Help with a Virus!!


  • This topic is locked
2 replies to this topic

#1 xochitl

  • Members
  • 1 posts

Posted 02 April 2010 - 10:32 AM

I apologise if I have posted this on the wrong forum!

Every time I turn on my computer I get a virus that takes over my security centre. If I run "rkill" then I get rid of it for the time being, yet when I turn the computer off and then on again the same thing happens!

I have tried to detect, quarantine and delete the virus with the following programs to no avail.

Malwarebytes' Anti-Malware
Avira antivirus


They are always able to detect some malware (which is something new in itself - I was not getting hit by malware so often until a couple of days ago, when this virus hit) but are not able to weed out the one that boots up every time I start the computer. Perhaps recklessly, I took the decision to use Combofix and have pasted the log below. Could anyone help me figure out what to do or advise me?

Thanks very much for your time,

Xochitl

PS When I ran Combofix it said that I was using Norton Antivirus scanning software, but I thought I had uninstalled it years ago. Any ideas why there are still traces of it on the system?

ComboFix 10-04-01.02 - Julia Flood 02/04/2010 15:53:48.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.34.3082.18.2430.1518 [GMT 1:00]
Running from: c:\users\Julia Flood\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-760066708-277424822-869293619-1001
c:\users\Julia Flood\AppData\Local\av.exe
c:\users\Julia Flood\AppData\Local\ave.exe
c:\users\Julia Flood\AppData\Local\Temp\avp32.exe
c:\users\Julia Flood\AppData\Local\Temp\smss.exe
c:\users\Julia Flood\AppData\Local\Temp\win32.exe
c:\users\Julia Flood\AppData\Roaming\sdra64.exe
c:\users\JULIAF~1\AppData\Local\Temp\avp32.exe
c:\users\JULIAF~1\AppData\Local\Temp\smss.exe
c:\users\JULIAF~1\AppData\Local\Temp\win32.exe
c:\windows\system32\erxw62.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-02 to 2010-04-02 )))))))))))))))))))))))))))))))
.

2010-04-02 15:06 . 2010-04-02 15:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-02 15:06 . 2010-04-02 15:06 -------- d-----w- c:\users\Julia Flood\AppData\Local\temp
2010-04-02 10:37 . 2010-03-09 03:28 411368 ----a-w- c:\programdata\Mozilla Firefox\plugins\npdeploytk.dll
2010-04-02 10:27 . 2010-04-02 10:27 -------- d-----w- c:\users\Julia Flood\AppData\Roaming\Your Protection
2010-04-02 10:04 . 2010-04-02 10:04 -------- d-----w- c:\windows\system32\Registry Patrol
2010-04-02 10:03 . 2010-04-02 10:14 -------- d-----w- c:\program files\Registry Patrol
2010-04-01 23:27 . 2010-04-01 23:29 -------- d-sh--w- c:\users\Julia Flood\AppData\Roaming\lowsec
2010-04-01 22:22 . 2010-04-01 22:22 -------- d--h--w- c:\windows\keyg
2010-04-01 20:16 . 2010-04-01 20:16 184320 --sha-w- c:\users\Julia Flood\AppData\Local\1360466830.dll
2010-03-28 22:05 . 2010-03-16 20:47 553480 ----a-w- c:\programdata\Mozilla Firefox\uninstall\helper.exe
2010-03-25 15:36 . 2010-03-25 15:36 -------- d-----w- c:\windows\Sun
2010-03-22 18:36 . 2010-03-22 18:36 -------- d-----w- c:\program files\Windows Portable Devices
2010-03-22 09:06 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-03-22 09:06 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-03-22 09:06 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-03-22 09:04 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2010-03-22 09:04 . 2009-10-01 01:01 33280 ----a-w- c:\windows\system32\WpdConns.dll
2010-03-22 09:04 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2010-03-22 09:04 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-03-22 09:04 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2010-03-22 09:04 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2010-03-22 09:04 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-03-22 09:04 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2010-03-22 09:04 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2010-03-22 09:04 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-03-22 09:04 . 2009-10-01 01:01 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2010-03-22 09:04 . 2009-10-01 01:01 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2010-03-22 09:04 . 2009-10-01 01:01 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2010-03-22 09:03 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-03-22 09:03 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-03-22 09:03 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-03-22 06:30 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-03-22 06:30 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-03-22 06:30 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-03-21 19:35 . 2010-03-21 19:36 -------- d-----w- c:\windows\system32\ca-ES
2010-03-21 19:35 . 2010-03-21 19:36 -------- d-----w- c:\windows\system32\eu-ES
2010-03-21 19:35 . 2010-03-21 19:36 -------- d-----w- c:\windows\system32\vi-VN
2010-03-20 20:58 . 2010-03-20 20:58 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-10 07:27 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-10 07:26 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-10 07:26 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-07 10:48 . 2010-03-08 08:41 -------- d-----w- c:\users\Julia Flood\AppData\Local\wocaoy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-02 15:06 . 2008-08-09 12:29 -------- d-----w- c:\users\Julia Flood\AppData\Roaming\skypePM
2010-04-02 14:30 . 2006-12-15 03:04 664368 ----a-w- c:\windows\system32\perfh00A.dat
2010-04-02 14:30 . 2006-12-15 03:04 128552 ----a-w- c:\windows\system32\perfc00A.dat
2010-04-02 14:26 . 2008-08-07 06:11 -------- d-----w- c:\users\Julia Flood\AppData\Roaming\Skype
2010-04-02 10:39 . 2008-08-04 19:06 -------- d-----w- c:\program files\Common Files\Java
2010-04-02 10:36 . 2008-08-04 19:06 -------- d-----w- c:\program files\Java
2010-04-01 23:40 . 2008-08-06 16:40 -------- d-----w- c:\users\Julia Flood\AppData\Roaming\Winamp
2010-03-31 20:06 . 2008-08-05 17:04 -------- d-----w- c:\users\Julia Flood\AppData\Roaming\LimeWire
2010-03-28 22:05 . 2010-03-28 22:05 -------- d-----w- c:\programdata\Mozilla Firefox
2010-03-22 18:57 . 2008-08-04 15:14 60240 ----a-w- c:\users\Julia Flood\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-22 18:36 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-22 18:26 . 2010-03-22 18:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-03-22 18:26 . 2010-03-22 18:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-03-21 19:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-03-21 19:36 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-21 19:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-03-21 19:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-03-21 19:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-03-21 19:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-03-21 19:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-03-19 07:14 . 2008-08-04 15:17 43129 ----a-w- c:\users\Julia Flood\AppData\Roaming\nvModes.dat
2010-03-16 16:33 . 2010-03-28 22:05 98304 ----a-w- c:\programdata\Mozilla Firefox\nssdbm3.dll
2010-03-16 16:33 . 2010-03-28 22:05 249856 ----a-w- c:\programdata\Mozilla Firefox\freebl3.dll
2010-03-16 16:33 . 2010-03-28 22:05 155648 ----a-w- c:\programdata\Mozilla Firefox\softokn3.dll
2010-03-10 07:31 . 2009-01-15 22:08 -------- d-----w- c:\programdata\Microsoft Help
2010-03-09 03:28 . 2008-12-14 16:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 16:13 . 2009-02-26 22:46 -------- d-----w- c:\users\Julia Flood\AppData\Roaming\Image Zone Express
2010-02-24 10:16 . 2009-10-02 20:29 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-31 06:41 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 06:41 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 06:41 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 06:41 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-21 16:20 . 2009-11-19 10:54 -------- d-----w- c:\users\Julia Flood\AppData\Roaming\Move Networks
2010-02-21 15:16 . 2010-02-21 15:16 144162 ----a-w- c:\users\Julia Flood\AppData\Roaming\Move Networks\uninstall.exe
2010-02-21 15:16 . 2009-12-18 03:27 5603776 ----a-w- c:\users\Julia Flood\AppData\Roaming\Move Networks\plugins\npqmp071706000001.dll
2010-02-21 14:48 . 2009-07-12 18:48 -------- d-----w- c:\program files\LimeWire
2010-02-08 13:27 . 2008-09-09 08:19 -------- d-----w- c:\program files\Google
2010-02-02 19:34 . 2010-02-02 19:32 -------- d-----w- c:\program files\iTunes
2010-02-02 19:32 . 2010-02-02 19:32 -------- d-----w- c:\program files\iPod
2010-02-02 19:32 . 2008-08-04 20:22 -------- d-----w- c:\program files\Common Files\Apple
2010-02-02 19:28 . 2010-02-02 19:27 -------- d-----w- c:\program files\QuickTime
2010-02-02 19:20 . 2010-02-02 19:20 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-01 19:19 . 2010-02-01 19:19 -------- d-----w- c:\users\Julia Flood\AppData\Roaming\Malwarebytes
2010-02-01 19:19 . 2010-02-01 19:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-06 15:38 . 2010-03-22 06:30 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-03-22 06:30 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-03-22 06:30 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-03-22 06:30 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"BinatoneInternetPhone"="c:\program files\Binatone Internet Phone\BinatoneInternetPhone.exe" [2007-10-16 425984]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-11-17 453120]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-17 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-17 7753728]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-17 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
"WindowsErrorHook"="c:\windows\keyg\\WindowsErrorHook.exe" [2010-04-01 339968]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2006-12-14 528384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):fa,a8,1c,28,2f,c9,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 133104]
R4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [2009-06-26 85504]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-02-17 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-02-17 108904]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-02-17 779496]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 15:10]

2010-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 15:10]

2010-04-02 c:\windows\Tasks\User_Feed_Synchronization-{A4CB5EC3-9E3B-46D8-BCE1-B33177331DBF}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://es.es.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://es.rd.yahoo.com/customize/ycomp/defaults/su/*http://es.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcpitstopAntiVirus.dll
FF - ProfilePath - c:\users\Julia Flood\AppData\Roaming\Mozilla\Firefox\Profiles\uatslbma.default\
FF - plugin: c:\progra~1\MEADCO~1\npmeadax.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\Julia Flood\AppData\Roaming\Move Networks\plugins\npqmp071706000001.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\programdata\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\programdata\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programdata\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programdata\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programdata\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programdata\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\programdata\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\programdata\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\programdata\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programdata\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programdata\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\programdata\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\programdata\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\programdata\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\programdata\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\programdata\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programdata\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\programdata\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\programdata\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\programdata\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{A9BA40A1-74F1-52BD-F431-00B15A2C8953} - c:\windows\system32\erxw62.dll
HKCU-Run-uzmde - c:\users\Julia Flood\AppData\Roaming\mauvkh.dll
HKCU-Run-ygxjtkky - c:\users\Julia Flood\AppData\Local\wocaoy\rbowsftav.exe
HKLM-Run-Acer Tour - (no file)
SharedTaskScheduler-{A9BA40A1-74F1-52BD-F431-00B15A2C8953} - c:\windows\system32\erxw62.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-02 16:06
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-02 16:10:24
ComboFix-quarantined-files.txt 2010-04-02 15:10

Pre-Run: 27.123.097.600 bytes libres
Post-Run: 27.053.355.008 bytes libres

Current=1 Default=1 Failed=0 LastKnownGood=15 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,26
- - End Of File - - 64963F591D361C26961753CA5C5A1E0E

Edited by Orange Blossom, 02 April 2010 - 11:02 AM.
Move to log forum. ~ OB



#2 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 April 2010 - 05:33 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 April 2010 - 08:24 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
