Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijacker I think


  • This topic is locked This topic is locked
6 replies to this topic

#1 missdeeds

missdeeds

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:43 PM

Posted 01 April 2010 - 10:20 PM

Hi,

I've never posted to a forum like this before: I've tried to follow the instructions, sorry if I have done something incorrectly. I can't find the attach button for adding the other dds file. Any help would be much appreciated:



DDS (Ver_10-03-17.01) - NTFSx86
Run by missdeeds at 19:52:18.61 on 01/04/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vistaâ„¢ Home Premium 6.0.6001.1.1252.2.1033.18.1912.806 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\NCH Swift Sound\WebDictate\webdictate.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\NCH Swift Sound\WebDictate\webdictate.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Registry Mechanic\RMTray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtProc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Vuze\Azureus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\missdeeds\Downloads\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.shoptoshiba.ca/welcome
mStart Page = hxxp://www.shoptoshiba.ca/welcome
mDefault_Page_URL = hxxp://www.shoptoshiba.ca/welcome
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [TOY5KNQ8OC] c:\users\missdeeds\appdata\local\temp\Skx.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NDSTray.exe] NDSTray.exe
mRun: [cfFncEnabler.exe] cfFncEnabler.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [WebDictate] "c:\program files\nch swift sound\webdictate\webdictate.exe" -logon
dRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
dRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: NameServer = 93.188.162.113,93.188.166.97
TCP: {1713D51B-B531-4ECC-B4B7-659DD82E2784} = 93.188.162.113,93.188.166.97
TCP: {A6A2584C-6454-489A-8E6D-CF33E9421B97} = 93.188.162.113,93.188.166.97
TCP: {C75E56CB-7EA4-4531-8D78-2E5628F28590} = 93.188.162.113,93.188.166.97
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\missde~1\appdata\roaming\mozilla\firefox\profiles\tz9rgoqn.default\
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-6 114768]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-5-6 20352]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-10-15 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-10-15 234888]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-6 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-5-6 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-6 138680]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-3-7 583640]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R2 WebDictateService;Web Dictate;c:\program files\nch swift sound\webdictate\webdictate.exe [2010-3-19 552964]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-6 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-6 352920]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-4-14 51160]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-4-9 8192]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 73728]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-12 135664]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2009-5-6 937984]

=============== Created Last 30 ================

2010-03-19 15:52:43 0 d-----w- c:\program files\NCH Swift Sound
2010-03-13 04:17:50 0 d-----w- c:\program files\VSO
2010-03-11 07:17:07 0 d-----w- c:\programdata\Nero
2010-03-08 17:30:47 0 d-----w- c:\users\missde~1\appdata\roaming\Malwarebytes
2010-03-08 17:30:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-08 17:30:34 0 d-----w- c:\programdata\Malwarebytes
2010-03-08 17:30:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-08 17:30:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-08 02:51:39 0 d-----w- c:\programdata\Lavasoft
2010-03-08 02:51:39 0 d-----w- c:\program files\Lavasoft
2010-03-08 01:53:00 0 d---a-w- c:\programdata\TEMP
2010-03-08 01:52:08 1101824 begin_of_the_skype_highlighting              08 1101824      end_of_the_skype_highlighting ----a-w- c:\windows\system32\UniBox210.ocx
2010-03-08 01:52:07 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-03-08 01:52:07 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-03-08 01:52:06 506368 ----a-w- c:\windows\system32\msxml.dll
2010-03-08 01:51:58 0 d-----w- c:\program files\common files\PC Tools

==================== Find3M ====================

2010-04-02 02:40:28 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-04-02 02:33:45 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-02 02:33:45 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-27 16:24:03 86016 ----a-w- c:\windows\inf\infstor.dat
2010-03-24 17:37:38 153512 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-13 04:18:03 87608 ----a-w- c:\users\missde~1\appdata\roaming\inst.exe
2010-03-13 04:18:03 47360 ----a-w- c:\users\missde~1\appdata\roaming\pcouffin.sys
2010-01-25 12:48:34 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:48:34 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48:34 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48:06 472064 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 12:45:56 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:35:01 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35:00 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34:56 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:34:56 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:44:02 2048 ----a-w- c:\windows\system32\tzres.dll
2009-05-07 02:26:48 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 19:55:14.62 ===============




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-01 20:06:25
Windows 6.0.6001 Service Pack 1
Running: rbn5mlzl.exe; Driver: C:\Users\MISSDE~1\AppData\Local\Temp\pxrdyuow.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8498E1E8

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)




---- EOF - GMER 1.0.15 ----

Edited by Budapest, 01 April 2010 - 11:17 PM.
Moved from AII ~BP


BC AdBot (Login to Remove)

 


#2 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:03:43 AM

Posted 05 April 2010 - 05:37 PM

Hi missdeeds, and welcome to Bleeping Computer.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Post the log from ComboFix when you've accomplished that.
c18903e63196580f.gif
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 missdeeds

missdeeds
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:43 PM

Posted 09 April 2010 - 11:07 PM

Hi there,

I ran the combofix as instructed, and now, i am unable to do anything on the computer. i get the error "illegal operation attempted on a registry key that has been marked for deletion"... i'm now in a friend's computer and have no idea how to access my programs and files. please help! here's the log:


ComboFix 10-04-08.06 - missdeeds 09/04/2010 20:03:57.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.1912.1189 [GMT -7:00]
Running from: c:\users\missdeeds\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\missdeeds\AppData\Roaming\inst.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
.

2010-04-08 22:01 . 2010-04-08 22:01 -------- d-----w- c:\program files\VSO
2010-04-08 21:35 . 2010-04-08 21:35 -------- dc----w- C:\ConvertXtoDVD
2010-04-07 01:31 . 2010-04-07 01:35 -------- d-----w- c:\program files\kSolo
2010-04-02 03:34 . 2010-04-02 03:34 -------- d-----w- c:\program files\iPod
2010-04-02 03:34 . 2010-04-02 03:35 -------- d-----w- c:\program files\iTunes
2010-04-02 03:28 . 2010-04-02 03:29 -------- d-----w- c:\program files\QuickTime
2010-04-02 03:22 . 2010-04-02 03:22 -------- d-----w- c:\program files\Bonjour
2010-03-19 15:52 . 2010-03-19 15:53 -------- d-----w- c:\program files\NCH Swift Sound
2010-03-11 16:48 . 2010-03-11 16:48 -------- d-----w- c:\users\missdeeds\AppData\Roaming\Nero
2010-03-11 07:17 . 2010-03-11 07:33 -------- d-----w- c:\program files\Common Files\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 03:37 . 2009-05-07 03:14 -------- d-----w- c:\users\missdeeds\AppData\Roaming\Skype
2010-04-10 03:36 . 2009-05-07 03:15 -------- d-----w- c:\users\missdeeds\AppData\Roaming\skypePM
2010-04-10 03:16 . 2009-05-06 17:03 12 ----a-w- c:\windows\bthservsdp.dat
2010-04-10 02:58 . 2009-05-07 13:49 -------- d-----w- c:\users\missdeeds\AppData\Roaming\Azureus
2010-04-08 22:26 . 2009-05-21 21:31 -------- d-----w- c:\users\missdeeds\AppData\Roaming\Vso
2010-04-08 22:01 . 2009-05-21 21:31 47360 ----a-w- c:\users\missdeeds\AppData\Roaming\pcouffin.sys
2010-04-08 22:01 . 2009-05-21 21:31 47360 ----a-w- c:\users\missdeeds\AppData\Roaming\pcouffin.sys
2010-04-06 22:18 . 2009-05-10 18:16 6648 ----a-w- c:\users\missdeeds\AppData\Local\d3d9caps.dat
2010-04-02 03:34 . 2009-05-07 14:01 -------- d-----w- c:\program files\Common Files\Apple
2010-03-27 16:13 . 2010-03-08 02:51 -------- d-----w- c:\program files\Lavasoft
2010-03-24 17:37 . 2009-10-16 06:59 153512 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-24 17:35 . 2009-05-06 17:42 86032 ----a-w- c:\users\missdeeds\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-22 20:17 . 2009-05-07 14:05 -------- d-----w- c:\users\missdeeds\AppData\Roaming\Apple Computer
2010-03-19 15:52 . 2009-12-28 02:31 -------- d-----w- c:\users\missdeeds\AppData\Roaming\NCH Swift Sound
2010-03-08 17:30 . 2010-03-08 17:30 -------- d-----w- c:\users\missdeeds\AppData\Roaming\Malwarebytes
2010-03-08 17:30 . 2010-03-08 17:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-08 01:51 . 2010-03-08 01:51 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-04 04:38 . 2009-05-17 04:34 -------- d-----w- c:\users\missdeeds\AppData\Roaming\dvdcss
2010-02-13 00:40 . 2010-02-13 00:40 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-11 11:45 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-30 19:34 . 2009-11-29 21:30 256 ----a-w- c:\windows\system32\pool.bin
2010-01-25 12:48 . 2010-02-23 18:34 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:48 . 2010-02-23 18:34 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48 . 2010-02-23 18:34 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48 . 2010-02-23 18:34 472064 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 12:45 . 2010-02-23 18:34 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:35 . 2010-02-23 18:34 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35 . 2010-02-23 18:34 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34 . 2010-02-23 18:34 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:34 . 2010-02-23 18:34 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:44 . 2010-02-23 18:35 2048 ----a-w- c:\windows\system32\tzres.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 19:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2008-04-24 430080]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-21 24264488]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-07 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"RegistryMechanic"="c:\program files\Registry Mechanic\RMTray.exe" [2009-10-14 292824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NDSTray.exe"="NDSTray.exe" [BU]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-30 1029416]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-29 417792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2009-10-14 104408]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-08 1394000]
"WebDictate"="c:\program files\NCH Swift Sound\WebDictate\webdictate.exe" [2010-03-19 552964]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-02-18 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2008-04-24 430080]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-4-14 2979144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 135664]
R2 WebDictateService;Web Dictate;c:\program files\NCH Swift Sound\WebDictate\webdictate.exe [2010-03-19 552964]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2007-10-30 937984]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-09-28 685816]
S1 aswSP;avast! Self Protection; [x]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2007-09-01 20352]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-04-02 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 234888]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-11-24 53328]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2009-10-14 583640]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-04-15 51160]
S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [2007-04-10 8192]
S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [2008-04-25 73728]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 01:59]

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 01:59]

2010-04-09 c:\windows\Tasks\User_Feed_Synchronization-{94F674A2-6D9C-481E-AEB6-2218BB14DC56}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.shoptoshiba.ca/welcome
mStart Page = hxxp://www.shoptoshiba.ca/welcome
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
FF - ProfilePath - c:\users\missdeeds\AppData\Roaming\Mozilla\Firefox\Profiles\tz9rgoqn.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\kSolo\npAVX.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
AddRemove-Switch - c:\program files\NCH Swift Sound\Switch\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-09 20:34
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\MISSDE~1\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8458B1E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x87f16322
\Driver\ACPI -> acpi.sys @ 0x807b8d4c
\Driver\atapi -> 0x8458c1e8
\Driver\iaStor -> 0x8458b1e8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\O2Micro Flash Memory Card Driver\o2flash.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\conime.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
c:\program files\TOSHIBA\Bluetooth Toshiba Stack\TosBtProc.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-04-09 20:42:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-10 03:42

Pre-Run: 31,758,864,384 bytes free
Post-Run: 36,717,899,776 bytes free

- - End Of File - - EF26EE28F79DFBA460C58548275C47CD


#4 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:03:43 AM

Posted 10 April 2010 - 04:05 AM

Please reboot, it will be fixed... I'll check a log later...
c18903e63196580f.gif
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#5 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:03:43 AM

Posted 10 April 2010 - 10:45 AM

Hi again missdeeds and thank you for the logfile!.. smile.gif.

QUOTE(missdeeds @ Apr 10 2010, 06:07 AM) View Post
I ran the combofix as instructed, and now, i am unable to do anything on the computer. i get the error "illegal operation attempted on a registry key that has been marked for deletion"... i'm now in a friend's computer and have no idea how to access my programs and files. please help!

As I mentioned above, reboot fixes that... It's a pretty rare situation, though...

Logs look much better now... Tell me what problem persists...

Firstly,
Please re-run Gmer:
Open the program - you should see the Rootkit / Malware tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Important: Close any open programs/windows!
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

Secondly,
Please scan your computer with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

c18903e63196580f.gif
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#6 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:03:43 AM

Posted 23 April 2010 - 01:58 PM

Still with us missdeeds??.. smile.gif.
c18903e63196580f.gif
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#7 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:03:43 AM

Posted 13 May 2010 - 12:18 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
c18903e63196580f.gif
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users