Windows Security 2010 - refuses to leave.


  • This topic is locked
50 replies to this topic

#1 J2FcM


  • Members
  • 55 posts

Posted 19 March 2010 - 02:08 PM

This is what I get when I run Rkill.com

F:\PROGRA~1\SSI\SYSENF~1.EXE
F:\Documents and Settings\Jeffrey\Application Data\Desktop Security 2010\securitycenter.exe
F:\Program Files\SSI\ssi.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
F:\docume~1\jeffrey\locals~1\temp\jqwu.exe
F:\Documents and Settings\Jeffrey\Desktop\rkill.com
F:\program files\naturallyspeaking10\program\upgrdmod16\mrecmrec10.10.000.078.exe
F:\program files\openoffice.org 3\program\toolssoffice2.6.1.exe

I also shut down Daemon Tools Lite. Once Rkill has been run, the computer SEEMS to run ok, but upon booting up in the morning, I get the lovely Win Security 2010 firewall/protection screen, and a million warnings about infection, until I run Rkill. Malware removed 1 infection my first scan (BEFORE I used Rkill), and after using Rkill, found 21 infections, which I removed last night.

NOW - I can re-open Rkill every few minutes, and it will continue to find these freshly opened processes.

locals~1\temp\iuph.exe
naturallyspeaking10\program\upgrdmod16\mrecmrec10.10.000.078.exe (Infected my dragon naturally speaking?)
locals~1\temp\jqwu.exe
openoffice.org 3\program\toolssoffice2.6.1.exe (not my Open office!!!)


FINALLY - I've attempted to run GMER.exe 2x. Both times took roughly an hour+ before my computer crashes and automatically reboots...

My DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jeffrey at 9:13:15.85 on Fri 03/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2529 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
svchost.exe
F:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
F:\WINDOWS\system32\svchost.exe -k hpdevmgmt
F:\WINDOWS\system32\svchost.exe -k HPService
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\System32\svchost.exe -k HPZ12
F:\WINDOWS\System32\svchost.exe -k HPZ12
F:\WINDOWS\System32\svchost.exe -k imgsvc
F:\WINDOWS\RTHDCPL.EXE
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Java\jre6\bin\jusched.exe
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\program files\quicktime\qtsystem\quicktimempeg.resources\ko.lproj\quicktimequicktimeresources.exe
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
F:\games\steam\steam.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\firefox.exe
f:\Program Files\Microsoft Security Essentials\MsMpEng.exe
F:\Program Files\Microsoft Security Essentials\msseces.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\WINDOWS\explorer.exe
f:\docume~1\jeffrey\locals~1\temp\jqwu.exe
f:\docume~1\jeffrey\locals~1\temp\iuph.exe
f:\program files\naturallyspeaking10\program\upgrdmod16\mrecmrec10.10.000.078.exe
f:\program files\openoffice.org 3\program\toolssoffice2.6.1.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Documents and Settings\Jeffrey\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWinlogon: Shell=f:\documents and settings\jeffrey\application data\desktop security 2010\Desktop Security 2010.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - f:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - f:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Steam] "f:\games\steam\steam.exe" -silent
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "f:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "f:\documents and settings\jeffrey\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Lite] "f:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [cvljrrure68l] f:\documents and settings\jeffrey\local settings\temp\m.253.tmp.exe
uRun: [SecurityCenter] f:\documents and settings\jeffrey\application data\desktop security 2010\securitycenter.exe
uRun: [Desktop Security 2010] f:\documents and settings\jeffrey\application data\desktop security 2010\Desktop Security 2010.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [JMB36X IDE Setup] f:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] f:\windows\system32\xRaidSetup.exe boot
mRun: [StartCCC] "f:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SSI] f:\program files\ssi\ssi /s
mRun: [SunJavaUpdateSched] "f:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] f:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "f:\program files\quicktime\qttask.exe" -atboottime
mRun: [SSBkgdUpdate] "f:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] f:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "f:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DNS7reminder] "f:\program files\naturallyspeaking10\ereg\ereg.exe" -r "f:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "f:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "f:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "f:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [JQwU] f:\docume~1\jeffrey\locals~1\temp\jqwu.exe
mRun: [UpgrdModDragon] f:\program files\naturallyspeaking10\program\upgrdmod16\mrecmrec10.10.000.078.exe
mRun: [WindowsRnpsoplugin] f:\program files\openoffice.org 3\program\toolssoffice2.6.1.exe
mRun: [QuickTimeQuickTimeResources] f:\program files\quicktime\qtsystem\quicktimempeg.resources\ko.lproj\quicktimequicktimeresources.exe
mRun: [iuph] f:\docume~1\jeffrey\locals~1\temp\iuph.exe
mRun: [MSSE] "f:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRunServices: [JQwU] f:\docume~1\jeffrey\locals~1\temp\jqwu.exe
mRunServices: [iuph] f:\docume~1\jeffrey\locals~1\temp\iuph.exe
mRunServices: [QuickTimeQuickTimeResources] f:\program files\quicktime\qtsystem\quicktimempeg.resources\ko.lproj\quicktimequicktimeresources.exe
StartupFolder: f:\docume~1\jeffrey\startm~1\programs\startup\openof~1.lnk - f:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - f:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Google Photos Screensa&ver - f:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - f:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\jeffrey\applic~1\mozilla\firefox\profiles\kszwx1ee.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.coolminiornot.com/
FF - plugin: c:\program files\plugins\npmozax.dll
FF - plugin: c:\program files\plugins\npsnapfish.dll
FF - plugin: c:\program files\plugins\npunagi2.dll
FF - plugin: c:\program files\plugins\npwachk.dll
FF - plugin: f:\documents and settings\jeffrey\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: f:\documents and settings\jeffrey\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: f:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\greprefs\all.js - pref("html5.enable", false);
c:\program files\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;f:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 GEST Service;GEST Service for program management.;f:\program files\gigabyte\energysaver\GSvr.exe [2008-12-25 68136]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;f:\games\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-17 25832]
S3 MBAMSwissArmy;MBAMSwissArmy;f:\windows\system32\drivers\mbamswissarmy.sys [2009-5-9 38224]

=============== Created Last 30 ================

2010-03-19 15:54:27 0 d-----w- f:\program files\Microsoft Security Essentials
2010-03-19 15:53:31 0 d-----w- F:\6a34e14e9cef1b6c275ac9
2010-03-19 09:07:54 0 d-----w- f:\documents and settings\jeffrey\DoctorWeb
2010-03-19 08:23:12 0 d-----w- f:\docume~1\jeffrey\applic~1\Desktop Security 2010
2010-03-18 23:40:54 0 d--h--w- f:\windows\PIF
2010-03-11 17:35:15 0 d-----w- f:\program files\common files\xing shared
2010-03-11 10:05:35 0 d-----w- f:\program files\MSXML 4.0
2010-03-11 02:07:52 3558912 -c----w- f:\windows\system32\dllcache\moviemk.exe
2010-03-10 08:19:55 1715 ----a-w- f:\docume~1\jeffrey\applic~1\SAS7_000.DAT
2010-03-06 19:21:14 0 d-----w- f:\docume~1\jeffrey\applic~1\Nuance
2010-03-06 19:19:37 0 d-----w- f:\program files\common files\ScanSoft Shared
2010-03-06 19:19:37 0 d-----w- f:\program files\common files\Nuance
2010-03-06 19:19:10 0 d-----w- f:\program files\NaturallySpeaking10
2010-03-06 19:19:10 0 d-----w- f:\docume~1\alluse~1\applic~1\Nuance
2010-03-06 19:19:03 0 d-----w- f:\windows\speech
2010-03-06 00:15:26 0 d-----w- f:\program files\DAEMON Tools Lite
2010-03-05 18:57:44 767952 ----a-w- f:\windows\BDTSupport.dll.old
2010-03-05 18:57:44 1640400 ----a-w- f:\windows\PCTBDCore.dll.old
2010-03-05 18:55:50 0 d-----w- f:\program files\Spyware Doctor
2010-02-19 23:47:50 3604480 ----a-w- f:\windows\system32\GPhotos.scr

==================== Find3M ====================

2010-03-19 15:45:09 16608 ----a-w- f:\windows\gdrv.sys
2010-03-11 17:34:43 499712 ----a-w- f:\windows\system32\msvcp71.dll
2010-03-11 17:34:43 348160 ----a-w- f:\windows\system32\msvcr71.dll
2010-03-06 00:15:33 691696 ----a-w- f:\windows\system32\drivers\sptd.sys
2009-12-22 18:39:20 922112 ------w- f:\windows\system32\imapi2fs.dll
2009-12-22 18:39:20 426496 ------w- f:\windows\system32\imapi2.dll
2009-12-21 19:14:05 916480 ----a-w- f:\windows\system32\wininet.dll
2009-01-11 23:57:40 32768 --sha-w- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122920090105\index.dat
2009-01-11 23:57:40 32768 --sha-w- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011120090112\index.dat

============= FINISH: 9:13:35.92 ===============







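The DDS "Pseudo HJT Report" above, together with the ComboFix "Reg Loading Points" section posted later in this thread, shows how the rogue keeps coming back: the Winlogon Shell value points at Desktop Security 2010.exe instead of explorer.exe, Run/RunServices entries launch from the user's Temp folder, and one 163840-byte binary dated 2010-03-18 sits under three different vendors' folders with three different names. The script below is an added example, not part of this thread or of any BleepingComputer, DDS or ComboFix tool: it reads log lines in those two formats and flags exactly those patterns. The rule names and the exe_path helper are my own; the sample lines are copied from the logs in this thread.

```python
"""Flag suspicious autostart entries in DDS / ComboFix log excerpts.

Added example for this thread; not a BleepingComputer, DDS or ComboFix tool.
Every hit is something a helper would look at, not proof of infection
(legitimate updaters such as Google Update also run from Application Data).
"""
import re
from collections import defaultdict

# Lines copied from the logs posted in this thread: the DDS "Pseudo HJT Report"
# (post #1) and the ComboFix "Reg Loading Points" section (post #9), embedded
# here so the script runs offline.
SAMPLE_LOG = r"""
uWinlogon: Shell=f:\documents and settings\jeffrey\application data\desktop security 2010\Desktop Security 2010.exe
uRun: [Steam] "f:\games\steam\steam.exe" -silent
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [cvljrrure68l] f:\documents and settings\jeffrey\local settings\temp\m.253.tmp.exe
uRun: [SecurityCenter] f:\documents and settings\jeffrey\application data\desktop security 2010\securitycenter.exe
mRun: [SSI] f:\program files\ssi\ssi /s
mRun: [MSSE] "f:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRunServices: [iuph] f:\docume~1\jeffrey\locals~1\temp\iuph.exe
"TkBellExe"="f:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-11 202256]
"UpgrdModDragon"="f:\program files\naturallyspeaking10\program\upgrdmod16\mrecmrec10.10.000.078.exe" [2010-03-18 163840]
"WindowsRnpsoplugin"="f:\program files\openoffice.org 3\program\toolssoffice2.6.1.exe" [2010-03-18 163840]
"QuickTimeQuickTimeResources"="f:\program files\quicktime\qtsystem\quicktimempeg.resources\ko.lproj\quicktimequicktimeresources.exe" [2010-03-18 163840]
"""

# DDS style:      uRun: [Name] command line        /  uWinlogon: Shell=path
# ComboFix style: "Name"="path" [YYYY-MM-DD size]
DDS_RUN = re.compile(r"^[um]Run(?:Services|Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DDS_WINLOGON = re.compile(r"^[um]Winlogon: (?P<key>\w+)=(?P<cmd>.+)$")
CF_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?: \[(?P<date>[\d-]+) (?P<size>\d+)\])?')


def exe_path(cmd):
    """Return the lowercase program path from a command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return (m.group(1) if m else re.split(r"\s+[-/]", cmd)[0]).lower()


def parse(log):
    """Yield (kind, name, path, build_key) records; build_key is (date, size) or None."""
    for line in log.splitlines():
        line = line.strip()
        if m := DDS_WINLOGON.match(line):
            yield "winlogon", m["key"], exe_path(m["cmd"]), None
        elif m := DDS_RUN.match(line):
            yield "run", m["name"], exe_path(m["cmd"]), None
        elif m := CF_RUN.match(line):
            key = (m["date"], int(m["size"])) if m["size"] else None
            yield "run", m["name"], exe_path(m["cmd"]), key


def suspicious_entries(log):
    """Return (rule, name, path) findings in log order."""
    records = list(parse(log))
    # Same date and byte size under three or more unrelated paths: one dropper
    # copied into several vendors' folders, as in the ComboFix log above.
    by_key = defaultdict(set)
    for _kind, _name, path, key in records:
        if key:
            by_key[key].add(path)
    cloned = {k for k, paths in by_key.items() if len(paths) >= 3}

    findings = []
    for kind, name, path, key in records:
        if kind == "winlogon" and name.lower() == "shell" and not path.endswith("explorer.exe"):
            findings.append(("winlogon-shell-hijack", name, path))
        if re.search(r"\\temp\\", path):
            findings.append(("autostart-from-temp", name, path))
        elif kind == "run" and re.search(r"\\(application data|applic~1)\\", path):
            findings.append(("autostart-from-appdata", name, path))
        if key in cloned:
            findings.append(("cloned-binary", name, path))
    return findings


if __name__ == "__main__":
    for rule, name, path in suspicious_entries(SAMPLE_LOG):
        print(f"{rule:24} {name:28} {path}")
```

Run against the full logs, the "autostart-from-appdata" rule will also list Google Update; that is why it is a separate, lower-priority rule rather than folded into the Temp one.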

 


#2 Noviciate


  • Malware Response Team
  • 5,277 posts

Posted 19 March 2010 - 03:34 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Post a fresh HJT log as well.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

 

 


#3 J2FcM

  • Topic Starter

  • Members
  • 55 posts

Posted 19 March 2010 - 06:52 PM

I don't mean to bump this post, but am I being a little TOO patient... it's been 2-3 hours for this part.

ComboFix is preparing the log report



This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt. This can be seen in the image below.




#4 Noviciate


  • Malware Response Team
  • 5,277 posts

Posted 19 March 2010 - 07:46 PM

Reboot your PC and then look for the log in the root of your hard drive.

So long, and thanks for all the fish.

 

 


#5 J2FcM

  • Topic Starter

  • Members
  • 55 posts

Posted 19 March 2010 - 07:59 PM

I re-booted.

Went into

F:\Combofix

Found Combofix.txt...

ComboFix 10-03-19.04 - Jeffrey 03/19/2010 14:02:40.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2887 [GMT -7:00]
Running from: F:\Documents and Settings\Jeffrey\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\0LlK7.jpg
F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\5k00JJ.jpg
F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\b081XN.jpg
F:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\mB6KY1nYa.jpg

.
((((((((((((((((((((((((( Files Created from 2010-02-19 to 2010-03-19 )))))))))))))))))))))))))))))))


One other thing I would like to note is: when scanning with Malware, I can successfully scan my F drive (my main drive) and my D drive (old storage). But my C drive (slightly old storage) always freezes up on old STEAM files. So I haven't yet scanned my C drive (which is where I open Firefox from). Might that also screw with Combofix?
.

Edited by J2FcM, 19 March 2010 - 08:01 PM.


#6 Noviciate


  • Malware Response Team
  • 5,277 posts

Posted 20 March 2010 - 02:54 PM

Good evening. :)

Did you disable your anti-virus before you ran ComboFix?

So long, and thanks for all the fish.

 

 


#7 J2FcM

  • Topic Starter

  • Members
  • 55 posts

Posted 22 March 2010 - 12:43 PM

As far as I remember, I disabled everything. Ran Malware AV again and caught 22 infections. But it's still there this morning (I was away). I will attempt to run combo fix again...

#8 Noviciate


  • Malware Response Team
  • 5,277 posts

Posted 22 March 2010 - 03:27 PM

Good evening. :)

Just to be on the safe side I suggest you download another copy of ComboFix BUT rename the file BEFORE you save it to your PC. Any name will do as long as you keep the .exe file extension.

So long, and thanks for all the fish.

 

 


#9 J2FcM

  • Topic Starter

  • Members
  • 55 posts

Posted 25 March 2010 - 12:03 PM

YAY - I think it worked! Attached is the ComboFix log.

ComboFix 10-03-24.02 - Jeffrey 03/25/2010 2:11.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2912 [GMT -7:00]
Running from: f:\documents and settings\Jeffrey\Desktop\Cphix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\documents and settings\Jeffrey\Local Settings\Application Data\ave.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
.

2010-03-22 17:40 . 2010-03-20 15:49 3939328 ----a-w- f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\securityhelper.exe
2010-03-22 17:40 . 2010-03-22 17:40 -------- d-----w- f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010
2010-03-22 17:40 . 2010-03-18 09:51 3230720 ----a-w- f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\Desktop Security 2010.exe
2010-03-22 17:40 . 2010-03-18 09:50 223744 ----a-w- f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\securitycenter.exe
2010-03-22 17:40 . 2010-01-21 18:29 86070 ----a-w- f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\pthreadVC2.dll
2010-03-22 17:40 . 2010-01-21 18:29 499712 ----a-w- f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\msvcp71.dll
2010-03-22 17:40 . 2010-01-21 18:29 348160 ----a-w- f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\msvcr71.dll
2010-03-22 17:40 . 2010-01-21 18:29 1060864 ----a-w- f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\mfc71.dll
2010-03-22 17:40 . 2010-01-21 18:29 57344 ----a-w- f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\MFC71ENU.DLL
2010-03-20 15:39 . 2009-08-07 02:23 274288 ----a-w- f:\windows\system32\mucltui.dll
2010-03-20 15:39 . 2009-08-07 02:23 215920 ----a-w- f:\windows\system32\muweb.dll
2010-03-19 21:00 . 2010-03-19 21:00 -------- d-----w- f:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-03-19 15:53 . 2010-03-19 15:54 -------- d-----w- F:\6a34e14e9cef1b6c275ac9
2010-03-19 09:07 . 2010-03-19 09:07 -------- d-----w- f:\documents and settings\Jeffrey\DoctorWeb
2010-03-18 23:40 . 2010-03-18 23:40 -------- d--h--w- f:\windows\PIF
2010-03-11 17:35 . 2010-03-11 17:35 -------- d-----w- f:\documents and settings\Jeffrey\Local Settings\Application Data\Real
2010-03-11 17:35 . 2010-03-11 17:35 300616 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-11 17:35 . 2010-03-11 17:35 118784 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-11 17:35 . 2010-03-11 17:35 118784 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-11 17:35 . 2010-03-11 17:35 118784 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-11 17:35 . 2010-03-11 17:35 118784 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-11 17:35 . 2010-03-11 17:35 118784 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-11 17:35 . 2010-03-11 17:35 329312 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-11 17:35 . 2010-03-11 17:35 118784 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-11 17:35 . 2010-03-11 17:35 -------- d-----w- f:\program files\Common Files\xing shared
2010-03-11 10:05 . 2010-03-11 10:05 -------- d-----w- f:\program files\MSXML 4.0
2010-03-11 02:07 . 2009-10-23 15:28 3558912 -c----w- f:\windows\system32\dllcache\moviemk.exe
2010-03-06 19:42 . 2010-03-06 19:42 -------- d-----w- f:\documents and settings\Jeffrey\Local Settings\Application Data\Scansoft
2010-03-06 19:21 . 2010-03-06 19:21 -------- d-----w- f:\documents and settings\All Users\Application Data\InstallShield
2010-03-06 19:21 . 2010-03-06 19:21 -------- d-----w- f:\documents and settings\Jeffrey\Application Data\Nuance
2010-03-06 19:19 . 2010-03-06 19:19 -------- d-----w- f:\documents and settings\All Users\Application Data\ScanSoft
2010-03-06 19:19 . 2010-03-06 19:19 -------- d-----w- f:\program files\Common Files\ScanSoft Shared
2010-03-06 19:19 . 2010-03-06 19:19 -------- d-----w- f:\program files\Common Files\Nuance
2010-03-06 19:19 . 2010-03-06 19:19 -------- d-----w- f:\program files\NaturallySpeaking10
2010-03-06 19:19 . 2010-03-06 19:19 -------- d-----w- f:\documents and settings\All Users\Application Data\Nuance
2010-03-06 19:19 . 2010-03-06 19:21 -------- d-----w- f:\windows\speech
2010-03-06 00:15 . 2010-03-06 00:26 -------- d-----w- f:\program files\DAEMON Tools Lite
2010-03-05 20:19 . 2010-03-05 20:19 -------- d-----w- f:\documents and settings\Jeffrey\Local Settings\Application Data\Threat Expert
2010-03-05 18:55 . 2010-03-06 19:42 -------- d-----w- f:\program files\Spyware Doctor
2010-02-24 22:40 . 2010-03-14 01:06 -------- d-----w- f:\documents and settings\Jeffrey\Application Data\FileZilla
2010-02-24 22:40 . 2010-02-24 22:40 -------- d-----w- f:\program files\FileZilla FTP Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 09:10 . 2008-12-26 05:00 16608 ----a-w- f:\windows\gdrv.sys
2010-03-24 22:34 . 2009-10-18 22:21 -------- d-----w- f:\documents and settings\Jeffrey\Application Data\HPAppData
2010-03-24 22:24 . 2010-03-10 08:19 1715 ----a-w- f:\documents and settings\Jeffrey\Application Data\SAS7_000.DAT
2010-03-24 22:23 . 2009-04-19 09:15 -------- d---a-w- f:\documents and settings\All Users\Application Data\Temp
2010-03-24 18:43 . 2009-02-06 02:09 -------- d-----w- f:\documents and settings\Jeffrey\Application Data\Azureus
2010-03-21 09:17 . 2009-05-10 05:37 -------- d-----w- f:\program files\Microsoft Silverlight
2010-03-21 06:42 . 2010-02-06 21:38 -------- d-----w- f:\documents and settings\Jeffrey\Application Data\Bioshock
2010-03-19 01:06 . 2009-05-09 17:25 -------- d-----w- f:\program files\Anti-Malware
2010-03-19 01:06 . 2009-05-09 17:44 5115824 ----a-w- f:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-15 12:12 . 2009-09-23 16:49 1 ----a-w- f:\documents and settings\Jeffrey\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-12 23:54 . 2008-12-26 05:01 -------- d--h--w- f:\program files\InstallShield Installation Information
2010-03-11 17:35 . 2009-09-22 03:22 -------- d-----w- f:\program files\Common Files\Real
2010-03-11 17:35 . 2009-09-22 03:22 -------- d-----w- f:\program files\Real
2010-03-11 17:34 . 2009-03-05 07:00 499712 ----a-w- f:\windows\system32\msvcp71.dll
2010-03-11 17:34 . 2009-03-05 07:00 348160 ----a-w- f:\windows\system32\msvcr71.dll
2010-03-11 04:17 . 2009-01-14 02:31 -------- d-----w- f:\program files\Common Files\Adobe
2010-03-06 19:19 . 2008-12-26 05:01 -------- d-----w- f:\program files\Common Files\InstallShield
2010-03-06 00:26 . 2009-01-04 07:41 -------- d-----w- f:\documents and settings\Jeffrey\Application Data\DAEMON Tools Lite
2010-03-06 00:15 . 2009-01-04 07:41 691696 ----a-w- f:\windows\system32\drivers\sptd.sys
2010-03-06 00:15 . 2009-01-04 07:44 -------- d-----w- f:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-03-06 00:11 . 2009-01-04 07:45 -------- d-----w- f:\documents and settings\Jeffrey\Application Data\DAEMON Tools Pro
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- f:\windows\system32\GPhotos.scr
2010-02-06 21:36 . 2010-02-06 21:36 -------- d--h--r- f:\documents and settings\Jeffrey\Application Data\SecuROM
2010-02-05 18:39 . 2010-02-05 18:39 251376 ----a-w- f:\documents and settings\Jeffrey\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-21 10:19 . 2010-01-21 10:19 152576 ----a-w- f:\documents and settings\Jeffrey\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-21 10:19 . 2010-01-21 10:19 79488 ----a-w- f:\documents and settings\Jeffrey\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-19 03:16 . 2008-12-26 05:27 1324 ----a-w- f:\windows\system32\d3d9caps.dat
2010-01-07 23:07 . 2009-05-09 17:25 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2009-05-09 17:25 19160 ----a-w- f:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2003-03-31 12:00 353792 ----a-w- f:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-13_13.21.36 )))))))))))))))))))))))))))))))))))))))))

Deleted to cut down on log size.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="f:\games\steam\steam.exe" [2010-02-23 1217872]
"Google Update"="f:\documents and settings\Jeffrey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-09 135664]
"DAEMON Tools Lite"="f:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"Desktop Security 2010"="f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\Desktop Security 2010.exe" [2010-03-18 3230720]
"SecurityCenter"="f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\securitycenter.exe" [2010-03-18 223744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSI"="f:\program files\SSI\ssi" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"JMB36X IDE Setup"="f:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="f:\windows\System32\xRaidSetup.exe" [2007-11-19 1966080]
"StartCCC"="f:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-09-23 149280]
"HP Software Update"="f:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"QuickTime Task"="f:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"SSBkgdUpdate"="f:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="f:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="f:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"DNS7reminder"="f:\program files\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"TkBellExe"="f:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-11 202256]
"UpgrdModDragon"="f:\program files\naturallyspeaking10\program\upgrdmod16\mrecmrec10.10.000.078.exe" [2010-03-18 163840]
"WindowsRnpsoplugin"="f:\program files\openoffice.org 3\program\toolssoffice2.6.1.exe" [2010-03-18 163840]
"QuickTimeQuickTimeResources"="f:\program files\quicktime\qtsystem\quicktimempeg.resources\ko.lproj\quicktimequicktimeresources.exe" [2010-03-18 163840]
"WindowsRDBGHELP"="f:\program files\openoffice.org 3\program\toolssoffice2.6.1.exe" [2010-03-18 163840]
"SAPISVR5System"="f:\program files\common files\microsoft shared\speech\sapi5sapisvr5.exe" [2010-03-18 163840]
"setup7InstallShield"="f:\program files\installshield installation information\{3a1b5d40-41e9-43fa-8c7b-a8667f5586ef}\setupinstallshield.exe" [2010-03-18 163840]
"setup7Setup"="f:\program files\installshield installation information\{3a1b5d40-41e9-43fa-8c7b-a8667f5586ef}\setupinstallshield.exe" [2010-03-18 163840]
"SystemOperating"="f:\program files\common files\microsoft shared\speech\sapi5sapisvr5.exe" [2010-03-18 163840]
"DAO360Microsoft"="f:\program files\common files\microsoft shared\dao\microsoftdao360.exe" [2010-03-18 163840]
"mrecMREC"="f:\program files\naturallyspeaking10\program\upgrdmod16\mrecmrec10.10.000.078.exe" [2010-03-18 163840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="f:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

f:\documents and settings\Jeffrey\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - f:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - f:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Games\\Steam\\steam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"f:\\Program Files\\SopCast\\SopCast.exe"=
"f:\\Program Files\\Vuze\\Azureus.exe"=
"f:\\Games\\Steam\\steamapps\\j2fcm\\team fortress 2\\hl2.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"f:\\Games\\DEMIGOD\\Stardock Games\\Demigod\\bin\\Demigod.exe"=
"f:\\Documents and Settings\\Jeffrey\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"f:\\Documents and Settings\\Jeffrey\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"f:\\Games\\Dragon Age\\bin_ship\\daorigins.exe"=
"f:\\Games\\Dragon Age\\DAOriginsLauncher.exe"=
"f:\\Games\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"f:\\Games\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"f:\\Games\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R2 GEST Service;GEST Service for program management.;f:\program files\GIGABYTE\EnergySaver\GSvr.exe [12/25/2008 10:01 PM 68136]
S0 sptd;sptd;f:\windows\system32\drivers\sptd.sys [1/4/2009 12:41 AM 691696]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;f:\games\Dragon Age\bin_ship\daupdatersvc.service.exe [12/17/2009 12:26 AM 25832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-25 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1580436667-725345543-1003Core.job
- f:\documents and settings\Jeffrey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-09 19:06]

2010-03-25 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1580436667-725345543-1003UA.job
- f:\documents and settings\Jeffrey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-09 19:06]

2010-03-25 f:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1078081533-1580436667-725345543-1003.job
- f:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-03-11 f:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1078081533-1580436667-725345543-1003.job
- f:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-03-24 f:\windows\Tasks\User_Feed_Synchronization-{58754FE3-3D00-4C15-8592-145362416E93}.job
- f:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

2010-03-25 f:\windows\Tasks\WGASetup.job
- f:\windows\system32\KB905474\wgasetup.exe [2009-04-01 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - f:\windows\system32\GPhotos.scr/200
FF - ProfilePath - f:\documents and settings\Jeffrey\Application Data\Mozilla\Firefox\Profiles\kszwx1ee.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.coolminiornot.com/
FF - plugin: c:\program files\plugins\npmozax.dll
FF - plugin: c:\program files\plugins\npsnapfish.dll
FF - plugin: c:\program files\plugins\npunagi2.dll
FF - plugin: c:\program files\plugins\npwachk.dll
FF - plugin: f:\documents and settings\Jeffrey\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: f:\documents and settings\Jeffrey\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: f:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\greprefs\all.js - pref("html5.enable", false);
c:\program files\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - f:\program files\HijackThis\HijackThis.exe
AddRemove-{F46BF5EA-0B4E-4A41-8C4B-3B127346E30F} - f:\documents and settings\Jeffrey\Local Settings\Application Data\{964C8871-6315-4FC5-8A47-F4C420428929}\NBCDirectInstaller.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1580436667-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:61,1b,29,a7,b2,f3,e1,77,12,83,81,81,a5,82,15,96,7c,47,ef,a4,c2,24,33,
71,b3,75,77,9d,dc,92,ea,d8,d6,71,e7,e8,cc,43,1d,d9,fd,60,ee,69,da,cc,3f,22,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
f:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-03-25 02:20:03
ComboFix-quarantined-files.txt 2010-03-25 09:20
ComboFix2.txt 2009-05-15 23:29
ComboFix3.txt 2009-05-13 13:22

Pre-Run: 392,572,104,704 bytes free
Post-Run: 393,486,589,952 bytes free

- - End Of File - - 101356C40623583D53BA89BE09DCDAEC

Edited to add chopped down version of CF log from attachment - Novi'.

Edited by Noviciate, 25 March 2010 - 03:24 PM.


#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:07 PM

Posted 25 March 2010 - 03:35 PM

Good evening.

Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

Folder::
f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityCenter"=-


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of Combofix and let it do its thing.
Let me have the log produced, as before, and a description of how the PC is behaving.

So long, and thanks for all the fish.
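The CFScript above removes one folder and one HKCU Run value, but the log it was written against shows a broader pattern that is worth being able to spot automatically: ten HKLM Run values (UpgrdModDragon, WindowsRnpsoplugin, SAPISVR5System, setup7InstallShield, DAO360Microsoft, mrecMREC and so on) that point at six executables which all carry the same ComboFix size/date stamp [2010-03-18 163840] and sit in folders belonging to legitimate products, alongside Security Center override flags and a disabled Windows Firewall. The following Python script is an added example, not code from this thread, from BleepingComputer or from ComboFix: it parses the "Reg Loading Points" block of a ComboFix log, groups Run entries by their (date, size) stamp to surface such clusters, and reports the Security Center and firewall settings ComboFix prints. The SAMPLE text is a constructed subset of lines quoted from the log above; the function names are my own.

```python
"""Heuristics over the 'Reg Loading Points' section of a ComboFix log.

Added example (not part of the forum thread or of ComboFix). The sample below is
constructed from a subset of lines that appear in the log quoted above.
"""
import re
from collections import defaultdict

# Constructed sample: HKCU/HKLM Run entries plus the Security Center and
# firewall-policy blocks, in the exact format ComboFix printed them.
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="f:\games\steam\steam.exe" [2010-02-23 1217872]
"Desktop Security 2010"="f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\Desktop Security 2010.exe" [2010-03-18 3230720]
"SecurityCenter"="f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\securitycenter.exe" [2010-03-18 223744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSI"="f:\program files\SSI\ssi" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"HP Software Update"="f:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"UpgrdModDragon"="f:\program files\naturallyspeaking10\program\upgrdmod16\mrecmrec10.10.000.078.exe" [2010-03-18 163840]
"WindowsRnpsoplugin"="f:\program files\openoffice.org 3\program\toolssoffice2.6.1.exe" [2010-03-18 163840]
"SAPISVR5System"="f:\program files\common files\microsoft shared\speech\sapi5sapisvr5.exe" [2010-03-18 163840]
"setup7InstallShield"="f:\program files\installshield installation information\{3a1b5d40-41e9-43fa-8c7b-a8667f5586ef}\setupinstallshield.exe" [2010-03-18 163840]
"DAO360Microsoft"="f:\program files\common files\microsoft shared\dao\microsoftdao360.exe" [2010-03-18 163840]
"mrecMREC"="f:\program files\naturallyspeaking10\program\upgrdmod16\mrecmrec10.10.000.078.exe" [2010-03-18 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "Name"="path" [YYYY-MM-DD size]  -- ComboFix appends the file's date and size
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
# "Name"="path" [X]  -- ComboFix prints [X] when the referenced file is not found
MISSING_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[X\]$')

# Settings that, when present with these values, mean the OS's own warnings
# and firewall have been switched off (all four appear in the log above).
POSTURE_CHECKS = [
    (r'"AntiVirusOverride"=dword:00000001', 'Security Center antivirus warnings overridden'),
    (r'"FirewallOverride"=dword:00000001', 'Security Center firewall warnings overridden'),
    (r'"EnableFirewall"=\s*0\b', 'Windows Firewall disabled for the standard profile'),
    (r'"DisableNotifications"=\s*1\b', 'Firewall notifications disabled'),
]


def parse_run_entries(text):
    """Return the values listed under any ...\\CurrentVersion\\Run key."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        if key is None or not key.lower().endswith('\\currentversion\\run'):
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append({'key': key, 'name': m['name'], 'path': m['path'],
                            'date': m['date'], 'size': int(m['size'])})
            continue
        m = MISSING_RE.match(line)
        if m:
            entries.append({'key': key, 'name': m['name'], 'path': m['path'],
                            'date': None, 'size': None})
    return entries


def find_stamp_clusters(entries, min_members=3):
    """Group entries by (date, size); several autostarts sharing one stamp is suspicious."""
    groups = defaultdict(list)
    for e in entries:
        if e['size'] is not None:
            groups[(e['date'], e['size'])].append(e)
    clusters = []
    for (date, size), members in groups.items():
        if len(members) >= min_members:
            clusters.append({'date': date, 'size': size,
                             'names': [m['name'] for m in members],
                             'paths': sorted({m['path'].lower() for m in members})})
    return clusters


def security_posture_findings(text):
    """Report the Security Center / firewall settings ComboFix shows as weakened."""
    return [msg for pattern, msg in POSTURE_CHECKS if re.search(pattern, text)]


def summarize(text):
    entries = parse_run_entries(text)
    return {'entry_count': len(entries),
            'missing_files': [e['name'] for e in entries if e['size'] is None],
            'clusters': find_stamp_clusters(entries),
            'posture': security_posture_findings(text)}


if __name__ == '__main__':
    report = summarize(SAMPLE)
    print(f"{report['entry_count']} Run entries, file missing for: {report['missing_files']}")
    for c in report['clusters']:
        print(f"cluster [{c['date']} {c['size']}]: {len(c['names'])} values -> {len(c['paths'])} files")
        for p in c['paths']:
            print('   ', p)
    for finding in report['posture']:
        print('posture:', finding)
```

Run against the constructed sample this reports one cluster, six Run values sharing [2010-03-18 163840] that resolve to five distinct files, plus all four posture findings. The clustering is a heuristic only: a genuine product can register several components of identical size, so a hit is a prompt to look at the paths (here, executables dropped into Nuance, OpenOffice.org and Microsoft Shared folders that those products do not ship) rather than a verdict on its own.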


#11 J2FcM

J2FcM
  • Topic Starter

  • Members
  • 55 posts
  • Local time:12:07 PM

Posted 25 March 2010 - 04:15 PM

The computer is seemingly running fine, but I've been running Rkill EVERY TIME it starts up, otherwise it goes bonkers. I could try a restart now to see if the virus will start up.


ComboFix 10-03-25.02 - Jeffrey 03/25/2010 14:05:49.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2647 [GMT -7:00]
Running from: f:\documents and settings\Jeffrey\Desktop\Cphix.exe
Command switches used :: f:\documents and settings\Jeffrey\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010
f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\daily.cvd
f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\Desktop Security 2010.exe
f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\mfc71.dll
f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\MFC71ENU.DLL
f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\msvcp71.dll
f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\msvcr71.dll
f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\pthreadVC2.dll
f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\securitycenter.exe
f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\securityhelper.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
.

2010-03-25 09:08 . 2010-03-25 09:20 -------- d-----w- F:\Cphix
2010-03-20 15:39 . 2009-08-07 02:23 274288 ----a-w- f:\windows\system32\mucltui.dll
2010-03-20 15:39 . 2009-08-07 02:23 215920 ----a-w- f:\windows\system32\muweb.dll
2010-03-19 21:00 . 2010-03-19 21:00 -------- d-----w- f:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-03-19 15:53 . 2010-03-19 15:54 -------- d-----w- F:\6a34e14e9cef1b6c275ac9
2010-03-19 09:07 . 2010-03-19 09:07 -------- d-----w- f:\documents and settings\Jeffrey\DoctorWeb
2010-03-18 23:40 . 2010-03-18 23:40 -------- d--h--w- f:\windows\PIF
2010-03-11 17:35 . 2010-03-11 17:35 -------- d-----w- f:\documents and settings\Jeffrey\Local Settings\Application Data\Real
2010-03-11 17:35 . 2010-03-11 17:35 300616 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-11 17:35 . 2010-03-11 17:35 118784 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-11 17:35 . 2010-03-11 17:35 118784 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-11 17:35 . 2010-03-11 17:35 118784 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-11 17:35 . 2010-03-11 17:35 118784 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-11 17:35 . 2010-03-11 17:35 118784 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-11 17:35 . 2010-03-11 17:35 329312 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-11 17:35 . 2010-03-11 17:35 118784 ----a-w- f:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-11 17:35 . 2010-03-11 17:35 -------- d-----w- f:\program files\Common Files\xing shared
2010-03-11 10:05 . 2010-03-11 10:05 -------- d-----w- f:\program files\MSXML 4.0
2010-03-11 02:07 . 2009-10-23 15:28 3558912 -c----w- f:\windows\system32\dllcache\moviemk.exe
2010-03-06 19:42 . 2010-03-06 19:42 -------- d-----w- f:\documents and settings\Jeffrey\Local Settings\Application Data\Scansoft
2010-03-06 19:21 . 2010-03-06 19:21 -------- d-----w- f:\documents and settings\All Users\Application Data\InstallShield
2010-03-06 19:21 . 2010-03-06 19:21 -------- d-----w- f:\documents and settings\Jeffrey\Application Data\Nuance
2010-03-06 19:19 . 2010-03-06 19:19 -------- d-----w- f:\documents and settings\All Users\Application Data\ScanSoft
2010-03-06 19:19 . 2010-03-06 19:19 -------- d-----w- f:\program files\Common Files\ScanSoft Shared
2010-03-06 19:19 . 2010-03-06 19:19 -------- d-----w- f:\program files\Common Files\Nuance
2010-03-06 19:19 . 2010-03-06 19:19 -------- d-----w- f:\program files\NaturallySpeaking10
2010-03-06 19:19 . 2010-03-06 19:19 -------- d-----w- f:\documents and settings\All Users\Application Data\Nuance
2010-03-06 19:19 . 2010-03-06 19:21 -------- d-----w- f:\windows\speech
2010-03-06 00:15 . 2010-03-06 00:26 -------- d-----w- f:\program files\DAEMON Tools Lite
2010-03-05 20:19 . 2010-03-05 20:19 -------- d-----w- f:\documents and settings\Jeffrey\Local Settings\Application Data\Threat Expert
2010-03-05 18:55 . 2010-03-06 19:42 -------- d-----w- f:\program files\Spyware Doctor
2010-02-24 22:40 . 2010-03-14 01:06 -------- d-----w- f:\documents and settings\Jeffrey\Application Data\FileZilla
2010-02-24 22:40 . 2010-02-24 22:40 -------- d-----w- f:\program files\FileZilla FTP Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 17:47 . 2009-10-18 22:21 -------- d-----w- f:\documents and settings\Jeffrey\Application Data\HPAppData
2010-03-25 17:42 . 2010-03-10 08:19 1715 ----a-w- f:\documents and settings\Jeffrey\Application Data\SAS7_000.DAT
2010-03-25 17:41 . 2009-04-19 09:15 -------- d---a-w- f:\documents and settings\All Users\Application Data\Temp
2010-03-25 09:10 . 2008-12-26 05:00 16608 ----a-w- f:\windows\gdrv.sys
2010-03-24 18:43 . 2009-02-06 02:09 -------- d-----w- f:\documents and settings\Jeffrey\Application Data\Azureus
2010-03-21 09:17 . 2009-05-10 05:37 -------- d-----w- f:\program files\Microsoft Silverlight
2010-03-21 06:42 . 2010-02-06 21:38 -------- d-----w- f:\documents and settings\Jeffrey\Application Data\Bioshock
2010-03-19 01:06 . 2009-05-09 17:25 -------- d-----w- f:\program files\Anti-Malware
2010-03-19 01:06 . 2009-05-09 17:44 5115824 ----a-w- f:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-15 12:12 . 2009-09-23 16:49 1 ----a-w- f:\documents and settings\Jeffrey\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-12 23:54 . 2008-12-26 05:01 -------- d--h--w- f:\program files\InstallShield Installation Information
2010-03-11 17:35 . 2009-09-22 03:22 -------- d-----w- f:\program files\Common Files\Real
2010-03-11 17:35 . 2009-09-22 03:22 -------- d-----w- f:\program files\Real
2010-03-11 17:34 . 2009-03-05 07:00 499712 ----a-w- f:\windows\system32\msvcp71.dll
2010-03-11 17:34 . 2009-03-05 07:00 348160 ----a-w- f:\windows\system32\msvcr71.dll
2010-03-11 04:17 . 2009-01-14 02:31 -------- d-----w- f:\program files\Common Files\Adobe
2010-03-06 19:19 . 2008-12-26 05:01 -------- d-----w- f:\program files\Common Files\InstallShield
2010-03-06 00:26 . 2009-01-04 07:41 -------- d-----w- f:\documents and settings\Jeffrey\Application Data\DAEMON Tools Lite
2010-03-06 00:15 . 2009-01-04 07:41 691696 ----a-w- f:\windows\system32\drivers\sptd.sys
2010-03-06 00:15 . 2009-01-04 07:44 -------- d-----w- f:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-03-06 00:11 . 2009-01-04 07:45 -------- d-----w- f:\documents and settings\Jeffrey\Application Data\DAEMON Tools Pro
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- f:\windows\system32\GPhotos.scr
2010-02-06 21:36 . 2010-02-06 21:36 -------- d--h--r- f:\documents and settings\Jeffrey\Application Data\SecuROM
2010-02-05 18:39 . 2010-02-05 18:39 251376 ----a-w- f:\documents and settings\Jeffrey\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-21 10:19 . 2010-01-21 10:19 152576 ----a-w- f:\documents and settings\Jeffrey\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-21 10:19 . 2010-01-21 10:19 79488 ----a-w- f:\documents and settings\Jeffrey\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-19 03:16 . 2008-12-26 05:27 1324 ----a-w- f:\windows\system32\d3d9caps.dat
2010-01-07 23:07 . 2009-05-09 17:25 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2009-05-09 17:25 19160 ----a-w- f:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2003-03-31 12:00 353792 ----a-w- f:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="f:\games\steam\steam.exe" [2010-02-23 1217872]
"Google Update"="f:\documents and settings\Jeffrey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-09 135664]
"DAEMON Tools Lite"="f:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSI"="f:\program files\SSI\ssi" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"JMB36X IDE Setup"="f:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="f:\windows\System32\xRaidSetup.exe" [2007-11-19 1966080]
"StartCCC"="f:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-09-23 149280]
"HP Software Update"="f:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"QuickTime Task"="f:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"SSBkgdUpdate"="f:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="f:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="f:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"DNS7reminder"="f:\program files\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"TkBellExe"="f:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-11 202256]
"UpgrdModDragon"="f:\program files\naturallyspeaking10\program\upgrdmod16\mrecmrec10.10.000.078.exe" [2010-03-18 163840]
"WindowsRnpsoplugin"="f:\program files\openoffice.org 3\program\toolssoffice2.6.1.exe" [2010-03-18 163840]
"QuickTimeQuickTimeResources"="f:\program files\quicktime\qtsystem\quicktimempeg.resources\ko.lproj\quicktimequicktimeresources.exe" [2010-03-18 163840]
"WindowsRDBGHELP"="f:\program files\openoffice.org 3\program\toolssoffice2.6.1.exe" [2010-03-18 163840]
"SAPISVR5System"="f:\program files\common files\microsoft shared\speech\sapi5sapisvr5.exe" [2010-03-18 163840]
"setup7InstallShield"="f:\program files\installshield installation information\{3a1b5d40-41e9-43fa-8c7b-a8667f5586ef}\setupinstallshield.exe" [2010-03-18 163840]
"setup7Setup"="f:\program files\installshield installation information\{3a1b5d40-41e9-43fa-8c7b-a8667f5586ef}\setupinstallshield.exe" [2010-03-18 163840]
"SystemOperating"="f:\program files\common files\microsoft shared\speech\sapi5sapisvr5.exe" [2010-03-18 163840]
"DAO360Microsoft"="f:\program files\common files\microsoft shared\dao\microsoftdao360.exe" [2010-03-18 163840]
"mrecMREC"="f:\program files\naturallyspeaking10\program\upgrdmod16\mrecmrec10.10.000.078.exe" [2010-03-18 163840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="f:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

f:\documents and settings\Jeffrey\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - f:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - f:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Games\\Steam\\steam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"f:\\Program Files\\SopCast\\SopCast.exe"=
"f:\\Program Files\\Vuze\\Azureus.exe"=
"f:\\Games\\Steam\\steamapps\\j2fcm\\team fortress 2\\hl2.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"f:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"f:\\Games\\DEMIGOD\\Stardock Games\\Demigod\\bin\\Demigod.exe"=
"f:\\Documents and Settings\\Jeffrey\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"f:\\Documents and Settings\\Jeffrey\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"f:\\Games\\Dragon Age\\bin_ship\\daorigins.exe"=
"f:\\Games\\Dragon Age\\DAOriginsLauncher.exe"=
"f:\\Games\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"f:\\Games\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"f:\\Games\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R2 GEST Service;GEST Service for program management.;f:\program files\GIGABYTE\EnergySaver\GSvr.exe [12/25/2008 10:01 PM 68136]
S0 sptd;sptd;f:\windows\system32\drivers\sptd.sys [1/4/2009 12:41 AM 691696]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;f:\games\Dragon Age\bin_ship\daupdatersvc.service.exe [12/17/2009 12:26 AM 25832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-25 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1580436667-725345543-1003Core.job
- f:\documents and settings\Jeffrey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-09 19:06]

2010-03-25 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1580436667-725345543-1003UA.job
- f:\documents and settings\Jeffrey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-09 19:06]

2010-03-25 f:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1078081533-1580436667-725345543-1003.job
- f:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-03-25 f:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1078081533-1580436667-725345543-1003.job
- f:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-03-25 f:\windows\Tasks\User_Feed_Synchronization-{58754FE3-3D00-4C15-8592-145362416E93}.job
- f:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

2010-03-25 f:\windows\Tasks\WGASetup.job
- f:\windows\system32\KB905474\wgasetup.exe [2009-04-01 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - f:\windows\system32\GPhotos.scr/200
FF - ProfilePath - f:\documents and settings\Jeffrey\Application Data\Mozilla\Firefox\Profiles\kszwx1ee.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.coolminiornot.com/
FF - plugin: c:\program files\plugins\npmozax.dll
FF - plugin: c:\program files\plugins\npsnapfish.dll
FF - plugin: c:\program files\plugins\npunagi2.dll
FF - plugin: c:\program files\plugins\npwachk.dll
FF - plugin: f:\documents and settings\Jeffrey\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: f:\documents and settings\Jeffrey\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: f:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\greprefs\all.js - pref("html5.enable", false);
c:\program files\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Desktop Security 2010 - f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\Desktop Security 2010.exe
AddRemove-Desktop Security 2010 - f:\documents and settings\Jeffrey\Application Data\Desktop Security 2010\securityhelper.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-25 14:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1580436667-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:61,1b,29,a7,b2,f3,e1,77,12,83,81,81,a5,82,15,96,7c,47,ef,a4,c2,24,33,
71,b3,75,77,9d,dc,92,ea,d8,d6,71,e7,e8,cc,43,1d,d9,fd,60,ee,69,da,cc,3f,22,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
f:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-03-25 14:13:42
ComboFix-quarantined-files.txt 2010-03-25 21:13
ComboFix2.txt 2010-03-25 09:20
ComboFix3.txt 2009-05-15 23:29
ComboFix4.txt 2009-05-13 13:22

Pre-Run: 393,466,073,088 bytes free
Post-Run: 393,478,172,672 bytes free

- - End Of File - - DCA57C29F98AE5BED83F1EF949F6F156


#12 Noviciate

  • Malware Response Team

Posted 25 March 2010 - 04:29 PM

QUOTE
I could try a restart now to see if virus will start up.
That would be a good idea. Let me know how you get on.

So long, and thanks for all the fish.

#13 J2FcM

  • Topic Starter
  • Members

Posted 25 March 2010 - 04:47 PM

Well - restart seems fine. Nothing has popped up FOR ONCE!... but in my start menu I still have Desktop Security showing up:

Start>All Programs>Desktop Security 2010

Haven't run Rkill yet either.

#14 Noviciate

  • Malware Response Team

Posted 25 March 2010 - 06:56 PM

Right click the entry and select Delete.

So long, and thanks for all the fish.

#15 J2FcM

  • Topic Starter
  • Members

Posted 25 March 2010 - 07:56 PM

A delete, and ahhhh, delete. Thank you very, very, VERY much for the assistance! I'll run Malware for fun later this evening, but otherwise I'll foolishly assume everything's good to go for now!
