Redirect/Trojan infection possibly


1 reply to this topic

#1 reichstitch


Posted 13 July 2010 - 10:36 AM

Hello,

The computer guy at our office told me to run Combofix and that's why I'm on this forum now. Below is the Combofix log that I've been instructed to post on this site. Hopefully things aren't horrible! Please help!!! Thanks!!!

ComboFix 10-07-12.06 - Owner 07/13/2010 9:27.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.172 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\BackUp
c:\windows\BackUp\Backup.bkf
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\MailSwitch.ocx
c:\windows\system32\6to4v32.dll
c:\windows\system32\B1KPkoi8.dll
c:\windows\system32\bOk6835V.exe.a_a
c:\windows\system32\certstore.dat
c:\windows\system32\No3kOK5T.exe.a_a
c:\windows\xpsp1hfm.log
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))
.

2010-07-13 09:29 . 2010-07-13 09:29 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-13 09:28 . 2010-07-13 09:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-13 14:11 . 2009-02-09 15:23 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-07-09 15:23 . 2009-06-22 19:25 -------- d-----w- c:\program files\EZ-Filing
2010-06-07 13:26 . 2006-06-27 14:45 -------- d-----w- c:\program files\Java
2010-05-04 17:20 . 2004-08-26 16:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-26 16:11 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-26 16:12 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-26 16:11 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"nwiz"="nwiz.exe" [2005-09-18 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2006-07-21 407032]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-06-27 26112]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-6-10 25214]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-8-17 54512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2005-06-23 16:24 50776 ----a-w- c:\program files\America Online 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-10-19 00:42 79448 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1151419726\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 01:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-09-26 22:07 90112 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 19:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
2006-07-21 22:19 129536 ----a-w- c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1151419726\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/16/2007 11:36 AM 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 12:39 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-13 c:\windows\Tasks\At1.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-13 c:\windows\Tasks\At10.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-12 c:\windows\Tasks\At11.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-12 c:\windows\Tasks\At12.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-12 c:\windows\Tasks\At13.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-12 c:\windows\Tasks\At14.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-12 c:\windows\Tasks\At15.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-12 c:\windows\Tasks\At16.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-12 c:\windows\Tasks\At17.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-12 c:\windows\Tasks\At18.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-12 c:\windows\Tasks\At19.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-13 c:\windows\Tasks\At2.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-13 c:\windows\Tasks\At20.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-13 c:\windows\Tasks\At21.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-13 c:\windows\Tasks\At22.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-13 c:\windows\Tasks\At23.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-13 c:\windows\Tasks\At24.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-13 c:\windows\Tasks\At25.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At26.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At27.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At28.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At29.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At3.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-13 c:\windows\Tasks\At30.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At31.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At32.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At33.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At34.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-12 c:\windows\Tasks\At35.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-12 c:\windows\Tasks\At36.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-12 c:\windows\Tasks\At37.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-12 c:\windows\Tasks\At38.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-12 c:\windows\Tasks\At39.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At4.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-12 c:\windows\Tasks\At40.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-12 c:\windows\Tasks\At41.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-12 c:\windows\Tasks\At42.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-12 c:\windows\Tasks\At43.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At44.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At45.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At46.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At47.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At48.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At5.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-13 c:\windows\Tasks\At6.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-13 c:\windows\Tasks\At7.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-13 c:\windows\Tasks\At8.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-13 c:\windows\Tasks\At9.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-12 c:\windows\Tasks\doc backup.job
- c:\windows\system32\ntbackup.exe [2001-08-18 12:36]

2010-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 17:39]

2010-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 17:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\98nu6is1.default\
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-13 09:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2644)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\progra~1\MICROS~4\wcescomm.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-07-13 09:58:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-13 14:58

Pre-Run: 55,728,545,792 bytes free
Post-Run: 57,995,177,984 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5D8947CFE538C1DE3A4619086E5BE7B4
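The "Scheduled Tasks" section of the log above is the clearest persistence signal in it: 48 jobs named At1.job through At48.job, the names at.exe assigns, all pointing at two randomly named executables in system32 (No3kOK5T.exe and bOk6835V.exe), which ComboFix quarantined as the .a_a copies listed under "Other Deletions". The script below is an added example, not part of the original post and not ComboFix code: it parses that section's layout (date plus .job path, then "- target [timestamp]") and flags targets that are run by AtN.job tasks, live in system32 and have a random-looking name. The sample text is constructed from a handful of entries in the log, and the "random-looking name" rule (8 alphanumerics mixing upper case, lower case and digits) is this example's own heuristic, not a documented rule.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample in the layout ComboFix uses for its "Scheduled Tasks"
# section. It mirrors a few entries from the log above; it is not the full log.
SAMPLE_TASKS = r"""
Contents of the 'Scheduled Tasks' folder

2010-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-13 c:\windows\Tasks\At1.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-13 c:\windows\Tasks\At2.job
- c:\windows\system32\No3kOK5T.exe [2008-08-18 20:22]

2010-07-13 c:\windows\Tasks\At25.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-13 c:\windows\Tasks\At26.job
- c:\windows\system32\bOk6835V.exe [2008-08-18 06:46]

2010-07-12 c:\windows\Tasks\doc backup.job
- c:\windows\system32\ntbackup.exe [2001-08-18 12:36]
"""

JOB_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\.job)$", re.IGNORECASE)
TARGET_LINE = re.compile(r"^- (.+?) \[([^\]]+)\]$")
AT_JOB = re.compile(r"^At\d+\.job$", re.IGNORECASE)   # names at.exe assigns


class ScheduledTask(NamedTuple):
    date: str
    job: str      # e.g. "At1.job"
    target: str   # executable the task runs
    stamp: str    # file timestamp ComboFix prints in brackets


def parse_tasks(text: str) -> list[ScheduledTask]:
    """Pair each '<date> <path>.job' line with the '- <target> [stamp]' line
    that follows it. Lines that do not fit the layout are skipped."""
    tasks, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = JOB_LINE.match(line)
        if m:
            pending = (m.group(1), m.group(2).rsplit("\\", 1)[-1])
            continue
        m = TARGET_LINE.match(line)
        if m and pending:
            tasks.append(ScheduledTask(pending[0], pending[1], m.group(1), m.group(2)))
            pending = None
    return tasks


def looks_random(basename: str) -> bool:
    """Heuristic chosen for this example (an assumption, not a ComboFix rule):
    8 alphanumerics mixing upper case, lower case and digits, which is how the
    two droppers in the log are named. 'ntbackup' or 'SoftwareUpdate' do not match."""
    return (len(basename) == 8 and basename.isalnum()
            and any(c.isupper() for c in basename)
            and any(c.islower() for c in basename)
            and any(c.isdigit() for c in basename))


def flag_at_persistence(tasks: list[ScheduledTask], min_jobs: int = 2) -> dict[str, list[str]]:
    """Return {target: [job names]} for targets that are (a) run by AtN.job
    tasks, (b) sit directly in \\windows\\system32 and (c) have a random-looking
    name, when at least `min_jobs` tasks point at them. Many AtN.job entries
    sharing one odd target is exactly the pattern in the log above."""
    by_target = defaultdict(list)
    for t in tasks:
        if not AT_JOB.match(t.job):
            continue
        folder, _, fname = t.target.rpartition("\\")   # keep case for the name check
        if not folder.lower().endswith("\\windows\\system32"):
            continue
        if not looks_random(fname.rsplit(".", 1)[0]):
            continue
        by_target[t.target].append(t.job)
    return {tgt: sorted(jobs, key=lambda j: int(re.sub(r"\D", "", j)))
            for tgt, jobs in by_target.items() if len(jobs) >= min_jobs}


if __name__ == "__main__":
    for target, jobs in flag_at_persistence(parse_tasks(SAMPLE_TASKS)).items():
        print(f"{target}: {len(jobs)} At*.job tasks -> {', '.join(jobs)}")
```

Run against the full log pasted above it reports both droppers with 24 jobs each, while AppleSoftwareUpdate.job, "doc backup.job" and the GoogleUpdate jobs pass untouched. The name heuristic is deliberately narrow; a real triage script would also cross-check the target against the "Other Deletions" list and the catchme section rather than rely on naming alone.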


#2 shelf life

  • Malware Response Team

Posted 18 July 2010 - 09:48 AM

Wow, tell the computer guy it should be assumed other machines are also compromised.

How Can I Reduce My Risk to Malware?




