Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit: Every 5 minutes: W32/IRCbot detected (log post)


  • This topic is locked This topic is locked
4 replies to this topic

#1 Boudewijn

Boudewijn

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:42 AM

Posted 04 February 2010 - 12:48 AM

(continuation of earlier topic, reply by boopme)
Main symptom: every 5 minute W32/IRCbot detected by McAfee.
ComboFix reports rootkit.

DDS Log as requested:

========================

DDS (Ver_09-12-01.01) - NTFSx86
Run by BRedeker at 5:57:01,31 on do 04-02-2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.381 [GMT 1:00]

AV: FortiClient AntiVirus *On-access scanning disabled* (Updated) {C86EC76D-5A4C-40E7-BD94-59358E544D81}
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: FortiClient Personal Firewall *enabled* {528CB157-D384-4593-AAAA-E42DFF111CED}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Fortinet\FortiClient\scheduler.exe
C:\Program Files\Fortinet\FortiClient\FCDBLog.exe
C:\Program Files\Fortinet\FortiClient\fcappdb.exe
C:\Program Files\Fortinet\FortiClient\FortiProxy.exe
C:\Program Files\Fortinet\FortiClient\fortifw.exe
C:\Program Files\Fortinet\FortiClient\fortiwf.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\FortiSSLVPNdaemon.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\lotus\notes\nsd.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Fortinet\FortiClient\FortiTray.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Mindjet\MindManager 8\MMReminderService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\NU.nl Nieuwslezer\nunwslzr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\BRedeker\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 192.168.1.2:8080
BHO: Adobe PDF Reader Help bij koppelingen: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ThreeShips IE Helper: {17fdb9f8-dcc4-4f6a-ae07-b16018a48469} - c:\program files\common files\threeships shared\dll\ThreeShipsIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: CmjBrowserHelperObject Object: {6fe6a929-59d1-4763-91ad-29b61cffb35b} - c:\program files\mindjet\mindmanager 8\Mm8InternetExplorer.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [RIMDeviceManager] "c:\program files\common files\research in motion\rimdevicemanager\RIMDeviceManager.exe" -RunServer
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\documents and settings\bredeker\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe
mRun: [GhostStartTrayApp] c:\program files\symantec\norton ghost 2003\GhostStartTrayApp.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [MMReminderService] c:\program files\mindjet\mindmanager 8\MMReminderService.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\bredeker\startm~1\programs\startup\nunlni~1.lnk - c:\nu.nl nieuwslezer\nunwslzr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2F72393D-2472-4F82-B600-ED77F354B7FF} - {6FE6A929-59D1-4763-91AD-29B61CFFB35B} - c:\program files\mindjet\mindmanager 8\Mm8InternetExplorer.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://mail.trueconomy.com/dwa7W.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://brabant.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - hxxps://telewerk.brabant.nl/vpns/scripts/vista/nsload.ocx
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bredeker\applic~1\mozilla\firefox\profiles\2s0amg2g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://portal.trueconomy.com/Pages/Default.aspx
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - plugin: c:\documents and settings\bredeker\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\fortinet\sslvpnclient\npccplugin.dll
FF - plugin: c:\program files\fortinet\sslvpnclient\nptcplugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPBOARDS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 FAFileMon;FAFileMon;c:\windows\system32\drivers\fortimon2.sys [2009-9-3 42088]
R1 FARegMon;FARegMon;c:\windows\system32\drivers\FortiRmon.sys [2009-9-3 46184]
R1 fortiapd;fortiapd;c:\windows\system32\drivers\fortiapd.sys [2009-9-3 13416]
R1 FortiPFW;FortiPFW;c:\windows\system32\drivers\fortipfw.sys [2009-9-3 118632]
R1 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [2009-9-3 98024]
R1 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr.sys [2009-9-3 29928]
R1 FortiShield;FortiShield;c:\windows\system32\drivers\FortiShield.sys [2009-9-3 36968]
R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2002-8-14 5632]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [2009-7-28 703008]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\lotus\notes\nsd.exe [2008-12-6 3315080]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-7-23 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-2-22 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-2-22 54872]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2009-3-28 31896]
R3 Fortidrv2;Fortinet Packet Filter Service;c:\windows\system32\drivers\fortidrv.sys [2009-4-6 22432]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-9-19 36608]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-7-23 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-7-23 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-7-23 170408]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [2009-6-3 73368]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2009-7-21 36384]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-20 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2007-7-23 16512]
S3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [2009-10-28 14496]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-7-25 99200]

=============== Created Last 30 ================

2010-02-03 13:58:15 0 d-s---w- C:\ComboFix
2010-02-02 18:19:28 0 d-----w- c:\docume~1\bredeker\applic~1\Malwarebytes
2010-02-02 18:19:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-02 18:19:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 18:19:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-02 18:19:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 17:59:06 0 d-sha-r- C:\cmdcons
2010-02-01 17:32:09 0 d-----w- C:\VundoFix Backups
2010-02-01 04:57:47 77312 ----a-w- c:\windows\MBR.exe
2010-02-01 04:57:03 261632 ----a-w- c:\windows\PEV.exe
2010-02-01 04:56:23 161792 ----a-w- c:\windows\SWREG.exe
2010-02-01 04:54:33 98816 ----a-w- c:\windows\sed.exe
2010-02-01 02:33:00 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-01 02:26:13 2148 ----a-w- c:\windows\system32\wpa.dbl
2010-02-01 02:10:29 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-01 02:10:28 0 d-----w- c:\docume~1\bredeker\applic~1\SUPERAntiSpyware.com
2010-02-01 02:02:55 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-31 12:59:39 0 d-----w- c:\program files\Veetle
2010-01-30 15:12:41 0 d-----w- c:\program files\iPod
2010-01-30 15:12:18 0 d-----w- c:\program files\iTunes
2010-01-30 15:12:18 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-27 02:15:14 0 d-----w- c:\program files\Comical
2010-01-13 11:06:18 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-02-04 00:37:47 256 ----a-w- c:\documents and settings\bredeker\pool.bin
2010-01-31 17:21:01 277784 ------w- c:\windows\system32\drivers\iaStor.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-11-19 12:03:29 128610 ----a-w- c:\windows\hpgins30.dat
2008-09-03 22:25:47 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 6:00:02,46 ===============

attach.txt/ark.txt attached.
Will now run Combofix and add log (seems it got deleted).

Attached Files


Edited by Boudewijn, 04 February 2010 - 01:34 PM.


BC AdBot (Login to Remove)

 


#2 Boudewijn

Boudewijn
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:42 AM

Posted 04 February 2010 - 05:08 AM

ComboFix log:

=============================================

ComboFix 10-02-03.04 - BRedeker 04-02-2010 7:10.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.495 [GMT 1:00]
Running from: c:\documents and settings\BRedeker\My Documents\Downloads\ComboFix.exe
AV: FortiClient AntiVirus *On-access scanning disabled* (Updated) {C86EC76D-5A4C-40E7-BD94-59358E544D81}
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: FortiClient Personal Firewall *enabled* {528CB157-D384-4593-AAAA-E42DFF111CED}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
c:\windows\system32\DRIVERS\iaStor.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-02-02 18:19 . 2010-02-02 18:19 -------- d-----w- c:\documents and settings\BRedeker\Application Data\Malwarebytes
2010-02-02 18:19 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-02 18:19 . 2010-02-02 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-02 18:19 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 18:19 . 2010-02-02 18:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 17:32 . 2010-02-01 17:32 -------- d-----w- C:\VundoFix Backups
2010-02-01 02:33 . 2010-02-01 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-01 02:10 . 2010-02-01 02:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-01 02:10 . 2010-02-01 02:10 -------- d-----w- c:\documents and settings\BRedeker\Application Data\SUPERAntiSpyware.com
2010-02-01 02:02 . 2010-02-01 02:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-31 12:59 . 2010-01-31 13:01 -------- d-----w- c:\program files\Veetle
2010-01-30 15:12 . 2010-01-30 15:12 -------- d-----w- c:\program files\iPod
2010-01-30 15:12 . 2010-01-30 15:13 -------- d-----w- c:\program files\iTunes
2010-01-30 15:12 . 2010-01-30 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-30 15:08 . 2010-01-30 15:08 -------- d-----w- c:\program files\QuickTime
2010-01-27 02:15 . 2010-01-27 02:15 -------- d-----w- c:\program files\Comical
2010-01-21 18:09 . 2010-01-25 04:46 -------- d-----w- c:\documents and settings\BRedeker\Application Data\Notepad++
2010-01-21 18:09 . 2010-01-21 18:19 -------- d-----w- c:\program files\Notepad++
2010-01-20 22:29 . 2010-01-20 22:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-20 22:24 . 2010-01-20 22:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-01-13 11:06 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-04 06:05 . 2009-09-21 15:05 -------- d-----w- c:\documents and settings\BRedeker\Application Data\Skype
2010-02-04 06:05 . 2008-03-13 20:05 -------- d-----w- c:\documents and settings\BRedeker\Application Data\DNA
2010-02-04 02:07 . 2010-02-01 02:37 117760 ----a-w- c:\documents and settings\BRedeker\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-04 00:37 . 2008-08-15 17:37 256 ----a-w- c:\documents and settings\BRedeker\pool.bin
2010-02-04 00:37 . 2008-03-13 20:05 -------- d-----w- c:\program files\DNA
2010-02-02 21:13 . 2010-01-02 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-02 21:12 . 2009-02-24 00:26 -------- d-----w- c:\program files\Cake Poker
2010-02-02 21:09 . 2009-01-13 23:04 -------- d-----w- c:\program files\PokerStars
2010-02-02 20:00 . 2007-07-23 18:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-02 20:00 . 2007-10-28 20:59 -------- d-----w- c:\program files\TomTom HOME
2010-02-02 19:33 . 2007-10-04 17:44 -------- d-----w- c:\documents and settings\BRedeker\Application Data\BitTorrent
2010-02-02 11:51 . 2007-07-23 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-01 06:52 . 2007-07-23 18:30 -------- d-----w- c:\program files\Google
2010-02-01 02:38 . 2010-02-01 02:37 52224 ----a-w- c:\documents and settings\BRedeker\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-31 17:21 . 2007-05-14 04:42 277784 ------w- c:\windows\system32\drivers\iaStor.sys
2010-01-31 12:43 . 2008-03-21 08:18 -------- d-----w- c:\documents and settings\BRedeker\Application Data\skypePM
2010-01-30 15:12 . 2008-03-25 07:41 -------- d-----w- c:\program files\Common Files\Apple
2010-01-30 14:45 . 2010-01-30 14:45 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2010-01-22 12:49 . 2009-03-24 14:37 -------- d-----w- c:\documents and settings\BRedeker\Application Data\U3
2010-01-20 17:27 . 2009-11-20 10:22 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 12:30 . 2007-07-23 20:19 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-18 05:42 . 2009-03-14 09:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-15 04:01 . 2009-12-25 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Hema Album Software Advanced
2010-01-15 04:01 . 2009-12-25 16:12 -------- d-----w- c:\program files\Hema Album Software Advanced
2010-01-13 14:37 . 2007-07-23 18:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-12 19:24 . 2008-03-07 09:53 -------- d-----w- c:\documents and settings\BRedeker\Application Data\webex
2010-01-02 01:29 . 2007-07-23 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-02 01:29 . 2010-01-02 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-21 19:14 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 18:47 . 2009-12-17 18:47 -------- d-----w- c:\program files\Common Files\Skype
2009-12-17 18:47 . 2009-05-27 21:06 -------- d-----r- c:\program files\Skype
2009-12-17 18:47 . 2007-10-15 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-21 15:51 . 2004-08-04 08:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 13:14 . 2007-12-19 19:15 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2009-11-20 13:14 . 2007-12-19 19:14 1955456 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2009-11-19 12:03 . 2009-11-19 11:47 128610 ----a-w- c:\windows\hpgins30.dat
2010-01-12 05:07 . 2008-03-07 09:53 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-01-12 05:07 . 2008-03-07 09:53 185224 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-01-12 05:09 . 2008-03-07 09:53 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2008-08-16 15:42 . 2008-08-16 15:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 15:42 . 2008-08-16 15:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 15:42 . 2008-08-16 15:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 15:42 . 2008-08-16 15:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 15:43 . 2008-08-16 15:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 15:42 . 2008-08-16 15:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 15:42 . 2008-08-16 15:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-03-07 09:53 . 2008-03-07 09:53 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2008-05-21 06:41 . 2008-05-21 06:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 06:41 . 2008-05-21 06:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 06:41 . 2008-05-21 06:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-06-05 11:58 . 2008-06-05 11:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 15:42 . 2008-08-16 15:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"RIMDeviceManager"="c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" [2007-04-13 1320472]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"Google Update"="c:\documents and settings\BRedeker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-29 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-28 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-03-05 159744]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-10 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-01-02 40960]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"GhostStartTrayApp"="c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 94208]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-22 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-01 151552]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"MMReminderService"="c:\program files\Mindjet\MindManager 8\MMReminderService.exe" [2008-12-11 37656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-11 198160]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\BRedeker\Start Menu\Programs\Startup\
NU.nl nieuwslezer.lnk - c:\nu.nl nieuwslezer\nunwslzr.exe [2006-11-10 1178624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\G:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector Express\\PDX.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry JDE 4.5.0\\simulator\\fledge.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\lotus\\notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.200811140851\\win32\\x86\\notes2.exe"=
"c:\\Program Files\\Fortinet\\FortiClient\\FortiProxy.exe"=
"c:\\Program Files\\Fortinet\\FortiClient\\ipsec.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_07\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 FAFileMon;FAFileMon;c:\windows\system32\drivers\fortimon2.sys [3-9-2009 19:17 42088]
R1 FARegMon;FARegMon;c:\windows\system32\drivers\FortiRmon.sys [3-9-2009 19:17 46184]
R1 fortiapd;fortiapd;c:\windows\system32\drivers\fortiapd.sys [3-9-2009 19:17 13416]
R1 FortiPFW;FortiPFW;c:\windows\system32\drivers\fortipfw.sys [3-9-2009 19:17 118632]
R1 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [3-9-2009 19:17 98024]
R1 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr.sys [3-9-2009 19:17 29928]
R1 FortiShield;FortiShield;c:\windows\system32\drivers\FortiShield.sys [3-9-2009 19:17 36968]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [14-8-2002 14:11 5632]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5-1-2010 7:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5-1-2010 7:56 74480]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [4-8-2004 9:00 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [4-8-2004 9:00 14336]
R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [28-7-2009 17:11 703008]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\lotus\notes\nsd.exe [6-12-2008 7:36 3315080]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [28-3-2009 13:45 31896]
R3 Fortidrv2;Fortinet Packet Filter Service;c:\windows\system32\drivers\fortidrv.sys [6-4-2009 14:20 22432]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [19-9-2006 17:58 36608]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [3-6-2009 14:21 73368]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [21-7-2009 17:53 36384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [20-1-2010 23:24 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [23-7-2007 22:03 16512]
S3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [28-10-2009 16:33 14496]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [25-7-2007 12:25 99200]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5-1-2010 7:56 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2010-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-20 22:24]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-20 22:24]

2010-02-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2934564010-1295937157-4130286823-1006Core.job
- c:\documents and settings\BRedeker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-29 10:07]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2934564010-1295937157-4130286823-1006UA.job
- c:\documents and settings\BRedeker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-29 10:07]

2010-02-04 c:\windows\Tasks\User_Feed_Synchronization-{918EAE8D-8C14-4EF5-98E9-7D2881889CAA}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 192.168.1.2:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - hxxps://telewerk.brabant.nl/vpns/scripts/vista/nsload.ocx
FF - ProfilePath - c:\documents and settings\BRedeker\Application Data\Mozilla\Firefox\Profiles\2s0amg2g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://portal.trueconomy.com/Pages/Default.aspx
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - plugin: c:\documents and settings\BRedeker\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Fortinet\SslvpnClient\npccplugin.dll
FF - plugin: c:\program files\Fortinet\SslvpnClient\nptcplugin.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPBOARDS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 07:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe??????????????@? ????e????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x86E37856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf756cf28
\Driver\ACPI -> ACPI.sys @ 0xf73dfcb8
\Driver\atapi -> atapi.sys @ 0xf7353852
\Driver\iaStor -> iaStor.sys @ 0xf7298c1a
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\561ad301-8580-f5a9-8032-b648c64ea2d]
@Denied: (Full) (AuthenticatedUsers)
@Denied: (Full) (Administrators)
"1x6up7e2tm9h2"=hex:39,61,64,37,38,32,62,61,2d,38,65,61,33,2d,34,30,65,32,2d,
38,34,33,63,2d,63,64,64,34,35,64,36,30,66,66,32,62
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(288)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItDAC.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItReports.DLL
c:\program files\Hewlett-Packard\IAM\Bin\BioAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASBIoAT.dll
c:\program files\Hewlett-Packard\IAM\Bin\ittal.dll
c:\program files\Hewlett-Packard\IAM\Bin\STEngine.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItVCClient.dll
c:\program files\Hewlett-Packard\IAM\Bin\AuthWiz.dll

- - - - - - - > 'lsass.exe'(360)
c:\windows\system32\WININET.dll
.
Completion time: 2010-02-04 07:42:25
ComboFix-quarantined-files.txt 2010-02-04 06:42
ComboFix2.txt 2010-02-01 20:03

Pre-Run: 32.336.658.432 bytes free
Post-Run: 32.322.768.896 bytes free

- - End Of File - - 8DC5D9AF25BA1AEF7527422B2082AA72

thx again!

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:42 AM

Posted 10 February 2010 - 07:37 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#4 Boudewijn

Boudewijn
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:42 AM

Posted 11 February 2010 - 01:31 AM

Hi m0le,

thanks, but by now the problem has been fixed in a different way; the drive was formatted and the OS reinstalled. So you can close this topic.

Thanks again,

B.

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:42 AM

Posted 11 February 2010 - 07:25 AM

Thanks for letting me know. thumbup2.gif

-------------------------------------------------------

Since this issue appears to be resolved ... this topic has been closed.
If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users