
rootkit,bubrix


  • This topic is locked
2 replies to this topic

#1 malinmore

  • Members
  • 2 posts

Posted 26 August 2010 - 02:41 PM

ComboFix 10-08-26.01 - m.pinker 26/08/2010 20:09:55.2.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.3070.2133 [GMT 1:00]
Running from: c:\users\m.pinker\Desktop\ComboFix.exe
AV: Prevx 3.0 *On-access scanning enabled* (Updated) {D486329C-1488-4CEB-9CC8-D662B732D901}
SP: Prevx 3.0 *enabled* (Updated) {D486329C-1488-4CEB-9CC8-D662B732D902}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\wininit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\wininit.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-26 to 2010-08-26 )))))))))))))))))))))))))))))))
.

2010-08-26 19:19 . 2010-08-26 19:19 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-26 19:19 . 2010-08-26 19:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-26 15:29 . 2010-08-26 19:21 -------- d-----w- c:\users\m.pinker\AppData\Local\temp
2010-08-26 09:13 . 2010-08-26 09:13 -------- d-----w- c:\programdata\bdch
2010-08-26 05:52 . 2010-08-26 05:52 -------- d-----w- c:\program files\Common Files\Java
2010-08-25 07:59 . 2010-08-25 07:59 -------- d-----w- c:\windows\system32\Wat
2010-08-25 05:42 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-23 21:33 . 2010-08-23 21:33 -------- d-----w- c:\program files\MSSOAP
2010-08-23 21:29 . 2010-07-27 11:50 253072 ----a-w- c:\windows\system32\drivers\Trufos.sys
2010-08-23 21:12 . 2010-07-09 14:08 327368 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2010-08-23 20:40 . 2010-08-23 20:40 -------- d-----w- c:\program files\New folder
2010-08-23 14:32 . 2010-08-23 14:32 -------- d-----w- c:\users\m.pinker\AppData\Roaming\QuickScan
2010-08-20 07:49 . 2010-08-20 07:49 -------- d-----w- c:\program files\Freemake
2010-08-15 05:56 . 2010-08-15 05:56 -------- d-----w- c:\users\m.pinker\AppData\Roaming\Recordpad
2010-08-14 15:11 . 2010-08-14 15:12 -------- d-----w- C:\temp
2010-08-14 15:10 . 2010-08-14 15:17 -------- d-----w- c:\users\m.pinker\AppData\Roaming\SuperEZ Wave Editor Pro
2010-08-14 14:51 . 2010-08-24 05:52 -------- d-----w- c:\program files\QuickTime
2010-08-12 08:24 . 2010-08-12 08:24 -------- d-----w- c:\users\m.pinker\AppData\Roaming\EPSON
2010-08-11 05:29 . 2010-06-19 04:07 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-08-09 21:12 . 2010-08-09 21:12 -------- d-----w- c:\program files\Audacity
2010-08-09 19:23 . 2010-08-09 19:27 -------- d-----w- c:\users\m.pinker\AppData\Local\orpgidmex
2010-08-09 19:23 . 2010-08-09 19:27 -------- d-----w- c:\users\m.pinker\AppData\Local\benhityth
2010-08-09 19:23 . 2010-08-09 19:27 -------- d-----w- c:\users\m.pinker\AppData\Local\kdhhibxce
2010-08-09 08:10 . 2010-08-14 14:52 -------- d-----w- c:\users\m.pinker\AppData\Local\WinZip
2010-07-30 14:12 . 2010-07-30 14:12 -------- d-----w- c:\program files\NCH Software
2010-07-30 14:12 . 2010-08-24 18:55 -------- d-----w- c:\programdata\NCH Swift Sound
2010-07-30 14:11 . 2010-08-24 18:56 -------- d-----w- c:\program files\NCH Swift Sound
2010-07-30 14:11 . 2010-08-21 20:43 -------- d-----w- c:\users\m.pinker\AppData\Roaming\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-26 19:09 . 2010-03-01 06:58 -------- d-----w- c:\programdata\PrevxCSI
2010-08-26 14:21 . 2010-03-01 00:13 -------- d-----w- c:\program files\SpywareBlaster
2010-08-26 05:52 . 2010-06-03 16:03 -------- d-----w- c:\program files\Java
2010-08-24 05:53 . 2010-03-01 23:23 -------- d-----w- c:\users\m.pinker\AppData\Roaming\Azureus
2010-08-24 05:53 . 2010-03-04 20:04 -------- d-----w- c:\program files\CyberScrub Professional
2010-08-24 05:53 . 2010-03-01 15:07 -------- d-----w- c:\program files\ABBYY FineReader 6.0 Sprint
2010-08-24 05:52 . 2008-09-08 16:28 -------- d-----w- c:\program files\Windows Live
2010-08-24 05:52 . 2010-03-09 23:05 -------- d-----w- c:\program files\Microsoft
2010-08-24 05:51 . 2010-02-28 23:48 -------- d-----w- c:\program files\BitDefender
2010-08-23 21:36 . 2010-08-23 14:29 684490 ----a-w- c:\programdata\bdinstall.bin
2010-08-23 21:33 . 2010-02-28 23:48 -------- d-----w- c:\programdata\BitDefender
2010-08-23 21:14 . 2010-02-28 23:45 -------- d-----w- c:\program files\Common Files\BitDefender
2010-08-14 14:51 . 2010-03-14 14:21 -------- d-----w- c:\programdata\Apple Computer
2010-08-12 09:11 . 2010-03-01 14:54 -------- d-----w- c:\program files\epson
2010-08-09 08:10 . 2010-05-20 16:10 -------- d-----w- c:\programdata\WinZip
2010-08-05 08:20 . 2010-03-01 00:07 -------- d-----w- c:\program files\CCleaner
2010-08-04 21:50 . 2010-07-15 14:10 -------- d--h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-04 21:50 . 2010-07-15 14:10 -------- d-----w- c:\programdata\Lavasoft
2010-08-04 21:50 . 2010-07-15 14:10 -------- d-----w- c:\program files\Lavasoft
2010-07-31 18:58 . 2010-03-23 22:27 -------- d-----w- c:\users\m.pinker\AppData\Roaming\DVD Flick
2010-07-29 06:30 . 2010-08-11 05:30 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 05:30 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-27 13:39 . 2010-05-27 14:59 -------- d-----w- c:\program files\Vuze_Remote
2010-07-21 07:34 . 2010-07-21 07:34 -------- d-----w- c:\program files\ToniArts
2010-07-21 07:34 . 2010-03-01 15:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-18 15:05 . 2010-03-01 23:22 -------- d-----w- c:\program files\Vuze
2010-07-17 04:00 . 2010-06-03 16:03 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-15 14:21 . 2010-07-15 14:21 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-14 14:05 . 2010-07-14 14:05 -------- d-----w- c:\program files\Auslogics
2010-07-12 08:56 . 2010-07-15 14:10 2979280 -c--a-w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-07-12 08:55 . 2010-07-15 14:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-12 08:55 . 2010-07-19 06:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-08 15:40 . 2010-07-08 15:39 -------- d-----w- c:\users\m.pinker\AppData\Roaming\Memory Card Download
2010-07-08 15:39 . 2010-07-08 15:39 -------- d-----w- c:\program files\Memory Card Download
2010-07-08 09:37 . 2010-07-08 09:37 101544 ----a-w- c:\program files\Common Files\LinkInstaller.exe
2010-06-30 06:25 . 2010-08-11 05:30 978432 ----a-w- c:\windows\system32\wininet.dll
2010-06-28 11:55 . 2010-06-28 11:55 970320 ----a-w- c:\windows\system32\drivers\avckf.sys
2010-06-28 11:55 . 2010-06-28 11:55 633424 ----a-w- c:\windows\system32\drivers\avc3.sys
2010-06-22 02:47 . 2010-08-11 05:30 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-22 02:47 . 2010-08-11 05:30 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-22 02:47 . 2010-08-11 05:30 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-06-19 06:33 . 2010-08-11 05:30 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-19 06:33 . 2010-08-11 05:30 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:23 . 2010-08-11 05:30 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-06-18 15:11 . 2010-06-18 15:11 72784 ----a-w- c:\windows\system32\drivers\BdfNdisf6.sys
2010-06-16 05:48 . 2010-08-11 05:30 224256 ----a-w- c:\windows\system32\schannel.dll
2010-06-14 06:12 . 2010-08-11 05:30 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-11 14:09 . 2010-06-11 14:09 290816 ----a-w- c:\users\m.pinker\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-06-11 14:09 . 2010-06-11 14:09 290816 ----a-w- c:\users\m.pinker\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-06-11 14:09 . 2010-06-11 14:09 290816 ----a-w- c:\users\m.pinker\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-06-11 14:09 . 2010-06-11 14:09 290816 ----a-w- c:\users\m.pinker\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-06-08 06:02 . 2010-08-11 05:30 1233920 ----a-w- c:\windows\system32\msxml3.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-08-26_15.31.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-08 13:37 . 2010-08-26 18:42 42942 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-08-26 19:23 46126 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-03-08 13:37 . 2010-08-26 15:32 12022 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3552818889-4155271885-3735010614-1000_UserData.bin
+ 2010-03-08 13:37 . 2010-08-26 18:42 12022 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3552818889-4155271885-3735010614-1000_UserData.bin
+ 2010-03-08 12:00 . 2010-08-26 19:21 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-03-08 12:00 . 2010-08-26 15:30 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-08 12:00 . 2010-08-26 19:21 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-08 12:00 . 2010-08-26 15:30 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:41 . 2010-08-26 19:21 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:41 . 2010-08-26 15:30 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-08 13:07 . 2010-08-26 19:21 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-03-08 13:07 . 2010-08-26 15:31 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-08 13:07 . 2010-08-26 19:21 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-08 13:07 . 2010-08-26 15:31 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-08 13:07 . 2010-08-26 19:21 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-03-08 13:07 . 2010-08-26 15:31 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-03-08 13:07 . 2010-08-26 15:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-08 13:07 . 2010-08-26 19:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-08 13:07 . 2010-08-26 19:05 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-08 13:07 . 2010-08-26 15:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-08 13:07 . 2010-08-26 15:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-08 13:07 . 2010-08-26 19:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-26 14:19 . 2010-08-26 15:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-08-26 18:40 . 2010-08-26 19:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-08-26 14:19 . 2010-08-26 15:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-08-26 18:40 . 2010-08-26 19:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:03 . 2010-08-26 14:32 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:03 . 2010-08-26 18:54 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-03-01 160328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2011\ieshow.exe" [2010-08-10 71216]
"BDAgent"="c:\program files\BitDefender\BitDefender 2011\bdagent.exe" [2010-08-11 1405584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-10 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 135664]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-12 1352832]
R3 3xHybrid;3xHybrid service;c:\windows\system32\DRIVERS\3xHybrid.sys [2008-09-08 945920]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-05-28 14896]
R3 Update Server;BitDefender Update Server v2;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [2010-07-23 307544]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-25 1343400]
R4 avc3;avc3;c:\windows\system32\DRIVERS\avc3.sys [2010-06-28 633424]
R4 avckf;avckf;c:\windows\system32\DRIVERS\avckf.sys [2010-06-28 970320]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-12 64288]
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2010-03-01 22024]
S0 pxsec;pxsec;c:\windows\System32\drivers\pxsec.sys [2010-03-01 27656]
S1 Bdfndisf;BitDefender Firewall NDIS 6 Filter Driver;c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [2010-06-18 72784]
S1 bdfwfpf;bdfwfpf;c:\program files\Common Files\BitDefender\BitDefender Firewall\bdfwfpf.sys [2010-06-18 88144]
S1 Bdvedisk;Bdvedisk;c:\windows\system32\DRIVERS\bdvedisk.sys [2010-01-19 85128]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2010-03-01 4368952]
S2 Updatesrv;BitDefender Desktop Update Service;c:\program files\BitDefender\BitDefender 2011\updatesrv.exe [2010-08-10 42400]
S3 BDFM;BDFM;c:\windows\system32\DRIVERS\bdfm.sys [2010-05-13 152528]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-03-04 277536]


--- Other Services/Drivers In Memory ---

*Deregistered* - bdftdif
*Deregistered* - kblzfls
*Deregistered* - Profos
*Deregistered* - SCDEmu

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ sysagent
.
Contents of the 'Scheduled Tasks' folder

2010-08-26 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-03-01 14:10]

2010-08-15 c:\windows\Tasks\expressburnSevenDays.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-08-14 18:51]

2010-08-15 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-08-14 18:51]

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 22:32]

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 22:32]

2010-08-15 c:\windows\Tasks\wavepadSevenDays.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-07-30 18:50]

2010-08-15 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-07-30 18:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: google.co.uk\www
Trusted Zone: https
Trusted Zone: northernbank.co.uk\ebanking
FF - ProfilePath - c:\users\m.pinker\AppData\Roaming\Mozilla\Firefox\Profiles\iovfjcdy.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-gb.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\BitDefender\BitDefender 2011\bdaphffext\components\bdaphff3.6.dll
FF - component: c:\program files\BitDefender\BitDefender 2011\bdaphffext\components\bdaphff3.dll
FF - plugin: c:\program files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\kblzfls]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\BitDefender\BitDefender 2011\pchooklaunch32.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\Secunia\PSI\psi.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\sppsvc.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-08-26 20:28:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-26 19:28
ComboFix2.txt 2010-08-26 15:39

Pre-Run: 629,487,349,760 bytes free
Post-Run: 629,409,734,656 bytes free

- - End Of File - - D8FEF5B55DB067F95494C4F62BDC6B1C
2010-06-08 06:02 . 2010-08-11 05:30 1233920 ----a-w- c:\windows\system32\msxml3.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-08-26_15.31.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-08 13:37 . 2010-08-26 18:42 42942 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-08-26 19:23 46126 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-03-08 13:37 . 2010-08-26 15:32 12022 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3552818889-4155271885-3735010614-1000_UserData.bin
+ 2010-03-08 13:37 . 2010-08-26 18:42 12022 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3552818889-4155271885-3735010614-1000_UserData.bin
+ 2010-03-08 12:00 . 2010-08-26 19:21 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-03-08 12:00 . 2010-08-26 15:30 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-08 12:00 . 2010-08-26 19:21 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-08 12:00 . 2010-08-26 15:30 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:41 . 2010-08-26 19:21 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:41 . 2010-08-26 15:30 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-08 13:07 . 2010-08-26 19:21 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-03-08 13:07 . 2010-08-26 15:31 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-08 13:07 . 2010-08-26 19:21 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-08 13:07 . 2010-08-26 15:31 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-08 13:07 . 2010-08-26 19:21 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-03-08 13:07 . 2010-08-26 15:31 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-03-08 13:07 . 2010-08-26 15:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-08 13:07 . 2010-08-26 19:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-08 13:07 . 2010-08-26 19:05 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-08 13:07 . 2010-08-26 15:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-08 13:07 . 2010-08-26 15:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-08 13:07 . 2010-08-26 19:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-26 14:19 . 2010-08-26 15:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-08-26 18:40 . 2010-08-26 19:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-08-26 14:19 . 2010-08-26 15:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-08-26 18:40 . 2010-08-26 19:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:03 . 2010-08-26 14:32 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:03 . 2010-08-26 18:54 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-03-01 160328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2011\ieshow.exe" [2010-08-10 71216]
"BDAgent"="c:\program files\BitDefender\BitDefender 2011\bdagent.exe" [2010-08-11 1405584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-10 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 135664]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-12 1352832]
R3 3xHybrid;3xHybrid service;c:\windows\system32\DRIVERS\3xHybrid.sys [2008-09-08 945920]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-05-28 14896]
R3 Update Server;BitDefender Update Server v2;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [2010-07-23 307544]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-25 1343400]
R4 avc3;avc3;c:\windows\system32\DRIVERS\avc3.sys [2010-06-28 633424]
R4 avckf;avckf;c:\windows\system32\DRIVERS\avckf.sys [2010-06-28 970320]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-12 64288]
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2010-03-01 22024]
S0 pxsec;pxsec;c:\windows\System32\drivers\pxsec.sys [2010-03-01 27656]
S1 Bdfndisf;BitDefender Firewall NDIS 6 Filter Driver;c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [2010-06-18 72784]
S1 bdfwfpf;bdfwfpf;c:\program files\Common Files\BitDefender\BitDefender Firewall\bdfwfpf.sys [2010-06-18 88144]
S1 Bdvedisk;Bdvedisk;c:\windows\system32\DRIVERS\bdvedisk.sys [2010-01-19 85128]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2010-03-01 4368952]
S2 Updatesrv;BitDefender Desktop Update Service;c:\program files\BitDefender\BitDefender 2011\updatesrv.exe [2010-08-10 42400]
S3 BDFM;BDFM;c:\windows\system32\DRIVERS\bdfm.sys [2010-05-13 152528]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-03-04 277536]


--- Other Services/Drivers In Memory ---

*Deregistered* - bdftdif
*Deregistered* - kblzfls
*Deregistered* - Profos
*Deregistered* - SCDEmu

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ sysagent
.
Contents of the 'Scheduled Tasks' folder

2010-08-26 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-03-01 14:10]

2010-08-15 c:\windows\Tasks\expressburnSevenDays.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-08-14 18:51]

2010-08-15 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-08-14 18:51]

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 22:32]

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 22:32]

2010-08-15 c:\windows\Tasks\wavepadSevenDays.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-07-30 18:50]

2010-08-15 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-07-30 18:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: google.co.uk\www
Trusted Zone: https
Trusted Zone: northernbank.co.uk\ebanking
FF - ProfilePath - c:\users\m.pinker\AppData\Roaming\Mozilla\Firefox\Profiles\iovfjcdy.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-gb.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\BitDefender\BitDefender 2011\bdaphffext\components\bdaphff3.6.dll
FF - component: c:\program files\BitDefender\BitDefender 2011\bdaphffext\components\bdaphff3.dll
FF - plugin: c:\program files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\kblzfls]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\BitDefender\BitDefender 2011\pchooklaunch32.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\Secunia\PSI\psi.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\sppsvc.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-08-26 20:28:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-26 19:28
ComboFix2.txt 2010-08-26 15:39

Pre-Run: 629,487,349,760 bytes free
Post-Run: 629,409,734,656 bytes free

- - End Of File - - D8FEF5B55DB067F95494C4F62BDC6B1C

Edited by boopme, 26 August 2010 - 02:58 PM.


#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 31 August 2010 - 08:01 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

Posted 05 September 2010 - 07:19 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
