
W32.Unruy!gen1, attempted attacks and iexplore pop up ads


This topic is locked
33 replies to this topic

#1 AtticusKZ

AtticusKZ

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 01 July 2010 - 12:07 AM

Hello,

Recently in the past week I have been getting iexplore pop up ads come up even when I'm not doing anything on the computer. Then the Norton 360 was alerting that W32.Unruy!gen1 was a threat in the computer and it would get rid of the threat, but a minute later it would alert again. Other things that Norton 360 alerted to and blocked were numerous alerts for 'smss.exe (smss.exe) detected by SONAR' and 'services.exe (W32.Unruy!gen1) detected by Auto-Protect' as well as blocking/removing a couple different Trojans. All these high risk ones started around June 17th from what the history says.

I am also getting alerts that 'a recent attempt to attack my computer was blocked' (these come up mostly when I do things online). Norton's history report has High blocked intrusion attempts frequently every hour since June 27th.

Also one other problem is the computer doesn't always want to start up and last time it looped the start-up 3 times before finally starting up normal.

I did a full system scan and it got rid of a few minor threats, but also 4 viruses. There were still problems so I went ahead and

Hello,

(I posted this once before, but half of my post was missing. I am new to this so sorry for any issues!).

My computer is infected with W32.Unruy!gen1. Norton 360 continuously shows alerts of blocking smss.exe (W32.Unruy!gen1) and services.exe (W32.Unruy!gen1). There have also been different blocked Trojans reported on the security history.

I continuously get alerts of Norton blocking attempted attacks on my computer while I am online. I was also getting iexplore pop up ads for no reason, but those seemed to have stopped.

Sometimes the computer has trouble starting up and last time it looped the start-up 3 times before finally loading all the way. The computer also freezes up after being on for an extended amount of time (over a few hours).

I did a full system scan while in SafeMode (with system restore disabled) per the instructions I received while troubleshooting for help (with Norton 360), but no threats were found and I still have W32.Unruy!gen1 showing up.

Here are the scans of my computer that you recommend posting while asking for help. Thanks in advance and I really hope you can help me!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Kristin at 23:00:09.01 on Wed 06/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1753 [GMT -4:00]

AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k%

Merged two topics then the posts removing duplicate attachments. ~ OB



Edited by Orange Blossom, 01 July 2010 - 08:04 PM.



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:52 AM

Posted 05 July 2010 - 03:16 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please Do not Attach logs or put in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread upload them here http://www.rapidshare.com/ and post the links in this thread

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** You may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


information and logs:
    In your next post I need the following
      1. logs from DDS
      2. RKUnHooker
      3. let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 AtticusKZ

AtticusKZ
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 06 July 2010 - 07:22 PM

Hello Gringo,

Thank you so much for the help. Nothing much has changed as far as what's going wrong on the computer, but I did forget to mention that I get re-directed while using Google search. Not always, but a lot of the time. Other than that, it's about the same.

Here's the new scans; thank you!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Kristin at 20:11:07.70 on Tue 07/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1918 [GMT -4:00]

AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:




#4 AtticusKZ

AtticusKZ
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 06 July 2010 - 07:34 PM

Okay,

It is still not letting me post the DDS or the RK Unhooker report so here are the links from the RapidShare website. I did have trouble loading them onto that website too. Firefox would not let the page load anything and Internet Explorer didn't show everything (needed Java to run the site). I hope these work....


http://rapidshare.com/files/405401977/DDS.txt


http://rapidshare.com/files/405402006/Report.txt

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:52 AM

Posted 06 July 2010 - 07:39 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


#6 AtticusKZ

AtticusKZ
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 06 July 2010 - 09:34 PM

Okay, here's the combofix log. I put it as an attachment also since I am having trouble posting things.

The Norton 360 opened saying that W32.Unruy!gen1 has been detected and to close all open files. Am I able to turn the antivirus/firewall back on or wait until all is finished/fixed?

I am now getting the iexplore pop-ups again which had stopped for a while before. There still seems to be a problem.

ComboFix 10-07-06.02 - Kristin 07/06/2010 21:29:57.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2182 [GMT -4:00]
Running from: c:\documents and settings\Kristin\Desktop\ComboFix.exe
AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kristin\GoToAssistDownloadHelper.exe
c:\windows\system32\AutoRun.inf

Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))
.

2010-06-27 22:57 . 2010-06-27 22:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-27 22:57 . 2010-06-27 22:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-27 21:44 . 2010-06-27 21:44 -------- d-----w- c:\program files\Enigma Software Group
2010-06-27 21:44 . 2010-06-27 22:14 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-27 21:43 . 2010-06-27 21:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-27 21:01 . 2010-06-27 21:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-27 05:59 . 2010-06-27 05:59 -------- d-sh--w- c:\documents and settings\Administrator.HART-6B609F3DAE.000\IETldCache
2010-06-27 05:59 . 2010-06-27 05:59 -------- d-----w- c:\documents and settings\Administrator.HART-6B609F3DAE.000\Application Data\Tific
2010-06-27 05:19 . 2010-06-27 05:19 503808 ----a-w- c:\documents and settings\Kristin\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4e286a6e-n\msvcp71.dll
2010-06-27 05:19 . 2010-06-27 05:19 499712 ----a-w- c:\documents and settings\Kristin\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4e286a6e-n\jmc.dll
2010-06-27 05:19 . 2010-06-27 05:19 348160 ----a-w- c:\documents and settings\Kristin\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4e286a6e-n\msvcr71.dll
2010-06-27 05:16 . 2010-06-27 05:16 -------- d-----w- c:\documents and settings\Kristin\Application Data\Tific
2010-06-27 05:00 . 2010-06-27 05:00 503808 ----a-w- c:\documents and settings\Cathy\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4fadee64-n\msvcp71.dll
2010-06-27 05:00 . 2010-06-27 05:00 499712 ----a-w- c:\documents and settings\Cathy\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4fadee64-n\jmc.dll
2010-06-27 05:00 . 2010-06-27 05:00 348160 ----a-w- c:\documents and settings\Cathy\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4fadee64-n\msvcr71.dll
2010-06-22 02:12 . 2010-06-22 02:14 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-17 23:36 . 2010-06-17 23:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-06-17 23:35 . 2010-06-17 23:35 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-16 01:52 . 2010-06-16 01:52 50354 ----a-w- c:\documents and settings\Cathy\Application Data\Facebook\uninstall.exe
2010-06-16 01:52 . 2010-06-16 01:52 -------- d-----w- c:\documents and settings\Cathy\Application Data\Facebook
2010-06-11 19:04 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Cathy\Application Data\Facebook\npfbplugin_1_0_3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 04:05 . 2009-06-07 02:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-02 00:52 . 2009-02-19 15:19 1 ----a-w- c:\documents and settings\Kristin\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-20 02:01 . 2009-11-02 04:25 1 ----a-w- c:\documents and settings\Cathy\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-06 10:41 . 2008-04-14 03:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-06 04:01 . 2010-05-21 00:13 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-05-02 05:22 . 2008-04-13 23:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 05:03 . 2010-05-21 00:13 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-04-22 03:02 . 2010-05-21 00:13 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-04-22 02:29 . 2010-05-21 00:13 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-04-20 05:30 . 2008-04-14 03:39 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

c:\documents and settings\Cathy\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-09-05 00:38 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-10-18 20:27 455968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 18:01 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-02-18 19:42 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ImapiService"=3 (0x3)
"FlipShare Service"=2 (0x2)
"ERSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\symds.sys [5/20/2010 8:13 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\symefa.sys [5/20/2010 8:13 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100619.001\BHDrvx86.sys [6/22/2010 7:42 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys [5/20/2010 8:13 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys [5/20/2010 8:13 PM 116784]
R2 N360;Norton 360;c:\program files\Norton 360 Premier Edition\Engine\4.2.0.12\ccsvchst.exe [5/20/2010 8:13 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/26/2010 10:56 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100706.002\IDSXpx86.sys [7/6/2010 3:09 AM 331640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-10-18 20:25 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.modelhorsesalespages.com/sales/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: live.com\onecare
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com\download
FF - ProfilePath - c:\documents and settings\Kristin\Application Data\Mozilla\Firefox\Profiles\g5mxtflf.default\
FF - prefs.js: browser.startup.homepage - www.modelhorsesalespages.com
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-Marine Aquarium 2, Sharks & Carousel Bundle - c:\program files\Prolific Publishing



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-06 21:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360 Premier Edition\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,2d,e6,89,5d,63,83,4c,aa,ea,62,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,2d,e6,89,5d,63,83,4c,aa,ea,62,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2010-07-06 21:46:28
ComboFix-quarantined-files.txt 2010-07-07 01:46

Pre-Run: 62,319,439,872 bytes free
Post-Run: 62,631,448,576 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 455C82DA54181FFA68F5514FDE5040F8




#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:52 AM

Posted 06 July 2010 - 09:52 PM

Hello

Looks like you have several nasty rootkits onboard.

I need you to do this next - it won't fix anything but gives me some info that I need


MBRCheck

Please also download MBRCheck to your desktop
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • Right click on the screen and select > Select All
  • Press Control+C
  • Open a notepad and press Control+V
  • Now please copy that report to this thread


Gringo

#8 AtticusKZ

AtticusKZ
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 06 July 2010 - 09:56 PM

Okay, here's that report:

ComboFix 10-07-06.02 - Kristin 07/06/2010 21:29:57.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2182 [GMT -4:00]
Running from: c:\documents and settings\Kristin\Desktop\ComboFix.exe
AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kristin\GoToAssistDownloadHelper.exe
c:\windows\system32\AutoRun.inf

Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))
.

2010-06-27 22:57 . 2010-06-27 22:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-27 22:57 . 2010-06-27 22:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-27 21:44 . 2010-06-27 21:44 -------- d-----w- c:\program files\Enigma Software Group
2010-06-27 21:44 . 2010-06-27 22:14 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-27 21:43 . 2010-06-27 21:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-27 21:01 . 2010-06-27 21:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-27 05:59 . 2010-06-27 05:59 -------- d-sh--w- c:\documents and settings\Administrator.HART-6B609F3DAE.000\IETldCache
2010-06-27 05:59 . 2010-06-27 05:59 -------- d-----w- c:\documents and settings\Administrator.HART-6B609F3DAE.000\Application Data\Tific
2010-06-27 05:19 . 2010-06-27 05:19 503808 ----a-w- c:\documents and settings\Kristin\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4e286a6e-n\msvcp71.dll
2010-06-27 05:19 . 2010-06-27 05:19 499712 ----a-w- c:\documents and settings\Kristin\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4e286a6e-n\jmc.dll
2010-06-27 05:19 . 2010-06-27 05:19 348160 ----a-w- c:\documents and settings\Kristin\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4e286a6e-n\msvcr71.dll
2010-06-27 05:16 . 2010-06-27 05:16 -------- d-----w- c:\documents and settings\Kristin\Application Data\Tific
2010-06-27 05:00 . 2010-06-27 05:00 503808 ----a-w- c:\documents and settings\Cathy\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4fadee64-n\msvcp71.dll
2010-06-27 05:00 . 2010-06-27 05:00 499712 ----a-w- c:\documents and settings\Cathy\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4fadee64-n\jmc.dll
2010-06-27 05:00 . 2010-06-27 05:00 348160 ----a-w- c:\documents and settings\Cathy\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4fadee64-n\msvcr71.dll
2010-06-22 02:12 . 2010-06-22 02:14 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-17 23:36 . 2010-06-17 23:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-06-17 23:35 . 2010-06-17 23:35 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-16 01:52 . 2010-06-16 01:52 50354 ----a-w- c:\documents and settings\Cathy\Application Data\Facebook\uninstall.exe
2010-06-16 01:52 . 2010-06-16 01:52 -------- d-----w- c:\documents and settings\Cathy\Application Data\Facebook
2010-06-11 19:04 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Cathy\Application Data\Facebook\npfbplugin_1_0_3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 04:05 . 2009-06-07 02:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-02 00:52 . 2009-02-19 15:19 1 ----a-w- c:\documents and settings\Kristin\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-20 02:01 . 2009-11-02 04:25 1 ----a-w- c:\documents and settings\Cathy\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-06 10:41 . 2008-04-14 03:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-06 04:01 . 2010-05-21 00:13 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-05-02 05:22 . 2008-04-13 23:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 05:03 . 2010-05-21 00:13 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-04-22 03:02 . 2010-05-21 00:13 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-04-22 02:29 . 2010-05-21 00:13 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-04-20 05:30 . 2008-04-14 03:39 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

c:\documents and settings\Cathy\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-09-05 00:38 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-10-18 20:27 455968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 18:01 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-02-18 19:42 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ImapiService"=3 (0x3)
"FlipShare Service"=2 (0x2)
"ERSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\symds.sys [5/20/2010 8:13 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\symefa.sys [5/20/2010 8:13 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100619.001\BHDrvx86.sys [6/22/2010 7:42 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys [5/20/2010 8:13 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys [5/20/2010 8:13 PM 116784]
R2 N360;Norton 360;c:\program files\Norton 360 Premier Edition\Engine\4.2.0.12\ccsvchst.exe [5/20/2010 8:13 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/26/2010 10:56 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100706.002\IDSXpx86.sys [7/6/2010 3:09 AM 331640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-10-18 20:25 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.modelhorsesalespages.com/sales/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: live.com\onecare
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com\download
FF - ProfilePath - c:\documents and settings\Kristin\Application Data\Mozilla\Firefox\Profiles\g5mxtflf.default\
FF - prefs.js: browser.startup.homepage - www.modelhorsesalespages.com
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-Marine Aquarium 2, Sharks & Carousel Bundle - c:\program files\Prolific Publishing



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-06 21:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360 Premier Edition\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,2d,e6,89,5d,63,83,4c,aa,ea,62,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,2d,e6,89,5d,63,83,4c,aa,ea,62,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2010-07-06 21:46:28
ComboFix-quarantined-files.txt 2010-07-07 01:46

Pre-Run: 62,319,439,872 bytes free
Post-Run: 62,631,448,576 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 455C82DA54181FFA68F5514FDE5040F8


#9 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 July 2010 - 09:58 PM

Hello

You sent me the ComboFix report again - please try again.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 AtticusKZ

AtticusKZ
  • Topic Starter

  • Members
  • 25 posts

Posted 06 July 2010 - 10:03 PM

I thought it looked familiar. It wasn't letting me select anything else for a bit there. Here's the new one:

MBRCheck, version 1.0.0
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown MBR code


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

#11 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 July 2010 - 10:14 PM

Hello

Yep that is the report I need

Print out these instructions to use while in the Recovery Console: (This is for XP only)
    1. Restart your computer.
    2. Before Windows loads, you will be prompted to choose which Operating System to start.
    3. Use the up and down arrow keys to select Microsoft Windows Recovery Console.
    4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
    5. At the C:\Windows prompt, type the following bolded entries, and press 'Enter' (note the spaces):
    • fixmbr

Please reboot the computer twice, and after that rerun ComboFix for me and let me have the log please.

Also, have you had problems with sound lately?

Gringo

#12 AtticusKZ

AtticusKZ
  • Topic Starter

  • Members
  • 25 posts

Posted 06 July 2010 - 10:17 PM

Okay, I'll do that and get back to you. And YES I have had issues with sound! Didn't even think about that. It's all hooked up correctly and I don't get any sound at all.

#13 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 July 2010 - 10:21 PM

OK, I'll be here.

#14 AtticusKZ

AtticusKZ
  • Topic Starter

  • Members
  • 25 posts

Posted 06 July 2010 - 10:52 PM

Here's the new combofix scan:

ComboFix 10-07-06.02 - Kristin 07/06/2010 23:41:04.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2174 [GMT -4:00]
Running from: c:\documents and settings\Kristin\Desktop\ComboFix.exe
AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))
.

2010-06-27 22:57 . 2010-06-27 22:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-27 22:57 . 2010-06-27 22:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-27 21:44 . 2010-06-27 21:44 -------- d-----w- c:\program files\Enigma Software Group
2010-06-27 21:44 . 2010-06-27 22:14 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-27 21:43 . 2010-06-27 21:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-27 21:01 . 2010-06-27 21:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-27 05:59 . 2010-06-27 05:59 -------- d-sh--w- c:\documents and settings\Administrator.HART-6B609F3DAE.000\IETldCache
2010-06-27 05:59 . 2010-06-27 05:59 -------- d-----w- c:\documents and settings\Administrator.HART-6B609F3DAE.000\Application Data\Tific
2010-06-27 05:19 . 2010-06-27 05:19 503808 ----a-w- c:\documents and settings\Kristin\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4e286a6e-n\msvcp71.dll
2010-06-27 05:19 . 2010-06-27 05:19 499712 ----a-w- c:\documents and settings\Kristin\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4e286a6e-n\jmc.dll
2010-06-27 05:19 . 2010-06-27 05:19 348160 ----a-w- c:\documents and settings\Kristin\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4e286a6e-n\msvcr71.dll
2010-06-27 05:16 . 2010-06-27 05:16 -------- d-----w- c:\documents and settings\Kristin\Application Data\Tific
2010-06-27 05:00 . 2010-06-27 05:00 503808 ----a-w- c:\documents and settings\Cathy\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4fadee64-n\msvcp71.dll
2010-06-27 05:00 . 2010-06-27 05:00 499712 ----a-w- c:\documents and settings\Cathy\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4fadee64-n\jmc.dll
2010-06-27 05:00 . 2010-06-27 05:00 348160 ----a-w- c:\documents and settings\Cathy\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4fadee64-n\msvcr71.dll
2010-06-22 02:12 . 2010-06-22 02:14 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-17 23:36 . 2010-06-17 23:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-06-17 23:35 . 2010-06-17 23:35 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-16 01:52 . 2010-06-16 01:52 50354 ----a-w- c:\documents and settings\Cathy\Application Data\Facebook\uninstall.exe
2010-06-16 01:52 . 2010-06-16 01:52 -------- d-----w- c:\documents and settings\Cathy\Application Data\Facebook
2010-06-11 19:04 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Cathy\Application Data\Facebook\npfbplugin_1_0_3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 04:05 . 2009-06-07 02:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-02 00:52 . 2009-02-19 15:19 1 ----a-w- c:\documents and settings\Kristin\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-20 02:01 . 2009-11-02 04:25 1 ----a-w- c:\documents and settings\Cathy\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-06 10:41 . 2008-04-14 03:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-06 04:01 . 2010-05-21 00:13 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-05-02 05:22 . 2008-04-13 23:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 05:03 . 2010-05-21 00:13 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-04-22 03:02 . 2010-05-21 00:13 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-04-22 02:29 . 2010-05-21 00:13 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-04-20 05:30 . 2008-04-14 03:39 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-07_01.42.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-07 03:37 . 2010-07-07 03:37 16384 c:\windows\Temp\Perflib_Perfdata_5a4.dat
- 2009-02-18 19:38 . 2010-07-07 01:38 81920 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-18 19:38 . 2010-07-07 03:26 81920 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-07-07 03:26 . 2010-07-07 03:30 69632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5E73300C-8977-11DF-961E-0007E96FED36}.dat
+ 2010-06-18 00:18 . 2010-07-07 03:26 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2010-06-18 00:18 . 2010-07-07 01:33 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2010-06-17 23:35 . 2010-07-07 03:25 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2010-06-17 23:35 . 2010-07-07 01:33 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-02-18 19:38 . 2010-07-07 03:26 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-18 19:38 . 2010-07-07 01:38 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-07-07 03:26 . 2010-07-07 03:29 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{5E73300B-8977-11DF-961E-0007E96FED36}.dat
+ 2010-06-17 23:36 . 2010-07-07 03:26 1884160 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2009-02-18 19:38 . 2010-07-07 03:25 5832704 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

c:\documents and settings\Cathy\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-09-05 00:38 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-10-18 20:27 455968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 18:01 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-02-18 19:42 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ImapiService"=3 (0x3)
"FlipShare Service"=2 (0x2)
"ERSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\symds.sys [5/20/2010 8:13 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\symefa.sys [5/20/2010 8:13 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100619.001\BHDrvx86.sys [6/22/2010 7:42 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys [5/20/2010 8:13 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys [5/20/2010 8:13 PM 116784]
R2 N360;Norton 360;c:\program files\Norton 360 Premier Edition\Engine\4.2.0.12\ccsvchst.exe [5/20/2010 8:13 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/26/2010 10:56 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100706.003\IDSXpx86.sys [7/6/2010 10:02 PM 331640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-10-18 20:25 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.modelhorsesalespages.com/sales/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: live.com\onecare
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com\download
FF - ProfilePath - c:\documents and settings\Kristin\Application Data\Mozilla\Firefox\Profiles\g5mxtflf.default\
FF - prefs.js: browser.startup.homepage - www.modelhorsesalespages.com
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-06 23:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360 Premier Edition\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,2d,e6,89,5d,63,83,4c,aa,ea,62,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,2d,e6,89,5d,63,83,4c,aa,ea,62,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(1760)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-06 23:50:49
ComboFix-quarantined-files.txt 2010-07-07 03:50
ComboFix2.txt 2010-07-07 01:46

Pre-Run: 62,653,452,288 bytes free
Post-Run: 62,630,436,864 bytes free

- - End Of File - - 2D7949650D7D1F1A8401B701EC911036


#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 06 July 2010 - 11:00 PM

Hello

I want you to rerun this for me before I move on.

MBRCheck

Please also download MBRCheck to your desktop.
  • Double-click MBRCheck.exe to run it (Vista and Win 7: right-click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • Right-click on the screen and select > Select All.
  • Press Control+C.
  • Open Notepad and press Control+V.
  • Now please copy that report to this thread.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University