
Binaya
My logs are here.
DDS (Ver_10-03-17.01) - NTFSx86
Run by vinaya at 5:19:31.46 on Sun 08/22/2010
Internet Explorer: 8.0.6001.18241
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.575.317 [GMT -7:00]
AV: My Security Shield *On-access scanning enabled* (Updated) {09433DA5-A405-452C-B22F-98D08A3CCDBD}
FW: My Security Shield *enabled* {1888D069-C896-440F-A6E8-E6CE269E412D}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Mx One Antivirus\mogtr.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\winwpvnn.exe
C:\Documents and Settings\vinaya\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Mx_One_Guardian_Tiempo_Real] c:\program files\mx one antivirus\mogtr.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
Note: multiple HOSTS entries found. Please refer to Attach.txt
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\vinaya\applic~1\mozilla\firefox\profiles\66rzmfho.default\
FF - prefs.js: browser.search.selectedEngine - search
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-21 365904]
R3 aic32p;aic32p;\??\c:\windows\system32\drivers\hfojin.sys --> c:\windows\system32\drivers\hfojin.sys [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-21 20952]
=============== Created Last 30 ================
2010-08-21 22:15:02 0 d-sh--w- c:\docume~1\alluse~1\applic~1\MSAXALIS
2010-08-21 22:10:02 0 d-sh--w- c:\docume~1\alluse~1\applic~1\752f0da
2010-08-21 21:37:57 194048 ----a-w- c:\windows\Efiqia.exe
2010-08-21 21:16:02 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-08-21 21:16:02 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-08-21 21:15:45 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-08-21 21:15:45 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-08-21 21:15:45 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-08-21 21:15:45 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-08-21 21:15:45 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-08-21 17:10:14 0 d-----w- c:\docume~1\vinaya\applic~1\Malwarebytes
2010-08-21 17:10:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-21 17:10:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-21 17:10:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-21 17:10:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-21 04:11:00 28672 ------w- c:\windows\system32\SiSHook.dll
2010-08-21 04:11:00 184320 ------w- c:\windows\system32\SiSApCom.dll
2010-08-21 04:11:00 110592 ------w- c:\windows\system32\TVMode.dll
2010-08-21 04:10:41 331776 ----a-w- c:\windows\system32\sistray.exe
2010-08-21 04:10:35 103549 ----a-w- c:\windows\VGAsetup.ini
2010-08-21 04:10:29 49152 ----a-w- c:\windows\system32\SiSPower.dll
2010-08-21 04:10:11 0 d-----w- c:\program files\SiS VGA Utilities V3.64
2010-08-21 04:10:05 0 d-----w- c:\windows\system32\trayres
2010-08-21 04:10:01 100532 ----a-w- c:\windows\system32\VGAunistlog.ini
2010-08-20 14:41:49 0 d-----w- c:\docume~1\vinaya\applic~1\COWON
2010-08-20 14:30:44 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-08-20 14:10:44 0 d-----w- c:\program files\Mx One Antivirus
2010-08-20 14:03:48 0 d-----w- c:\windows\pss
2010-08-20 13:58:03 0 d-sh--w- c:\documents and settings\vinaya\PrivacIE
2010-08-20 13:52:36 26144 ------w- c:\windows\system32\spupdsvc.exe
2010-08-20 13:51:21 0 dc-h--w- c:\windows\ie8
2010-08-20 13:49:40 0 d-----w- C:\downloads
2010-08-20 13:49:40 0 d-----w- c:\docume~1\vinaya\applic~1\GrabPro
2010-08-20 13:49:36 0 d-----w- c:\program files\Orbitdownloader
2010-08-20 13:47:47 0 d-----w- c:\program files\common files\COWON
2010-08-20 13:47:45 0 d-----w- c:\program files\JetAudio
2010-08-20 13:46:58 0 d-----w- c:\program files\CCleaner
2010-08-20 13:43:01 0 d-----w- c:\windows\system32\LogFiles
2010-08-20 13:41:48 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2010-08-20 13:40:33 36484 ----a-w- c:\windows\system32\drivers\SMBios.sys
2010-08-20 13:40:28 0 d-----w- C:\TempEI4
2010-08-20 12:31:56 0 d-sh--w- c:\documents and settings\all users\DRM
2010-08-20 12:30:51 0 d--h--w- c:\program files\WindowsUpdate
2010-08-20 12:29:31 0 d-----w- c:\program files\common files\MSSoap
2010-08-20 12:27:13 0 d-----w- c:\program files\Online Services
2010-08-20 12:27:03 0 d-----w- c:\program files\HashTab Shell Extension
2010-08-20 12:27:01 0 d-----w- c:\program files\Unlocker
2010-08-20 12:27:01 0 d-----w- c:\program files\Microsoft PowerToys
2010-08-20 12:26:37 0 d-----w- c:\program files\MSN Messenger
2010-08-20 12:26:28 0 d-----w- c:\program files\Windows Media Connect 2
2010-08-20 12:26:25 0 d-----w- c:\program files\Messenger
2010-08-20 12:26:21 0 d-----w- c:\program files\MSN Gaming Zone
2010-08-20 12:25:32 0 d-----w- c:\program files\Windows NT
2010-08-20 05:00:56 0 d-----w- c:\program files\common files\ODBC
2010-08-20 05:00:50 0 d-----w- c:\program files\common files\SpeechEngines
2010-08-20 05:00:16 0 d-----r- c:\documents and settings\all users\Documents
==================== Find3M ====================
2010-08-20 12:27:57 21640 ----a-w- c:\windows\system32\emptyregdb.dat
============= FINISH: 5:20:24.34 ===============
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-22 07:04:16
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\vinaya\LOCALS~1\Temp\pxddqpog.sys
---- Kernel code sections - GMER 1.0.15 ----
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF8545510]
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xF2FE1F00, 0x24000, 0x48000000]
? C:\WINDOWS\system32\drivers\hfojin.sys The system cannot find the file specified. !
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
Edited by binaya, 22 August 2010 - 09:11 AM.