muted volume and popups

22 replies to this topic

#1 aiyarunaway

aiyarunaway

  • Members
  • 17 posts

Posted 13 July 2010 - 11:28 AM

Just recently my computer was working fine until the volume kept muting itself every few minutes (the slide control for the volume goes down by itself). Then I noticed pop-ups from Internet Explorer popping up by themselves even though I use Firefox. I have run a scan to check if it was a virus and it had no detections.

* I was told to seek help here

Bootkit Remover version 1.0.0.1
2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: b19ee33a0168d5f0bb9afbe12e2bc035

Size Device Name MBR Status
--------------------------------------------
33 GB \\.\PhysicalDrive0 Unknown boot code





DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 12:05:55.33 on Tue 07/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.99 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe 4
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
svchost.exe
svchost.exe 4
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Documents and Settings\Administrator\My Documents\Firefox\firefox.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Administrator\My Documents\Firefox\plugin-container.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mystart.com?pr=oovoo2_2
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {99E00A4C-D35E-11DD-BA95-9B6A56D89593} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [ooVoo.exe] c:\program files\oovoo\oovoo.exe /minimized
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework

Edited by aiyarunaway, 13 July 2010 - 11:29 AM.



#2 shelf life

shelf life

  • Malware Response Team
  • 2,679 posts
  • Gender:Male
  • Location:@localhost

Posted 18 July 2010 - 09:52 AM

hi,

It looks like part of the DDS log is missing, please re-run it and post the entire log. You can also run this for a start:

Please download Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

How Can I Reduce My Risk to Malware?


#3 aiyarunaway

aiyarunaway
  • Topic Starter

  • Members
  • 17 posts

Posted 18 July 2010 - 03:11 PM

The DDS log... for some reason it won't post fully on here.
It keeps saying the connection was reset each time I upload it;
however, when I edited it by typing other things I can post it... why is that?
As for attachments, I can't attach the DDS log.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4324

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/18/2010 4:01:19 PM
mbam-log-2010-07-18 (16-01-19).txt

Scan type: Full scan (C:\|)
Objects scanned: 198705
Time elapsed: 2 hour(s), 8 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fhncieae (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kudyjdxl (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbxuoguc (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qqkvghqq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\exe.exe (Trojan.Kates) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\1D.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\d098f1b2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\NLGe.exe (Trojan.Downloader) -> Quarantined and deleted successfully.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 13:46:25.10 on Sun 07/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.173 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\SNDVOL32.EXE
svchost.exe 4
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
svchost.exe 4
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\My Documents\Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Firefox\plugin-container.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mystart.com?pr=oovoo2_2
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {99E00A4C-D35E-11DD-BA95-9B6A56D89593} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [ooVoo.exe] c:\program files\oovoo\oovoo.exe /minimized
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe

Edited by aiyarunaway, 18 July 2010 - 03:34 PM.


#4 aiyarunaway

aiyarunaway
  • Topic Starter

  • Members
  • 17 posts

Posted 18 July 2010 - 03:37 PM

The continuation of the DDS log:

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mystart.com?pr=oovoo2_2
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {99E00A4C-D35E-11DD-BA95-9B6A56D89593} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [ooVoo.exe] c:\program files\oovoo\oovoo.exe /minimized
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun%3

Edited by aiyarunaway, 18 July 2010 - 03:40 PM.


#5 shelf life

shelf life

  • Malware Response Team
  • 2,679 posts
  • Gender:Male
  • Location:@localhost

Posted 18 July 2010 - 07:36 PM

OK, how are the popups after running Malwarebytes? Are you getting redirected, do you end up at web sites you don't intend to go to? By the way, your DDS log is still missing sections.

I ran it on my machine and you can see the sections it should have:

DDS (Ver_10-03-17.01) - NTFSx86
Run by da at 19:13:30.93 on Sun 07/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2666 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe
C:\WINDOWS\system32\kktools\userdump.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\DAEMON Tools Pro\DTAgent.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\da\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = localhost:8080
BHO: SimpleAdblock Class: {ffcb3198-32f3-4e8b-9539-4324694ed664} - c:\program files\common files\simple adblock\SimpleAdblock.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [c:\program files\netmeter\netmeter.exe] c:\program files\netmeter\NetMeter.exe
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTAgent.exe" -autorun
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"
TCP: {51EB1DCC-9885-4951-B73F-00B314929838} = 4.2.2.5,4.2.2.3
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File


================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\da\applic~1\mozilla\firefox\profiles\mgt19bsx.default\
FF - prefs.js: browser.search.selectedEngine - Scroogle
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\da\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

============= SERVICES / DRIVERS ===============

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 udmpsvc;User Mode Process Dumper;system32\kktools\userdump.exe -Service --> system32\kktools\userdump.exe -Service
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2010-6-28 1442816]
R3 hcw85cir;Hauppauge Consumer Infrared Receiver;c:\windows\system32\drivers\HCW85cir.sys [2010-6-28 28160]
R3 udmpdrvr;User Mode Process Dumper Driver;c:\windows\system32\drivers\userdump.sys [2010-5-9 64384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-10-20 1684736]
S3 cpuz128;cpuz128;\??\c:\docume~1\da\locals~1\temp\cpuz_x32.sys --> c:\docume~1\da\locals~1\temp\cpuz_x32.sys
S3 CV2K1;CommView Network Monitor;c:\windows\system32\drivers\cv2k1.sys --> c:\windows\system32\drivers\cv2k1.sys
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2007-3-20 28672]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-5-12 14424]
S3 PortReporter;Port Reporter;c:\program files\portreporter\PortReporter.exe [2009-4-3 90183]
S3 PsSdk31;PsSdk31;c:\windows\system32\drivers\pssdk31.drv [2009-1-18 30272]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2009-11-7 36928]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2009-10-22 16456]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2009-10-22 11088]
S3 rkhdrv40;Rootkit Unhooker Driver;
S3 SaxNDIS;Ax3soft Packet Driver (SaxNDIS);c:\windows\system32\drivers\SAXNDIS.sys [2009-5-15 35840]
S3 TFilter;TFilter;\??\c:\progra~1\avanqu~1\system~1\tfilter.sys --> c:\progra~1\avanqu~1\system~1\TFilter.sys [?]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\tmpassthru.sys --> c:\windows\system32\drivers\TMPassthru.sys [?]


=============== Created Last 30 ================

2010-07-18 15:36:58 135037795 ----a-w- c:\windows\firefox3772.dmp
2010-07-18 13:55:31 0 d-----w- c:\windows\AllMedia Grabber
2010-07-18 13:55:31 0 d-----w- c:\program files\AllMedia Grabber
2010-07-18 13:41:57 125775111 ----a-w- c:\windows\firefox1780.dmp
2010-07-18 12:29:01 143363259 ----a-w- c:\windows\firefox3360.dmp
2010-07-17 12:06:06 0 d-----w- C:\users
2010-07-14 23:17:07 141284671 ----a-w- c:\windows\firefox844.dmp
2010-07-14 21:57:10 124727465 ----a-w- c:\windows\firefox172.dmp
2010-07-11 02:08:19 125796205 ----a-w- c:\windows\firefox2156.dmp
2010-07-10 14:02:53 0 d-----w- c:\program files\ExeIcon3DBox
2010-07-08 22:33:57 150153153 ----a-w- c:\windows\firefox4040.dmp
2010-07-06 11:51:31 12408 ----a-w- c:\windows\system32\Lnk.tlb
2010-07-06 11:51:30 7 ----a-w- c:\windows\grabber4.dat
2010-06-28 20:40:37 36921 ----a-w- c:\windows\system32\hcwutl32.dll
2010-06-28 20:40:37 307256 ----a-w- c:\windows\system32\hcwpnp32.dll
2010-06-28 20:40:37 106552 ----a-w- c:\windows\system32\hcwi2c32.dll
2010-06-28 20:40:06 3844 ----a-w- c:\windows\HCWPNP.INI
2010-06-28 20:39:40 1419232 ----a-r- c:\windows\system32\hcw85wdf_01005.dll
2010-06-28 20:39:16 28160 ----a-r- c:\windows\system32\drivers\HCW85cir.sys
2010-06-28 20:39:14 1442816 ----a-r- c:\windows\system32\drivers\HCW85BDA.sys
2010-06-27 12:09:12 115063957 ----a-w- c:\windows\firefox2244.dmp
2010-06-27 01:19:02 155775491 ----a-w- c:\windows\firefox3292.dmp


==================== Find3M ====================

2010-06-17 20:30:11 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-06-05 21:14:48 360580 ----a-w- c:\windows\eSellerateEngine.dll
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-05 01:55:30 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-05-05 01:55:24 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-05-05 01:53:40 3997696 ----a-w- c:\windows\system32\aticaldd.dll
2010-05-05 01:48:36 15056896 ----a-w- c:\windows\system32\atioglxx.dll
2010-05-05 01:26:42 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-05-05 01:12:44 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2009-06-02 02:53:49 2 --shatr- c:\windows\winstart.bat

============= FINISH: 19:13:43.39 ===============

How Can I Reduce My Risk to Malware?


#6 aiyarunaway

aiyarunaway
  • Topic Starter

  • Members
  • 17 posts

Posted 20 July 2010 - 04:51 PM

After the scan the popups are still there. I'm being redirected to ad pages that I don't want to go to. Also, whenever I try to post the DDS logs on this page it always says the connection failed even though the connection is fine. I copied the DDS log onto a memory stick and posted it through another computer, and that works fine though.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 13:46:25.10 on Sun 07/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.173 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\SNDVOL32.EXE
svchost.exe 4
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
svchost.exe 4
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\My Documents\Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Firefox\plugin-container.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mystart.com?pr=oovoo2_2
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {99E00A4C-D35E-11DD-BA95-9B6A56D89593} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [ooVoo.exe] c:\program files\oovoo\oovoo.exe /minimized
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [QuickTime Task] "c:\program files\final codecs\qttask.exe" -atboottime
mRun: [fhncieae] c:\documents and settings\localservice\local settings\application data\gmjabfadp\ewhcpnytssd.exe
mRun: [kudyjdxl] c:\documents and settings\localservice\local settings\application data\vtfbqhiee\cmaohsntssd.exe
mRun: [bbxuoguc] c:\documents and settings\localservice\local settings\application data\fbljmksfm\pvbibrftssd.exe
mRun: [qqkvghqq] c:\documents and settings\localservice\local settings\application data\mruxrgnfw\cwwgfmltssd.exe
dRun: [fbdulthk] c:\documents and settings\localservice\local settings\application data\ddtstgwnc\xmoxilftssd.exe
dRun: [fhncieae] c:\documents and settings\localservice\local settings\application data\gmjabfadp\ewhcpnytssd.exe
dRun: [kudyjdxl] c:\documents and settings\localservice\local settings\application data\vtfbqhiee\cmaohsntssd.exe
dRun: [bbxuoguc] c:\documents and settings\localservice\local settings\application data\fbljmksfm\pvbibrftssd.exe
dRun: [qqkvghqq] c:\documents and settings\localservice\local settings\application data\mruxrgnfw\cwwgfmltssd.exe
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256055296394
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\i0rnoe0y.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\i0rnoe0y.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\final codecs\mozillaplugins\nppl3260.dll
FF - plugin: c:\program files\final codecs\mozillaplugins\nprjplug.dll
FF - plugin: c:\program files\final codecs\mozillaplugins\nprpjplug.dll
FF - plugin: c:\program files\final codecs\plugins\npqtplugin.dll
FF - plugin: c:\program files\final codecs\plugins\npqtplugin2.dll
FF - plugin: c:\program files\final codecs\plugins\npqtplugin3.dll
FF - plugin: c:\program files\final codecs\plugins\npqtplugin4.dll
FF - plugin: c:\program files\final codecs\plugins\npqtplugin5.dll
FF - plugin: c:\program files\final codecs\plugins\npqtplugin6.dll
FF - plugin: c:\program files\final codecs\plugins\npqtplugin7.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\documents and settings\administrator\my documents\firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\documents and settings\administrator\my documents\firefox\greprefs\all.js - pref("html5.enable", false);
c:\documents and settings\administrator\my documents\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\documents and settings\administrator\my documents\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\documents and settings\administrator\my documents\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\documents and settings\administrator\my documents\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\documents and settings\administrator\my documents\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\documents and settings\administrator\my documents\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-29 31944]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2009-10-21 16384]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-10-22 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-29 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-29 54872]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-10-22 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-10-22 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-10-22 168776]
R3 PCX504;Cisco Systems Wireless LAN Adapter Driver;c:\windows\system32\drivers\PCX504.sys [2009-10-20 119296]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2008-3-4 22568]
S3 PCX500;Cisco Wireless LAN Adapters Driver;c:\windows\system32\drivers\pcx500.sys [2010-3-21 169984]

=============== Created Last 30 ================

2010-07-13 16:03:05 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-07-13 13:51:39 22016 ----a-w- c:\windows\exe.exe
2010-07-13 13:51:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-13 00:36:48 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-07-12 15:56:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 15:56:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-12 15:56:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-12 15:56:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-12 01:32:17 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-12 01:30:28 0 d-----w- c:\program files\common files\Software Update Utility
2010-07-12 01:30:20 0 d-----w- c:\docume~1\alluse~1\applic~1\NexonUS

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 13:49:09.65 ===============


#7 shelf life
  • Malware Response Team
  • 2,679 posts
  • Gender:Male
  • Location:@localhost

Posted 20 July 2010 - 08:42 PM

OK, thanks for the info. We will get another download to use. It's called ComboFix. There is a guide to read first. Read through the guide, then apply the directions on your own machine. Post the ComboFix log in your reply.

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#8 aiyarunaway
  • Topic Starter
  • Members
  • 17 posts

Posted 21 July 2010 - 09:49 AM

When I ran ComboFix, I could never get the program to run to the end. It always crashes at the part where it scans the files. A blue screen follows, saying an error occurred in the system, and then it reboots itself. Any solutions? Thanks.

Edited by aiyarunaway, 21 July 2010 - 09:50 AM.


#9 shelf life
  • Malware Response Team
  • 2,679 posts
  • Gender:Male
  • Location:@localhost

Posted 21 July 2010 - 07:38 PM

Yes, you can try running ComboFix in Safe Mode. To reach Safe Mode, tap the F8 key during a computer restart and choose the first option: Safe Mode.
Once at the Safe Mode desktop, run ComboFix. Post the ComboFix log.

After running ComboFix, back in Normal Mode, run TDSSKiller:

Please download TDSS Killer.zip and save it to your desktop.
Extract the zip file to your desktop. Double-click to launch the utility. Follow the prompts.
Please post the report.txt that will be generated on your desktop after it is done running.


How Can I Reduce My Risk to Malware?


#10 aiyarunaway
  • Topic Starter
  • Members
  • 17 posts

Posted 21 July 2010 - 09:22 PM

ComboFix 10-07-20.01 - Administrator 07/21/2010 21:59:01.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.823 [GMT -4:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Recent\Thumbs.db
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\windows\leDECPI.dll

Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.

2010-07-21 14:19 . 2010-07-21 14:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-13 15:29 . 2010-07-13 15:30 -------- d-----w- c:\program files\7-Zip
2010-07-13 13:51 . 2010-07-13 13:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-13 13:51 . 2010-07-13 13:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-13 00:36 . 2010-07-13 00:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-12 15:58 . 2010-07-12 15:58 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-07-12 15:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 15:56 . 2010-07-12 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-12 15:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-12 15:56 . 2010-07-12 15:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-12 14:02 . 2010-07-12 14:02 -------- d-----w- c:\documents and settings\user\Application Data\Apple Computer
2010-07-12 01:32 . 2010-07-12 01:32 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-12 01:30 . 2010-07-12 01:30 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-07-12 01:30 . 2010-07-12 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2010-07-11 20:01 . 2010-07-11 20:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-11 19:19 . 2010-07-11 19:19 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-11 19:18 . 2010-07-11 19:18 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-11 15:06 . 2010-07-11 15:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-02 01:09 . 2010-07-02 01:09 -------- d-----w- c:\documents and settings\user\Application Data\acccore
2010-07-02 01:09 . 2010-07-12 19:36 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\AIM
2010-07-02 01:09 . 2010-07-02 01:09 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 01:07 . 2010-06-03 03:42 -------- d-----w- c:\documents and settings\user\Application Data\ooVoo Details
2010-06-18 01:41 . 2010-06-18 01:41 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2010-06-18 01:41 . 2010-06-18 01:41 126976 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-06-18 01:41 . 2010-06-18 01:41 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-06-18 01:41 . 2010-06-18 01:41 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-06-18 01:41 . 2010-06-18 01:41 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-06-18 01:41 . 2010-06-18 01:41 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-06-15 12:21 . 2009-10-23 12:22 -------- d-----w- c:\program files\Final Codecs
2010-06-15 12:15 . 2010-06-15 12:15 -------- d-----w- c:\program files\Bonjour
2010-06-15 11:55 . 2010-03-06 23:03 -------- d-----w- c:\program files\iTunes
2010-06-10 15:00 . 2010-04-13 01:43 -------- d-----w- c:\program files\ooVoo
2010-06-10 14:58 . 2010-06-10 14:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\oovooinstaller
2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30580\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30580\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30580\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30580\AcrobatUpdater.exe
2010-06-03 18:51 . 2010-06-03 18:51 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-12dd0051-n\msvcr71.dll
2010-06-03 18:51 . 2010-06-03 18:51 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-12dd0051-n\msvcp71.dll
2010-06-03 18:51 . 2010-06-03 18:51 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-12dd0051-n\jmc.dll
2010-05-26 23:09 . 2010-05-26 23:09 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-71b44626-n\msvcp71.dll
2010-05-26 23:09 . 2010-05-26 23:09 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-71b44626-n\jmc.dll
2010-05-26 23:09 . 2010-05-26 23:09 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-71b44626-n\msvcr71.dll
2010-05-06 10:41 . 2008-04-14 09:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-04-14 05:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[-] 2008-12-30 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2010-03-08 3972440]
"ooVoo.exe"="c:\program files\oovoo\oovoo.exe" [2010-05-31 18707640]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 344064]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-04 1323008]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-03-04 92960]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-29 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-19 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"QuickTime Task"="c:\program files\Final Codecs\qttask.exe" [2010-03-18 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 04:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 01:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [10/21/2009 9:01 AM 16384]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
R3 PCX504;Cisco Systems Wireless LAN Adapter Driver;c:\windows\system32\drivers\PCX504.sys [10/20/2009 11:29 AM 119296]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [3/4/2008 7:28 AM 22568]
S3 PCX500;Cisco Wireless LAN Adapters Driver;c:\windows\system32\drivers\pcx500.sys [3/21/2010 8:09 PM 169984]
.
Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-12-22 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2009-10-21 06:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mystart.com?pr=oovoo2_2
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\i0rnoe0y.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\i0rnoe0y.default\extensions\DeviceDetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Final Codecs\MozillaPlugins\nppl3260.dll
FF - plugin: c:\program files\Final Codecs\MozillaPlugins\nprjplug.dll
FF - plugin: c:\program files\Final Codecs\MozillaPlugins\nprpjplug.dll
FF - plugin: c:\program files\Final Codecs\Plugins\npqtplugin.dll
FF - plugin: c:\program files\Final Codecs\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\Final Codecs\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\Final Codecs\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\Final Codecs\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\Final Codecs\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\Final Codecs\Plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\documents and settings\Administrator\My Documents\Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\documents and settings\Administrator\My Documents\Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\documents and settings\Administrator\My Documents\Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\documents and settings\Administrator\My Documents\Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\documents and settings\Administrator\My Documents\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\documents and settings\Administrator\My Documents\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\documents and settings\Administrator\My Documents\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\documents and settings\Administrator\My Documents\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\documents and settings\Administrator\My Documents\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{99E00A4C-D35E-11DD-BA95-9B6A56D89593} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKU-Default-Run-Wpilepayuka - c:\windows\leDECPI.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-21 22:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,08,83,dd,6f,c8,4d,3a,4f,8c,eb,d2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,08,83,dd,6f,c8,4d,3a,4f,8c,eb,d2,\

[HKEY_USERS\S-1-5-21-1177238915-1935655697-1202660629-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,df,5a,2b,7b,e6,2c,cd,48,a3,80,fc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,a1,94,e1,86,e3,69,4d,81,11,25,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,df,5a,2b,7b,e6,2c,cd,48,a3,80,fc,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
Completion time: 2010-07-21 22:19:09
ComboFix-quarantined-files.txt 2010-07-22 02:18

Pre-Run: 2,729,553,920 bytes free
Post-Run: 3,138,224,128 bytes free

- - End Of File - - 6A323379CF06F60C9A8210E3CB5B3825
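
The two things a responder spots by eye in these logs are the eight mRun/dRun values in the earlier DDS log (random eight-letter names such as kudyjdxl, each pointing at a random-named *tssd.exe under LocalService's Local Settings\Application Data, a profile no legitimate installer writes Run entries for) and the HKU-Default-Run-Wpilepayuka orphan that ComboFix just removed, which loaded a DLL dropped straight into c:\windows. The script below is an added example for this thread; it is not part of the original post and not code from DDS, ComboFix or TDSSKiller. It parses the Run-entry formats both tools print and applies those three checks. The sample lines are copied from the logs above; the heuristics themselves (service-account profile, a run of four or more consonants as "random-looking", a .dll directly in the Windows directory) and all function names are assumptions of this example, not rules from either tool.

```python
"""Triage of Run-key autostart entries from DDS / ComboFix style log lines.

Added example for this thread, not part of the original post and not code
from DDS, ComboFix or TDSSKiller. The three checks are the ones a malware
responder applies by eye to the "Reg Loading Points" section; thresholds
and names are assumptions of this example.
"""
import re

# DDS form:        mRun: [name] path          (m = HKLM, u = HKCU, d = .DEFAULT)
# ComboFix form:   "name"="path" [date size]
# ComboFix orphan: HKU-Default-Run-name - path
_DDS = re.compile(r'^[mud]Run(?:Once)?:\s+\[(?P<name>[^\]]+)\]\s+(?P<path>.+?)\s*$', re.I)
_CFX = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
_ORPHAN = re.compile(r'^HKU-\w+-Run-(?P<name>\S+)\s+-\s+(?P<path>.+?)\s*$', re.I)

SERVICE_PROFILES = ('localservice', 'networkservice')
_CONSONANT_RUN = re.compile(r'[bcdfghjklmnpqrstvwxz]{4,}')

# Lines copied from the DDS and ComboFix logs posted in this thread, plus one
# driver line that is not an autostart entry and must be ignored.
SAMPLE_LINES = [
    r"mRun: [kudyjdxl] c:\documents and settings\localservice\local settings\application data\vtfbqhiee\cmaohsntssd.exe",
    r"dRun: [fhncieae] c:\documents and settings\localservice\local settings\application data\gmjabfadp\ewhcpnytssd.exe",
    r"dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N",
    r'"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-19 149280]',
    r'"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]',
    r"HKU-Default-Run-Wpilepayuka - c:\windows\leDECPI.dll",
    r"R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2009-10-21 16384]",
]


def parse_autostart(line):
    """Return (name, lower-cased path) for a Run-style line, else None."""
    line = line.strip()
    for rx in (_DDS, _CFX, _ORPHAN):
        m = rx.match(line)
        if m:
            return m.group('name'), m.group('path').strip().lower()
    return None


def looks_random(stem):
    """All-lowercase letters containing a run of four or more consonants.
    Fires on kudyjdxl / cmaohsntssd, not on jusched or atiptaxx."""
    return stem.isalpha() and stem.islower() and bool(_CONSONANT_RUN.search(stem))


def assess(name, path):
    """Return the reasons an entry deserves a closer look (empty list = nothing odd).
    Command lines such as 'rundll32 x.dll,Entry' are not decomposed here."""
    parts = path.split('\\')
    leaf = parts[-1]
    stem, _, ext = leaf.rpartition('.') if '.' in leaf else (leaf, '', '')
    reasons = []
    if any(p in SERVICE_PROFILES for p in parts):
        reasons.append('autostart target inside a service-account profile')
    if 'application data' in parts and (looks_random(stem) or looks_random(name)):
        reasons.append('random-looking name under Application Data')
    if ext == 'dll' and len(parts) == 3 and parts[1] == 'windows':
        reasons.append('DLL autostart dropped directly in the Windows directory')
    return reasons


def triage(lines):
    """Parse every line and keep only the entries with at least one reason."""
    findings = []
    for line in lines:
        parsed = parse_autostart(line)
        if parsed is None:
            continue
        name, path = parsed
        reasons = assess(name, path)
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == '__main__':
    for name, path, reasons in triage(SAMPLE_LINES):
        print(f'{name:<14} {path}')
        for r in reasons:
            print(f'    -> {r}')
```

Run against the sample lines it reports kudyjdxl and fhncieae (both reasons 1 and 2) and Wpilepayuka (reason 3), and stays silent on the Java updater, the ThinkPad pwrmonit.dll entry (a DLL, but under Program Files) and the nLite RunOnce leftover. The consonant-run test is deliberately crude: it is only applied to targets under Application Data, where the location already does most of the work, so a legitimate short-named helper in Program Files never trips it.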


#11 aiyarunaway
  • Topic Starter
  • Members
  • 17 posts

Posted 21 July 2010 - 09:26 PM

22:24:47:350 2656 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
22:24:47:350 2656 ================================================================================
22:24:47:350 2656 SystemInfo:

22:24:47:350 2656 OS Version: 5.1.2600 ServicePack: 3.0
22:24:47:350 2656 Product type: Workstation
22:24:47:350 2656 ComputerName: XP
22:24:47:360 2656 UserName: Administrator
22:24:47:360 2656 Windows directory: C:\WINDOWS
22:24:47:360 2656 System windows directory: C:\WINDOWS
22:24:47:360 2656 Processor architecture: Intel x86
22:24:47:360 2656 Number of processors: 1
22:24:47:360 2656 Page size: 0x1000
22:24:47:360 2656 Boot type: Normal boot
22:24:47:360 2656 ================================================================================
22:24:47:550 2656 Initialize success
22:24:47:550 2656
22:24:47:550 2656 Scanning Services ...
22:24:48:271 2656 Raw services enum returned 351 services
22:24:48:291 2656
22:24:48:291 2656 Scanning Drivers ...
22:24:49:803 2656 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:24:49:833 2656 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
22:24:49:873 2656 aeaudio (9f59ae2de835641fbb0c6afd80d8fa9b) C:\WINDOWS\system32\drivers\aeaudio.sys
22:24:49:944 2656 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:24:50:004 2656 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
22:24:50:394 2656 AgereSoftModem (aff071b6290776e1fa162837c35eac78) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
22:24:50:655 2656 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
22:24:50:725 2656 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
22:24:50:795 2656 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:24:50:855 2656 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:24:50:965 2656 ati2mtag (cfb737fb9e2c8f508baf14a4a8bedf22) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
22:24:51:065 2656 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:24:51:185 2656 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:24:51:255 2656 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:24:51:336 2656 CamDrL (cba8bce5bf67a3c619d5ce540bed9cf7) C:\WINDOWS\system32\DRIVERS\Camdrl.sys
22:24:51:556 2656 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:24:51:606 2656 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
22:24:51:626 2656 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:24:51:686 2656 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
22:24:51:816 2656 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:24:51:936 2656 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
22:24:52:007 2656 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
22:24:52:067 2656 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
22:24:52:327 2656 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
22:24:52:768 2656 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
22:24:52:998 2656 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:24:53:178 2656 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
22:24:53:258 2656 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
22:24:53:288 2656 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
22:24:53:308 2656 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
22:24:53:389 2656 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
22:24:53:559 2656 E1000 (c42009e37e377ae55968768e521e05c3) C:\WINDOWS\system32\DRIVERS\e1000325.sys
22:24:53:679 2656 E100B (ac9cf17ee2ae003c98eb4f5336c38058) C:\WINDOWS\system32\DRIVERS\e100b325.sys
22:24:53:749 2656 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
22:24:53:759 2656 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
22:24:53:779 2656 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
22:24:53:809 2656 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
22:24:53:879 2656 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
22:24:53:909 2656 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:24:53:979 2656 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:24:54:039 2656 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
22:24:54:150 2656 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:24:54:250 2656 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:24:54:320 2656 HSFHWICH (e7bcc7ec37dd2dd36a39bb9ac87a897b) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
22:24:54:410 2656 HSF_DPV (822c60f2abee73a0e089230d94064f39) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
22:24:54:550 2656 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
22:24:54:720 2656 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:24:54:771 2656 IBMPMDRV (bf648877413f6160e480814a24942b65) C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
22:24:54:841 2656 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:24:54:881 2656 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
22:24:54:921 2656 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:24:54:951 2656 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
22:24:55:011 2656 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:24:55:071 2656 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:24:55:101 2656 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:24:55:131 2656 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:24:55:181 2656 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
22:24:55:321 2656 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:24:55:381 2656 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:24:55:431 2656 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:24:55:472 2656 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
22:24:55:542 2656 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
22:24:55:602 2656 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
22:24:55:682 2656 LVUSBSta (c5efbd05a5195402121711a6ebbb271f) C:\WINDOWS\system32\drivers\lvusbsta.sys
22:24:55:732 2656 ManyCam (c6d085c7045200143528136a43a65fde) C:\WINDOWS\system32\DRIVERS\ManyCam.sys
22:24:55:892 2656 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
22:24:55:952 2656 mfeapfk (1f334eb2a13816df45671ebb98896da7) C:\WINDOWS\system32\drivers\mfeapfk.sys
22:24:56:012 2656 mfeavfk (8a1dedbbdad33587f6fad780ce4b34b5) C:\WINDOWS\system32\drivers\mfeavfk.sys
22:24:56:032 2656 mfebopk (d800e31a019a6979698eef0507baa746) C:\WINDOWS\system32\drivers\mfebopk.sys
22:24:56:082 2656 mfehidk (0ae14fab8e25c258c6ebf3827c649273) C:\WINDOWS\system32\drivers\mfehidk.sys
22:24:56:173 2656 mferkdk (e72afc5056f6804c616e7dc32a38945f) C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
22:24:56:223 2656 mfetdik (a47f0f63e92730de15d41624ab998c5c) C:\WINDOWS\system32\drivers\mfetdik.sys
22:24:56:313 2656 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:24:56:433 2656 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
22:24:56:513 2656 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:24:56:603 2656 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:24:56:663 2656 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
22:24:56:713 2656 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:24:56:854 2656 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:24:56:984 2656 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:24:57:034 2656 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:24:57:114 2656 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:24:57:124 2656 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
22:24:57:174 2656 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:24:57:234 2656 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
22:24:57:264 2656 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
22:24:57:304 2656 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
22:24:57:324 2656 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
22:24:57:364 2656 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
22:24:57:384 2656 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:24:57:434 2656 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:24:57:454 2656 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:24:57:464 2656 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
22:24:57:494 2656 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:24:57:514 2656 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:24:57:545 2656 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
22:24:57:555 2656 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
22:24:57:615 2656 NSCIRDA (2adc0ca9945c65284b3d19bc18765974) C:\WINDOWS\system32\DRIVERS\nscirda.sys
22:24:57:745 2656 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
22:24:57:845 2656 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:24:57:885 2656 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:24:57:895 2656 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:24:57:995 2656 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
22:24:58:045 2656 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
22:24:58:055 2656 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
22:24:58:115 2656 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:24:58:175 2656 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
22:24:58:235 2656 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
22:24:58:356 2656 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
22:24:58:516 2656 PCX500 (592b9d0fb93647c35b6f6883c988d225) C:\WINDOWS\system32\DRIVERS\pcx500.sys
22:24:58:576 2656 PCX504 (26f2d9161d4ecb4dc13c7eea92c3f595) C:\WINDOWS\system32\DRIVERS\PCX504.sys
22:24:58:686 2656 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:24:58:696 2656 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
22:24:58:736 2656 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:24:58:816 2656 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:24:58:876 2656 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
22:24:58:916 2656 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:24:58:957 2656 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:24:59:007 2656 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:24:59:037 2656 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:24:59:047 2656 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:24:59:077 2656 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
22:24:59:107 2656 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
22:24:59:207 2656 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:24:59:257 2656 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:24:59:297 2656 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
22:24:59:317 2656 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
22:24:59:327 2656 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
22:24:59:397 2656 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
22:24:59:487 2656 smwdm (1319ea66a96250d59665d133c0ff7cd0) C:\WINDOWS\system32\drivers\smwdm.sys
22:24:59:517 2656 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
22:24:59:607 2656 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
22:24:59:688 2656 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
22:24:59:738 2656 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
22:24:59:798 2656 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:24:59:868 2656 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
22:24:59:968 2656 SynTP (820d28f30ac01ce86860a35dcc7bfaab) C:\WINDOWS\system32\DRIVERS\SynTP.sys
22:24:59:998 2656 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
22:25:00:078 2656 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:25:00:128 2656 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:25:00:148 2656 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
22:25:00:198 2656 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:25:00:268 2656 Tp4Track (11cc72f5c4e37554a985880e928cbba9) C:\WINDOWS\system32\DRIVERS\tp4track.sys
22:25:00:288 2656 TPHKDRV (29f3601d4233a53f819010fee8c04a60) C:\WINDOWS\system32\drivers\TPHKDRV.sys
22:25:00:379 2656 TPPWR (8d6678aaab7ca42a71999e7b931cdf1d) C:\WINDOWS\system32\drivers\Tppwr.sys
22:25:00:519 2656 TwoTrack (17687545f77a648af7f9f1064eb61191) C:\WINDOWS\system32\DRIVERS\TwoTrack.sys
22:25:00:569 2656 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
22:25:00:639 2656 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
22:25:00:709 2656 USBAAPL (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys
22:25:00:779 2656 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
22:25:00:819 2656 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:25:00:889 2656 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:25:00:959 2656 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:25:01:050 2656 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
22:25:01:150 2656 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:25:01:380 2656 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:25:01:600 2656 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
22:25:01:660 2656 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
22:25:01:831 2656 w29n51 (a22abd73e0d6ba666cba4e86eeb001b3) C:\WINDOWS\system32\DRIVERS\w29n51.sys
22:25:02:061 2656 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:25:02:141 2656 Wdf01000 (8b35229d2761bc8ed526cb69e4f6685e) C:\WINDOWS\system32\Drivers\wdf01000.sys
22:25:02:221 2656 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
22:25:02:321 2656 winachsf (5ea185425bfcbc2d4b96d673d8c4deaf) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
22:25:02:462 2656 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
22:25:02:562 2656 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
22:25:02:582 2656 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
22:25:02:582 2656
22:25:02:582 2656 Completed
22:25:02:582 2656
22:25:02:592 2656 Results:
22:25:02:592 2656 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
22:25:02:592 2656 File objects infected / cured / cured on reboot: 0 / 0 / 0
22:25:02:592 2656
22:25:02:602 2656 KLMD(ARK) unloaded successfully


#12 shelf life

  • Malware Response Team
  • 2,679 posts
  • Gender:Male
  • Location:@localhost

Posted 22 July 2010 - 04:20 PM

Hi,

OK, good. How's it looking on your end now?

How Can I Reduce My Risk to Malware?


#13 aiyarunaway

  • Topic Starter
  • Members
  • 17 posts

Posted 22 July 2010 - 08:37 PM

It is still muted and pop-ups still continue.


#14 shelf life

  • Malware Response Team
  • 2,679 posts
  • Gender:Male
  • Location:@localhost

Posted 23 July 2010 - 07:32 PM

OK. Run two apps for me:


Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window.
Next, click on the Scan button.
In the Select Scan window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button.
In the next dialog window select all the drives that are listed.
Click OK to start the scan.

It may take some time to complete.
When done, click the Save Report button.
Save the report to your desktop.
To exit RootRepeal: click File > Exit.
Post the report in your reply.
---------------------------------------------------
Please download MBR.exe from here ->

http://www2.gmer.net/mbr/mbr.exe
Save it to your desktop, double click to start.
It will generate a .txt file on your desktop.
Please post the .txt file.

How Can I Reduce My Risk to Malware?


#15 aiyarunaway

  • Topic Starter
  • Members
  • 17 posts

Posted 23 July 2010 - 07:54 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/07/23 20:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB68FD000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\~df7759.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\~df7cd.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\~dfa49f.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\~dfb5c5.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\~dfdb61.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\~dfe930.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\~dff6be.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\~df19c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\~df1a8d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\~df2a00.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\administrator\application data\oovoo details\logs\20100723_2024_00.ovolog
Status: Size mismatch (API: 97008, Raw: 96836)

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\34YBVSO8\httpErrorPagesScripts[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\34YBVSO8\favcenter[1]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\N79S8XOV\dnserror[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\N79S8XOV\errorPageStrings[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\N79S8XOV\ErrorPageTemplate[2]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\N79S8XOV\httpErrorPagesScripts[2]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W9GKYM3N\afr[1].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W9GKYM3N\impCAK0YCT2
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W9GKYM3N\jsonCAAH82BM
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W9GKYM3N\st[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W9GKYM3N\st[2]
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\i0rnoe0y.default\sessionstore.js
Status: Size mismatch (API: 292575, Raw: 291388)

Path: c:\documents and settings\localservice\local settings\application data\microsoft\internet explorer\recovery\active\{1e0bf690-96bd-11df-9eac-00028ade52a9}.dat
Status: Allocation size mismatch (API: 12288, Raw: 8192)

==EOF==