

Not quite removed wwwmen32.exe


This topic is locked
7 replies to this topic

#1 Qwerky


Posted 14 April 2010 - 07:54 AM

Hi

I believe I have a really nasty rootkit infection on my computer.

So far I've run a HijackThis analysis and fixed the things that stood out to my semi-tech eyes. One of which was wwwmen32.exe, which I googled; it said it was a 4-day-old rootkit.
I've run a complete scan with SUPERAntiSpyware that found a heap of stuff, among it another rootkit infection.
I deleted the findings, which surprises me I have at all, because I have a fully updated
Panda Antivirus 2008 Internet Security solution installed.
All this has so far been done in secure mode in Vista.

But my computer still persists in not allowing me to start Task Manager (in non-secure mode), and if I want to start a full scan in Panda it scans a single file and says it has completed the scan.
When my computer boots to Windows I get a pop-up in the corner that says the Security Center is disabled, and I can't enable it.
I also get a pop-up every time most of the services have managed to boot in Windows that states that the "internet resident proxy" has stopped working.
Then if I try to use the computer, most of the time it ends up freezing and showing a BSOD.

It might be RECYCLER, because I've been moving stuff back and forth between my laptop and desktop with a flash drive, and Panda on my laptop just told me that it stopped H:\RECYCLER\autorun.exe from running.

Help would be greatly appreciated!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Andrew at 14:08:57,86 on 14-04-2010
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.45.1030.18.3325.2016 [GMT 2:00]

AV: Panda Internet Security 2008 *On-access scanning enabled* (Updated) {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}
SP: Panda Internet Security 2008 *enabled* (Updated) {FE6602D3-1E71-4EBB-B4E3-D1C9CBDAF0A1}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: Panda Internet Security 2008 *enabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Panda Security\Panda Internet Security 2008\PskSvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrvx86.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\Explorer.EXE
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\apvxdwin.exe
C:\Windows\System32\khalmnpr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\ituneshelper.exe
C:\Windows\system32\IoctlSvc.exe
C:\Program Files\LG Soft India\fortePivot\bin\fortePivot.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\system32\PSIService.exe
c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\program files\adobe\acrobat 9.0\acrobat\acrotray .exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
M:\virus\Defogger.exe
M:\virus\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mDefault_Page_URL = hxxp://www.aldi.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Taskman=c:\recycler\s-1-5-21-0631751806-0862793667-128441918-5579\mgrls32.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Hjælp til tilmelding til Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
mRun: [APVXDWIN] "c:\program files\panda security\panda internet security 2008\APVXDWIN.EXE" /s
mRun: [SCANINICIO] "c:\program files\panda security\panda internet security 2008\Inicio.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
dRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\fortep~1.lnk - c:\program files\lg soft india\fortepivot\bin\fortePivot.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&ksporter til Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: c:\program files\panda security\panda internet security 2008\pavlsp.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avldr - avldr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\wz3xex8d.default\
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\users\andrew\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".dk");

============= SERVICES / DRIVERS ===============

R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2009-4-7 71608]
R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [2009-4-7 51256]
R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [2009-4-7 21816]
R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [2009-4-7 191672]
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2009-4-7 132664]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2009-4-7 38968]
R1 SMSFLT;SMS Filter Plugin;c:\windows\system32\drivers\smsflt.sys [2009-4-7 37304]
R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [2009-4-7 30648]
R2 AmFSM;AmFSM;c:\windows\system32\drivers\amm8660.sys [2009-4-7 46648]
R2 ComFiltr;Panda Anti-Dialer;c:\windows\system32\drivers\COMFiltr.sys [2009-4-7 13880]
R2 cpoint;Panda CPoint Driver;c:\windows\system32\drivers\cpoint.sys [2009-4-7 24760]
R2 IAANTMON;Intel® Matrix Storage Event Monitor;c:\program files\intel\intel matrix storage manager\IAANTmon.exe [2008-10-31 358936]
R2 Panda Software Controller;Panda Software Controller;c:\program files\panda security\panda internet security 2008\PsCtrlS.exe [2009-4-7 169264]
R2 PAVFNSVR;Panda Function Service;c:\program files\panda security\panda internet security 2008\PAVFNSVR.EXE [2009-4-7 173360]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2009-4-7 178872]
R2 PavPrSrv;Panda Process Protection Service;c:\program files\common files\panda software\pavshld\PavPrSrv.exe [2009-4-7 63024]
R2 PAVSRV;Panda anti-virus service;c:\program files\panda security\panda internet security 2008\pavsrvx86.exe [2009-4-7 165680]
R2 PskSvcRetail;Panda PSK service;c:\program files\panda security\panda internet security 2008\psksvc.exe [2009-4-7 27696]
R3 NETIMFLT01050097;PANDA NDIS IM Filter Miniport v1.5.0.97;c:\windows\system32\drivers\netimflt.sys [2009-4-7 143160]
R3 NxpCap;CTX capture service;c:\windows\system32\drivers\NxpCap.sys [2008-10-25 1332576]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2008-10-31 13976]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-4-7 101248]
S3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2007-4-12 34136]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2009-9-10 552448]

============== File Associations ===============

JSEFile=c:\progra~1\pandas~1\pandai~1\PAVSCRIP.EXE "%1" %*
VBEFile=c:\progra~1\pandas~1\pandai~1\PAVSCRIP.EXE "%1" %*
VBSFile=c:\progra~1\pandas~1\pandai~1\PAVSCRIP.EXE "%1" %*

=============== Created Last 30 ================

2010-04-14 12:08:35 0 ----a-w- c:\users\andrew\defogger_reenable
2010-04-14 07:33:57 0 d-----w- c:\users\andrew\appdata\roaming\SUPERAntiSpyware.com
2010-04-14 07:33:57 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-14 05:49:46 4 ----a-w- c:\program files\453463.dat
2010-04-13 19:48:37 29696 ----a-w- c:\windows\system32\PRAGMAqfvibxjirw.dll
2010-04-13 19:48:37 143 ----a-w- c:\windows\system32\PRAGMAgnvmicfynb.dat
2010-04-13 19:48:37 0 d-----w- c:\windows\PRAGMAuybenxxwor
2010-04-13 19:47:23 31232 ----a-w- c:\windows\system32\khalmnpr.exe.delme138
2010-04-13 19:47:23 31232 ----a-w- c:\windows\system32\khalmnpr.exe
2010-04-13 19:47:19 12 ----a-w- c:\users\andrew\appdata\roaming\ypgmjw.dat
2010-04-13 19:46:51 4 ----a-w- c:\users\andrew\appdata\roaming\avdrn.dat
2010-04-13 19:46:39 0 d-----w- c:\users\andrew\appdata\roaming\CAF1323C1C755F196ED56F62228C8C84
2010-04-07 12:19:10 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-04-07 12:19:10 112128 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2010-04-07 12:19:10 102912 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-04-07 12:19:10 101248 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2010-04-07 12:18:33 0 d-----w- c:\program files\Mobile Partner

==================== Find3M ====================

2010-04-14 12:01:41 76996 ----a-w- c:\windows\system32\perfc006.dat
2010-04-14 12:01:41 463106 ----a-w- c:\windows\system32\perfh006.dat
2010-04-14 11:37:06 324756 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT.bck
2010-04-14 11:37:06 324756 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT
2010-04-14 11:37:06 1264 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG.bck
2010-04-14 11:37:06 1264 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG
2010-04-07 12:19:10 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-07 12:19:10 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-07 12:19:10 143360 ----a-w- c:\windows\inf\infstrng.dat
2008-10-31 00:15:05 36364 ----a-w- c:\windows\inf\perflib\0406\perfd.dat
2008-10-31 00:15:05 36364 ----a-w- c:\windows\inf\perflib\0406\perfc.dat
2008-10-31 00:15:05 300302 ----a-w- c:\windows\inf\perflib\0406\perfi.dat
2008-10-31 00:15:05 300302 ----a-w- c:\windows\inf\perflib\0406\perfh.dat
2008-10-29 12:15:28 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-08-28 22:01:59 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-08-28 22:01:59 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-08-28 22:01:59 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-07-06 23:03:54 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-07-06 23:03:54 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-07-06 23:03:54 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-07-06 23:03:54 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-04 20:23:13 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-10-29 12:08:48 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 14:09:50,36 ===============
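The DDS "Pseudo HJT Report" above carries the indicators a helper keys on: a Winlogon Taskman value pointing into a RECYCLER folder (a Task Manager replacement, which explains why Task Manager will not open), DisableTaskMgr and EnableLUA policies that hide the same tampering, and autorun binaries whose names carry a space before the .exe extension. The script below is an added example written for this page, not part of the original post and not a DDS or ComboFix component; it scans report lines in that format and labels each indicator. The sample input is constructed from lines copied out of the log above plus two clean lines for contrast, and the rule names are the script's own.

```python
"""Flag persistence and policy-tampering indicators in DDS 'Pseudo HJT Report' lines."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log in the post above,
# plus the APVXDWIN and iTunesHelper entries, which should produce no findings.
SAMPLE_DDS = r"""
mWinlogon: Taskman=c:\recycler\s-1-5-21-0631751806-0862793667-128441918-5579\mgrls32.exe
mRun: [APVXDWIN] "c:\program files\panda security\panda internet security 2008\APVXDWIN.EXE" /s
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
"""

# Whitespace immediately before an executable extension: installers never name
# binaries this way, and DDS prints the path exactly as the registry holds it.
SPACED_EXT = re.compile(r'\S[ \t]+\.(?:exe|dll|scr|com)\b', re.IGNORECASE)

# uPolicies/mPolicies lines look like:  mPolicies-system: DisableTaskMgr = 1 (0x1)
POLICY = re.compile(r'^[um]Policies-system:\s*(\w+)\s*=\s*(\d+)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str   # rule name assigned by this script
    line: str   # the report line that triggered it


def scan_dds(report: str) -> list[Finding]:
    """Return one Finding per (rule, line) pair; a line may trigger several rules."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        # Winlogon\Taskman is empty on a healthy system; any value replaces Task Manager.
        if low.startswith('mwinlogon:') and 'taskman=' in low:
            findings.append(Finding('winlogon_taskman', line))

        # Nothing legitimate launches from a RECYCLER folder.
        if '\\recycler\\' in low:
            findings.append(Finding('recycler_path', line))

        if SPACED_EXT.search(line):
            findings.append(Finding('spaced_extension', line))

        m = POLICY.match(line)
        if m:
            name, value = m.group(1).lower(), int(m.group(2))
            if name == 'disabletaskmgr' and value == 1:
                findings.append(Finding('taskmgr_disabled', line))
            elif name == 'enablelua' and value == 0:
                findings.append(Finding('uac_disabled', line))
    return findings


def rules_triggered(report: str) -> set[str]:
    """Distinct rule names hit by a report; useful for a quick triage verdict."""
    return {f.rule for f in scan_dds(report)}


if __name__ == '__main__':
    for f in scan_dds(SAMPLE_DDS):
        print(f'{f.rule:18} {f.line}')
```

Run it against a full DDS.txt by passing the file contents to `scan_dds`; the two DisableTaskMgr hits (user and machine policy) appear separately because both keys have to be cleared for Task Manager to come back.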

Attached Files





#2 Jat90


Posted 18 April 2010 - 05:49 AM

Hello, Qwerky

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Looks like a rootkit, which means it may have backdoor capabilities:

Backdoor Threat

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 Qwerky


Posted 19 April 2010 - 11:54 AM

Hi Jat

I'd like to try and clean it up as much as possible, so I can save the files I need and then reformat the whole thing.

#4 Jat90


Posted 19 April 2010 - 03:55 PM

That's ok,

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 Qwerky


Posted 21 April 2010 - 07:49 AM

Hi Jat

I can't open the file. It says "You've tried a void action on a value in the registry database, which has been flagged for deletion" (I've translated it because I don't think you read Danish).
But maybe that's just normal? Thought I'd let you know.

Attached Files



#6 Jat90


Posted 21 April 2010 - 06:46 PM

Hello,

Just for future reference, could you paste the log instead of attaching it? It just makes it easier to analyse.

CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
Killall::

Driver::
SASDIFSV
SASKUTIL
SASENUM

RenV::
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Microsoft LifeCam\lifeexp .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe

File::
c:\users\Andrew\AppData\Roaming\ypgmjw.dat
c:\users\Andrew\AppData\Roaming\CAF1323C1C755F196ED56F62228C8C84\appreg70700.exe
c:\windows\PRAGMAuybenxxwor
c:\users\Andrew\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS
c:\users\Andrew\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.sys
c:\users\Andrew\AppData\Local\Temp\SAS_SelfExtract\SASENUM.SYS

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
"AdobeCS4ServiceManager"=-
"Acrobat Assistant 8.0"=-
"SunJavaUpdateSched"=-
"iTunesHelper"=-
"LifeCam"=-

Reglock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#7 Qwerky


Posted 21 April 2010 - 07:26 PM

Sure thing. I had just read it as if you wanted it attached.

ComboFix 10-04-19.05 - Andrew 22-04-2010 2:04.2.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.45.1030.18.3325.2275 [GMT 2:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\users\Andrew\Desktop\CFScript.txt
AV: Panda Internet Security 2008 *On-access scanning disabled* (Outdated) {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}
FW: Panda Internet Security 2008 *disabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}
SP: Panda Internet Security 2008 *disabled* (Outdated) {FE6602D3-1E71-4EBB-B4E3-D1C9CBDAF0A1}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Andrew\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS"
"c:\users\Andrew\AppData\Local\Temp\SAS_SelfExtract\SASENUM.SYS"
"c:\users\Andrew\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.sys"
"c:\users\Andrew\AppData\Roaming\CAF1323C1C755F196ED56F62228C8C84\appreg70700.exe"
"c:\users\Andrew\AppData\Roaming\ypgmjw.dat"
"c:\windows\PRAGMAuybenxxwor"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Andrew\AppData\Roaming\CAF1323C1C755F196ED56F62228C8C84\appreg70700.exe
c:\users\Andrew\AppData\Roaming\ypgmjw.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SASDIFSV
-------\Legacy_SASKUTIL
-------\Service_SASDIFSV
-------\Service_SASENUM
-------\Service_SASKUTIL


((((((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))))))
.

2010-04-22 00:11 . 2010-04-22 00:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-22 00:11 . 2010-04-22 00:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-21 10:54 . 2010-04-22 00:13 -------- d-----w- c:\users\Andrew\AppData\Local\temp
2010-04-14 07:33 . 2010-04-14 07:33 -------- d-----w- c:\users\Andrew\AppData\Roaming\SUPERAntiSpyware.com
2010-04-14 05:49 . 2010-04-14 05:49 4 ----a-w- c:\program files\453463.dat
2010-04-13 19:46 . 2010-04-22 00:10 -------- d-----w- c:\users\Andrew\AppData\Roaming\CAF1323C1C755F196ED56F62228C8C84
2010-04-08 11:12 . 2010-04-09 14:12 -------- d-----w- c:\users\Andrew\AppData\Roaming\vlc
2010-04-07 12:19 . 2009-09-10 12:55 102912 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-04-07 12:19 . 2009-07-24 13:51 101248 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2010-04-07 12:19 . 2009-06-22 18:01 112128 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2010-04-07 12:19 . 2007-08-09 02:06 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-04-07 12:18 . 2010-04-07 12:20 -------- d-----w- c:\program files\Mobile Partner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-22 00:14 . 2009-04-07 12:30 322584 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT.bck
2010-04-22 00:14 . 2009-04-07 12:30 1264 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG.bck
2010-04-22 00:14 . 2009-04-07 11:45 322584 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT
2010-04-22 00:14 . 2009-04-07 11:45 1264 ----a-w- c:\windows\system32\drivers\APPFLTR.CFG
2010-04-22 00:13 . 2009-04-07 10:26 -------- d-----w- c:\users\Andrew\AppData\Roaming\uTorrent
2010-04-22 00:04 . 2009-11-23 08:40 -------- d-----w- c:\program files\Microsoft LifeCam
2010-04-22 00:04 . 2009-10-23 13:23 -------- d-----w- c:\program files\iTunes
2010-04-22 00:04 . 2009-09-10 14:28 -------- d-----w- c:\program files\QuickTime
2010-04-21 17:03 . 2008-10-31 00:15 76996 ----a-w- c:\windows\system32\perfc006.dat
2010-04-21 17:03 . 2008-10-31 00:15 463106 ----a-w- c:\windows\system32\perfh006.dat
2010-04-21 10:31 . 2008-01-21 02:24 11776 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-04-14 11:34 . 2009-04-07 10:07 -------- d-----w- c:\users\Andrew\AppData\Roaming\InstallShield
2010-04-14 11:30 . 2008-10-31 08:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-08 11:12 . 2009-05-03 01:47 -------- d-----w- c:\users\Andrew\AppData\Roaming\dvdcss
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-10-29 12:08 . 2008-10-29 12:01 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
CODE
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe


((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-09-15 288560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APVXDWIN"="c:\program files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" [2007-11-23 406832]
"SCANINICIO"="c:\program files\Panda Security\Panda Internet Security 2008\Inicio.exe" [2007-07-11 27952]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-18 76304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
fortePivot.lnk - c:\program files\LG Soft India\fortePivot\bin\fortePivot.exe [2009-4-30 61440]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-26 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2007-02-15 17:02 50736 ----a-w- c:\windows\System32\avldr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-07-24 101248]
R3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;c:\windows\system32\Drivers\nx6000.sys [2007-04-12 34136]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-11-07 552448]
S1 APPFLT;App Filter Plugin;c:\windows\system32\Drivers\APPFLT.SYS [2007-09-28 71608]
S1 DSAFLT;DSA Filter Plugin;c:\windows\system32\Drivers\DSAFLT.SYS [2007-05-11 51256]
S1 FNETMON;NetMon Filter Plugin;c:\windows\system32\Drivers\fnetmon.SYS [2007-11-14 21816]
S1 IDSFLT;Ids Filter Plugin;c:\windows\system32\Drivers\IDSFLT.SYS [2007-07-11 191672]
S1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\Drivers\NETFLTDI.SYS [2007-10-25 06:50 132664]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys [2007-05-23 38968]
S1 SMSFLT;SMS Filter Plugin;c:\windows\system32\Drivers\SMSFLT.SYS [2007-05-11 37304]
S1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\Drivers\WNMFLT.SYS [2007-05-11 30648]
S2 AmFSM;AmFSM;c:\windows\system32\DRIVERS\amm8660.sys [2007-09-28 46648]
S2 ComFiltr;Panda Anti-Dialer;c:\windows\system32\DRIVERS\COMFiltr.sys [2009-04-07 13880]
S2 cpoint;Panda CPoint Driver;c:\windows\system32\Drivers\cpoint.sys [2007-06-08 24760]
S2 PavProc;Panda Process Protection Driver;c:\windows\system32\DRIVERS\PavProc.sys [2007-07-12 178872]
S2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Internet Security 2008\PskSvc.exe [2007-03-21 27696]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys [x]
S3 NETIMFLT01050097;PANDA NDIS IM Filter Miniport v1.5.0.97;c:\windows\system32\DRIVERS\netimflt.sys [2007-11-19 143160]
S3 NxpCap;CTX capture service;c:\windows\system32\DRIVERS\NxpCap.sys [2008-09-25 1332576]
S3 PavSRK.sys;PavSRK.sys;c:\windows\system32\PavSRK.sys [x]
S3 PavTPK.sys;PavTPK.sys;c:\windows\system32\PavTPK.sys [x]
S3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2006-11-17 13976]

.
Indhold af mappen 'Planlagte Opgaver'

2010-04-22 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-07-26 07:55]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3248185949-1450468785-2061738612-1000Core.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-08 16:08]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3248185949-1450468785-2061738612-1000UA.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-08 16:08]

2010-04-22 c:\windows\Tasks\User_Feed_Synchronization-{A8EF96A0-B738-4F81-8A9F-586061A8C470}.job
- c:\windows\system32\msfeedssync.exe [2009-08-14 20:13]
.
.
------- Yderligere scanning -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
LSP: c:\program files\Panda Security\Panda Internet Security 2008\pavlsp.dll
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\wz3xex8d.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\users\Andrew\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLITIKKER ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".dk");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-22 02:13
Windows 6.0.6001 Service Pack 1 NTFS

scanner skjulte processer ...

scanner skjulte autostarter ...

scanner skjulte filer ...

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTRERINGS NØGLER ---------------------

[HKEY_USERS\S-1-5-21-3248185949-1450468785-2061738612-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:62,63,d3,73,b8,84,af,25,eb,5b,f6,db,31,84,e1,8f,78,c0,39,89,88,85,ee,
28,ac,ba,b2,6a,f3,c7,01,16,cb,f9,33,c5,83,17,ae,aa,18,cd,16,9b,1a,9f,5c,d5,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
--------------------- DLLs startet under kørende Processer ---------------------

- - - - - - - > 'Explorer.exe'(7516)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\LG Soft India\fortePivot\bin\MSGHOOK.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Andre kørende processer ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Panda Security\Panda Internet Security 2008\pavsrvx86.exe
c:\program files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
c:\program files\Panda Security\Panda Internet Security 2008\TPSrv.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
c:\program files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
c:\program files\Common Files\Panda Software\PavShld\pavprsrv.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
c:\windows\system32\PSIService.exe
c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
c:\program files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
c:\program files\Cyberlink\Shared files\RichVideo.exe
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\windows\system32\conime.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Gennemført tid: 2010-04-22 02:20:23 - maskinen blev genstartet
ComboFix-quarantined-files.txt 2010-04-22 00:20
ComboFix2.txt 2010-04-21 10:54

Pre-Kørsel: 655.475.544.064 byte ledig
Post-Kørsel: 655.337.414.656 byte ledig

- - End Of File - - 56D8F502686543D248263C7C872A9CDC


#8 Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:09:47 AM

Posted 22 April 2010 - 05:49 AM

CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by Jat90, 22 April 2010 - 05:50 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.





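The QuickTime entries that ComboFix prints in its CODE box, and that the CFScript above lists under RenV::, all share one trait: the file name is padded with spaces between the stem and the .exe extension, so each one reads as qttask.exe in a directory listing or startup view. The script below is an added example, not part of this thread and not ComboFix's own code, showing how a responder can flag that pattern in any list of Windows paths and collapse the variants onto the name they resemble. The sample path lines and the padding widths are constructed for illustration (they mirror the log's entries but are not copied from a live system); the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample of ComboFix-style path lines, modelled on the padded
# qttask entries in the log above. These are illustrative assumptions,
# not paths taken from a real machine.
SAMPLE_LINES = [
    r"c:\program files\QuickTime\qttask" + " " * 11 + ".exe",
    r"c:\program files\QuickTime\qttask" + " " * 2 + ".exe",
    r"c:\program files\QuickTime\qttask.exe",       # the genuine neighbour
    r"c:\windows\system32\svchost.exe",
    r"c:\users\Public\report" + " " * 3 + ".pdf",   # same trick, other extension
    r"c:\windows\system32\calc.exe",
    "",                                             # blank lines are skipped
]

# Whitespace sitting between the file stem and its final extension.
PADDED_EXT_RE = re.compile(r"([ \t]+)(\.[A-Za-z0-9]{1,4})$")


def basename(path: str) -> str:
    """Last component of a Windows path (either separator)."""
    return re.split(r"[\\/]", path.rstrip("\r\n"))[-1]


def padding_width(path: str) -> int:
    """Number of whitespace characters padded before the extension, 0 if none."""
    m = PADDED_EXT_RE.search(basename(path))
    return len(m.group(1)) if m else 0


def impersonated_name(path: str) -> str:
    """The file name the padded entry resembles once the padding is removed."""
    return PADDED_EXT_RE.sub(r"\2", basename(path))


def find_padded(lines):
    """Return (path, padding_width, impersonated_name) for each padded entry."""
    hits = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        width = padding_width(line)
        if width:
            hits.append((line, width, impersonated_name(line)))
    return hits


def impersonation_counts(lines):
    """How many padded variants collapse onto each legitimate-looking name."""
    return Counter(name.lower() for _, _, name in find_padded(lines))


if __name__ == "__main__":
    for path, width, looks_like in find_padded(SAMPLE_LINES):
        print(f"{width:2d} pad chars  {path!r}  looks like {looks_like}")
    print(dict(impersonation_counts(SAMPLE_LINES)))
```

A name with spaces before the extension is a legal NTFS name, which is why it survives on disk, but it is not the file the Run key or shortcut appears to point at. Feeding a full directory listing or an autostart dump through find_padded gives a quick triage list; when several variants collapse onto the same legitimate name, as nine of them do onto qttask.exe in the log, that is the cluster to quarantine and hash first.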