Invisible Audio Ads


  • This topic is locked
12 replies to this topic

#1 almagnifico24

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:35 AM

Posted 15 August 2010 - 02:27 AM

Extremely annoying. I have read other similar threads, but nothing in them has seemed to help.

Ads only run when I have a connection to the internet. Strangely, they even play when I am logged off Windows.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Al24 at 3:22:35.80 on Sun 08/15/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1656 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\lxdxcoms.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
svchost.exe 4
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Application\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
svchost.exe 4
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\notepad.exe
C:\Users\Garry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://www.msi.com.tw
mDefault_Page_URL = hxxp://www.msi.com.tw
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - d:\bitcomet\tools\BitCometBHO_1.3.3.2.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\applic~1\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [PlayNC Launcher]
uRun: [Steam] "d:\l4d2\steam.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [GrooveMonitor] "d:\application\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &D&ownload &with BitComet - d:\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://d:\bitcomet\tools\BitCometBHO_1.3.3.2.dll/206
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\applic~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\applic~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} - hxxp://live.amsterdamlivexxx.com/cab/securelogin-devel.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\applic~1\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\applic~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\garry\appdata\roaming\mozilla\firefox\profiles\8tsoonx4.working\
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll
FF - plugin: d:\new\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: d:\new\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: d:\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\quicktime\plugins\npqtplugin7.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-12-23 159744]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-4-28 54784]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-5-30 93968]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-4-27 3658752]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-1-22 52768]

=============== Created Last 30 ================

2010-08-15 06:34:47 0 d-----w- c:\programdata\Sun
2010-08-15 06:31:05 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-27 05:50:13 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-27 05:50:13 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-27 05:32:35 0 d-----w- c:\program files\Trend Micro
2010-07-27 01:17:26 0 d-----w- c:\users\garry\appdata\roaming\Malwarebytes
2010-07-27 01:17:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-27 01:17:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-27 01:17:17 0 d-----w- c:\programdata\Malwarebytes
2010-07-27 01:17:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-08-15 06:42:25 64031 ----a-w- c:\programdata\nvModes.dat
2010-08-14 03:53:10 51200 ----a-w- c:\windows\inf\infpub.dat
2010-08-14 03:53:10 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-22 19:14:29 214864 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-10 16:22:03 86016 ----a-w- c:\windows\inf\infstor.dat
2008-12-23 16:26:44 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-30 06:43:48 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-30 06:43:48 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-30 06:43:48 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 3:22:47.16 ===============

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:25:58 AM, on 8/15/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Application\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msi.com.tw
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msi.com.tw
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\APPLIC~1\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Application\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Steam] "d:\l4d2\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\APPLIC~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\APPLIC~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\APPLIC~1\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_b...sreqlab_srl.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://live.amsterdamlivexxx.com/cab/securelogin-devel.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\APPLIC~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Unknown owner - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe (file missing)
O23 - Service: lxdx_device - - C:\Windows\system32\lxdxcoms.exe
O23 - Service: Micro Star SCM - Unknown owner - C:\Program Files\System Control Manager\MSIService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7441 bytes

Help?

edit: ah, sorry for bump.

EDIT: Posts merged ~BP

Edited by Budapest, 18 August 2010 - 05:11 PM.


#2 Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:35 PM

Posted 21 August 2010 - 02:33 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?

If I haven't replied in 48 hours, please feel free to send me a PM.


#3 almagnifico24
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:35 AM

Posted 21 August 2010 - 05:11 PM

Hi, I followed the instructions in Elle's post. I still have the same issue with audio ads. They play randomly, they can be hours apart sometimes.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Garry at 17:43:51.58 on Sat 08/21/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.2040 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\lxdxcoms.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
svchost.exe 4
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Application\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
svchost.exe 4
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Users\Garry\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://www.msi.com.tw
mDefault_Page_URL = hxxp://www.msi.com.tw
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - d:\bitcomet\tools\BitCometBHO_1.3.3.2.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\applic~1\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [PlayNC Launcher]
uRun: [Steam] "d:\l4d2\steam.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [GrooveMonitor] "d:\application\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &D&ownload &with BitComet - d:\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://d:\bitcomet\tools\BitCometBHO_1.3.3.2.dll/206
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\applic~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\applic~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} - hxxp://live.amsterdamlivexxx.com/cab/securelogin-devel.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\applic~1\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\applic~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\garry\appdata\roaming\mozilla\firefox\profiles\8tsoonx4.working\
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll
FF - plugin: d:\new\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: d:\new\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: d:\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\quicktime\plugins\npqtplugin7.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-12-23 159744]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-4-28 54784]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-5-30 93968]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-4-27 3658752]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-1-22 52768]

=============== Created Last 30 ================

2010-08-21 21:43:20 0 ----a-w- c:\users\garry\defogger_reenable
2010-08-15 06:34:47 0 d-----w- c:\programdata\Sun
2010-08-15 06:31:05 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-27 05:50:13 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-27 05:50:13 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-27 05:32:35 0 d-----w- c:\program files\Trend Micro
2010-07-27 01:17:26 0 d-----w- c:\users\garry\appdata\roaming\Malwarebytes
2010-07-27 01:17:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-27 01:17:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-27 01:17:17 0 d-----w- c:\programdata\Malwarebytes
2010-07-27 01:17:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-08-21 21:40:41 64031 ----a-w- c:\programdata\nvModes.dat
2010-08-21 01:50:24 51200 ----a-w- c:\windows\inf\infpub.dat
2010-08-21 01:50:23 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-10 16:22:03 86016 ----a-w- c:\windows\inf\infstor.dat
2008-12-23 16:26:44 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-30 06:43:48 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-30 06:43:48 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-30 06:43:48 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 17:44:19.83 ===============


========================================================================================================
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-21 18:02:23
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\Garry\AppData\Local\Temp\kwrcqpog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8DE01340, 0x3F97E7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[4820] USER32.dll!DialogBoxIndirectParamW 7640BD25 5 Bytes JMP 6EFD0696 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4820] USER32.dll!DialogBoxParamW 76421FD5 5 Bytes JMP 6EFD0620 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4820] USER32.dll!DialogBoxParamA 764480B2 5 Bytes JMP 6EFD065B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4820] USER32.dll!DialogBoxIndirectParamA 764483DD 5 Bytes JMP 6EFD06D1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4820] USER32.dll!MessageBoxIndirectA 7645D471 5 Bytes JMP 6EFD05DC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4820] USER32.dll!MessageBoxIndirectW 7645D56B 5 Bytes JMP 6EFD0598 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4820] USER32.dll!MessageBoxExA 7645D5D1 5 Bytes JMP 6EFD055E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4820] USER32.dll!MessageBoxExW 7645D5F5 5 Bytes JMP 6EFD0524 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4820] ole32.dll!OleLoadFromStream 77369726 5 Bytes JMP 6EFD0893 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 4820

---- EOF - GMER 1.0.15 ----
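The DDS "Pseudo HJT Report" and GMER output above contain the loading points a responder reads first: the per-user IE proxy pointed at 127.0.0.1:5555, BHO and toolbar registrations with no backing file, EnableLUA = 0, an ActiveX download point on a non-vendor host, and an iexplore.exe that GMER reports as hidden. The script below is an added example, not part of the original thread or of the DDS/GMER tools; it triages such lines and orders them by what to chase first. The sample input is copied from the log above, and the allowlist of DPF hosts is an assumption made for this example.

```python
"""Triage of the 'Pseudo HJT Report' loading points in a DDS log, ordered
by what a responder checks first.  Added example, not part of the thread
or of the DDS tool; the sample lines below are copied from the log in the
post above (plus the hidden-process line from the GMER output), and the
trusted-host list for DPF entries is an assumption made for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed allowlist for ActiveX download points; adjust to your environment.
TRUSTED_DPF_HOSTS = {"java.sun.com", "download.macromedia.com",
                     "platformdl.adobe.com", "www.systemrequirementslab.com"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]"}

PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
LOADPOINT_RE = re.compile(r"^(BHO|TB|uRun|mRun|dRunOnce|IE|DPF|Handler|SEH):\s*(.*)$")
POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
DPF_RE = re.compile(r"^DPF:\s*\{[0-9A-Fa-f-]+\}\s*-\s*hxxp://([^/\s]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"^Process\s+(.+?)\s+\(\*\*\* hidden \*\*\* ?\)\s+(\d+)")

# Constructed sample input: lines copied from the DDS and GMER logs above.
SAMPLE_LOG = r"""
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} - hxxp://live.amsterdamlivexxx.com/cab/securelogin-devel.cab
Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 4820
"""


@dataclass(frozen=True)
class Finding:
    severity: str      # "high", "medium" or "low"
    line: str
    reason: str


def proxy_endpoints(value: str) -> list[tuple[str, int | None]]:
    """Split an IE ProxyServer value such as 'http=127.0.0.1:5555;https=h:443'
    into (host, port) pairs; the optional 'scheme=' prefix is dropped."""
    endpoints = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        hostport = entry.rpartition("=")[2]
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        endpoints.append((host.lower(), int(port) if port.isdigit() else None))
    return endpoints


def triage(log: str, trusted_dpf_hosts: set[str] = TRUSTED_DPF_HOSTS) -> list[Finding]:
    """Scan DDS/GMER lines and return findings sorted high -> low severity."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.match(line):
            hosts = [h for h, _ in proxy_endpoints(m.group(1))]
            if any(h in LOOPBACK_HOSTS for h in hosts):
                findings.append(Finding("high", line,
                    "browser proxy points at a loopback listener; find the process bound to that port"))
            else:
                findings.append(Finding("medium", line, "browser proxy set; confirm the user configured it"))
        elif (m := LOADPOINT_RE.match(line)) and m.group(2).endswith("No File"):
            findings.append(Finding("low", line, f"{m.group(1)} registration with no backing file (orphan)"))
        elif (m := POLICY_RE.match(line)) and m.group(1) == "EnableLUA" and m.group(2) == "0":
            findings.append(Finding("medium", line, "UAC disabled by policy (EnableLUA=0)"))
        elif (m := DPF_RE.match(line)) and m.group(1).lower() not in trusted_dpf_hosts:
            findings.append(Finding("medium", line, f"ActiveX download point on untrusted host {m.group(1)}"))
        elif m := HIDDEN_RE.match(line):
            findings.append(Finding("high", line,
                f"{m.group(1)} (PID {m.group(2)}) hidden from user-mode process enumeration"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The loopback proxy is rated above everything else because it explains the symptom directly: whatever is bound to that port sees every HTTP request the browser makes and can inject content into the responses. On the live machine the next step is to map the port to its owner (netstat -ano, then the PID) rather than just deleting the registry value, which is what the later CFScript does.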


#4 PropagandaPanda (Malware Response Team)

Posted 25 August 2010 - 07:59 PM

Hello.

It looks like you caught an MBR rootkit. Let's see what we can do.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double-click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right-click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.


  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

With Regards,
The Panda

#5 almagnifico24 (Topic Starter)

Posted 27 August 2010 - 05:08 PM

ComboFix 10-08-26.04 - Garry 08/27/2010 16:43:28.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.2103 [GMT -4:00]
Running from: c:\users\Garry\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Garry\AppData\Local\Windows Server
c:\users\Garry\AppData\Local\Windows Server\uses32.dat
c:\users\Garry\AppData\Roaming\.#
c:\users\Garry\AppData\Roaming\Microsoft\1eaadjc.dll
c:\users\Garry\AppData\Roaming\Microsoft\bass.dll
c:\users\Garry\AppData\Roaming\Microsoft\kfgresk.dll
c:\users\Garry\AppData\Roaming\Microsoft\mjcriu.dll
c:\users\Garry\AppData\Roaming\Microsoft\peaadje.dll
c:\users\Garry\AppData\Roaming\Microsoft\qwadjb.dll
c:\users\Garry\AppData\Roaming\Microsoft\rsaadjd.dll
c:\windows\system32\skinboxer43.dll

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-27 to 2010-08-27 )))))))))))))))))))))))))))))))
.

2010-08-27 20:48 . 2010-08-27 20:48 -------- d-----w- c:\users\Garry\AppData\Local\temp
2010-08-27 20:48 . 2010-08-27 20:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-22 14:20 . 2010-08-25 23:38 -------- d-----w- c:\users\Garry\AppData\Local\Google
2010-08-15 06:34 . 2010-08-15 06:34 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 06:31 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 06:28 . 2010-08-27 20:38 -------- d-----w- c:\users\Garry\AppData\Local\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-27 20:43 . 2008-12-23 16:52 64031 ----a-w- c:\programdata\nvModes.dat
2010-08-27 01:44 . 2010-05-09 01:56 1356 ----a-w- c:\users\Garry\AppData\Local\d3d9caps.dat
2010-08-16 23:12 . 2008-12-23 17:00 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-16 13:47 . 2010-05-09 20:30 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 1
2010-08-15 07:07 . 2009-11-23 04:49 -------- d-----w- c:\program files\NCH Software
2010-08-15 06:31 . 2009-10-12 17:31 -------- d-----w- c:\program files\Java
2010-08-15 06:26 . 2008-12-23 16:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-13 19:33 . 2010-03-29 05:29 -------- d-----w- c:\users\Garry\AppData\Roaming\Skype
2010-08-13 19:32 . 2010-03-29 05:31 -------- d-----w- c:\users\Garry\AppData\Roaming\skypePM
2010-08-06 13:33 . 2009-11-30 04:00 -------- d-----w- c:\programdata\Rosetta Stone
2010-07-29 19:17 . 2010-07-27 05:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-27 05:52 . 2010-07-27 05:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-27 05:32 . 2010-07-27 05:32 388096 ----a-r- c:\users\Garry\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-27 05:32 . 2010-07-27 05:32 -------- d-----w- c:\program files\Trend Micro
2010-07-27 01:17 . 2010-07-27 01:17 -------- d-----w- c:\users\Garry\AppData\Roaming\Malwarebytes
2010-07-27 01:17 . 2010-07-27 01:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-27 01:17 . 2010-07-27 01:17 -------- d-----w- c:\programdata\Malwarebytes
2010-07-08 17:50 . 2009-06-06 03:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-11 20:51 . 2010-06-11 20:51 3055600 ----a-w- c:\users\Garry\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 20:36 . 2010-06-11 20:36 275952 ----a-w- c:\users\Garry\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"Steam"="d:\l4d2\steam.exe" [2010-05-09 1238352]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Google Update"="c:\users\Garry\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-08-22 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-04 13560352]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-04 92704]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2008-11-12 6687264]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2008-08-27 79232]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-10-09 708608]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"GrooveMonitor"="d:\application\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-21 113664]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-9-19 2356552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Garry^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\Garry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-03-05 15:32 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- d:\quicktime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-03-09 14:02 26100520 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2008-06-11 10:16 1454080 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2008-08-27 159744]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2009-10-16 589824]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-04-28 54784]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-05-30 93968]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
S3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-27 3658752]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-01-22 52768]

.
Contents of the 'Scheduled Tasks' folder

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1837110395-3046191573-3705401906-1000Core.job
- c:\users\Garry\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-22 14:20]

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1837110395-3046191573-3705401906-1000UA.job
- c:\users\Garry\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-22 14:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: &D&ownload &with BitComet - d:\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Garry\AppData\Roaming\Mozilla\Firefox\Profiles\8tsoonx4.Working\
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\users\Garry\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Garry\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\Garry\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: d:\new\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: d:\new\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin2.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin3.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin4.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin5.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin6.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-PlayNC Launcher - (no file)
MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-iccnwtcm - c:\users\Garry\AppData\Local\hpcxwsign\qbgalmbtssd.exe
MSConfigStartUp-Vidalia - c:\program files\Vidalia Bundle\Vidalia\vidalia.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1837110395-3046191573-3705401906-1000\Software\SecuROM\License information*]
"datasecu"=hex:aa,f3,ff,df,90,8b,3c,71,bd,48,b9,4c,67,fa,e2,b4,10,c0,40,52,93,
3e,2a,11,4e,ce,48,c1,b0,e4,60,3c,09,6a,3c,13,d5,01,fa,03,b9,c3,13,1b,4c,c5,\
"rkeysecu"=hex:93,08,23,d2,72,79,db,c0,a1,40,d1,40,42,3e,70,dd

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-27 16:50:18
ComboFix-quarantined-files.txt 2010-08-27 20:50

Pre-Run: 7,159,222,272 bytes free
Post-Run: 7,019,974,656 bytes free

- - End Of File - - 6E6FB6FEAD5A3EA466FAD7CF2B601E0E

#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 27 August 2010 - 06:56 PM

Hello.

Looks like ComboFix removed the main infection. We'll clean up some leftovers.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    CODE
    DDS::
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Please tell me which symptoms are still present.

With Regards,
The Panda
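
The CFScript above tells ComboFix to clear a WinINet ProxyServer entry that points at 127.0.0.1:5555, i.e. every browser request on the box was being routed through a local process. The script below is an added example, not part of the original post and not ComboFix's or DDS's code: a small triage pass over DDS/ComboFix-style log lines that flags the entries a responder would look at first in a thread like this one: a loopback proxy, UAC disabled (EnableLUA=0), Security Center monitoring disabled, and autostart entries launched from AppData with random-looking names. The sample lines are constructed, modeled on the entries quoted in this thread; the vowel-ratio thresholds in the name heuristic are assumptions, and a hit is a lead to examine, not a verdict.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample, modeled on the DDS / ComboFix entries quoted in this thread.
# Not a real log; real input is the ComboFix.txt or DDS.txt the tool writes.
SAMPLE_LOG = r"""
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"EnableLUA"= 0 (0x0)
"DisableMonitoring"=dword:00000001
MSConfigStartUp-iccnwtcm - c:\users\Garry\AppData\Local\hpcxwsign\qbgalmbtssd.exe
MSConfigStartUp-Vidalia - c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
"Google Update"="c:\users\Garry\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-08-22 136176]
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<val>.+)$", re.I)
# A proxy on the loopback interface means a local process sits between the browser and the network.
LOOPBACK_RE = re.compile(r"(?:^|=)(?:127\.\d+\.\d+\.\d+|localhost|::1):\d+", re.I)
ENABLELUA_RE = re.compile(r'"EnableLUA"\s*=\s*0\b')
DISMON_RE = re.compile(r'"DisableMonitoring"\s*=\s*dword:0*1$', re.I)
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]+?\.exe', re.I)


def low_vowel_ratio(name, min_len=8, max_ratio=0.25):
    """Heuristic (assumed thresholds): long names with almost no vowels look machine-generated."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < max_ratio


def suspicious_autostart_path(path):
    """Executable under AppData whose file or folder name looks random."""
    low = path.lower()
    if "\\appdata\\" not in low:
        return False
    parts = low.split("\\")
    exe = parts[-1].rsplit(".", 1)[0]
    parent = parts[-2] if len(parts) >= 2 else ""
    return low_vowel_ratio(exe) or low_vowel_ratio(parent)


def scan_log(text):
    """Return findings in log order; each finding carries the offending line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m and LOOPBACK_RE.search(m.group("val")):
            findings.append(Finding("loopback-proxy", line))
        if ENABLELUA_RE.search(line):
            findings.append(Finding("uac-disabled", line))
        if DISMON_RE.search(line):
            findings.append(Finding("security-center-monitoring-disabled", line))
        for path in PATH_RE.findall(line):
            if suspicious_autostart_path(path):
                findings.append(Finding("autostart-random-name-appdata", line))
                break
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_LOG
    for finding in scan_log(text):
        print(f"[{finding.rule}] {finding.line}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path to a saved ComboFix.txt or DDS.txt as the only argument; with no argument it scans the constructed sample. The proxy rule matches any ProxyServer value on 127.0.0.0/8, localhost or ::1, which is the shape of the entry the CFScript in this post removes.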

#7 almagnifico24 (Topic Starter)
  • Members
  • 7 posts

Posted 27 August 2010 - 11:02 PM

The log produced from Combofix this time was absolutely massive. The .txt file is 1.73 MB, so I can't attach it, and it is far too long to post. I posted it with the (SnapShot@2010-08-27_20.49.01) removed.

Immediately after I ran Combofix this time with the script, I was not able to run any programs such as IE,Firefox,YahooIM,Chrome,WMP, etc... An error appeared and said something about the registry being deleted. Everything worked fine after a reboot.

Kaspersky report is in attachment.



Also, I don't think I fully stopped S&D's Teatimer program, as when I rebooted it ran on start up and gave a bunch of prompts about changes to the registry/etc. Do I need to start the process over?

Good news is I have not heard a single audio advertisement since I initially started the process with combofix.

ComboFix 10-08-26.04 - Garry 08/27/2010 21:19:16.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.2134 [GMT -4:00]
Running from: c:\users\Garry\Desktop\ComboFix.exe
Command switches used :: c:\users\Garry\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-28 )))))))))))))))))))))))))))))))
.

2010-08-28 01:23 . 2010-08-28 01:23 -------- d-----w- c:\users\Garry\AppData\Local\temp
2010-08-28 01:23 . 2010-08-28 01:23 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-08-28 01:23 . 2010-08-28 01:23 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-28 01:23 . 2010-08-28 01:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-22 14:20 . 2010-08-25 23:38 -------- d-----w- c:\users\Garry\AppData\Local\Google
2010-08-15 06:34 . 2010-08-15 06:34 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 06:31 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 06:28 . 2010-08-27 20:38 -------- d-----w- c:\users\Garry\AppData\Local\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-28 01:01 . 2008-12-23 16:52 64031 ----a-w- c:\programdata\nvModes.dat
2010-08-27 01:44 . 2010-05-09 01:56 1356 ----a-w- c:\users\Garry\AppData\Local\d3d9caps.dat
2010-08-16 23:12 . 2008-12-23 17:00 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-16 13:47 . 2010-05-09 20:30 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 1
2010-08-15 07:07 . 2009-11-23 04:49 -------- d-----w- c:\program files\NCH Software
2010-08-15 06:31 . 2009-10-12 17:31 -------- d-----w- c:\program files\Java
2010-08-15 06:26 . 2008-12-23 16:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-13 19:33 . 2010-03-29 05:29 -------- d-----w- c:\users\Garry\AppData\Roaming\Skype
2010-08-13 19:32 . 2010-03-29 05:31 -------- d-----w- c:\users\Garry\AppData\Roaming\skypePM
2010-08-06 13:33 . 2009-11-30 04:00 -------- d-----w- c:\programdata\Rosetta Stone
2010-07-29 19:17 . 2010-07-27 05:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-27 05:52 . 2010-07-27 05:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-27 05:32 . 2010-07-27 05:32 388096 ----a-r- c:\users\Garry\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-27 05:32 . 2010-07-27 05:32 -------- d-----w- c:\program files\Trend Micro
2010-07-27 01:17 . 2010-07-27 01:17 -------- d-----w- c:\users\Garry\AppData\Roaming\Malwarebytes
2010-07-27 01:17 . 2010-07-27 01:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-27 01:17 . 2010-07-27 01:17 -------- d-----w- c:\programdata\Malwarebytes
2010-07-08 17:50 . 2009-06-06 03:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-11 20:51 . 2010-06-11 20:51 3055600 ----a-w- c:\users\Garry\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 20:36 . 2010-06-11 20:36 275952 ----a-w- c:\users\Garry\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-08-27_20.49.01 )))))))))))))))))))))))))))))))))))))))))

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"Steam"="d:\l4d2\steam.exe" [2010-05-09 1238352]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Google Update"="c:\users\Garry\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-08-22 136176]
"PlayNC Launcher"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-04 13560352]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-04 92704]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2008-11-12 6687264]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2008-08-27 79232]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-10-09 708608]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"GrooveMonitor"="d:\application\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-21 113664]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-9-19 2356552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Garry^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\Garry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-03-05 15:32 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- d:\quicktime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-03-09 14:02 26100520 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2008-06-11 10:16 1454080 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2008-08-27 159744]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2009-10-16 589824]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-04-28 54784]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-05-30 93968]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
S3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-27 3658752]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-01-22 52768]

.
Contents of the 'Scheduled Tasks' folder

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1837110395-3046191573-3705401906-1000Core.job
- c:\users\Garry\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-22 14:20]

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1837110395-3046191573-3705401906-1000UA.job
- c:\users\Garry\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-22 14:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &D&ownload &with BitComet - d:\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Garry\AppData\Roaming\Mozilla\Firefox\Profiles\8tsoonx4.Working\
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\users\Garry\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Garry\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\Garry\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: d:\new\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: d:\new\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin2.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin3.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin4.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin5.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin6.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-27 21:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1837110395-3046191573-3705401906-1000\Software\SecuROM\License information*]
"datasecu"=hex:aa,f3,ff,df,90,8b,3c,71,bd,48,b9,4c,67,fa,e2,b4,10,c0,40,52,93,
3e,2a,11,4e,ce,48,c1,b0,e4,60,3c,09,6a,3c,13,d5,01,fa,03,b9,c3,13,1b,4c,c5,\
"rkeysecu"=hex:93,08,23,d2,72,79,db,c0,a1,40,d1,40,42,3e,70,dd

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-27 21:24:51
ComboFix-quarantined-files.txt 2010-08-28 01:24
ComboFix2.txt 2010-08-27 20:50

Pre-Run: 7,116,648,448 bytes free
Post-Run: 6,978,969,600 bytes free

- - End Of File - - 765D29576C03F65A8B60E93CAE837A8A

Edited by almagnifico24, 27 August 2010 - 11:05 PM.


#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 28 August 2010 - 09:34 AM

Hello.

The large log was likely caused by a Windows Update that occurred between the ComboFix runs.

QUOTE
Immediately after I ran Combofix this time with the script, I was not able to run any programs such as IE,Firefox,YahooIM,Chrome,WMP, etc... An error appeared and said something about the registry being deleted. Everything worked fine after a reboot.
Did the message happen to say: Could not open registry key marked for deletion?

For some reason, the MBR rootkit is still being detected. Let's try to take it out from the recovery console.

Using Recovery Console
Shut down your computer. Start it again.
After hearing the beep, tap the F8 key repeatedly until you see the boot selection screen.
Use the arrow keys to select "Microsoft Windows Recovery Console" and hit Enter.
You will be asked which installation you want to log into. This is usually 1 - C:\WINDOWS. Type 1 followed by Enter.

Type each of the following lines one at a time followed by Enter:
CODE
fixmbr
exit

Allow your computer to restart normally.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    CODE
    File::
    C:\Windows\System32\Complace.dll
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and Run MBRCheck
Please download MBRCheck.exe to your desktop.
  • Double click to run it.
  • It will prompt you with some text.
  • Left click on title bar (where program name and path is written).
  • From menu chose Edit -> Select All.
  • Press Enter key on keyboard to copy selected text.
  • Copy - Paste that text into your next reply.

Please tell me if there are any problems.

With Regards,
The Panda
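
The post above wants the MBR rewritten and then inspected with MBRCheck, because ComboFix keeps reporting a bootkit on \\.\PhysicalDrive0. As an added example that is not part of the thread and is not MBRCheck's or ComboFix's code, here is a Python check that does the core of what such a tool does: read one 512-byte sector, validate the 0x55AA signature and the four partition entries, and compare the 440-byte boot code against a SHA-256 baseline. The fixtures are constructed; the baseline hash is assumed to have been recorded earlier from a known-clean disk with the same boot loader, and the seven-byte boot stub stands in for the real vendor code. Nothing here encodes how any particular bootkit modifies the sector; a mismatch only says the boot code is not the one you recorded.

```python
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440                      # bytes 0..439 hold the boot loader code
PART_TABLE_OFF = 446                     # four 16-byte partition entries start here
PART_ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"                   # bytes 510..511


def build_mbr(boot_code, partitions, disk_signature=0x1234ABCD):
    """Assemble a 512-byte MBR. Test fixture only; on a live system sector 0 is read
    from the device (see read_sector0)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code exceeds 440 bytes")
    if len(partitions) > 4:
        raise ValueError("at most four primary partition entries")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[BOOT_CODE_LEN:BOOT_CODE_LEN + 4] = struct.pack("<I", disk_signature)
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        sector[off:off + 16] = PART_ENTRY.pack(status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def parse_mbr(sector):
    """Split one sector into the fields a boot-sector check cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, count = PART_ENTRY.unpack(sector[off:off + 16])
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack("<I", sector[BOOT_CODE_LEN:BOOT_CODE_LEN + 4])[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector, baseline_boot_code_sha256):
    """Return a list of finding names; an empty list means nothing looked off."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing-0x55aa-signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot-code-differs-from-baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append("active-partition-count-%d" % len(active))
    used = sorted((p for p in info["partitions"] if p["type"] != 0), key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("overlapping-partition-entries")
            break
    return findings


# Constructed fixtures. The stub is the usual x86 prologue (xor ax,ax / mov ss,ax / mov sp,7c00h),
# zero-padded by build_mbr; it stands in for the real vendor boot code.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c")
PARTS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1024000)]   # one active NTFS, one data
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTS)
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # assumed: recorded from a known-clean disk

# Same partition table, but the first three bytes are replaced by a near jump (e9 a0 01).
TAMPERED_MBR = build_mbr(bytes.fromhex("e9a001") + CLEAN_BOOT_CODE[3:], PARTS)


def read_sector0(path=r"\\.\PhysicalDrive0"):
    """Read the first sector of a raw device (needs administrator rights on Windows)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def main(argv):
    sector = read_sector0(argv[1]) if len(argv) > 1 else TAMPERED_MBR
    info = parse_mbr(sector)
    print("boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:
        if p["type"]:
            print("  type=0x%02x lba=%d sectors=%d bootable=%s"
                  % (p["type"], p["lba_start"], p["sectors"], p["bootable"]))
    print("findings:", check_mbr(sector, BASELINE_SHA256) or "none")


if __name__ == "__main__":
    main(sys.argv)
```

With no argument the script checks the constructed tampered sector against the constructed baseline; given a device path such as \\.\PhysicalDrive0 it reads the live sector instead. Record the baseline hash before anything is rewritten, then re-run after the repair to confirm the boot code matches again. One caveat for the step in the post: the XP recovery-console command fixmbr does not exist on Vista; the equivalent in the Vista recovery environment's command prompt is bootrec /fixmbr.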

#9 almagnifico24 (Topic Starter)
  • Members
  • 7 posts

Posted 28 August 2010 - 03:23 PM

"Could not open registry key marked for deletion?" Yes, that sounds very familiar.

It appears my computer manufacturer has preinstalled recovery options, but there is no "Microsoft Windows Recovery Console". After booting and using F8, I am on the Advanced Boot Options screen. The first one to select is "Repair Your Computer".
This brings me to a choice of the manufacturer's recovery manager or Windows System Recovery Options.

In the Windows System Recovery Options I tried using the Command Prompt. I accessed C: and then ran fixmbr, but it is not recognized.

What should I do?

#10 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 28 August 2010 - 05:24 PM

Hello.

Sorry, I forgot that you were not using Windows XP.

Please skip to running CFScript.

With Regards,
The Panda

#11 almagnifico24 (Topic Starter)
  • Members
  • 7 posts

Posted 28 August 2010 - 08:25 PM

ComboFix 10-08-26.04 - Garry 08/28/2010 21:08:25.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.2167 [GMT -4:00]
Running from: c:\users\Garry\Desktop\ComboFix.exe
Command switches used :: c:\users\Garry\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\System32\Complace.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\Complace.dll

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-29 )))))))))))))))))))))))))))))))
.

2010-08-29 01:12 . 2010-08-29 01:12 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-08-29 01:12 . 2010-08-29 01:12 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-29 01:12 . 2010-08-29 01:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-28 01:24 . 2010-08-29 01:14 -------- d-----w- c:\users\Garry\AppData\Local\temp
2010-08-22 14:20 . 2010-08-25 23:38 -------- d-----w- c:\users\Garry\AppData\Local\Google
2010-08-15 06:34 . 2010-08-15 06:34 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 06:31 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 06:28 . 2010-08-27 20:38 -------- d-----w- c:\users\Garry\AppData\Local\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-29 01:15 . 2008-12-23 16:52 64031 ----a-w- c:\programdata\nvModes.dat
2010-08-27 01:44 . 2010-05-09 01:56 1356 ----a-w- c:\users\Garry\AppData\Local\d3d9caps.dat
2010-08-16 23:12 . 2008-12-23 17:00 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-16 13:47 . 2010-05-09 20:30 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 1
2010-08-15 07:07 . 2009-11-23 04:49 -------- d-----w- c:\program files\NCH Software
2010-08-15 06:31 . 2009-10-12 17:31 -------- d-----w- c:\program files\Java
2010-08-15 06:26 . 2008-12-23 16:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-13 19:33 . 2010-03-29 05:29 -------- d-----w- c:\users\Garry\AppData\Roaming\Skype
2010-08-13 19:32 . 2010-03-29 05:31 -------- d-----w- c:\users\Garry\AppData\Roaming\skypePM
2010-08-06 13:33 . 2009-11-30 04:00 -------- d-----w- c:\programdata\Rosetta Stone
2010-07-29 19:17 . 2010-07-27 05:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-27 05:52 . 2010-07-27 05:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-27 05:32 . 2010-07-27 05:32 388096 ----a-r- c:\users\Garry\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-27 05:32 . 2010-07-27 05:32 -------- d-----w- c:\program files\Trend Micro
2010-07-27 01:17 . 2010-07-27 01:17 -------- d-----w- c:\users\Garry\AppData\Roaming\Malwarebytes
2010-07-27 01:17 . 2010-07-27 01:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-27 01:17 . 2010-07-27 01:17 -------- d-----w- c:\programdata\Malwarebytes
2010-07-08 17:50 . 2009-06-06 03:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-11 20:51 . 2010-06-11 20:51 3055600 ----a-w- c:\users\Garry\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 20:36 . 2010-06-11 20:36 275952 ----a-w- c:\users\Garry\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"Steam"="d:\l4d2\steam.exe" [2010-08-28 1242448]
"Google Update"="c:\users\Garry\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-08-22 136176]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-04 13560352]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-04 92704]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2008-11-12 6687264]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2008-08-27 79232]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-10-09 708608]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"GrooveMonitor"="d:\application\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-21 113664]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-9-19 2356552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Garry^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\Garry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-03-05 15:32 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- d:\quicktime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-03-09 14:02 26100520 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2008-06-11 10:16 1454080 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PlayNC Launcher"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2009-10-16 589824]
S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2008-08-27 159744]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-04-28 54784]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-05-30 93968]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
S3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-27 3658752]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-01-22 52768]

.
Contents of the 'Scheduled Tasks' folder

2010-08-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1837110395-3046191573-3705401906-1000Core.job
- c:\users\Garry\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-22 14:20]

2010-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1837110395-3046191573-3705401906-1000UA.job
- c:\users\Garry\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-22 14:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &D&ownload &with BitComet - d:\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Garry\AppData\Roaming\Mozilla\Firefox\Profiles\8tsoonx4.Working\
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\users\Garry\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Garry\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\Garry\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: d:\new\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: d:\new\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin2.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin3.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin4.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin5.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin6.dll
FF - plugin: d:\quicktime\Plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-28 21:14
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1837110395-3046191573-3705401906-1000\Software\SecuROM\License information*]
"datasecu"=hex:aa,f3,ff,df,90,8b,3c,71,bd,48,b9,4c,67,fa,e2,b4,10,c0,40,52,93,
3e,2a,11,4e,ce,48,c1,b0,e4,60,3c,09,6a,3c,13,d5,01,fa,03,b9,c3,13,1b,4c,c5,\
"rkeysecu"=hex:93,08,23,d2,72,79,db,c0,a1,40,d1,40,42,3e,70,dd

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-08-28 21:18:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-29 01:18
ComboFix2.txt 2010-08-28 01:48
ComboFix3.txt 2010-08-28 01:24
ComboFix4.txt 2010-08-27 20:50

Pre-Run: 6,280,839,168 bytes free
Post-Run: 6,296,248,320 bytes free

- - End Of File - - A9E2A1DBD0D004F7CE221F00F5EB7942

==========================================================================================================================================================================

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 1 (build 6001), 32-bit
Base Board Manufacturer: MSI
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Micro-Star International
System Product Name: GX627
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 149):
0x81E50000 \SystemRoot\system32\ntkrnlpa.exe
0x81E1D000 \SystemRoot\system32\hal.dll
0x80401000 \SystemRoot\system32\kdcom.dll
0x80409000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x80469000 \SystemRoot\system32\PSHED.dll
0x8047A000 \SystemRoot\system32\BOOTVID.dll
0x80482000 \SystemRoot\system32\CLFS.SYS
0x804C3000 \SystemRoot\system32\CI.dll
0x8060B000 \SystemRoot\system32\drivers\Wdf01000.sys
0x80687000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80694000 \SystemRoot\system32\drivers\acpi.sys
0x806DA000 \SystemRoot\system32\drivers\WMILIB.SYS
0x806E3000 \SystemRoot\system32\drivers\msisadrv.sys
0x806EB000 \SystemRoot\system32\drivers\pci.sys
0x80712000 \SystemRoot\System32\drivers\partmgr.sys
0x80721000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80724000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8072E000 \SystemRoot\system32\drivers\volmgr.sys
0x8073D000 \SystemRoot\System32\drivers\volmgrx.sys
0x80787000 \SystemRoot\System32\drivers\mountmgr.sys
0x80797000 \SystemRoot\system32\drivers\atapi.sys
0x8079F000 \SystemRoot\system32\drivers\ataport.SYS
0x807BD000 \SystemRoot\system32\DRIVERS\msahci.sys
0x807C7000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x805A3000 \SystemRoot\system32\drivers\fltmgr.sys
0x807D5000 \SystemRoot\system32\drivers\fileinfo.sys
0x89E0B000 \SystemRoot\System32\Drivers\ksecdd.sys
0x89E7C000 \SystemRoot\system32\drivers\ndis.sys
0x89F87000 \SystemRoot\system32\drivers\msrpc.sys
0x89FB2000 \SystemRoot\system32\drivers\NETIO.SYS
0x8A00A000 \SystemRoot\System32\drivers\tcpip.sys
0x8A0F1000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8A20C000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8A31B000 \SystemRoot\system32\drivers\volsnap.sys
0x8A354000 \SystemRoot\System32\Drivers\spldr.sys
0x8A35C000 \SystemRoot\System32\Drivers\mup.sys
0x8A36B000 \SystemRoot\System32\drivers\ecache.sys
0x8A392000 \SystemRoot\system32\drivers\disk.sys
0x8A3A3000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x8A3C4000 \SystemRoot\system32\drivers\crcdisk.sys
0x8A3EF000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8A200000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8A10C000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8DA00000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8E142000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8E1E1000 \SystemRoot\System32\drivers\watchdog.sys
0x8E1EE000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8A11B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8A159000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8A168000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8A17A000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
0x8E20B000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
0x8E592000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8E5A2000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8E5B0000 \SystemRoot\system32\DRIVERS\jmcr.sys
0x8E5C7000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0x8E5ED000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8E200000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8A19C000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8E1F9000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8A1CB000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8E1FB000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8A1D6000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8A1DF000 \SystemRoot\system32\DRIVERS\enecir.sys
0x807E5000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x89FEC000 \SystemRoot\System32\Drivers\tosrfcom.sys
0x8E60F000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8E63D000 \SystemRoot\system32\DRIVERS\storport.sys
0x8E67E000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8E689000 \SystemRoot\system32\DRIVERS\ManyCam.sys
0x8E68F000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0x8E69C000 \SystemRoot\system32\DRIVERS\ks.sys
0x8E6C6000 \SystemRoot\System32\Drivers\RootMdm.sys
0x8E6CE000 \SystemRoot\system32\drivers\modem.sys
0x8E6DB000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8E6F2000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8E6FD000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8E720000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8E72F000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8E743000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8E758000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8E768000 \SystemRoot\system32\DRIVERS\mcdbus.sys
0x8E785000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8E787000 \SystemRoot\system32\DRIVERS\circlass.sys
0x8E795000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8E79F000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8E7AC000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8E7E0000 \SystemRoot\system32\DRIVERS\tosporte.sys
0x8E7EB000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8EE0E000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8F02F000 \SystemRoot\system32\drivers\portcls.sys
0x8F05C000 \SystemRoot\system32\drivers\drmk.sys
0x8F081000 \SystemRoot\system32\DRIVERS\smserial.sys
0x8F18E000 \SystemRoot\system32\drivers\nvhda32v.sys
0x8F19E000 \SystemRoot\system32\DRIVERS\hidir.sys
0x8F1A9000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8F1B9000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8F1C0000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8F1C9000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x8F1D1000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8F1DA000 \SystemRoot\System32\Drivers\Null.SYS
0x8F1E1000 \SystemRoot\System32\Drivers\Beep.SYS
0x8F1E8000 \SystemRoot\System32\drivers\vga.sys
0x805D5000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8F1F4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8EE00000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8E600000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8F209000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8F217000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8F220000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8F236000 \SystemRoot\system32\DRIVERS\smb.sys
0x8F24A000 \SystemRoot\system32\drivers\afd.sys
0x8F292000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8F2C4000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8F2DA000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8F2E8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8F2FB000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8F337000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8F341000 \SystemRoot\System32\Drivers\dfsc.sys
0x8F358000 \SystemRoot\system32\DRIVERS\udfs.sys
0x8F393000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x8F3A9000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8F3B6000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8F3C1000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x95EA0000 \SystemRoot\System32\win32k.sys
0x8F3CB000 \SystemRoot\System32\drivers\Dxapi.sys
0x8F3D5000 \SystemRoot\system32\DRIVERS\monitor.sys
0x960C0000 \SystemRoot\System32\TSDDD.dll
0x960E0000 \SystemRoot\System32\cdd.dll
0x8F3E4000 \SystemRoot\system32\drivers\luafv.sys
0x81A0F000 \SystemRoot\system32\drivers\spsys.sys
0x81ABE000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x81ACE000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x81AF8000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x81B02000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x81B15000 \SystemRoot\system32\drivers\HTTP.sys
0x81B80000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x81B9D000 \SystemRoot\system32\DRIVERS\bowser.sys
0x81BB6000 \SystemRoot\System32\drivers\mpsdrv.sys
0x81BCB000 \SystemRoot\system32\drivers\mrxdav.sys
0x8A3CD000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9B60D000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9B646000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9B65E000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9B685000 \SystemRoot\System32\DRIVERS\srv.sys
0x9B6D1000 \SystemRoot\system32\drivers\peauth.sys
0x9B7AF000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9B7B9000 \SystemRoot\System32\drivers\tcpipreg.sys
0x77240000 \Windows\System32\ntdll.dll

Processes (total 57):
0 System Idle Process
4 System
452 C:\Windows\System32\smss.exe
520 csrss.exe
572 csrss.exe
580 C:\Windows\System32\wininit.exe
616 C:\Windows\System32\services.exe
628 C:\Windows\System32\lsass.exe
636 C:\Windows\System32\lsm.exe
812 C:\Windows\System32\svchost.exe
856 C:\Windows\System32\nvvsvc.exe
884 C:\Windows\System32\svchost.exe
920 C:\Windows\System32\svchost.exe
968 C:\Windows\System32\svchost.exe
1000 C:\Windows\System32\svchost.exe
1020 C:\Windows\System32\svchost.exe
1096 C:\Windows\System32\audiodg.exe
1124 C:\Windows\System32\SLsvc.exe
1164 C:\Windows\System32\svchost.exe
1256 C:\Windows\System32\winlogon.exe
1336 C:\Windows\System32\svchost.exe
1516 C:\Windows\System32\spoolsv.exe
1540 C:\Windows\System32\svchost.exe
1744 C:\Windows\System32\lxdxcoms.exe
1784 C:\Program Files\System Control Manager\MSIService.exe
1900 C:\Windows\System32\PnkBstrA.exe
1928 C:\Windows\System32\svchost.exe
1968 C:\Windows\System32\svchost.exe
2024 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
264 C:\Windows\System32\svchost.exe
344 C:\Windows\System32\SearchIndexer.exe
528 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
744 C:\Windows\System32\rundll32.exe
2668 C:\Windows\System32\taskeng.exe
2676 C:\Windows\System32\dwm.exe
2764 C:\Windows\explorer.exe
2848 C:\Program Files\Windows Defender\MSASCui.exe
2912 C:\Windows\System32\rundll32.exe
2960 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
3032 C:\Program Files\System Control Manager\MGSysCtrl.exe
3040 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3060 D:\Application\Office12\GrooveMonitor.exe
3068 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3104 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
3180 D:\L4D2\steam.exe
3220 C:\Program Files\Windows Media Player\wmpnscfg.exe
3248 C:\Windows\System32\wbem\unsecapp.exe
3264 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
3396 WmiPrvSE.exe
3476 C:\Program Files\Windows Media Player\wmpnetwk.exe
4032 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
4040 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
796 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
2584 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
3712 C:\Windows\System32\SearchProtocolHost.exe
2920 C:\Windows\System32\SearchFilterHost.exe
3960 C:\Users\Garry\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`f4100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000c`f0900000 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200BEKT-00F3T0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!
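
The MBRCheck output above does two things a practitioner should be able to reproduce: it hashes the boot sector's code and compares it against known Windows boot code, and it lists where C: and D: sit on PhysicalDrive0. As an added example that is not part of this thread or of MBRCheck itself, the Python below parses a 512-byte MBR, hashes the 440-byte bootstrap region, decodes the partition table, and reports the signs an MBR bootkit leaves behind: a bootstrap hash that is not in the known-good set, overlapping partitions, or a partition running past the end of the disk. Everything in the demo is constructed: the bootstrap stub is not real boot code, the known-good set is seeded from that stub, and the 512-byte sector size and the 625142448-sector disk size are assumptions. The two partition LBAs are derived from the C: and D: byte offsets in the log (0x1f4100000 and 0xcf0900000 divided by 512). Whether MBRCheck hashes exactly the first 440 bytes is not stated in the log and is an assumption here.

```python
import hashlib
import struct

SECTOR = 512             # assumed sector size; the MBRCheck log does not state it
MBR_CODE_LEN = 440       # bootstrap code; bytes 440-443 hold the disk signature
PT_OFFSET = 446          # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count

PARTITION_TYPES = {
    0x00: "empty", 0x05: "Extended", 0x07: "NTFS/exFAT", 0x0b: "FAT32",
    0x0c: "FAT32 (LBA)", 0x0f: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux",
}


def build_mbr(code: bytes, entries, disk_sig: int = 0xDEADBEEF) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and (boot, type, lba_start, sectors) tuples."""
    buf = bytearray(code[:MBR_CODE_LEN].ljust(MBR_CODE_LEN, b"\x00"))
    buf += struct.pack("<IH", disk_sig, 0)           # disk signature + 2 reserved bytes
    for boot, ptype, start, count in entries:
        buf += struct.pack(ENTRY_FMT, boot, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    buf += b"\x00" * (16 * (4 - len(entries)))       # unused entries stay zeroed
    buf += BOOT_SIG
    assert len(buf) == 512
    return bytes(buf)


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == 512 and sector[510:512] == BOOT_SIG


def parse_mbr(sector: bytes) -> dict:
    """Hash the bootstrap code and decode the partition table of one 512-byte MBR."""
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector ending in 0x55AA")
    partitions = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        boot, _chs0, ptype, _chs1, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0x00:
            continue
        partitions.append({
            "index": i,
            "bootable": boot == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": start,
            "sectors": count,
            "byte_offset": start * SECTOR,           # what MBRCheck prints as "at offset"
        })
    return {
        "code_sha1": hashlib.sha1(sector[:MBR_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, MBR_CODE_LEN)[0],
        "partitions": partitions,
    }


def audit_mbr(parsed: dict, known_code_hashes: set, disk_sectors: int) -> list:
    """Return the findings a bootkit check cares about; an empty list means nothing suspicious."""
    findings = []
    if parsed["code_sha1"] not in known_code_hashes:
        findings.append("bootstrap code hash not in known-good set")
    parts = sorted(parsed["partitions"], key=lambda p: p["lba_start"])
    if not any(p["bootable"] for p in parts):
        findings.append("no partition flagged bootable")
    for a, b in zip(parts, parts[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    for p in parts:
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']} extends past the end of the disk")
    return findings


# --- constructed demo data (not real boot code, not the poster's disk) ---
DEMO_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 24   # stand-in bootstrap stub
# LBAs derived from the log's volume offsets at 512 B/sector:
# C: 0x1f4100000 / 512 = 16386048, D: 0xcf0900000 / 512 = 108546048
DEMO_ENTRIES = [
    (0x80, 0x07, 16386048, 92160000),
    (0x00, 0x07, 108546048, 516596400),
]
DEMO_DISK_SECTORS = 625142448      # assumed total for a drive reported as 298 GB
DEMO_MBR = build_mbr(DEMO_CODE, DEMO_ENTRIES)
# In practice this set holds hashes of known-clean Windows boot code; here it is seeded from the stub.
KNOWN_GOOD = {parse_mbr(DEMO_MBR)["code_sha1"]}


def demo():
    parsed = parse_mbr(DEMO_MBR)
    return parsed, audit_mbr(parsed, KNOWN_GOOD, DEMO_DISK_SECTORS)


def tampered_demo():
    """Simulate a bootkit overwriting the first bytes of the bootstrap code."""
    sector = bytearray(DEMO_MBR)
    sector[0:4] = b"\xeb\xfe\x90\x90"    # constructed patch, not a real bootkit
    return audit_mbr(parse_mbr(bytes(sector)), KNOWN_GOOD, DEMO_DISK_SECTORS)


if __name__ == "__main__":
    parsed, findings = demo()
    print("code SHA1:", parsed["code_sha1"], "findings:", findings or "none")
    for p in parsed["partitions"]:
        print(f"  entry {p['index']}: {p['type_name']} at 0x{p['byte_offset']:x}, {p['sectors']} sectors")
    print("tampered:", tampered_demo())
```

To run this against a real machine, read the first 512 bytes of `\\.\PhysicalDrive0` (Windows, elevated) or `/dev/sda` (Linux, root) and build the known-good set from a clean reference install rather than from the disk under suspicion. A protective MBR on a GPT disk (single entry of type 0xEE) and 4K-native drives change how the offsets and sizes should be read, so check those before trusting a "past end of disk" finding.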
#12 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 29 August 2010 - 07:10 PM

Hello.

Please delete the copy of ComboFix that is on your desktop. Then download a new copy from one of the links below:
Link 1, Link 2

Run ComboFix again just by clicking on it.

Submit File Sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/topic339924.html
  • Click the Browse button. Locate and select the following files:
    1. c:\qoobox\quarantine\c\windows\system32\userinit.exe
    (If more than one file is listed, do one at a time.)
  • Under the comments section, say that Panda asked for the submission.

Please tell me if the ads are still appearing.

With Regards,
The Panda

Edited by PropagandaPanda, 29 August 2010 - 07:32 PM.


#13 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 18 September 2010 - 09:26 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

