
Hijack This Log - Search link redirects


  • This topic is locked
44 replies to this topic

#1 sfono96

  • Members
  • 26 posts

Posted 01 June 2010 - 07:02 PM

Hello,

I found some malware on my computer this morning; here is the timing of events + symptoms:

TIMELINE:
1) Found that my computer was redirecting my google search links for search queries such as "microsoft excel", "microsoft defender", "trojan remover" - did not redirect for things like "ESPN", "Tahiti", etc.
2) Redirects were going to STOPZILLA and other comparedby.us
3) I downloaded Malwarebytes Anti-Malware (MBAM) and ran a search, which found "trojan.dropper", and I chose to remove it
4) After removal I restarted my system and everything appeared to be working fine - I ran a secondary MBAM scan and found nothing
5) About 1 hour after use I got the message: "Host Process for Windows Services stopped working and was closed. A problem caused the application to stop working correctly. Windows will notify you if a solution is available."
6) About 3 min later I get a message prompting me to install the latest updates from Windows
7) I decide to do that and get SP2 for Windows Vista
8) After downloading the update I started the install and restarted the computer as directed - when update 2 of 3 completed it skipped update 3 and started to restart
9) Upon restart it said that I couldn't because I was missing the ndis driver and that I needed to boot from disk and repair the computer
10) We tried this and were unsuccessful in starting up
11) My friend, through the command prompt, was able to find the driver and move it to the correct location, which allowed startup
12) Everything started up fine and SP2 finished updating 3 of 3 upon startup
13) Redirecting started again
14) "Host Process ... " message started again
15) Ran MBAM again and found nothing
16) Downloaded hijackthis 2.0.4 and have attached the following log
17) My computer is extra slow shutting down but otherwise performs normally, other than the redirects

HijackThisLog:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:31:20 PM, on 6/1/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spark\Spark.exe
C:\Program Files\WIBUKEY\Server\WkSvMgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\samf\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://projectmanagement:8000/charts/chart2.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Spark] C:\Program Files\Spark\Spark.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\samf\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Network Server.lnk = C:\Program Files\WIBUKEY\Server\WkSvMgr.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} (Diagnostics ActiveX WebControl) - http://support.microsoft.com/mats/DiagWebControl.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = go1on1.local
O17 - HKLM\Software\..\Telephony: DomainName = go1on1.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{79931430-163A-4036-8815-74643B58C62B}: Domain = go1on1.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{896BFAFD-6521-48B5-9C64-9EA47B0B7261}: Domain = go1on1.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = go1on1.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = 1on1.com,go1on1.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = go1on1.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = 1on1.com,go1on1.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = 1on1.com,go1on1.com
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DisplayLink Service (DisplayLinkService) - DisplayLink Corp. - C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: O2FLASH - O2Micro International - C:\Windows\system32\DRIVERS\o2flash.exe
O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Symantec Corporation - C:\TEMP\Clt-Inst\vpremote.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 6326 bytes

Please someone help me clean up my computer. Your assistance is GREATLY appreciated.

sfono96
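A small triage helper for HijackThis logs like the one above, as an added example that is not part of this thread or of HijackThis itself: it parses the entry lines ("O23 - Service: ...", "R1 - HKCU\... = ...") and flags the items a responder looks at first (a service whose binary is missing, an unresolved startup shortcut, a non-default hosts-file mapping, a browser proxy pointing at a loopback port). The sample lines are copied from the log in this post, plus two lines constructed for the example in HijackThis format: an R1 ProxyServer entry carrying the 127.0.0.1:5555 value that the later DDS log in this thread reports, and a hosts-file redirect; the heuristics and that R1 line shape are assumptions of this example, not tool output.

```python
"""Triage helper for HijackThis 2.0.4 logs (added example, not HijackThis code).

Parses the entry lines and applies a few conservative review heuristics. It
does not decide what to fix; it lists what deserves a human look first.
"""
import re

# One HijackThis entry: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ..."
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")

# Loopback hosts a ProxyServer value can point at (IPv4 127/8, localhost, ::1)
LOOPBACK_RE = re.compile(r"^(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost|\[?::1\]?)$", re.I)

# Hosts-file mappings that are benign on every Windows install
DEFAULT_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}

# Sample input. All lines except the last two are copied from the HijackThis
# log posted in this thread. The last two are CONSTRUCTED for this example in
# HijackThis format: an R1 ProxyServer entry carrying the value the later DDS
# log reports (http=127.0.0.1:5555), and a hosts-file redirect to an .invalid name.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://projectmanagement:8000/charts/chart2.html
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - Global Startup: VPN Client.lnk = ?
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: 127.0.0.1 www.search-redirect.invalid
"""


def parse_hjt(text):
    """Return (section, body) tuples for every entry line; the header, the
    'Running processes' paths and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def proxy_points_to_loopback(value):
    """value is the text after 'ProxyServer = ', e.g. 'http=127.0.0.1:5555' or
    'proxy.corp.example:8080;https=[::1]:3128'. A proxy on a loopback port of a
    single-user PC means a local process sits between the browser and the
    network, which is how search-result redirects are commonly implemented;
    the fix is finding that process, not only clearing the setting."""
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        hostport = item.split("=", 1)[1] if "=" in item else item
        if hostport.startswith("[") and "]" in hostport:      # bracketed IPv6 with port
            host = hostport[: hostport.index("]") + 1]
        else:                                                # host, host:port or bare ::1
            host = hostport.rsplit(":", 1)[0] if hostport.count(":") == 1 else hostport
        if LOOPBACK_RE.match(host):
            return True
    return False


def triage(entries):
    """Apply the review heuristics; returns (section, body, reason) tuples in
    log order. Absence from this list is not a clean bill of health."""
    findings = []
    for section, body in entries:
        if section == "O23" and body.endswith("(file missing)"):
            findings.append((section, body,
                "service binary not found: read the real ImagePath in the registry "
                "first; an unquoted path with spaces is often reported as C:\\Program.exe"))
        elif section == "O4" and body.endswith("= ?"):
            findings.append((section, body,
                "startup shortcut target could not be resolved: inspect the .lnk"))
        elif (section == "O1" and body.startswith("Hosts: ")
              and body[len("Hosts: "):].strip() not in DEFAULT_HOSTS):
            findings.append((section, body,
                "non-default hosts-file mapping: a simple redirect vector"))
        elif section == "R1" and ",ProxyServer = " in body:
            value = body.split(",ProxyServer = ", 1)[1]
            if proxy_points_to_loopback(value):
                findings.append((section, body,
                    "browser proxy points at a loopback port: identify the listening process"))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{section}] {body}\n    -> {reason}")
```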



#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 02 June 2010 - 03:13 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

If you still require assistance we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 sfono96

  • Topic Starter
  • Members
  • 26 posts

Posted 04 June 2010 - 11:45 AM

EB,

Thank you so much for being available to help. I am having the "Windows failed to start" problem again. Says there is a problem with the ndis driver. When I start my computer I choose to "start normally" and then get to a black screen with the following message:

"Windows failed to start. A recent hardware or software change might be the cause. To fix the problem:
1) Insert your Windows installation disc and restart your computer.
2) Choose your language settings, and then click "Next".
3) Click "Repair your computer."

If you do not have this disc, contact your system administrator or computer manufacturer for assistance.

File: \Windows\System32\drivers\ndis.sys

Status: 0xc0000098

Info: Windows failed to load because a critical system driver is missing, or corrupt."

I did have this message before and my friend helped me to find the driver (3 instances of it) on my computer via the command prompt and then he "moved" it into the correct position. I am unfortunately in Tahiti and don't know how to do this on my own. If you could help me with this then I could get the other things (DDS + GMER).

I don't have an installation disk and tried to get the Windows Vista Recovery disk from an ISO file online. But it still would not boot from the recovery disk I burned.

sfono96

#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 05 June 2010 - 08:55 PM

Hello.

From what you said, it seems you are still unable to boot into Windows? If so, read my post here and see if you are able to get a working burned Recovery Disk and boot off that.

Let me know how it goes, any problems, etc.

#5 sfono96

  • Topic Starter
  • Members
  • 26 posts

Posted 06 June 2010 - 12:40 PM

Thanks EB - I got Windows booting up and here are my logs:



DDS (Ver_10-03-17.01) - NTFSx86
Run by samf at 22:58:31.25 on Sat 06/05/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3032.2055 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\WIBUKEY\Server\WkSvMgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Users\samf\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://projectmanagement:8000/charts/chart2.html
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Spark] c:\program files\spark\Spark.exe
uRun: [Google Update] "c:\users\samf\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\networ~1.lnk - c:\program files\wibukey\server\WkSvMgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\samf\appdata\roaming\mozilla\firefox\profiles\o5j3q7kc.default\
FF - prefs.js: browser.startup.homepage - hxxp://projectmanagement:8000/charts/chart2.html
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\users\samf\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
# Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see hxxp://www.mozilla.org/unix/customizing.html#prefs
*/
FF - user.js: browser.startup.homepage - hxxp://projectmanagement:8000/charts/chart2.html
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2009-9-11 13424]
R2 DisplayLinkService;DisplayLink Service;c:\program files\displaylink core software\DisplayLinkService.exe [2009-3-13 447848]
R3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2009-9-11 367728]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2009-1-8 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2009-1-8 41760]
S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\drivers\DisplayLinkUsbPort.sys [2009-3-13 20992]
S3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\clt-inst\vpremote.exe [2010-5-27 142192]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-3-31 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
SUnknown rpcnetp;rpcnetp; [x]

=============== Created Last 30 ================

2010-06-06 04:56:04 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-06-06 04:55:41 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-06-02 06:26:52 98816 ----a-w- c:\windows\sed.exe
2010-06-02 06:26:52 77312 ----a-w- c:\windows\MBR.exe
2010-06-02 06:26:52 256512 ----a-w- c:\windows\PEV.exe
2010-06-02 06:26:52 161792 ----a-w- c:\windows\SWREG.exe
2010-06-02 06:26:27 0 d-s---w- C:\ComboFix
2010-06-02 03:46:34 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-02 03:28:49 0 d-----w- c:\programdata\Hitman Pro
2010-06-02 03:28:41 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-01 17:45:49 0 d-----w- c:\programdata\TEMP
2010-06-01 17:11:26 0 d-----w- c:\program files\Trend Micro
2010-06-01 16:05:18 0 d-----w- c:\windows\system32\eu-ES
2010-06-01 16:05:18 0 d-----w- c:\windows\system32\ca-ES
2010-06-01 16:05:17 0 d-----w- c:\windows\system32\vi-VN
2010-06-01 15:30:45 0 d-----w- c:\windows\system32\EventProviders
2010-06-01 15:07:16 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-06-01 15:07:16 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-06-01 15:07:15 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-06-01 15:07:15 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-06-01 15:07:15 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-06-01 14:00:32 0 d-----w- c:\users\samf\appdata\roaming\Malwarebytes
2010-06-01 14:00:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-01 14:00:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-01 14:00:15 0 d-----w- c:\programdata\Malwarebytes
2010-06-01 14:00:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-27 17:22:17 0 d-----w- c:\temp\Clt-Inst
2010-05-27 17:22:17 0 d-----w- C:\TEMP
2010-05-26 03:39:19 0 d-----w- c:\windows\system32\QuickTime
2010-05-22 22:34:23 0 d-----w- c:\program files\common files\PX Storage Engine
2010-05-22 22:31:13 0 d-----w- c:\program files\DivX
2010-05-22 22:30:51 0 d-----w- c:\programdata\DivX
2010-05-21 18:17:01 0 d-----w- c:\users\samf\appdata\roaming\SQLyog
2010-05-21 17:29:35 190 ----a-w- c:\windows\ODBCINST.INI
2010-05-20 02:05:41 0 d-----w- c:\program files\uTorrent
2010-05-12 15:01:46 738816 ----a-w- c:\windows\system32\inetcomm.dll

==================== Find3M ====================

2010-06-06 06:54:17 527848 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-06-06 06:54:17 0 ----a-w- c:\windows\system32\drivers\ndis.sys.broken
2010-06-01 16:38:17 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-06-01 16:38:17 86016 ----a-w- c:\windows\inf\infstor.dat
2010-06-01 16:38:17 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-01 16:05:08 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-06-01 15:42:26 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-05-12 17:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-11 20:27:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-01-21 02:43:58 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 23:00:27.64 ===============

I have attached the DDS Attach and GMER logs as instructed.

sfono96


#6 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 06 June 2010 - 05:24 PM

It seems you ran Combofix earlier?

Can you post the C:\Combofix.txt log for me?

Also what is the current condition of your machine?

#7 sfono96

  • Topic Starter
  • Members
  • 26 posts

Posted 06 June 2010 - 09:37 PM

Hi EB - I did not save a ComboFix log and did not try to run ComboFix again. It did say that it found a driver infected by the TDSS rootkit and that I had to restart the computer. Upon restart, that is when I got the "Windows failed to start ..." (my 2nd post).

Should I try to run combofix again and save a log?

Also - I did a few search queries on Google via Firefox and Bing via Internet Explorer. I did not get redirected. However, when I try to open Chrome, I get a blue screen of death.

Whatever you tell me to do next I will.

Thanks,
sfono96



#8 sfono96

  • Topic Starter
  • Members
  • 26 posts

Posted 06 June 2010 - 09:42 PM

EB - Google Chrome seems to be working fine now. I opened it just after I sent my last post because I was afraid that the computer would crash, but it did not.

sfono96

#9 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 07 June 2010 - 07:46 PM

Thanks for letting me know then.

Let's run ComboFix once more and see what we can see.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


#10 sfono96

  • Topic Starter
  • Members
  • 26 posts

Posted 10 June 2010 - 08:50 PM

Hi EB - sorry for the slow response! I have been in some remote locations here in Tahiti and just got internet back. I am running once more off of my secondary computer (uninfected) because I can't seem to open internet browsers after the ComboFix run because of some missing registry stuff. Anyway, here is my ComboFix log:


ComboFix 10-06-10.03 - samf 06/10/2010 19:23:01.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3032.1624 [GMT -6:00]
Running from: c:\users\samf\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\System32\autochk.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6001.18000_none_e1f3ed49c1c122ef\autochk.exe

.
((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))
.

2010-06-11 01:31 . 2010-06-11 01:31 -------- d-----w- c:\users\jstaten\AppData\Local\temp
2010-06-11 01:31 . 2010-06-11 01:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-11 01:31 . 2010-06-11 01:31 -------- d-----w- c:\users\jpackard.GO1ON1\AppData\Local\temp
2010-06-11 01:31 . 2010-06-11 01:31 -------- d-----w- c:\users\Cbuttars\AppData\Local\temp
2010-06-11 01:31 . 2010-06-11 01:31 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-06-11 01:21 . 2010-06-11 01:21 -------- d-----w- C:\32788R22FWJFW
2010-06-06 04:56 . 2010-06-11 01:33 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-06-06 04:55 . 2010-06-11 01:33 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-06-02 03:46 . 2010-06-02 04:09 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-02 03:28 . 2010-06-02 03:28 -------- d-----w- c:\programdata\Hitman Pro
2010-06-02 03:28 . 2010-06-02 03:28 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-02 02:55 . 2010-06-02 04:06 -------- d-----w- c:\users\samf\AppData\Local\vypthoydc
2010-06-01 17:11 . 2010-06-01 17:11 -------- d-----w- c:\program files\Trend Micro
2010-06-01 16:05 . 2010-06-01 16:05 -------- d-----w- c:\windows\system32\ca-ES
2010-06-01 16:05 . 2010-06-01 16:05 -------- d-----w- c:\windows\system32\eu-ES
2010-06-01 16:05 . 2010-06-01 16:05 -------- d-----w- c:\windows\system32\vi-VN
2010-06-01 15:30 . 2010-06-01 15:30 -------- d-----w- c:\windows\system32\EventProviders
2010-06-01 15:07 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-06-01 15:07 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-06-01 15:07 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-06-01 15:07 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-06-01 15:07 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-06-01 14:00 . 2010-06-01 14:00 -------- d-----w- c:\users\samf\AppData\Roaming\Malwarebytes
2010-06-01 14:00 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-01 14:00 . 2010-06-01 14:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 14:00 . 2010-06-01 14:00 -------- d-----w- c:\programdata\Malwarebytes
2010-06-01 14:00 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-27 17:22 . 2010-05-27 17:22 -------- d-----w- c:\temp\Clt-Inst
2010-05-27 17:22 . 2010-05-27 17:22 -------- d-----w- C:\TEMP
2010-05-26 03:39 . 2010-05-26 03:39 -------- d-----w- c:\windows\system32\QuickTime
2010-05-22 22:34 . 2010-05-22 22:40 -------- d-----w- c:\users\samf\AppData\Roaming\DivX
2010-05-22 22:34 . 2010-05-23 06:04 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-05-22 22:31 . 2010-05-23 06:04 -------- d-----w- c:\program files\DivX
2010-05-22 22:30 . 2010-05-23 06:04 -------- d-----w- c:\programdata\DivX
2010-05-21 18:17 . 2010-05-21 18:17 -------- d-----w- c:\users\samf\AppData\Roaming\SQLyog
2010-05-20 02:05 . 2010-05-20 02:05 -------- d-----w- c:\program files\uTorrent
2010-05-12 15:01 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 06:54 . 2009-10-20 20:29 527848 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-06-06 06:54 . 2009-10-20 20:29 0 ----a-w- c:\windows\system32\drivers\ndis.sys.broken
2010-06-01 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-06-01 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-06-01 16:05 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-01 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-06-01 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-06-01 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-06-01 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-06-01 16:05 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-06-01 13:41 . 2010-02-11 02:37 -------- d-----w- c:\users\samf\AppData\Roaming\uTorrent
2010-05-27 20:48 . 2009-11-20 17:12 -------- d-----w- c:\users\samf\AppData\Roaming\MySQL
2010-05-26 17:36 . 2010-05-03 20:48 -------- d-----w- c:\program files\Spark
2010-05-22 22:34 . 2009-09-15 16:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-18 23:34 . 2009-12-17 18:40 680 ----a-w- c:\users\samf\AppData\Local\d3d9caps.dat
2010-05-15 09:01 . 2009-09-11 20:16 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 17:21 . 2009-10-03 07:31 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-14 02:44 . 2009-09-11 22:00 -------- d-----w- c:\program files\Microsoft SQL Server
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"Spark"="c:\program files\Spark\Spark.exe" [2007-11-14 434176]
"Google Update"="c:\users\samf\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-05-04 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-20 3563520]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-09 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-09 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-09 154136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Network Server.lnk - c:\program files\WIBUKEY\Server\WkSvMgr.exe [2009-9-25 3768320]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2009-9-11 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):59,3a,68,1a,a9,01,cb,01

R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort.sys [2009-03-13 20992]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 47128]
S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2009-03-13 13424]
S0 rpcnetp;rpcnetp; [x]
S2 DisplayLinkService;DisplayLink Service;c:\program files\DisplayLink Core Software\DisplayLinkService.exe [2009-03-13 447848]
S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2009-03-13 367728]
S3 O2MDGRDR;O2MDGRDR;c:\windows\system32\DRIVERS\o2mdg.sys [2009-01-08 51616]
S3 O2SDGRDR;O2SDGRDR;c:\windows\system32\DRIVERS\o2sdg.sys [2009-01-08 41760]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3836008515-1673899338-677352321-1313Core.job
- c:\users\samf\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-04 18:57]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3836008515-1673899338-677352321-1313UA.job
- c:\users\samf\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-04 18:57]

2010-06-11 c:\windows\Tasks\User_Feed_Synchronization-{201C96EE-DB38-4F38-9B15-54B984ED86FE}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]

2010-06-11 c:\windows\Tasks\User_Feed_Synchronization-{7D00E841-BC36-48C3-9988-943D4BC1A6DE}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://projectmanagement:8000/charts/chart2.html
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\samf\AppData\Roaming\Mozilla\Firefox\Profiles\o5j3q7kc.default\
FF - prefs.js: browser.startup.homepage - hxxp://projectmanagement:8000/charts/chart2.html
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: c:\users\samf\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
# Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see hxxp://www.mozilla.org/unix/customizing.html#prefs
*/
FF - user.js: browser.startup.homepage - hxxp://projectmanagement:8000/charts/chart2.html
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-10 19:34
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\windows\System32\rpcnetp.exe
c:\program files\DisplayLink Core Software\DisplayLinkManager.exe
c:\program files\DisplayLink Core Software\DisplayLinkUI.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-06-10 19:44:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-11 01:43

Pre-Run: 194,257,653,760 bytes free
Post-Run: 195,427,012,608 bytes free

- - End Of File - - BC628C762A50C9F1F8719D4CEC4D9DE0

I have attached as well just in case. Thanks!!!

sfono96


#11 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 11 June 2010 - 06:27 PM

Looking better.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride =
    File::
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
    Driver::
    rpcnetp
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

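The three CFScript sections above (DDS::, File::, Driver::) each correspond to a kind of finding in the ComboFix log from post #10. As an added example that is not ComboFix's or the helper's own code, this Python script reads those log lines (reproduced here as constructed sample input), states why each one merits action, and emits the same CFScript; the loopback-proxy test and the non-executable-shortcut rule are this example's own triage heuristics, not ComboFix's.

```python
import re

# Constructed sample: the lines from the first ComboFix log in this thread that
# the CFScript acts on, plus one benign shortcut and one benign driver for contrast.
SAMPLE_LOG = "\n".join([
    r"uStart Page = hxxp://projectmanagement:8000/charts/chart2.html",
    r"uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    r"uInternet Settings,ProxyOverride = <local>",
    "",
    "c:\\programdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    r"Network Server.lnk - c:\program files\WIBUKEY\Server\WkSvMgr.exe [2009-9-25 3768320]",
    r"VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2009-9-11 6144]",
    "",
    r"S0 rpcnetp;rpcnetp; [x]",
    r"S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2009-03-13 367728]",
])

# Line shapes used by ComboFix's "Supplementary Scan", Startup-folder and service listings.
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<val>.+)$")
STARTUP_DIR_RE = re.compile(r"^c:\\.*\\Startup\\$", re.IGNORECASE)
LNK_RE = re.compile(r"^(?P<name>[^\\]+\.lnk) - (?P<target>.+?) \[", re.IGNORECASE)
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?) \[(?P<info>[^\]]*)\]$")
# A proxy value that points at the local machine, e.g. "http=127.0.0.1:5555".
LOOPBACK_RE = re.compile(
    r"(?:^|[=;])(?:https?://)?(?:127(?:\.\d{1,3}){3}|localhost)(?::\d+)?(?:$|;)")
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def is_local_proxy(value: str) -> bool:
    """True when an IE ProxyServer value routes browser traffic through the local host."""
    return LOOPBACK_RE.search(value) is not None


def triage(log_text: str):
    """Return (section, item, reason) tuples for the log lines the CFScript should act on."""
    findings = []
    startup_dir = None  # set while reading the .lnk entries listed under a Startup folder
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            startup_dir = None
            continue
        if STARTUP_DIR_RE.match(line):
            startup_dir = line
            continue
        m = PROXY_RE.match(line)
        if m:
            if is_local_proxy(m.group("val")):
                findings.append(("DDS", line,
                                 "IE proxy points at loopback: a local process is relaying "
                                 "(and can rewrite) every browser request"))
            continue
        m = LNK_RE.match(line)
        if m and startup_dir:
            if not m.group("target").lower().endswith(EXECUTABLE_EXT):
                findings.append(("File", startup_dir + m.group("name"),
                                 "Startup shortcut resolves to a non-executable target"))
            continue
        m = SERVICE_RE.match(line)
        if m and (m.group("info") == "x" or not m.group("image")):
            findings.append(("Driver", m.group("name"),
                             "service registered but its image file is missing ([x])"))
    return findings


def to_cfscript(findings) -> str:
    """Render findings as the three CFScript sections used in this thread."""
    sections = {"DDS": [], "File": [], "Driver": []}
    for section, item, _reason in findings:
        sections[section].append(item)
        if section == "DDS" and item.startswith("uInternet Settings,ProxyServer"):
            # Clearing the proxy also means dropping its bypass list.
            sections["DDS"].append("uInternet Settings,ProxyOverride =")
    out = []
    for section in ("DDS", "File", "Driver"):
        if sections[section]:
            out.append(section + "::")
            out.extend(sections[section])
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for section, item, reason in found:
        print(f"[{section}] {item}\n    why: {reason}")
    print("\n" + to_cfscript(found))
```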

#12 sfono96
  • Topic Starter
  • Members
  • 26 posts

Posted 11 June 2010 - 08:05 PM

Hi EB - here it is (and I also attached):


ComboFix 10-06-10.03 - samf 06/11/2010 18:32:50.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3032.1815 [GMT -6:00]
Running from: c:\users\samf\Desktop\ComboFix.exe
Command switches used :: c:\users\samf\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_rpcnetp


((((((((((((((((((((((((( Files Created from 2010-05-12 to 2010-06-12 )))))))))))))))))))))))))))))))
.

2010-06-12 00:40 . 2010-06-12 00:56 -------- d-----w- c:\users\samf\AppData\Local\temp
2010-06-12 00:40 . 2010-06-12 00:40 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-12 00:40 . 2010-06-12 00:40 -------- d-----w- c:\users\jstaten\AppData\Local\temp
2010-06-12 00:40 . 2010-06-12 00:40 -------- d-----w- c:\users\jpackard\AppData\Local\temp
2010-06-12 00:40 . 2010-06-12 00:40 -------- d-----w- c:\users\jpackard.GO1ON1\AppData\Local\temp
2010-06-12 00:40 . 2010-06-12 00:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-12 00:40 . 2010-06-12 00:40 -------- d-----w- c:\users\Cbuttars\AppData\Local\temp
2010-06-12 00:40 . 2010-06-12 00:40 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-06-11 09:21 . 2010-06-11 09:21 -------- d-----w- c:\program files\Windows Portable Devices
2010-06-11 09:06 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-06-11 09:06 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-06-11 09:06 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-06-11 09:04 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-06-11 09:04 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-06-11 09:04 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-06-11 01:45 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-11 01:45 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-11 01:40 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-07 02:42 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-06-07 02:42 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-07 02:42 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-06 04:56 . 2010-06-12 00:42 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-06-06 04:55 . 2010-06-12 00:41 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-06-02 03:46 . 2010-06-02 04:09 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-02 03:28 . 2010-06-02 03:28 -------- d-----w- c:\programdata\Hitman Pro
2010-06-02 03:28 . 2010-06-02 03:28 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-02 02:55 . 2010-06-02 04:06 -------- d-----w- c:\users\samf\AppData\Local\vypthoydc
2010-06-01 18:16 . 2010-06-01 18:16 388096 ----a-r- c:\users\samf\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-01 17:11 . 2010-06-01 17:11 -------- d-----w- c:\program files\Trend Micro
2010-06-01 16:05 . 2010-06-01 16:05 -------- d-----w- c:\windows\system32\ca-ES
2010-06-01 16:05 . 2010-06-01 16:05 -------- d-----w- c:\windows\system32\eu-ES
2010-06-01 16:05 . 2010-06-01 16:05 -------- d-----w- c:\windows\system32\vi-VN
2010-06-01 15:30 . 2010-06-01 15:30 -------- d-----w- c:\windows\system32\EventProviders
2010-06-01 15:07 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-06-01 15:07 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-06-01 15:07 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-06-01 15:07 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-06-01 15:07 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-06-01 14:00 . 2010-06-01 14:00 -------- d-----w- c:\users\samf\AppData\Roaming\Malwarebytes
2010-06-01 14:00 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-01 14:00 . 2010-06-01 14:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 14:00 . 2010-06-01 14:00 -------- d-----w- c:\programdata\Malwarebytes
2010-06-01 14:00 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-27 17:22 . 2010-05-27 17:22 -------- d-----w- c:\temp\Clt-Inst
2010-05-27 17:22 . 2010-05-27 17:22 -------- d-----w- C:\TEMP
2010-05-26 03:39 . 2010-05-26 03:39 -------- d-----w- c:\windows\system32\QuickTime
2010-05-22 22:40 . 2010-05-23 06:04 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-22 22:34 . 2010-05-22 22:30 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-05-22 22:34 . 2010-05-22 22:40 -------- d-----w- c:\users\samf\AppData\Roaming\DivX
2010-05-22 22:34 . 2010-05-23 06:04 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-05-22 22:31 . 2010-05-23 06:04 -------- d-----w- c:\program files\DivX
2010-05-22 22:30 . 2010-05-23 06:04 -------- d-----w- c:\programdata\DivX
2010-05-21 18:17 . 2010-05-21 18:17 -------- d-----w- c:\users\samf\AppData\Roaming\SQLyog
2010-05-20 02:05 . 2010-05-20 02:05 -------- d-----w- c:\program files\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 09:21 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-06-11 09:21 . 2010-06-11 09:21 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-06-11 09:03 . 2009-09-11 20:16 -------- d-----w- c:\programdata\Microsoft Help
2010-06-06 06:54 . 2009-10-20 20:29 527848 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-06-06 06:54 . 2009-10-20 20:29 0 ----a-w- c:\windows\system32\drivers\ndis.sys.broken
2010-06-01 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-06-01 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-06-01 16:05 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-01 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-06-01 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-06-01 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-06-01 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-06-01 13:41 . 2010-02-11 02:37 -------- d-----w- c:\users\samf\AppData\Roaming\uTorrent
2010-05-27 20:48 . 2009-11-20 17:12 -------- d-----w- c:\users\samf\AppData\Roaming\MySQL
2010-05-26 17:36 . 2010-05-03 20:48 -------- d-----w- c:\program files\Spark
2010-05-22 22:34 . 2009-09-15 16:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-18 23:34 . 2009-12-17 18:40 680 ----a-w- c:\users\samf\AppData\Local\d3d9caps.dat
2010-05-12 17:21 . 2009-10-03 07:31 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-03 20:07 . 2009-11-23 23:07 148 ----a-w- c:\programdata\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2010-04-14 02:44 . 2009-09-11 22:00 -------- d-----w- c:\program files\Microsoft SQL Server
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"Spark"="c:\program files\Spark\Spark.exe" [2007-11-14 434176]
"Google Update"="c:\users\samf\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-05-04 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-20 3563520]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-09 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-09 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-09 154136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Network Server.lnk - c:\program files\WIBUKEY\Server\WkSvMgr.exe [2009-9-25 3768320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):59,3a,68,1a,a9,01,cb,01

R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort.sys [2009-03-13 20992]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 47128]
S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2009-03-13 13424]
S2 DisplayLinkService;DisplayLink Service;c:\program files\DisplayLink Core Software\DisplayLinkService.exe [2009-03-13 447848]
S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2009-03-13 367728]
S3 O2MDGRDR;O2MDGRDR;c:\windows\system32\DRIVERS\o2mdg.sys [2009-01-08 51616]
S3 O2SDGRDR;O2SDGRDR;c:\windows\system32\DRIVERS\o2sdg.sys [2009-01-08 41760]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3836008515-1673899338-677352321-1313Core.job
- c:\users\samf\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-04 18:57]

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3836008515-1673899338-677352321-1313UA.job
- c:\users\samf\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-04 18:57]

2010-06-12 c:\windows\Tasks\User_Feed_Synchronization-{201C96EE-DB38-4F38-9B15-54B984ED86FE}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]

2010-06-12 c:\windows\Tasks\User_Feed_Synchronization-{7D00E841-BC36-48C3-9988-943D4BC1A6DE}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://projectmanagement:8000/charts/chart2.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\samf\AppData\Roaming\Mozilla\Firefox\Profiles\o5j3q7kc.default\
FF - prefs.js: browser.startup.homepage - hxxp://projectmanagement:8000/charts/chart2.html
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: c:\users\samf\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
# Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see hxxp://www.mozilla.org/unix/customizing.html#prefs
*/
FF - user.js: browser.startup.homepage - hxxp://projectmanagement:8000/charts/chart2.html
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-11 18:56
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\windows\System32\rpcnetp.exe
c:\program files\DisplayLink Core Software\DisplayLinkManager.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-06-11 19:01:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-12 01:01
ComboFix2.txt 2010-06-11 01:44

Pre-Run: 189,951,447,040 bytes free
Post-Run: 189,706,133,504 bytes free

- - End Of File - - D4328C2974ED6C9F03503413952E7A4A

Thx
sfono96


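The log excerpt above is a ComboFix report, and two parts of it are worth reading with a script rather than by eye: the Firefox pref lines (the four `security.ssl.*` entries are the Firefox 3.6-era TLS renegotiation settings introduced for RFC 5746, and `general.config.filename` names an AutoConfig file Firefox loads at startup) and the "Other Running Processes" list. The following is an added example written for this thread; it is not part of ComboFix, Kaspersky or the original post. `SAMPLE_LOG` is constructed from the lines quoted in the post plus one made-up temp-directory process line (marked in the code) so that the path check has something to flag; the function names and the list of "standard" directories are this example's own choices.

```python
"""ComboFix log triage helper (added example, not ComboFix's own code).

Parses the Firefox pref lines and the "Other Running Processes" section of
a ComboFix-style log excerpt, then reports the TLS renegotiation posture
and any process that runs from outside the usual Windows / Program Files
directories. SAMPLE_LOG is constructed from the lines quoted in the post
plus one made-up line (see the comment after it).
"""
import re
from typing import Dict, List, Union

PrefValue = Union[bool, int, str]

SAMPLE_LOG = r"""
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\System32\rpcnetp.exe
c:\users\example\appdata\local\temp\example_unsigned.exe
.
**************************************************************************
"""
# The c:\users\example\...\example_unsigned.exe line is constructed for this
# example; it did not appear in the posted log.

# One ComboFix pref line: "<file> - pref("<name>", <value>);"
PREF_RE = re.compile(r'^(?P<file>.+?) - pref\("(?P<name>[^"]+)",\s*(?P<value>.*?)\);\s*$')

# Directories a Windows binary is normally expected to live under; anything
# else (temp, user profile, root of C:) deserves a second look.
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_pref_value(raw: str) -> PrefValue:
    """Convert the JavaScript literal in a pref() call to a Python value."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw.lstrip("-").isdigit():
        return int(raw)
    return raw


def parse_prefs(log: str) -> Dict[str, PrefValue]:
    """Return {pref name: value} for every pref() line in the log."""
    prefs: Dict[str, PrefValue] = {}
    for line in log.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group("name")] = parse_pref_value(m.group("value"))
    return prefs


def renegotiation_posture(prefs: Dict[str, PrefValue]) -> List[str]:
    """Describe what the RFC 5746 (secure renegotiation) prefs currently allow."""
    notes: List[str] = []
    if prefs.get("security.ssl.require_safe_negotiation") is False:
        notes.append("require_safe_negotiation=false: servers without RFC 5746 "
                     "secure renegotiation are still accepted")
    if prefs.get("security.ssl.treat_unsafe_negotiation_as_broken") is False:
        notes.append("treat_unsafe_negotiation_as_broken=false: such servers are "
                     "not flagged as broken in the browser UI")
    if prefs.get("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref") is True:
        notes.append("allow_unrestricted_renego_everywhere=true: legacy (pre-RFC 5746) "
                     "renegotiation is accepted with any server")
    return notes


def parse_processes(log: str) -> List[str]:
    """Return the paths listed under 'Other Running Processes'."""
    paths: List[str] = []
    in_section = False
    for line in log.splitlines():
        if "Other Running Processes" in line:
            in_section = True
            continue
        if in_section:
            if line.startswith("****"):   # next ComboFix section separator
                break
            if line.strip() in ("", "."):
                continue
            paths.append(line.strip())
    return paths


def processes_outside_standard_dirs(paths: List[str]) -> List[str]:
    """Paths that do not start with one of STANDARD_DIRS (case-insensitive)."""
    return [p for p in paths if not p.lower().startswith(STANDARD_DIRS)]


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_LOG)
    print("AutoConfig file:", prefs.get("general.config.filename"))
    for note in renegotiation_posture(prefs):
        print("TLS:", note)
    for p in processes_outside_standard_dirs(parse_processes(SAMPLE_LOG)):
        print("Check:", p)
```

On the sample log the script reports three renegotiation notes (the values shown in the post are the shipped defaults in `greprefs`, so they indicate the browser's posture rather than tampering) and flags only the constructed temp-directory process. The Windows-directory check is deliberately coarse: it tells you what to look at next (file signature, creation time, parent service), not whether a file is malicious.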
#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 14 June 2010 - 06:55 PM

Hello.

I apologize for the delay, and to the others I am helping: I was sick recently and had some other personal work that had to be done. Sorry.

Let's continue here...

That's good. Let's deal with the rest...

Let's get an online scan...

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

Kind Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#14 sfono96

sfono96
  • Topic Starter
  • Members
  • 26 posts

Posted 14 June 2010 - 08:17 PM

Hi EB - Thanks for the reply! I hope you do feel better soon!!!!

I can't seem to run any browser - google chrome, ie explorer, firefox - (even as administrator as instructed). Here is my error message:

"Illegal operation attempted on a registry key that has been marked for deletion."

Any ideas?

Thanks again,
sfono96



#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 14 June 2010 - 09:22 PM

Ah, I see that problem.

Go ahead and restart your computer and that should resolve it. ;)



