe ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 27660
Created time: 2009-07-21 05:02
Modified time: 2009-07-29 19:48
MD5: 646F30D6F080B22ED637BB954C65B59D
SHA1: 06F961EB06E0720CE9DA0EA82026A776F58C5AEB


--- c:\program files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe29 ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 27660
Created time: 2009-07-17 20:35
Modified time: 2009-07-17 20:35
MD5: 646F30D6F080B22ED637BB954C65B59D
SHA1: 06F961EB06E0720CE9DA0EA82026A776F58C5AEB


--- c:\program files\Spybot - Search & Destroy\TeaTimer.exe ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 27660
Created time: 2009-01-19 03:54
Modified time: 2009-07-24 02:58
MD5: 646F30D6F080B22ED637BB954C65B59D
SHA1: 06F961EB06E0720CE9DA0EA82026A776F58C5AEB


--- c:\program files\Spybot - Search & Destroy\teatimer.exe58 ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 27660
Created time: 2009-01-19 03:54
Modified time: 2009-07-17 18:09
MD5: 646F30D6F080B22ED637BB954C65B59D
SHA1: 06F961EB06E0720CE9DA0EA82026A776F58C5AEB


--- c:\program files\Windows Media Player\wmpnscfg.exe ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 27660
Created time: 2009-07-17 18:09
Modified time: 2009-07-17 18:09
MD5: 646F30D6F080B22ED637BB954C65B59D
SHA1: 06F961EB06E0720CE9DA0EA82026A776F58C5AEB


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 23:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 23:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 23:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-07-24 27660]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-07-17 27660]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2009-01-26 5365592]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-07-29 27660]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-06-12 86016]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-09-22 90112]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-03-12 147456]

c:\documents and settings\Rice Jim and Carol\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-10-2 815104]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-3-8 221251]
Event Planner Reminder 2009.lnk - c:\windows\Installer\{C4609419-C11E-4CE6-B369-F3F8A7DDD94C}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe [2009-1-19 237568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Recover Pro"="c:\program files\Phoenix Technologies\Applications\RPro\XP\VBPTASK.EXE" VBStart
"farstone"=
"Spare Backup Launcher"=c:\program files\Spare Backup Installer\SpareOEMSYXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Alchemy Mindworks\\GIF Construction Set Professional 3\\alchuddl.exe"=
"c:\\Program Files\\WS_FTP Pro\\wsftppro.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Hewlett-Packard\\CLJ1500\\Toolbox\\hppoumui .exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [1/19/2009 06:36 PM 4064]
R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [8/7/2006 01:10 PM 42240]
R2 F5 Networks Component Installer;F5 Networks Component Installer;c:\windows\system32\F5InstallerService.exe [2/19/2009 02:20 PM 242296]
R2 F5FltSrv;F5 Networks DNS Relay Proxy Service;c:\windows\system32\F5FltSrv.exe [2/19/2009 02:20 PM 155264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 07:19 PM 13592]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\urvpndrv.sys [8/21/2008 03:15 PM 28280]
S3 exdisk;Express Disk Service;c:\windows\system32\DRIVERS\exdisk.sys --> c:\windows\system32\DRIVERS\exdisk.sys [?]
S3 F5FltDrv;F5 Networks DNS Relay Driver;c:\windows\system32\drivers\F5FltDrv.sys [2/19/2009 02:20 PM 21248]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 08:35 AM 50704]
S3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [3/21/2006 02:37 PM 47488]
.
Contents of the 'Scheduled Tasks' folder

2009-07-31 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-19 22:31]

2009-01-28 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-01-19 22:31]

2009-07-31 c:\windows\Tasks\User_Feed_Synchronization-{A0007123-855F-479F-AC32-75EE0296D036}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 01:36]

2009-06-09 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8236568889.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2009-07-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Status Monitor CLJ1500 - c:\program files\Hewlett-Packard\CLJ1500\\Toolbox\HPPOUMUI.exe


.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents%20and%20Settings/Rice%20Jim%20and%20Carol/My%20Documents/blank.html
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: {8F6AFB67-F834-4227-94A7-A51377E0678E} - file://C:/Program Files/F5 VPN/F5_TMP/f5GroupPolicyAgent.cab
DPF: {B8693DEF-98AC-43FC-AA00-E7D728334C80} - file://C:/Program Files/F5 VPN/F5_TMP/ur5250x.cab
DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} - file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab
FF - ProfilePath - c:\documents and settings\Rice Jim and Carol\Application Data\Mozilla\Firefox\Profiles\rt8jg8fy.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 12:04
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3130296823-1599995642-1411895810-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-07-31 12:06
ComboFix-quarantined-files.txt 2009-07-31 19:06

Pre-Run: 126,761,041,920 bytes free
Post-Run: 127,657,476,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

300 --- E O F --- 2009-07-29 17:25
Upload was successful

#11 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 31 July 2009 - 05:50 PM

Hello.

Indeed some program files were replaced.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/242670/clamwin-results-trojanagent-119428-found/
    
    Collect::
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Spybot - Search & Destroy\teatimer.exe58
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Carbonite\Carbonite Backup\carboniteui.exe
    C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe160
    C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe29
    C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe38
    C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe39 
    C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe40
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"=-
    "WMPNSCFG"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Carbonite Backup"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    
    SRLook::
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Carbonite\Carbonite Backup\carboniteui.exe
  Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  Posted Image
  Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

With Regards,
The Panda

#12 GidgNMoon

  • Topic Starter
  • Members
  • 11 posts

Posted 31 July 2009 - 06:14 PM

Thank you, Panda.

Here is the Combofix.txt file:


ComboFix 09-07-31.02 - Rice Jim and Carol 07/31/2009 16:01.2.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.520 [GMT -7:00]
Running from: c:\documents and settings\Rice Jim and Carol\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rice Jim and Carol\Desktop\cfscript.txt

file zipped: c:\program files\Carbonite\Carbonite Backup\carboniteui.exe
file zipped: c:\program files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe160
file zipped: c:\program files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe29
file zipped: c:\program files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe38
file zipped: c:\program files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe39
file zipped: c:\program files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe40
file zipped: c:\program files\Spybot - Search & Destroy\TeaTimer.exe
file zipped: c:\program files\Spybot - Search & Destroy\teatimer.exe58
file zipped: c:\program files\Windows Media Player\wmpnscfg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Carbonite\Carbonite Backup\carboniteui.exe
c:\program files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe160
c:\program files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe29
c:\program files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe38
c:\program files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe39
c:\program files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui.exe40
c:\program files\Spybot - Search & Destroy\TeaTimer.exe
c:\program files\Spybot - Search & Destroy\teatimer.exe58
c:\program files\Windows Media Player\wmpnscfg.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
.

2009-07-26 16:55 . 2009-07-26 16:55 -------- d-----w- c:\documents and settings\Rice Jim and Carol\Application Data\Wireshark
2009-07-26 14:46 . 2009-07-26 14:46 -------- d-----w- c:\program files\WinPcap
2009-07-26 14:45 . 2009-07-26 14:45 -------- d-----w- c:\program files\Wireshark
2009-07-25 23:42 . 2009-07-25 23:42 -------- d-----w- c:\program files\IrfanView
2009-07-25 01:49 . 2009-07-25 01:49 -------- d-----w- c:\program files\Avery Dennison
2009-07-21 05:00 . 2009-07-21 05:00 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-18 18:51 . 2009-07-18 18:51 40960 ----a-r- c:\documents and settings\Rice Jim and Carol\Application Data\Microsoft\Installer\{5DB7F50E-0649-4347-B003-8CEFBFB9D9D1}\StatusMonitor98_1.exe
2009-07-18 18:51 . 2009-07-18 18:51 40960 ----a-r- c:\documents and settings\Rice Jim and Carol\Application Data\Microsoft\Installer\{5DB7F50E-0649-4347-B003-8CEFBFB9D9D1}\StatusMonitor2K_1.exe
2009-07-18 18:48 . 2009-07-18 18:49 -------- d-----w- c:\documents and settings\Rice Jim and Carol\Application Data\.clamwin
2009-07-18 18:48 . 2009-07-18 18:48 -------- d-----w- c:\program files\ClamWin
2009-07-18 18:48 . 2009-07-18 18:48 -------- d-----w- c:\documents and settings\All Users\.clamwin
2009-07-17 21:05 . 2009-07-17 21:05 -------- d-----w- C:\clj1500
2009-07-17 19:51 . 2009-07-17 19:51 0 ----a-w- c:\windows\nsreg.dat
2009-07-17 19:51 . 2009-07-17 19:51 -------- d-----w- c:\documents and settings\Rice Jim and Carol\Local Settings\Application Data\Mozilla
2009-07-17 18:20 . 2009-07-17 18:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Ipswitch
2009-07-17 15:33 . 2009-06-25 16:58 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-07-17 15:33 . 2009-06-25 16:58 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-07-16 23:33 . 2009-07-16 23:33 -------- d-----w- c:\documents and settings\Rice Jim and Carol\Application Data\LimeWire
2009-07-16 23:33 . 2009-07-16 23:33 -------- d-----w- c:\program files\LimeWire
2009-07-11 15:06 . 2009-06-25 16:58 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-11 15:06 . 2009-07-11 15:05 3403032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-11 15:06 . 2009-06-25 16:58 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-11 15:06 . 2009-06-25 16:58 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-11 15:06 . 2009-06-25 16:58 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-11 15:06 . 2009-06-25 16:58 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-11 15:06 . 2009-06-25 16:58 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-11 15:06 . 2009-06-25 16:58 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-11 15:05 . 2009-06-25 16:54 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-11 15:05 . 2009-06-25 16:54 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-07 23:51 . 2009-07-07 23:51 -------- d-sh--w- C:\FOUND.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 20:58 . 2009-03-16 22:26 10134 ----a-r- c:\documents and settings\Rice Jim and Carol\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-07-17 18:25 . 2009-05-11 00:07 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-17 18:13 . 2009-01-20 04:52 1012312 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-13 20:36 . 2009-02-08 01:40 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-02-08 01:40 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-01 05:17 . 2009-01-19 03:16 230528 ----a-w- c:\documents and settings\Rice Jim and Carol\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-29 16:12 . 2004-08-27 22:40 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-05-12 23:44 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-27 22:39 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 2004-08-27 22:40 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-27 22:40 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-09 20:52 . 2009-06-09 20:52 152576 ----a-w- c:\documents and settings\Rice Jim and Carol\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 19:27 . 2004-08-27 22:40 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-21 18:33 . 2009-02-15 23:17 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-07 15:44 . 2004-08-27 22:40 344064 ----a-w- c:\windows\system32\localspl.dll
2009-07-15 20:30 . 2009-07-17 19:51 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-31_19.04.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-31 21:27 . 2009-07-31 21:27 16384 c:\windows\Temp\Perflib_Perfdata_94.dat
+ 2009-07-31 21:27 . 2009-07-31 21:27 16384 c:\windows\Temp\Perflib_Perfdata_7b4.dat
+ 2009-07-31 21:27 . 2009-07-31 21:27 16384 c:\windows\Temp\Perflib_Perfdata_728.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 23:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 23:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 23:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2009-01-26 5365592]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-06-12 86016]
"HP1500"="c:\program files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui .exe" [2003-06-05 692224]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-09-22 90112]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-03-12 147456]

c:\documents and settings\Rice Jim and Carol\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-10-2 815104]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-3-8 221251]
Event Planner Reminder 2009.lnk - c:\windows\Installer\{C4609419-C11E-4CE6-B369-F3F8A7DDD94C}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe [2009-1-19 237568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Recover Pro"="c:\program files\Phoenix Technologies\Applications\RPro\XP\VBPTASK.EXE" VBStart
"farstone"=
"Spare Backup Launcher"=c:\program files\Spare Backup Installer\SpareOEMSYXLauncher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Alchemy Mindworks\\GIF Construction Set Professional 3\\alchuddl.exe"=
"c:\\Program Files\\WS_FTP Pro\\wsftppro.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Hewlett-Packard\\CLJ1500\\Toolbox\\hppoumui .exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [1/19/2009 06:36 PM 4064]
R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [8/7/2006 01:10 PM 42240]
R2 F5 Networks Component Installer;F5 Networks Component Installer;c:\windows\system32\F5InstallerService.exe [2/19/2009 02:20 PM 242296]
R2 F5FltSrv;F5 Networks DNS Relay Proxy Service;c:\windows\system32\F5FltSrv.exe [2/19/2009 02:20 PM 155264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 07:19 PM 13592]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\urvpndrv.sys [8/21/2008 03:15 PM 28280]
S3 exdisk;Express Disk Service;c:\windows\system32\DRIVERS\exdisk.sys --> c:\windows\system32\DRIVERS\exdisk.sys [?]
S3 F5FltDrv;F5 Networks DNS Relay Driver;c:\windows\system32\drivers\F5FltDrv.sys [2/19/2009 02:20 PM 21248]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 08:35 AM 50704]
S3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [3/21/2006 02:37 PM 47488]
.
Contents of the 'Scheduled Tasks' folder

2009-07-31 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-19 22:31]

2009-01-28 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-01-19 22:31]

2009-07-31 c:\windows\Tasks\User_Feed_Synchronization-{A0007123-855F-479F-AC32-75EE0296D036}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 01:36]

2009-06-09 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8236568889.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2009-07-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents%20and%20Settings/Rice%20Jim%20and%20Carol/My%20Documents/blank.html
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: {8F6AFB67-F834-4227-94A7-A51377E0678E} - file://C:/Program Files/F5 VPN/F5_TMP/f5GroupPolicyAgent.cab
DPF: {B8693DEF-98AC-43FC-AA00-E7D728334C80} - file://C:/Program Files/F5 VPN/F5_TMP/ur5250x.cab
DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} - file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab
FF - ProfilePath - c:\documents and settings\Rice Jim and Carol\Application Data\Mozilla\Firefox\Profiles\rt8jg8fy.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 16:04
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3130296823-1599995642-1411895810-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-07-31 16:06
ComboFix-quarantined-files.txt 2009-07-31 23:06
ComboFix2.txt 2009-07-31 19:06

Pre-Run: 127,672,320,000 bytes free
Post-Run: 127,634,636,800 bytes free

242 --- E O F --- 2009-07-29 17:25
Upload was successful

#13 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 01 August 2009 - 08:49 AM

Hello.

Some program files were replaced.

Please remove using Add/Remove Programs, then reinstall the following programs:
Carbonite
Spybot - Search & Destroy
hp color LaserJet 1500

Also install Windows Media Player 11.

Run ComboFix again just by clicking it and post back the log.

With Regards,
The Panda

#14 GidgNMoon

  • Topic Starter
  • Members
  • 11 posts

Posted 01 August 2009 - 05:46 PM

Ok, Panda, all done (I hope). Again, thank you very much for your time and effort at finding this nuisance!

ComboFix 09-08-01.02 - Rice Jim and Carol 08/01/2009 15:25.3.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.525 [GMT -7:00]
Running from: c:\documents and settings\Rice Jim and Carol\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-07-26 16:55 . 2009-07-26 16:55 -------- d-----w- c:\documents and settings\Rice Jim and Carol\Application Data\Wireshark
2009-07-26 14:46 . 2009-07-26 14:46 -------- d-----w- c:\program files\WinPcap
2009-07-26 14:45 . 2009-07-26 14:45 -------- d-----w- c:\program files\Wireshark
2009-07-25 23:42 . 2009-07-25 23:42 -------- d-----w- c:\program files\IrfanView
2009-07-25 01:49 . 2009-07-25 01:49 -------- d-----w- c:\program files\Avery Dennison
2009-07-21 05:00 . 2009-07-21 05:00 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-18 18:51 . 2009-07-18 18:51 40960 ----a-r- c:\documents and settings\Rice Jim and Carol\Application Data\Microsoft\Installer\{5DB7F50E-0649-4347-B003-8CEFBFB9D9D1}\StatusMonitor98_1.exe
2009-07-18 18:51 . 2009-07-18 18:51 40960 ----a-r- c:\documents and settings\Rice Jim and Carol\Application Data\Microsoft\Installer\{5DB7F50E-0649-4347-B003-8CEFBFB9D9D1}\StatusMonitor2K_1.exe
2009-07-18 18:48 . 2009-07-18 18:49 -------- d-----w- c:\documents and settings\Rice Jim and Carol\Application Data\.clamwin
2009-07-18 18:48 . 2009-07-18 18:48 -------- d-----w- c:\program files\ClamWin
2009-07-18 18:48 . 2009-07-18 18:48 -------- d-----w- c:\documents and settings\All Users\.clamwin
2009-07-17 21:05 . 2009-07-17 21:05 -------- d-----w- C:\clj1500
2009-07-17 19:51 . 2009-07-17 19:51 0 ----a-w- c:\windows\nsreg.dat
2009-07-17 19:51 . 2009-07-17 19:51 -------- d-----w- c:\documents and settings\Rice Jim and Carol\Local Settings\Application Data\Mozilla
2009-07-17 18:20 . 2009-07-17 18:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Ipswitch
2009-07-17 15:33 . 2009-06-25 16:58 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-07-17 15:33 . 2009-06-25 16:58 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-07-16 23:33 . 2009-07-16 23:33 -------- d-----w- c:\documents and settings\Rice Jim and Carol\Application Data\LimeWire
2009-07-16 23:33 . 2009-07-16 23:33 -------- d-----w- c:\program files\LimeWire
2009-07-11 15:06 . 2009-06-25 16:58 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-11 15:06 . 2009-07-11 15:05 3403032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-11 15:06 . 2009-06-25 16:58 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-11 15:06 . 2009-06-25 16:58 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-11 15:06 . 2009-06-25 16:58 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-11 15:06 . 2009-06-25 16:58 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-11 15:06 . 2009-06-25 16:58 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-11 15:06 . 2009-06-25 16:58 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-11 15:05 . 2009-06-25 16:54 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-11 15:05 . 2009-06-25 16:54 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-07 23:51 . 2009-07-07 23:51 -------- d-sh--w- C:\FOUND.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 20:58 . 2009-03-16 22:26 10134 ----a-r- c:\documents and settings\Rice Jim and Carol\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-07-17 18:25 . 2009-05-11 00:07 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-17 18:13 . 2009-01-20 04:52 1012312 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-13 20:36 . 2009-02-08 01:40 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-02-08 01:40 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-01 05:17 . 2009-01-19 03:16 230528 ----a-w- c:\documents and settings\Rice Jim and Carol\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-29 16:12 . 2004-08-27 22:40 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2009-05-12 23:44 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-27 22:39 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 2004-08-27 22:40 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-27 22:40 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-09 20:52 . 2009-06-09 20:52 152576 ----a-w- c:\documents and settings\Rice Jim and Carol\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 19:27 . 2004-08-27 22:40 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-21 18:33 . 2009-02-15 23:17 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-07 15:44 . 2004-08-27 22:40 344064 ----a-w- c:\windows\system32\localspl.dll
2009-07-15 20:30 . 2009-07-17 19:51 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-31_19.04.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-01 21:49 . 2009-08-01 21:49 16384 c:\windows\Temp\Perflib_Perfdata_7c.dat
+ 2009-08-01 21:49 . 2009-08-01 21:49 16384 c:\windows\Temp\Perflib_Perfdata_79c.dat
+ 2009-08-01 21:49 . 2009-08-01 21:49 16384 c:\windows\Temp\Perflib_Perfdata_734.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-04-30 00:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-04-30 00:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-04-30 00:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2009-01-26 5365592]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-06-12 86016]
"HP1500"="c:\program files\Hewlett-Packard\CLJ1500\Toolbox\hppoumui .exe" [2003-06-05 692224]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-04-30 669840]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-09-22 90112]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-03-12 147456]

c:\documents and settings\Rice Jim and Carol\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-10-2 815104]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-3-8 221251]
Event Planner Reminder 2009.lnk - c:\windows\Installer\{C4609419-C11E-4CE6-B369-F3F8A7DDD94C}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe [2009-1-19 237568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Recover Pro"="c:\program files\Phoenix Technologies\Applications\RPro\XP\VBPTASK.EXE" VBStart
"farstone"=
"Spare Backup Launcher"=c:\program files\Spare Backup Installer\SpareOEMSYXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Alchemy Mindworks\\GIF Construction Set Professional 3\\alchuddl.exe"=
"c:\\Program Files\\WS_FTP Pro\\wsftppro.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Hewlett-Packard\\CLJ1500\\Toolbox\\hppoumui .exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [1/19/2009 06:36 PM 4064]
R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [8/7/2006 01:10 PM 42240]
R2 F5 Networks Component Installer;F5 Networks Component Installer;c:\windows\system32\F5InstallerService.exe [2/19/2009 02:20 PM 242296]
R2 F5FltSrv;F5 Networks DNS Relay Proxy Service;c:\windows\system32\F5FltSrv.exe [2/19/2009 02:20 PM 155264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 07:19 PM 13592]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\urvpndrv.sys [8/21/2008 03:15 PM 28280]
S3 exdisk;Express Disk Service;c:\windows\system32\DRIVERS\exdisk.sys --> c:\windows\system32\DRIVERS\exdisk.sys [?]
S3 F5FltDrv;F5 Networks DNS Relay Driver;c:\windows\system32\drivers\F5FltDrv.sys [2/19/2009 02:20 PM 21248]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 08:35 AM 50704]
S3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [3/21/2006 02:37 PM 47488]
.
Contents of the 'Scheduled Tasks' folder

2009-08-01 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-19 22:31]

2009-01-28 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-01-19 22:31]

2009-08-01 c:\windows\Tasks\User_Feed_Synchronization-{A0007123-855F-479F-AC32-75EE0296D036}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 01:36]

2009-06-09 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8236568889.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2009-08-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents%20and%20Settings/Rice%20Jim%20and%20Carol/My%20Documents/blank.html
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: {8F6AFB67-F834-4227-94A7-A51377E0678E} - file://C:/Program Files/F5 VPN/F5_TMP/f5GroupPolicyAgent.cab
DPF: {B8693DEF-98AC-43FC-AA00-E7D728334C80} - file://C:/Program Files/F5 VPN/F5_TMP/ur5250x.cab
DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} - file://C:/Program Files/F5 VPN/F5_TMP/urvncx.cab
FF - ProfilePath - c:\documents and settings\Rice Jim and Carol\Application Data\Mozilla\Firefox\Profiles\rt8jg8fy.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 15:28
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3130296823-1599995642-1411895810-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(960)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-01 15:30
ComboFix-quarantined-files.txt 2009-08-01 22:30
ComboFix2.txt 2009-07-31 23:11
ComboFix3.txt 2009-07-31 19:06

Pre-Run: 127,389,007,872 bytes free
Post-Run: 127,351,619,584 bytes free

234 --- E O F --- 2009-08-01 21:33

#15 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 01 August 2009 - 09:26 PM

Hello.

Install From Windows Updates
It looks like you do not have Service Pack 3 installed.

Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a (one only) free anti-virus program from one of the trusted vendors below (in no particular order):

After installing, update the database, run a full system scan and remove any items found.


Please take a new DDS.txt log after.

Any problems at the moment?

With Regards,
The Panda

