Infected with redirecting and pop up malware


  • This topic is locked
11 replies to this topic

#1 vishwas

  • Members
  • 13 posts

Posted 24 June 2010 - 06:58 PM

Hi

My computer has been infected for the last two days...

There seem to be multiple problems... I do not know if it is a single issue or multiple pieces of malware.

It started with a new window opening (taking me to a results.google-analytics page) whenever I start IE or Firefox... then when I try to visit websites it says no connection and gives me a "diagnose problem" button... when I press this button it starts to identify the problem... if I cancel the problem identification then it takes me to the intended website... when I try to update Microsoft Security Essentials it gives me an error saying no internet connection... looks like the server has been hijacked or something...

Since today I am getting pop-ups saying my computer is infected...

PS: My Windows firewall was off for a couple of days... maybe that is when someone sneaked in... I am attaching the required files for your reference...


Thanks for helping...





DDS (Ver_10-03-17.01) - NTFSx86
Run by vishwas at 17:27:26.64 on Thu 06/24/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.798 [GMT -5:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\cognos\c8\derby10.1.2.1\bin\derby.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\WUDFHost.exe
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdhost.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\cognos\c8\bin\cogbootstrapservice.exe
C:\Program Files\cognos\c8\bin\jre\1.5.0\bin\java.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Users\vishwas\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\vishwas\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [googletalk] c:\users\vishwas\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Google Update] "c:\users\vishwas\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.162.54,93.188.161.184
TCP: {3C4C231C-BD71-4AC7-A165-5023550969D3} = 93.188.162.54,93.188.161.184
TCP: {4338E894-4F18-47A7-BF74-8E8101681140} = 93.188.162.54,93.188.161.184
TCP: {4BCF6DA5-01F9-4A19-8534-177C761067E9} = 93.188.162.54,93.188.161.184
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\vishwas\appdata\roaming\mozilla\firefox\profiles\8ikdegag.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\vishwas\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\vishwas\appdata\roaming\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\users\vishwas\appdata\roaming\mozilla\firefox\profiles\8ikdegag.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\users\vishwas\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 149040]
R1 NEOFLTR_550_12491;Juniper Networks TDI Filter Driver (NEOFLTR_550_12491);c:\windows\system32\drivers\NEOFLTR_550_12491.sys [2007-12-26 64144]
R1 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
R2 IBM Cognos 8;IBM Cognos 8;c:\program files\cognos\c8\bin\cogbootstrapservice.exe [2010-6-4 151552]
R2 IBM Cognos Content Database;IBM Cognos Content Database;c:\program files\cognos\c8\derby10.1.2.1\bin\derby.exe [2010-6-4 65536]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\oracle.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\bin\TNSLSNR.EXE [2006-2-2 204800]
R3 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2010-3-4 24645]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42368]
R3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\microsoft sql server\mssql10.mssqlserver\mssql\binn\fdlauncher.exe [2008-7-10 31256]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-1-19 21504]
S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2008-7-10 218136]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2010-3-11 25088]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe XE [?]

=============== Created Last 30 ================

2010-06-24 22:22:11 0 ----a-w- c:\users\vishwas\defogger_reenable
2010-06-22 16:22:57 50176 ----a-w- c:\windows\system32\ernel32.dll
2010-06-22 16:22:52 50176 ----a-w- c:\users\vishwas\appdata\roaming\2f87744b.exe
2010-06-11 18:42:34 0 d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-10 23:29:47 600 ----a-w- c:\users\vishwas\cogtrwin.ini
2010-06-10 22:28:59 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-10 22:28:57 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-08 04:22:25 40960 ---ha-w- c:\windows\system32\iscsient.dll
2010-06-08 04:21:32 12 ----a-w- c:\users\vishwas\appdata\roaming\gklupx.dat
2010-06-07 16:15:03 0 d-----w- C:\cognos training
2010-06-05 20:12:56 0 d-----w- c:\program files\Microsoft Visual Studio .NET
2010-06-05 20:10:42 0 d-----w- C:\oraclexe
2010-06-04 23:20:05 50200 ----a-w- c:\windows\system32\perf-ReportServer-rsctr.dll
2010-06-04 23:07:39 79896 ----a-w- c:\windows\system32\perf-MSSQLSERVER-sqlctr10.0.1600.22.dll
2010-06-04 20:21:54 0 d-----w- c:\program files\Apache Software Foundation
2010-06-04 19:10:13 0 d-----w- C:\SQL Server Enterprise 2008 x86+x64+ia64 en-us
2010-06-04 19:10:10 0 d-----w- c:\program files\common files\GSTools
2010-06-04 18:49:29 0 d-----w- c:\windows\system32\vers
2010-06-04 18:49:28 24576 ----a-w- c:\windows\system32\NTEventLogAppender.dll
2010-06-04 18:39:49 0 d-----w- c:\program files\cognos
2010-06-03 19:23:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-06-03 06:22:06 0 d-----w- C:\Microsoft Office Enterprise 2007
2010-06-03 01:45:03 0 d-----w- C:\cognos

==================== Find3M ====================

2010-06-24 21:49:06 80271 ----a-w- c:\programdata\nvModes.dat
2010-05-21 19:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 23:02:38 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13:48 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 14:13:55 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-05 17:01:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-03-24 21:05:42 51200 ----a-w- c:\windows\inf\infpub.dat
2010-03-24 21:05:42 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-24 21:05:27 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-19 23:51:35 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-19 19:40:48 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-02-16 17:54:30 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 17:30:42.09 ===============
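How an analyst might triage the Pseudo HJT and Created Last 30 lines of the log above. This is an added example, not code from this thread or from the DDS tool: the rule set, the EXPECTED_RESOLVERS allowlist and the KNOWN_SYSTEM_DLLS set are assumptions, and the sample lines are copied from the log.

```python
"""Triage rules for the Pseudo HJT and Created Last 30 sections of a DDS log.

Added example, not part of this thread or of the DDS tool. The rule set and
EXPECTED_RESOLVERS are assumptions; SAMPLE_LINES are copied from the log above.
"""
import re
from typing import List, Tuple

# Assumption: resolvers the analyst expects on this host (placeholder values).
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8"}

# Genuine system DLL names, used to catch one-character lookalikes.
KNOWN_SYSTEM_DLLS = {"kernel32.dll", "user32.dll", "ntdll.dll", "advapi32.dll"}

Finding = Tuple[str, str]  # (rule name, offending log line)

# Constructed input: the relevant lines from the first DDS log in this thread.
SAMPLE_LINES = r"""
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
TCP: NameServer = 93.188.162.54,93.188.161.184
TCP: {3C4C231C-BD71-4AC7-A165-5023550969D3} = 93.188.162.54,93.188.161.184
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
2010-06-22 16:22:57 50176 ----a-w- c:\windows\system32\ernel32.dll
2010-06-22 16:22:52 50176 ----a-w- c:\users\vishwas\appdata\roaming\2f87744b.exe
2010-06-10 22:28:59 289792 ----a-w- c:\windows\system32\atmfd.dll
""".strip().splitlines()


def edit_distance_one(a: str, b: str) -> bool:
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # a has an extra character
        elif len(b) > len(a):
            j += 1          # b has an extra character
        else:
            i += 1          # substitution
            j += 1
    edits += (len(a) - i) + (len(b) - j)  # an unmatched tail counts as one edit
    return edits == 1


def triage_dds_lines(lines: List[str]) -> List[Finding]:
    """Apply the triage rules to raw DDS lines and return (rule, line) findings."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        low = line.lower()
        # Rule 1: the per-user IE proxy points at a local port, so every
        # HTTP request passes through a process on this machine first.
        if re.search(r"proxyserver\s*=\s*(?:http=)?127\.0\.0\.1:\d+", low):
            findings.append(("loopback-proxy", line))
        # Rule 2: hard-coded resolvers (global or per-interface) outside the allowlist.
        m = re.match(r"tcp:\s*(?:nameserver|\{[0-9a-f-]+\})\s*=\s*([\d.,\s]+)$", low)
        if m:
            servers = {s.strip() for s in m.group(1).split(",") if s.strip()}
            if servers - EXPECTED_RESOLVERS:
                findings.append(("unexpected-dns", line))
        # Rule 3: UAC has been switched off by policy.
        if re.search(r"enablelua\s*=\s*0\b", low):
            findings.append(("uac-disabled", line))
        # Rule 4: a DLL in system32 whose name is one edit away from a real one.
        m = re.search(r"\\system32\\([a-z0-9_.-]+\.dll)$", low)
        if m and m.group(1) not in KNOWN_SYSTEM_DLLS:
            if any(edit_distance_one(m.group(1), k) for k in KNOWN_SYSTEM_DLLS):
                findings.append(("lookalike-dll", line))
        # Rule 5: an executable with a hex-only name dropped straight into AppData\Roaming.
        if re.search(r"\\appdata\\roaming\\[0-9a-f]{6,}\.exe$", low):
            findings.append(("roaming-hex-exe", line))
    return findings


def rule_counts(lines: List[str]) -> dict:
    """Number of findings per rule, handy for a quick summary."""
    counts: dict = {}
    for rule, _ in triage_dds_lines(lines):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, line in triage_dds_lines(SAMPLE_LINES):
        print(f"[{rule}] {line}")
```

Run against the sample lines it reports six findings: the loopback proxy, both DNS entries, the disabled UAC policy, the ernel32.dll lookalike and the Roaming executable, while the benign atmfd.dll line is left alone.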



#2 Farbar

  • Security Developer
  • 21,716 posts
  • Location:The Netherlands

Posted 28 June 2010 - 11:08 AM

Hi vishwas,

Welcome to the Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on, as it might interfere with our fixes. If you make changes, I shall assume my assistance is not needed any more.

If the issue is not resolved, please update me on the current condition of your computer.

Also, please run DDS and post a fresh DDS.txt in your reply. No need for the Attach.txt.

#3 vishwas

  • Topic Starter
  • Members
  • 13 posts

Posted 28 June 2010 - 11:48 AM

Hi

Thanks for the reply...

As of now I am still getting redirected to some bogus marketing or search sites... only the frequency has increased since my first post... I have attached the latest DDS file...


DDS (Ver_10-03-17.01) - NTFSx86
Run by vishwas at 11:43:05.56 on Mon 06/28/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.771 [GMT -5:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\cognos\c8\derby10.1.2.1\bin\derby.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Users\vishwas\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdhost.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\cognos\c8\bin\cogbootstrapservice.exe
C:\Program Files\cognos\c8\bin\jre\1.5.0\bin\java.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\vishwas\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [googletalk] c:\users\vishwas\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Google Update] "c:\users\vishwas\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.162.54,93.188.161.184
TCP: {3C4C231C-BD71-4AC7-A165-5023550969D3} = 93.188.162.54,93.188.161.184
TCP: {4338E894-4F18-47A7-BF74-8E8101681140} = 93.188.162.54,93.188.161.184
TCP: {4BCF6DA5-01F9-4A19-8534-177C761067E9} = 93.188.162.54,93.188.161.184
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\vishwas\appdata\roaming\mozilla\firefox\profiles\8ikdegag.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\vishwas\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\vishwas\appdata\roaming\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\users\vishwas\appdata\roaming\mozilla\firefox\profiles\8ikdegag.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\users\vishwas\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 149040]
R1 NEOFLTR_550_12491;Juniper Networks TDI Filter Driver (NEOFLTR_550_12491);c:\windows\system32\drivers\NEOFLTR_550_12491.sys [2007-12-26 64144]
R1 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
R2 IBM Cognos 8;IBM Cognos 8;c:\program files\cognos\c8\bin\cogbootstrapservice.exe [2010-6-4 151552]
R2 IBM Cognos Content Database;IBM Cognos Content Database;c:\program files\cognos\c8\derby10.1.2.1\bin\derby.exe [2010-6-4 65536]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\oracle.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\bin\TNSLSNR.EXE [2006-2-2 204800]
R3 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2010-3-4 24645]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42368]
R3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\microsoft sql server\mssql10.mssqlserver\mssql\binn\fdlauncher.exe [2008-7-10 31256]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-1-19 21504]
S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2008-7-10 218136]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\msrs10.mssqlserver\reporting services\reportserver\bin\ReportingServicesService.exe [2009-3-30 1113448]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2010-3-11 25088]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe XE [?]

=============== Created Last 30 ================

2010-06-26 03:52:14 0 d-----w- c:\program files\common files\PX Storage Engine
2010-06-26 03:47:57 0 d-----w- c:\programdata\DivX
2010-06-24 22:22:11 0 ----a-w- c:\users\vishwas\defogger_reenable
2010-06-22 16:22:57 50176 ----a-w- c:\windows\system32\ernel32.dll
2010-06-22 16:22:52 50176 ----a-w- c:\users\vishwas\appdata\roaming\2f87744b.exe
2010-06-11 18:42:34 0 d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-10 23:29:47 600 ----a-w- c:\users\vishwas\cogtrwin.ini
2010-06-10 22:28:59 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-10 22:28:57 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-08 04:22:25 40960 ---ha-w- c:\windows\system32\iscsient.dll
2010-06-08 04:21:32 12 ----a-w- c:\users\vishwas\appdata\roaming\gklupx.dat
2010-06-07 16:15:03 0 d-----w- C:\cognos training
2010-06-05 20:12:56 0 d-----w- c:\program files\Microsoft Visual Studio .NET
2010-06-05 20:10:42 0 d-----w- C:\oraclexe
2010-06-04 23:20:05 50200 ----a-w- c:\windows\system32\perf-ReportServer-rsctr.dll
2010-06-04 23:07:39 79896 ----a-w- c:\windows\system32\perf-MSSQLSERVER-sqlctr10.0.1600.22.dll
2010-06-04 20:21:54 0 d-----w- c:\program files\Apache Software Foundation
2010-06-04 19:10:13 0 d-----w- C:\SQL Server Enterprise 2008 x86+x64+ia64 en-us
2010-06-04 19:10:10 0 d-----w- c:\program files\common files\GSTools
2010-06-04 18:49:29 0 d-----w- c:\windows\system32\vers
2010-06-04 18:49:28 24576 ----a-w- c:\windows\system32\NTEventLogAppender.dll
2010-06-04 18:39:49 0 d-----w- c:\program files\cognos
2010-06-03 19:23:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-06-03 06:22:06 0 d-----w- C:\Microsoft Office Enterprise 2007
2010-06-03 01:45:03 0 d-----w- C:\cognos

==================== Find3M ====================

2010-06-27 23:52:50 80271 ----a-w- c:\programdata\nvModes.dat
2010-05-21 19:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 23:02:38 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13:48 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 18:40:40 133616 ------w- c:\windows\system32\PxAFS.DLL
2010-04-23 14:13:55 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-05 17:01:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-03-24 21:05:42 51200 ----a-w- c:\windows\inf\infpub.dat
2010-03-24 21:05:42 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-24 21:05:27 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-19 23:51:35 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-19 19:40:48 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-02-16 17:54:30 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 11:45:09.17 ===============


#4 Farbar (Security Developer, The Netherlands)

Posted 28 June 2010 - 12:32 PM

Please perform the steps in the order they are written.
  1. Please make sure of the following settings:
    • Go to start => Control panel => Double-click Network and Sharing Center.
    • In the left window select Manage network connections.
    • In the right window right-click your default connection (for a wired connection Local Area Connection is the default) and select Properties.
    • Internet Protocol Version 6 (IPv6) should be checked. Double-click on it: Make sure of the following settings:
      • The option Obtain an IP address automatically should be checked.
      • The option Obtain DNS server address automatically should be checked.
    • Click OK.
    • Internet Protocol Version 4 (IPv4) should be checked. Double-click on it.
      • The option Obtain an IP address automatically should be checked.
      • The option Obtain DNS server address automatically should be checked.
    • Click OK twice.

  2. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    REM Remove the per-user WinINET proxy (the http=127.0.0.1:5555 entry in the DDS log)
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    REM Clear the WinHTTP proxy as well; proxycfg.exe is the XP tool, netsh is its Vista/7 equivalent
    proxycfg -d >nul 2>&1
    netsh winhttp reset proxy >nul 2>&1
    REM Remove the static DNS servers (93.188.162.54 / 93.188.161.184), globally and on each interface
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NameServer /f >nul
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3C4C231C-BD71-4AC7-A165-5023550969D3} /v NameServer /f >nul 2>&1
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4338E894-4F18-47A7-BF74-8E8101681140} /v NameServer /f >nul 2>&1
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4BCF6DA5-01F9-4A19-8534-177C761067E9} /v NameServer /f >nul 2>&1
    REM Quarantine the dropped executable (renamed, not deleted) so it can still be examined
    move /y c:\users\vishwas\appdata\roaming\2f87744b.exe "%temp%\bad.old" >nul 2>&1

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: fix.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate fix.bat on the desktop. It should look like this:
    • Right-click to run it as administrator.
    • A window flashes, this is normal.

  3. Reboot the computer.

  4. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.
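
The fix above was written by hand from the DDS log: the `uInternet Settings,ProxyServer` line pointing at `127.0.0.1:5555` and the `TCP:` lines showing static DNS servers on every interface. The script below is an added example, not part of Farbar's reply and not code from DDS or ComboFix: it reads DDS-style lines, flags the same indicators (a proxy on the local machine, a static public resolver, an orphaned toolbar entry, UAC switched off) and generates the matching `reg delete` commands as strings for review. The sample lines are constructed after the log in this thread, with one benign router-DNS interface added for contrast. It assumes the `u`/`m` prefix and `TCP: {GUID} = ...` layout DDS uses on this page; a static public resolver is reported as something to check (a user may have set OpenDNS or similar deliberately), not as a verdict.

```python
import ipaddress
import re

# Constructed sample input: lines modelled on the DDS log posted in this thread
# (same values), plus one interface with an ordinary home-router resolver.
SAMPLE_LOG = """\
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 93.188.162.54,93.188.161.184
TCP: {3C4C231C-BD71-4AC7-A165-5023550969D3} = 93.188.162.54,93.188.161.184
TCP: {4338E894-4F18-47A7-BF74-8E8101681140} = 93.188.162.54,93.188.161.184
TCP: {AAAAAAAA-0000-0000-0000-000000000000} = 192.168.1.1
"""

# DDS prefixes: u = HKCU (per user), m = HKLM (machine)
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+?)\s*$")
NS_GLOBAL_RE = re.compile(r"^TCP:\s*NameServer\s*=\s*(.+?)\s*$")
NS_IFACE_RE = re.compile(r"^TCP:\s*(\{[0-9A-Fa-f-]{36}\})\s*=\s*(.+?)\s*$")

TCPIP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
INET_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def split_ips(value):
    """DDS prints NameServer lists comma- or space-separated; return the parts."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def is_lan_resolver(ip_text):
    """True for loopback, RFC1918 or link-local resolvers (a home router is normal)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def proxy_hosts(value):
    """Parse 'http=host:port;https=host:port' or a bare 'host:port' into host names."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if "=" in entry:
            entry = entry.split("=", 1)[1]
        hosts.append(entry.rsplit(":", 1)[0] if ":" in entry else entry)
    return hosts


def triage(log_text):
    """Return (findings, fix_commands) for the hijack indicators in a DDS log.

    findings: one human-readable string per suspicious line.
    fix_commands: reg.exe deletions that remove the static settings found,
    the same shape as the batch file in this thread, but derived from the log.
    """
    findings, fixes = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            if any(h in ("127.0.0.1", "localhost", "::1") for h in proxy_hosts(m.group(1))):
                findings.append(f"user proxy points at the local machine: {m.group(1)}")
                fixes.append(f'reg delete "{INET_KEY}" /v ProxyEnable /f')
                fixes.append(f'reg delete "{INET_KEY}" /v ProxyServer /f')
            continue
        m = NS_GLOBAL_RE.match(line)
        if m:
            bad = [ip for ip in split_ips(m.group(1)) if not is_lan_resolver(ip)]
            if bad:
                findings.append(f"static global DNS set to public resolver(s): {', '.join(bad)}")
                fixes.append(f'reg delete "{TCPIP_KEY}" /v NameServer /f')
            continue
        m = NS_IFACE_RE.match(line)
        if m:
            guid, value = m.groups()
            bad = [ip for ip in split_ips(value) if not is_lan_resolver(ip)]
            if bad:
                findings.append(f"interface {guid} has static public DNS: {', '.join(bad)}")
                fixes.append(f'reg delete "{TCPIP_KEY}\\Interfaces\\{guid}" /v NameServer /f')
            continue
        if line.startswith("TB:") and line.endswith("- No File"):
            findings.append(f"orphaned toolbar entry: {line}")
        elif line.startswith("mPolicies-system: EnableLUA = 0"):
            findings.append("UAC disabled (EnableLUA = 0): every process already runs with full admin rights")
    return findings, fixes


if __name__ == "__main__":
    found, cmds = triage(SAMPLE_LOG)
    print("\n".join(found))
    print("\n".join(cmds))
```

Run against the sample it reports six findings and five commands; the router interface (192.168.1.1) produces nothing, which is the point of the private/public split: DDS only prints `NameServer` when DNS is configured statically, so a static public resolver on a laptop that otherwise uses DHCP is what deserves a second look.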


#5 vishwas (Topic Starter)

Posted 28 June 2010 - 01:22 PM

Here is the combofix file....

ComboFix 10-06-27.06 - vishwas 06/28/2010 12:59:42.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.1077 [GMT -5:00]
Running from: c:\users\vishwas\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
The following files were disabled during the run:
c:\windows\system32\iscsient.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ernel32.dll
c:\windows\system32\spool\prtprocs\w32x86\317kU1mY.dll
c:\windows\system32\spool\prtprocs\w32x86\79y1c9s.dll
c:\windows\system32\spool\prtprocs\w32x86\9317wS179.dll
c:\windows\system32\spool\prtprocs\w32x86\93gMYWS7e.dll
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.

2010-06-28 18:12 . 2010-06-28 18:12 -------- d-----w- c:\users\vishwas\AppData\Local\temp
2010-06-28 18:12 . 2010-06-28 18:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-26 03:54 . 2010-06-26 03:54 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-26 03:54 . 2010-06-26 03:47 1062184 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-06-26 03:54 . 2010-06-26 03:47 895256 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-06-26 03:54 . 2010-06-26 03:54 56765 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-26 03:54 . 2010-06-26 03:54 56997 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-06-26 03:54 . 2010-06-26 03:54 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-06-26 03:53 . 2010-06-26 03:53 57715 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-06-26 03:53 . 2010-06-26 03:53 -------- d-----w- c:\users\vishwas\AppData\Roaming\DivX
2010-06-26 03:52 . 2010-06-26 03:52 84062 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-06-26 03:52 . 2010-06-26 03:52 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-06-26 03:52 . 2010-06-26 03:52 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-06-26 03:52 . 2010-06-26 03:52 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-06-26 03:52 . 2010-06-26 03:52 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-06-26 03:52 . 2010-06-26 03:52 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-06-26 03:52 . 2010-06-26 03:52 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 54644 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-06-26 03:47 . 2010-06-26 03:54 -------- d-----w- c:\programdata\DivX
2010-06-22 01:14 . 2010-06-22 01:14 -------- d-----w- c:\users\vishwas\AppData\Local\Apps
2010-06-22 01:14 . 2010-06-22 01:15 -------- d-----w- c:\users\vishwas\AppData\Local\Deployment
2010-06-11 18:42 . 2010-06-11 18:43 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-11 18:33 . 2010-06-11 18:33 -------- d-----r- C:\MSOCache
2010-06-10 22:28 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-10 22:28 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-08 04:22 . 2010-06-08 04:22 40960 ----a-w- c:\windows\system32\iscsient.dll.vir
2010-06-07 16:15 . 2010-06-23 21:54 -------- d-----w- C:\cognos training
2010-06-05 20:12 . 2010-06-05 20:12 -------- d-----w- c:\program files\Microsoft Visual Studio .NET
2010-06-05 20:10 . 2010-06-05 20:13 -------- d-----w- C:\oraclexe
2010-06-04 23:20 . 2008-07-10 07:49 50200 ----a-w- c:\windows\system32\perf-ReportServer-rsctr.dll
2010-06-04 23:07 . 2008-07-10 07:49 79896 ----a-w- c:\windows\system32\perf-MSSQLSERVER-sqlctr10.0.1600.22.dll
2010-06-04 22:48 . 2010-06-04 22:48 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-06-04 20:21 . 2010-06-04 20:21 -------- d-----w- c:\program files\Apache Software Foundation
2010-06-04 19:10 . 2010-06-20 03:34 -------- d-----w- C:\SQL Server Enterprise 2008 x86+x64+ia64 en-us
2010-06-04 19:10 . 2010-06-04 19:10 -------- d-----w- c:\program files\Common Files\GSTools
2010-06-04 18:49 . 2010-06-04 18:49 -------- d-----w- c:\windows\system32\vers
2010-06-04 18:49 . 2008-09-22 20:06 24576 ----a-w- c:\windows\system32\NTEventLogAppender.dll
2010-06-04 18:39 . 2010-06-10 23:17 -------- d-----w- c:\program files\cognos
2010-06-03 06:22 . 2010-06-03 06:22 -------- d-----w- C:\Microsoft Office Enterprise 2007
2010-06-03 01:45 . 2010-06-15 16:35 -------- d-----w- C:\cognos

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 17:47 . 2010-01-19 18:22 80271 ----a-w- c:\programdata\nvModes.dat
2010-06-26 03:54 . 2010-03-09 05:58 -------- d-----w- c:\program files\DivX
2010-06-26 03:51 . 2010-03-09 05:58 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-23 21:05 . 2010-01-30 17:59 680 ----a-w- c:\users\vishwas\AppData\Local\d3d9caps.dat
2010-06-22 22:32 . 2010-01-18 10:51 -------- d-----w- c:\programdata\NOS
2010-06-22 17:19 . 2010-03-09 03:30 1 ----a-w- c:\users\vishwas\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-20 04:19 . 2010-01-20 00:37 164880 ---ha-w- c:\users\vishwas\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
2010-06-19 23:00 . 2007-08-04 10:35 -------- d-----w- c:\programdata\Microsoft Help
2010-06-19 06:43 . 2010-04-02 20:25 439816 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\setup.exe
2010-06-18 16:47 . 2010-02-02 22:35 -------- d-----w- c:\users\vishwas\AppData\Roaming\vlc
2010-06-14 00:14 . 2007-08-04 10:31 -------- d-----w- c:\program files\Microsoft Works
2010-06-14 00:08 . 2010-01-19 01:59 -------- d-----w- c:\program files\Microsoft
2010-06-14 00:06 . 2010-01-20 02:12 121728 ----a-w- c:\programdata\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2010-06-13 23:50 . 2010-01-20 01:10 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-11 19:13 . 2010-01-18 01:06 130112 ----a-w- c:\users\vishwas\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-11 18:52 . 2006-11-02 12:37 -------- d-----w- c:\program files\MSBuild
2010-06-11 04:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-08 04:21 . 2010-06-08 04:21 12 ----a-w- c:\users\vishwas\AppData\Roaming\gklupx.dat
2010-06-05 20:18 . 2007-08-04 09:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 23:20 . 2010-06-04 23:20 13472 ----a-w- c:\windows\inf\MSRS 2008 Windows Service\0009\tmp70CF.tmp
2010-06-04 23:20 . 2010-06-04 23:20 13472 ----a-w- c:\windows\inf\MSRS 2008 Windows Service\0000\tmp70CF.tmp
2010-06-04 23:20 . 2010-06-04 23:20 13416 ----a-w- c:\windows\inf\MSRS 2008 Web Service\0009\tmp70CF.tmp
2010-06-04 23:20 . 2010-06-04 23:20 13416 ----a-w- c:\windows\inf\MSRS 2008 Web Service\0000\tmp70CF.tmp
2010-06-04 23:18 . 2010-01-20 02:27 397664 ----a-w- c:\programdata\Microsoft\VSTAHost\SSIS_ScriptComponent\9.0\1033\ResourceCache.dll
2010-06-04 23:18 . 2010-01-20 02:26 397664 ----a-w- c:\programdata\Microsoft\VSTAHost\SSIS_ScriptTask\9.0\1033\ResourceCache.dll
2010-06-04 22:41 . 2007-08-04 10:36 -------- d-----w- c:\program files\Microsoft.NET
2010-06-04 21:10 . 2010-04-18 06:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-04 20:42 . 2010-04-08 04:42 -------- d-----w- c:\program files\Veoh Networks
2010-06-04 20:37 . 2010-02-01 08:41 -------- d-----w- c:\users\vishwas\AppData\Roaming\uTorrent
2010-06-04 02:31 . 2010-05-06 22:57 -------- d-----w- c:\programdata\Skype
2010-06-04 02:22 . 2010-03-22 02:22 -------- d-----w- c:\program files\TeamViewer
2010-06-03 19:23 . 2010-06-03 19:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-05-28 21:20 . 2010-05-06 22:57 -------- d-----w- c:\users\vishwas\AppData\Roaming\Skype
2010-05-28 20:53 . 2010-05-06 23:02 -------- d-----w- c:\users\vishwas\AppData\Roaming\skypePM
2010-05-21 19:14 . 2010-01-18 07:08 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-05-07 17:55 . 2010-05-07 17:55 255472 ----a-w- c:\users\vishwas\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-05-07 14:18 . 2010-05-07 14:18 20854256 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\rp\RealPlayerSPGold.exe
2010-05-06 23:02 . 2010-05-06 23:02 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-05-06 22:55 . 2010-01-19 21:29 -------- d-----w- c:\users\vishwas\AppData\Roaming\Yahoo!
2010-05-04 05:59 . 2010-06-10 22:29 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-10 22:29 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-10 22:29 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-10 22:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-10 22:29 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 18:40 . 2007-02-06 23:03 133616 ----a-w- c:\windows\system32\PxAFS.DLL
2010-04-23 14:13 . 2010-05-25 17:58 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-23 10:22 . 2010-04-23 10:22 2898232 ----a-w- c:\users\vishwas\AppData\Roaming\Mozilla\Firefox\Profiles\8ikdegag.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2010-04-15 22:49 . 2010-05-02 15:17 1335048 ----a-w- c:\windows\Help\OEM\scripts\SamsungHDDFW1HC.exe
2010-04-08 20:48 . 2010-05-02 15:17 18184 ----a-w- c:\windows\Help\OEM\scripts\HPHC_BUY_BATTERY.exe
2010-04-08 20:48 . 2010-05-02 15:17 17160 ----a-w- c:\windows\Help\OEM\scripts\HPHCDisableObject.exe
2010-04-06 21:52 . 2010-05-02 15:17 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_Launch.exe
2010-04-05 17:01 . 2010-06-10 22:29 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-04-03 05:23 . 2010-04-03 05:23 79368 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\RUP\vista.exe
2010-04-03 05:23 . 2010-04-03 05:23 64000 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\gcapi_dll.dll
2010-04-03 05:23 . 2010-04-03 05:23 52288 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\gtapi.dll
2010-04-03 05:23 . 2010-04-03 05:23 50688 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\fftbapi.dll
2010-04-03 05:23 . 2010-04-03 05:23 49152 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\CarboniteCompatibility.dll
2010-04-03 05:23 . 2010-04-03 05:23 118784 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\compat.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"googletalk"="c:\users\vishwas\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Google Update"="c:\users\vishwas\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-06-22 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-24 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-09 202256]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-24 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-24 92704]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2010-3-4 41051]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):32,e4,12,78,5f,99,ca,01

R2 IBM Cognos 8;IBM Cognos 8;c:\program files\cognos\c8\bin\cogbootstrapservice.exe [2008-09-25 151552]
R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [2006-02-02 204800]
R3 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2010-03-04 24645]
R3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2008-07-10 218136]
R3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [2008-07-10 31256]
R3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2009-03-30 1113448]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [2010-03-11 25088]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-10 47128]
R4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [x]
S1 NEOFLTR_550_12491;Juniper Networks TDI Filter Driver (NEOFLTR_550_12491);c:\windows\system32\Drivers\NEOFLTR_550_12491.SYS [2007-12-26 64144]
S1 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
S2 IBM Cognos Content Database;IBM Cognos Content Database;c:\program files\cognos\c8\derby10.1.2.1\bin\derby.exe [2008-08-05 65536]
S2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [x]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2133174436-3653506040-417915026-1000Core.job
- c:\users\vishwas\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-22 01:15]

2010-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2133174436-3653506040-417915026-1000UA.job
- c:\users\vishwas\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-22 01:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\vishwas\AppData\Roaming\Mozilla\Firefox\Profiles\8ikdegag.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\vishwas\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\vishwas\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\users\vishwas\AppData\Roaming\Mozilla\Firefox\Profiles\8ikdegag.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\users\vishwas\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\users\vishwas\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-28 13:12
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-06-28 13:18:13
ComboFix-quarantined-files.txt 2010-06-28 18:18

Pre-Run: 31,925,329,920 bytes free
Post-Run: 32,189,026,304 bytes free

- - End Of File - - 32FC337B5E563E7ACA61804918635C7D


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:23 AM

Posted 28 June 2010 - 01:36 PM

Well done.
  1. Open notepad and copy/paste the text in the code box below into it:

    CODE
    http://www.bleepingcomputer.com/forums/t/326888/infected-with-redirecting-and-pop-up-malware/

    Collect::
    c:\windows\system32\iscsient.dll.vir
    c:\windows\system32\iscsient.dll

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]


    Save this as CFScript.txt





    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  2. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
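The findings Farbar's CFScript acts on are all visible in the "Reg Loading Points" and "LOCKED REGISTRY KEYS" sections of the first ComboFix log: EnableLUA=0 (UAC switched off), DisableMonitoring=1 under Security Center for Symantec products that are not even installed on a machine running Microsoft Security Essentials, and a class key whose ACL denies Users and Everyone. The helper below is an added example, not part of ComboFix or of this thread: it parses those two sections from a saved log, flags the weak settings, and writes the matching Registry::/RegLock:: fragment in exactly the CFScript syntax shown above ("name"=- to delete a value, RegLock:: to list keys whose ACL should be reset). The sample log embedded in it is constructed from lines of the first log; the finding kinds, regular expressions and function names are mine.

```python
"""Triage of the 'Reg Loading Points' and 'LOCKED REGISTRY KEYS' sections of a
ComboFix log (added example; not ComboFix's own code). Parses the REGEDIT4-style
text, flags settings that weaken the host, and emits the Registry::/RegLock::
fragment of a CFScript in the syntax used in the thread."""
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the first ComboFix log in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Google Update"="c:\users\vishwas\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-06-22 136176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):32,e4,12,78,5f,99,ca,01

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
DENIED_RE = re.compile(r"^@Denied:\s*\([^)]*\)\s*\((?P<who>[^)]+)\)")


@dataclass
class Finding:
    kind: str    # uac_disabled | monitoring_disabled | locked_key | profile_autorun
    key: str
    name: str
    detail: str


def parse_registry_lines(text):
    """Yield (key, kind, name, value); kind is 'value' or 'denied'."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = DENIED_RE.match(line)
        if m:
            yield key, "denied", m.group("who"), ""
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, "value", m.group("name"), m.group("value")


def triage(text):
    """Flag the settings in a log that an analyst would act on."""
    findings, locked = [], set()
    for key, kind, name, value in parse_registry_lines(text):
        k = key.lower()
        if kind == "denied":
            # ComboFix lists a key as locked when its ACL denies access broadly;
            # report each such key once, whichever denied principal is seen first.
            if name.lower() in ("everyone", "users") and key not in locked:
                locked.add(key)
                findings.append(Finding("locked_key", key, "", f"ACL denies {name}"))
        elif k.endswith("\\policies\\system") and name == "EnableLUA" and value.startswith("0"):
            findings.append(Finding("uac_disabled", key, name, "UAC is switched off"))
        elif ("\\security center\\monitoring" in k and name == "DisableMonitoring"
              and value.lower() == "dword:00000001"):
            findings.append(Finding("monitoring_disabled", key, name,
                                    "Security Center will not report AV/firewall state"))
        elif k.endswith("\\run") and "\\appdata\\" in value.lower():
            findings.append(Finding("profile_autorun", key, name,
                                    "autorun launched from a user-writable profile path"))
    return findings


def build_cfscript(findings):
    """Return the Registry::/RegLock:: fragment in the thread's CFScript syntax:
    '"name"=-' deletes a value, RegLock:: names keys whose ACL should be reset."""
    lines = []
    delete = [f for f in findings if f.kind == "monitoring_disabled"]
    if delete:
        lines.append("Registry::")
        for f in delete:
            lines += [f"[{f.key}]", f'"{f.name}"=-']
    locked = [f for f in findings if f.kind == "locked_key"]
    if locked:
        lines.append("RegLock::")
        lines += [f"[{f.key}]" for f in locked]
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:20} {f.name or '-':20} {f.detail}  ({f.key})")
    print(build_cfscript(found))
```

The helper emits only the two CFScript constructs the thread actually uses. It reports EnableLUA=0 but does not script a change, because whether UAC was turned off by the owner or by the infection is a question for the owner, not for a fix script. Run-key entries whose target lives under AppData are listed as informational only: GoogleUpdate.exe and googletalk.exe in this log are legitimate, but a user-writable profile path is also where droppers persist, so each such entry deserves a glance before the log is declared clean.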


#7 vishwas

vishwas
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:23 PM

Posted 28 June 2010 - 03:49 PM


ComboFix 10-06-27.06 - vishwas 06/28/2010 13:41:37.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.974 [GMT -5:00]
Running from: c:\users\vishwas\Desktop\ComboFix.exe
Command switches used :: c:\users\vishwas\Desktop\CFScript.txt
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\windows\system32\iscsient.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\iscsient.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.

2010-06-28 18:52 . 2010-06-28 18:56 -------- d-----w- c:\users\vishwas\AppData\Local\temp
2010-06-28 18:52 . 2010-06-28 18:52 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-26 03:53 . 2010-06-26 03:53 -------- d-----w- c:\users\vishwas\AppData\Roaming\DivX
2010-06-26 03:52 . 2010-06-26 03:52 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-06-26 03:47 . 2010-06-26 03:54 -------- d-----w- c:\programdata\DivX
2010-06-22 01:14 . 2010-06-22 01:14 -------- d-----w- c:\users\vishwas\AppData\Local\Apps
2010-06-22 01:14 . 2010-06-22 01:15 -------- d-----w- c:\users\vishwas\AppData\Local\Deployment
2010-06-11 18:42 . 2010-06-11 18:43 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-11 18:33 . 2010-06-11 18:33 -------- d-----r- C:\MSOCache
2010-06-10 22:28 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-10 22:28 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-07 16:15 . 2010-06-23 21:54 -------- d-----w- C:\cognos training
2010-06-05 20:12 . 2010-06-05 20:12 -------- d-----w- c:\program files\Microsoft Visual Studio .NET
2010-06-05 20:10 . 2010-06-05 20:13 -------- d-----w- C:\oraclexe
2010-06-04 23:20 . 2008-07-10 07:49 50200 ----a-w- c:\windows\system32\perf-ReportServer-rsctr.dll
2010-06-04 23:07 . 2008-07-10 07:49 79896 ----a-w- c:\windows\system32\perf-MSSQLSERVER-sqlctr10.0.1600.22.dll
2010-06-04 22:48 . 2010-06-04 22:48 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-06-04 20:21 . 2010-06-04 20:21 -------- d-----w- c:\program files\Apache Software Foundation
2010-06-04 19:10 . 2010-06-20 03:34 -------- d-----w- C:\SQL Server Enterprise 2008 x86+x64+ia64 en-us
2010-06-04 19:10 . 2010-06-04 19:10 -------- d-----w- c:\program files\Common Files\GSTools
2010-06-04 18:49 . 2010-06-04 18:49 -------- d-----w- c:\windows\system32\vers
2010-06-04 18:49 . 2008-09-22 20:06 24576 ----a-w- c:\windows\system32\NTEventLogAppender.dll
2010-06-04 18:39 . 2010-06-10 23:17 -------- d-----w- c:\program files\cognos
2010-06-03 06:22 . 2010-06-03 06:22 -------- d-----w- C:\Microsoft Office Enterprise 2007
2010-06-03 01:45 . 2010-06-15 16:35 -------- d-----w- C:\cognos

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 18:55 . 2010-01-19 18:22 80271 ----a-w- c:\programdata\nvModes.dat
2010-06-26 03:54 . 2010-06-26 03:54 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-26 03:54 . 2010-06-26 03:54 56765 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-26 03:54 . 2010-06-26 03:54 56997 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-06-26 03:54 . 2010-03-09 05:58 -------- d-----w- c:\program files\DivX
2010-06-26 03:54 . 2010-06-26 03:54 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-06-26 03:53 . 2010-06-26 03:53 57715 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-06-26 03:52 . 2010-06-26 03:52 84062 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-06-26 03:52 . 2010-06-26 03:52 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-06-26 03:52 . 2010-06-26 03:52 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-06-26 03:52 . 2010-06-26 03:52 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-06-26 03:52 . 2010-06-26 03:52 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-06-26 03:52 . 2010-06-26 03:52 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 54644 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-06-26 03:51 . 2010-06-26 03:51 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-06-26 03:51 . 2010-03-09 05:58 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-26 03:47 . 2010-06-26 03:54 1062184 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-06-26 03:47 . 2010-06-26 03:54 895256 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-06-23 21:05 . 2010-01-30 17:59 680 ----a-w- c:\users\vishwas\AppData\Local\d3d9caps.dat
2010-06-22 22:32 . 2010-01-18 10:51 -------- d-----w- c:\programdata\NOS
2010-06-22 17:19 . 2010-03-09 03:30 1 ----a-w- c:\users\vishwas\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-20 04:19 . 2010-01-20 00:37 164880 ---ha-w- c:\users\vishwas\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
2010-06-19 23:00 . 2007-08-04 10:35 -------- d-----w- c:\programdata\Microsoft Help
2010-06-19 06:43 . 2010-04-02 20:25 439816 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\setup.exe
2010-06-18 16:47 . 2010-02-02 22:35 -------- d-----w- c:\users\vishwas\AppData\Roaming\vlc
2010-06-14 00:14 . 2007-08-04 10:31 -------- d-----w- c:\program files\Microsoft Works
2010-06-14 00:08 . 2010-01-19 01:59 -------- d-----w- c:\program files\Microsoft
2010-06-14 00:06 . 2010-01-20 02:12 121728 ----a-w- c:\programdata\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2010-06-13 23:50 . 2010-01-20 01:10 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-11 19:13 . 2010-01-18 01:06 130112 ----a-w- c:\users\vishwas\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-11 18:52 . 2006-11-02 12:37 -------- d-----w- c:\program files\MSBuild
2010-06-11 04:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-08 04:21 . 2010-06-08 04:21 12 ----a-w- c:\users\vishwas\AppData\Roaming\gklupx.dat
2010-06-05 20:18 . 2007-08-04 09:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 23:18 . 2010-01-20 02:27 397664 ----a-w- c:\programdata\Microsoft\VSTAHost\SSIS_ScriptComponent\9.0\1033\ResourceCache.dll
2010-06-04 23:18 . 2010-01-20 02:26 397664 ----a-w- c:\programdata\Microsoft\VSTAHost\SSIS_ScriptTask\9.0\1033\ResourceCache.dll
2010-06-04 22:41 . 2007-08-04 10:36 -------- d-----w- c:\program files\Microsoft.NET
2010-06-04 21:10 . 2010-04-18 06:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-04 20:42 . 2010-04-08 04:42 -------- d-----w- c:\program files\Veoh Networks
2010-06-04 20:37 . 2010-02-01 08:41 -------- d-----w- c:\users\vishwas\AppData\Roaming\uTorrent
2010-06-04 02:31 . 2010-05-06 22:57 -------- d-----w- c:\programdata\Skype
2010-06-04 02:22 . 2010-03-22 02:22 -------- d-----w- c:\program files\TeamViewer
2010-06-03 19:23 . 2010-06-03 19:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-05-28 21:20 . 2010-05-06 22:57 -------- d-----w- c:\users\vishwas\AppData\Roaming\Skype
2010-05-28 20:53 . 2010-05-06 23:02 -------- d-----w- c:\users\vishwas\AppData\Roaming\skypePM
2010-05-21 19:14 . 2010-01-18 07:08 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-05-07 17:55 . 2010-05-07 17:55 255472 ----a-w- c:\users\vishwas\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-05-07 14:18 . 2010-05-07 14:18 20854256 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\rp\RealPlayerSPGold.exe
2010-05-06 23:02 . 2010-05-06 23:02 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-05-06 22:55 . 2010-01-19 21:29 -------- d-----w- c:\users\vishwas\AppData\Roaming\Yahoo!
2010-05-04 05:59 . 2010-06-10 22:29 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-10 22:29 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-10 22:29 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-10 22:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-10 22:29 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 18:40 . 2007-02-06 23:03 133616 ----a-w- c:\windows\system32\PxAFS.DLL
2010-04-23 14:13 . 2010-05-25 17:58 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-23 10:22 . 2010-04-23 10:22 2898232 ----a-w- c:\users\vishwas\AppData\Roaming\Mozilla\Firefox\Profiles\8ikdegag.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2010-04-05 17:01 . 2010-06-10 22:29 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-04-03 05:23 . 2010-04-03 05:23 79368 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\RUP\vista.exe
2010-04-03 05:23 . 2010-04-03 05:23 64000 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\gcapi_dll.dll
2010-04-03 05:23 . 2010-04-03 05:23 52288 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\gtapi.dll
2010-04-03 05:23 . 2010-04-03 05:23 50688 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\fftbapi.dll
2010-04-03 05:23 . 2010-04-03 05:23 49152 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\CarboniteCompatibility.dll
2010-04-03 05:23 . 2010-04-03 05:23 118784 ----a-w- c:\users\vishwas\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\compat.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"googletalk"="c:\users\vishwas\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Google Update"="c:\users\vishwas\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-06-22 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-24 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-09 202256]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-24 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-24 92704]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2010-3-4 41051]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):32,e4,12,78,5f,99,ca,01

R2 IBM Cognos 8;IBM Cognos 8;c:\program files\cognos\c8\bin\cogbootstrapservice.exe [2008-09-25 151552]
R3 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2010-03-04 24645]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
R3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2008-07-10 218136]
R3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [2008-07-10 31256]
R3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2009-03-30 1113448]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [2010-03-11 25088]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-10 47128]
R4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [x]
S1 NEOFLTR_550_12491;Juniper Networks TDI Filter Driver (NEOFLTR_550_12491);c:\windows\system32\Drivers\NEOFLTR_550_12491.SYS [2007-12-26 64144]
S1 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
S2 IBM Cognos Content Database;IBM Cognos Content Database;c:\program files\cognos\c8\derby10.1.2.1\bin\derby.exe [2008-08-05 65536]
S2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [x]
S2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [2006-02-02 204800]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2133174436-3653506040-417915026-1000Core.job
- c:\users\vishwas\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-22 01:15]

2010-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2133174436-3653506040-417915026-1000UA.job
- c:\users\vishwas\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-22 01:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\vishwas\AppData\Roaming\Mozilla\Firefox\Profiles\8ikdegag.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2164)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\WLANExt.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-06-28 14:07:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-28 19:06
ComboFix2.txt 2010-06-28 18:18

Pre-Run: 32,219,205,632 bytes free
Post-Run: 31,964,626,944 bytes free

- - End Of File - - 5ACB43ACFA2138605759629E977878CD

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4251

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

6/28/2010 3:21:59 PM
mbam-log-2010-06-28 (15-21-59).txt

Scan type: Quick scan
Objects scanned: 136980
Time elapsed: 5 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 June 2010 - 04:05 PM

  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download JavaRa from Javara for Java update or directly from here.
    Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 Update 20. Please uninstall any remaining versions if the tool could not uninstall them (look for any entry in Add/Remove that contains Java, JRE or Java Runtime); they are:

    Java™ 6 Update 18
    Java™ SE Runtime Environment 6


  2. Tell me also how your computer is running.
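
The check described in the post above, as an added example (this script is not from the thread, from Farbar, or from JavaRa): it enumerates the Uninstall registry keys that Add/Remove Programs is built from (32-bit and 64-bit views, per-machine and per-user), keeps every entry whose name contains Java or JRE, and flags those older than a reference release. The reference version (Java 6 Update 20, written as 6.0.200), the assumption that JRE entries carry a DisplayVersion in either "6.0.180" or "1.6.0.180" form, and the assumption that an MSI product code appears in the UninstallString are all mine, not stated on the page.

```powershell
# Added example, not part of the original thread or of JavaRa.
# Lists the Java entries Add/Remove Programs would show and flags those
# older than a reference release. Assumptions: the reference below is
# Java 6 Update 20 (6.0.200); JRE DisplayVersion values look like "6.0.180"
# or "1.6.0.180"; Sun/Oracle JRE entries are MSI installs whose
# UninstallString contains the product GUID.
$Reference   = [version]'6.0.200'
$DoUninstall = $false   # set to $true to actually remove outdated MSI-based entries

$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function ConvertTo-JavaVersion {
    # Normalise "1.6.0.180" to "6.0.180" so both forms compare as the same release.
    param([string]$Text)
    $v = $null
    if (-not [version]::TryParse($Text, [ref]$v)) { return $null }
    if ($v.Major -eq 1 -and $v.Revision -ge 0) {
        return [version]("{0}.{1}.{2}" -f $v.Minor, $v.Build, $v.Revision)
    }
    return $v
}

$JavaEntries = foreach ($root in $UninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty -Path $key.PSPath
        # The criterion from the post: any entry whose name contains Java, JRE or Java Runtime.
        if ($p.DisplayName -match 'Java|JRE') {
            $v = ConvertTo-JavaVersion $p.DisplayVersion
            New-Object PSObject -Property @{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                Parsed          = $v
                Outdated        = ($null -ne $v -and $v -lt $Reference)
                UninstallString = $p.UninstallString
                RegistryKey     = $key.PSPath
            }
        }
    }
}

$JavaEntries | Sort-Object Parsed | Format-Table DisplayName, DisplayVersion, Outdated -AutoSize

# Outdated JRE builds installed via MSI can be removed unattended with msiexec /X
# and the product code from their UninstallString. Entries without a GUID, or
# whose version could not be parsed, are only reported, never touched.
foreach ($e in ($JavaEntries | Where-Object { $_.Outdated })) {
    $m = [regex]::Match([string]$e.UninstallString, '\{[0-9A-Fa-f-]{36}\}')
    if (-not $m.Success) {
        Write-Warning "No MSI product code for '$($e.DisplayName)'; uninstall it via Add/Remove Programs."
        continue
    }
    if ($DoUninstall) {
        Write-Host "Removing $($e.DisplayName) ($($e.DisplayVersion))"
        Start-Process -FilePath msiexec.exe -ArgumentList "/X$($m.Value) /qn /norestart" -Wait
    } else {
        Write-Host "Would run: msiexec.exe /X$($m.Value) /qn /norestart   # $($e.DisplayName)"
    }
}
```

Run it from an elevated PowerShell prompt; with `$DoUninstall` left at `$false` it only reports what it would remove, which is the safer first pass before letting it call msiexec.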


#9 vishwas

vishwas
  • Topic Starter

  • Members
  • 13 posts

Posted 28 June 2010 - 06:27 PM

Hi...
I uninstalled the older version of Java.....

Also, my system seems to work fine now...not experiencing any redirects now...should I do anything else?

thanks for the help...

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 June 2010 - 06:42 PM

It looks good.
  1. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  2. You may delete any tool or log we used from your computer.


Recommendations:
  1. I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  2. I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once every two or three weeks and enable all protection again.

Happy surfing, vishwas.

#11 vishwas

vishwas
  • Topic Starter

  • Members
  • 13 posts

Posted 28 June 2010 - 06:55 PM

Hi...

Thanks for all the help....I did uninstall ComboFix...

If the problem resurfaces...how do I contact you?


Vishwas

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 June 2010 - 06:59 PM

I'm here till July 8 and then go on vacation for 4 weeks. Before or after that, send me a PM and I will reopen this thread.

And you are very welcome.

This thread will now be closed since the issue seems to be resolved.

If you should have a new issue, please start a new topic.
