Computer Infected!


  • This topic is locked
41 replies to this topic

#31 DiCanio
  • Topic Starter
  • Members
  • 70 posts

Posted 15 April 2010 - 04:01 PM

http://findsearchseek.com/jump2/?affiliate...amp;subid=97190

That popped up randomly. I never had popups before, so I'm a bit confused. But again, if you see no problems with my computer right now, I'll gladly deal with this "problem." The popups are rare and not very annoying, so I really don't mind at all unless they're harmful in any way.

EDIT: Just got like 20 virus notifications. One of them says: Malicious code found in file C:\WINDOWS\system32\drivers\intelppm.sys. Infection: Rootkit.Win32.TDSS.ap. Action: none.

Another said: Malicious code found in computer. Infection: Rootkit. Win32.TDSS. Action: The scanner was unable to remove the infection.

And they keep coming...

Edited by DiCanio, 15 April 2010 - 09:00 PM.



#32 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 16 April 2010 - 06:27 AM

Hi,

No, if you are getting popups, there is something still off, I would think. You are currently not getting redirected on google and such?
Please run a new script with ComboFix:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

    TDL::
    C:\WINDOWS\system32\drivers\intelppm.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

If ComboFix wants to update, please let it do so. Let me know if the Popups persist after running the script.
regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#33 DiCanio
  • Topic Starter
  • Members
  • 70 posts

Posted 16 April 2010 - 10:36 AM

ComboFix 10-04-15.05 - 100350691 16/04/2010 11:28:44.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1344 [GMT -4:00]
Running from: d:\my documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\100350691\Desktop\CFScript.txt
AV: F-Secure Client Security 8.01 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-16 01:55 . 2010-04-16 01:55 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-04-15 20:14 . 2010-04-15 20:14 503808 ----a-w- c:\documents and settings\100350691\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4dab874e-n\msvcp71.dll
2010-04-15 20:14 . 2010-04-15 20:14 499712 ----a-w- c:\documents and settings\100350691\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4dab874e-n\jmc.dll
2010-04-15 20:14 . 2010-04-15 20:14 348160 ----a-w- c:\documents and settings\100350691\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4dab874e-n\msvcr71.dll
2010-04-15 20:14 . 2010-04-15 20:14 -------- d-----w- c:\program files\Common Files\Java
2010-04-15 20:14 . 2010-04-15 20:14 61440 ----a-w- c:\documents and settings\100350691\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e3b1088-n\decora-sse.dll
2010-04-15 20:14 . 2010-04-15 20:14 12800 ----a-w- c:\documents and settings\100350691\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e3b1088-n\decora-d3d.dll
2010-04-15 20:14 . 2010-04-15 20:14 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-15 20:14 . 2010-04-15 20:14 -------- d-----w- c:\program files\Java
2010-04-14 22:35 . 2010-04-14 22:35 -------- d-----w- c:\program files\ESET
2010-04-14 18:34 . 2008-08-08 20:04 17968 ----a-r- c:\windows\system32\drivers\vmscsi_2.sys
2010-04-12 23:41 . 2010-04-12 23:38 77312 ----a-w- C:\mbr.exe
2010-04-08 01:27 . 2010-04-08 01:27 -------- d-----w- c:\program files\Trend Micro
2010-04-06 17:24 . 2008-04-13 17:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-06 17:24 . 2008-04-13 17:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 15:26 . 2010-01-05 03:12 -------- d-----w- c:\documents and settings\100350691\Application Data\uTorrent
2010-04-16 15:20 . 2009-06-02 17:40 -------- d-----w- c:\program files\F-Secure
2010-04-16 05:38 . 2009-04-22 16:04 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-16 02:33 . 2010-02-28 03:04 -------- d-----w- c:\program files\Songbird
2010-04-15 20:52 . 2009-12-17 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\vulScan
2010-04-15 03:54 . 2009-07-06 14:20 104023 ----a-w- c:\windows\system32\nvModes.dat
2010-04-14 20:28 . 2010-01-19 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-14 20:20 . 2010-01-05 03:13 -------- d-----w- c:\program files\uTorrent
2010-04-14 20:20 . 2010-01-05 02:53 -------- d-----w- c:\program files\Zune
2010-04-08 18:10 . 2010-01-31 04:47 -------- d-----w- c:\documents and settings\100350691\Application Data\Skype
2010-04-08 17:47 . 2010-01-18 07:02 -------- d-----w- c:\documents and settings\100350691\Application Data\skypePM
2010-04-06 17:24 . 2008-06-06 22:21 37376 ----a-w- c:\windows\system32\tpshocks.exe
2010-04-03 06:20 . 2009-06-03 18:32 646808 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-16 00:44 . 2010-03-16 00:33 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-03-07 22:12 . 2010-03-07 22:12 -------- d-----w- c:\program files\SopCast
2010-03-03 02:47 . 2010-03-03 02:42 -------- d-----w- c:\documents and settings\100350691\Application Data\Azureus
2010-03-03 02:42 . 2010-03-03 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2010-03-03 02:42 . 2010-03-03 02:42 -------- d-----w- c:\program files\Conduit
2010-02-28 02:36 . 2010-01-18 03:52 -------- d-----w- c:\program files\Winamp
2010-02-28 02:28 . 2010-02-28 02:28 -------- d-----w- c:\documents and settings\100350691\Application Data\Songbird2
2010-02-23 05:20 . 2010-01-09 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SoftwareSecure
2010-02-17 19:57 . 2009-01-16 17:34 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-18 07:02 . 2010-01-18 07:02 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-16 18:38 . 2010-01-04 20:31 48040 ----a-w- c:\documents and settings\100350691\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

c:\windows\System32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-04-14_18.45.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-16 15:28 . 2010-04-16 15:28 16384 c:\windows\Temp\Perflib_Perfdata_68c.dat
+ 2010-04-16 15:26 . 2010-04-16 15:26 16384 c:\windows\Temp\Perflib_Perfdata_428.dat
+ 2004-08-04 12:00 . 2010-04-16 15:31 75152 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-04-14 18:22 75152 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-04-16 02:09 36352 c:\windows\system32\dllcache\intelppm.sys
+ 2004-08-04 12:00 . 2010-04-16 15:31 450302 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-04-14 18:22 450302 c:\windows\system32\perfh009.dat
+ 2010-04-15 20:14 . 2010-04-15 20:14 153376 c:\windows\system32\javaws.exe
+ 2010-04-15 20:14 . 2010-04-15 20:14 145184 c:\windows\system32\javaw.exe
+ 2010-04-15 20:14 . 2010-04-15 20:14 145184 c:\windows\system32\java.exe
+ 2010-04-15 20:14 . 2010-04-15 20:14 180224 c:\windows\Installer\1bad2a.msi
+ 2010-04-15 20:14 . 2010-04-15 20:14 577536 c:\windows\Installer\1bad24.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"uTorrent"="c:\program files\uTorrent\utorrent.exe" [2010-03-11 319792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"indrerrm"="c:\windows\system32\$.indrerrm\indrerrm" [X]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-11-21 385024]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-03-17 208896]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-01-07 60704]
"TpShocks"="TpShocks.exe" [2010-04-06 37376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-05 13549568]
"nwiz"="nwiz.exe" [2008-12-05 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-05 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableStatusMessages"= 1 (0x1)
"LogonType"= 0 (0x0)
"AllowMultipleTSSessions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"NoSecurityTab"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 23:14 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
2008-08-08 20:04 364544 ----a-r- c:\windows\system32\TPSvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-182271\Scripts\Logon\0\0]
"Script"=\\oncampus.local\NETLOGON\AcademicIntegrity\stu\icon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-682003330-725345543-182271\Scripts\Logon\1\0]
"Script"=\\oncampus.local\NETLOGON\IE6SiteAddition.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Audiosrv]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDAudBus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96C-E325-11CE-BFC1-08002BE10318}]
@="[6cFgE][S??d, ?de ??d g? o?tr?l?? !!! !!! !]"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{640167b4-59b0-47a6-b335-a6b3c0695aea}]
@="Portable Media Devices"

[HKLM\~\startupfolder\C:^Documents and Settings^100350691^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\100350691\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-03-11 19:57 319792 ----a-w- c:\program files\uTorrent\utorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware Tools]
2008-08-08 20:04 92720 ----a-w- c:\program files\VMware\VMware Tools\VMwareTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware User Process]
2008-08-08 20:04 268848 ----a-w- c:\program files\VMware\VMware Tools\VMwareUser.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

R0 atiide;ATI SATA Controller IDE mode;c:\windows\system32\drivers\atiide.sys [03/06/2009 2:17 PM 3456]
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [02/06/2009 1:41 PM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [02/06/2009 1:41 PM 79936]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [14/05/2008 4:21 PM 19496]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [05/05/2008 11:50 AM 17968]
R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [23/03/2009 11:03 AM 155648]
R2 hgfs;hgfs;c:\windows\system32\drivers\hgfs.sys [11/12/2008 12:38 PM 92592]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [17/12/2009 5:58 PM 139264]
R2 LANDesk® Out-of-Band Monitor Service;LANDesk® Out-of-Band Monitor Service;c:\program files\LANDesk\LDClient\amtmon.exe [17/12/2009 5:58 PM 1044480]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [02/06/2009 1:48 PM 53248]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [17/12/2009 5:58 PM 372736]
R2 VMMEMCTL;VMware server memory controller;c:\program files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys [08/08/2008 4:04 PM 15408]
R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [18/05/2007 12:57 PM 229856]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [02/06/2009 1:40 PM 111296]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [02/06/2009 1:41 PM 55904]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [17/12/2009 5:58 PM 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [17/12/2009 5:58 PM 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [17/12/2009 5:58 PM 3712]
S2 SSIRuntimeService;SSIRuntimeService;c:\program files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe [11/09/2007 9:41 AM 45056]
S2 VMTools;VMware Tools Service;c:\program files\VMware\VMware Tools\VMwareService.exe [08/08/2008 4:04 PM 264752]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys --> c:\windows\system32\Drivers\ATSwpWDF.sys [?]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [03/06/2009 2:26 PM 243856]
S3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\VMware\VMware Tools\TPAutoConnSvc.exe [08/08/2008 4:04 PM 294912]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [05/05/2008 11:50 AM 11696]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [05/05/2008 11:50 AM 62768]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [05/05/2008 11:50 AM 34992]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [02/06/2009 1:40 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [02/06/2009 1:40 PM 25184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-16 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-06-02 14:56]

2010-03-15 c:\windows\Tasks\Scheduled task.job
- c:\progra~1\F-Secure\ANTI-V~1\fsav.exe [2009-06-02 10:51]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\100350691\Application Data\Mozilla\Firefox\Profiles\n62ky86u.default\
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-16 11:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1168)
c:\windows\system32\Ati2evxx.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\System32\hgfs.dll

- - - - - - - > 'explorer.exe'(3500)
c:\windows\system32\nview.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\nvwddi.dll
.
Completion time: 2010-04-16 11:36:02
ComboFix-quarantined-files.txt 2010-04-16 15:35
ComboFix2.txt 2010-04-14 20:54
ComboFix3.txt 2010-04-14 18:48

Pre-Run: 35,252,424,704 bytes free
Post-Run: 35,221,250,048 bytes free

- - End Of File - - 1D6E1C7CB8252B1D052802C9D71F3135
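The ComboFix log above contains several items that a helper reads by eye: a Windows system file reported missing (ctfmon.exe), a Run entry marked [X] whose target under a `$`-prefixed system32 subfolder no longer exists, the Windows Firewall switched off, and an Internet Explorer proxy pointed at 127.0.0.1:5555. As an added example, not part of this thread and not ComboFix's own code, here is a small Python triage script that applies those checks to ComboFix-style log text. The rule set is the example's own, and the sample excerpt is constructed for illustration, modelled on lines from the log above.

```python
"""Triage helper for ComboFix-style log text.

Added example (not ComboFix code, not part of the thread): scans log
lines for a handful of findings a forum helper normally picks out by
eye and reports each one together with the line that triggered it.
"""
import re

# Constructed excerpt in ComboFix's layout, modelled on the log in the thread.
SAMPLE_LOG = r"""c:\windows\System32\ctfmon.exe ... is missing !!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"indrerrm"="c:\windows\system32\$.indrerrm\indrerrm" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-05 13549568]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys --> c:\windows\system32\Drivers\ATSwpWDF.sys [?]
"""

# Each rule: (label, regex). The regex must define a group named "what"
# holding the item worth looking at. The rule set is the example's own.
RULES = [
    ("system file reported missing",
     re.compile(r"^(?P<what>.+?) \.\.\. is missing !!", re.I)),
    ("autostart entry whose file no longer exists ([X])",
     re.compile(r"^(?P<what>.+?)\s+\[X\]\s*$")),
    ("autostart target in a '$'-prefixed system32 subfolder",
     re.compile(r'^"[^"]+"="(?P<what>c:\\windows\\system32\\\$[^"]*)"', re.I)),
    ("Windows Firewall disabled",
     re.compile(r'^"(?P<what>EnableFirewall)"=\s*0\b', re.I)),
    ("Internet Explorer proxy pointing at the local machine",
     re.compile(r"ProxyServer\s*=\s*(?P<what>\S*127\.0\.0\.1:\d+)", re.I)),
    ("service whose binary could not be found ([?])",
     re.compile(r"^(?P<what>[RS]\d\s+[^;]+);.*\[\?\]\s*$")),
]


def triage(log_text):
    """Return a list of (label, item, line_number) for every rule that fires.

    One line can trigger several rules; each hit is reported separately.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for label, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append((label, match.group("what"), lineno))
    return findings


def summarize(findings):
    """Group findings by label so repeated hits of one kind read as one item."""
    grouped = {}
    for label, item, lineno in findings:
        grouped.setdefault(label, []).append((lineno, item))
    return grouped


if __name__ == "__main__":
    for label, hits in summarize(triage(SAMPLE_LOG)).items():
        print(label)
        for lineno, item in hits:
            print(f"  line {lineno}: {item}")
```

Flagged lines are starting points for review, not verdicts: the ATSwpWDF fingerprint driver is reported only because ComboFix could not find its file, and a loopback proxy is sometimes configured on purpose by local filtering software. The point of the script is to make sure none of these items is overlooked in a long log, which is exactly the kind of miss a human reader makes at line 349 of a 440-line post.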


#34 DiCanio
  • Topic Starter
  • Members
  • 70 posts

Posted 16 April 2010 - 10:39 AM

Everything seems fine right now, although like I said last night I got several (hundreds of) virus notifications from my antivirus software. I'm assuming my latest run of ComboFix fixed that?

Thanks again!

#35 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 18 April 2010 - 12:44 PM

Hi,

ComboFix is not showing that the file was fixed. Please delete the copy of gmer you've previously downloaded. Download a fresh copy of gmer from here: Main Mirror

Please run it with only the option section checked.

regards myrti



#36 DiCanio
  • Topic Starter
  • Members
  • 70 posts

Posted 18 April 2010 - 01:46 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-18 14:45:32
Windows 5.1.2600 Service Pack 3
Running: 5ssqd2qn.exe; Driver: C:\DOCUME~1\100350~1\LOCALS~1\Temp\kfwyraow.sys


---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!IoCreateDevice 805758EE 5 Bytes JMP B9D1DFCC fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8770360, 0x388D2D, 0xE8000020]

---- EOF - GMER 1.0.15 ----


#37 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 19 April 2010 - 04:00 AM

Hi,

The log is looking clean (and gmer is running now).

Does your PC still have problems? Did you get notifications from your anti virus program or popups again?

regards myrti



#38 DiCanio
  • Topic Starter
  • Members
  • 70 posts

Posted 19 April 2010 - 10:31 AM

Everything is running fantastically right now. Thank you so much, myrti!!

#39 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 19 April 2010 - 11:01 AM

Hi,

Great!

Before we get to the final step I would like you to update your java:
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)"
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Let me know if you run into any trouble doing this.

regards myrti



#40 DiCanio
  • Topic Starter
  • Members
  • 70 posts

Posted 19 April 2010 - 02:04 PM

Yeah, I got that done a couple days ago when you posted it. Looks like I'm all cleaned up then.. again, thanks so much, my computer is running like brand new right now.. I would've never thought that was possible a week ago.

#41 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 20 April 2010 - 08:31 AM

Hi,

Happy to hear that everything seems to be working!

As a final step please remove the programs we used:
Please do the following to clean up your PC:
  1. Delete the tools used during the disinfection:
  2. Uninstall ComboFix.exe and all backups of the files it deleted
    • Click START then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTC from the following mirror and save it to your desktop:
    • Double click on
    • Push the large "Cleanup" button.
    • Allow your system to reboot.
  3. If OTC failed to remove all programs from your Desktop, please delete the rest manually.
Please read this advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide resident protection and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at the HostMan hosts file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:
Have a nice day
myrti



#42 myrti (Sillyberry)
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 24 April 2010 - 04:14 PM

Since this topic appears to be resolved, I will now close it.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti





